IT NEWS

How to secure a Windows PC for your kids

With the return to school fast approaching, it’s time to ready the things your kids will need to pass the next year with flying colors. Increasingly, that means computing devices, which means you’ll need to spend time thinking about the safety and security of what they will be using.

In our “Back to School” series we will talk about several types of devices you may encounter. This one is about Windows devices.

The basics

You know that when your kids are hard at work, they can’t be bothered with all the warnings, notifications, EULA’s and what not. They are relentless in their pursuit of high grades, and maybe some less admirable goals. To achieve these goals they will click “OK” on anything that stands in their way. So, what you need to set up for them is something that gives them enough room to be a bit reckless.

Not that it’s wrong to give them a certain amount of responsibility or at least inform them about what you did to keep them secure. If they know and understand the goal, most of them will be more than happy to keep their system operational.

With that in mind, here are some security basics that you should attend to just as you would on any Windows computer:

  • Apply security updates promptly. All the software on the computer needs to be maintained by installing the latest security updates when they become available. Fortunately, Windows 10 will update itself automatically, as will popular modern web browsers like Edge, Chrome, and Firefox. We suggest that you turn on automatic updates for the Microsoft Store, which will take care of any software you download from there. Whatever software those steps don’t cover will need to be checked occasionally to see if there are newer versions available.
  • Use security software. Modern versions of Windows have lots of helpful security features, but Windows is still the most popular target for malware, so we strongly recommend that you install a third-party security solution like Malwarebytes Premium.
  • Start backing up. The only backup people ever regret is the one they didn’t make, so read Microsoft’s short guide to Backup and Restore in Windows, and get yours working on day one. Backups are your last line of defense against system-altering malware, like ransomware or wipers, as well as bad software updates, and hardware failure or theft. They will also protect your child’s work against the inevitable accident of your kid deleting their most important assignment the night before it’s due.
  • Install a password manager. A password manager is software for creating and remembering strong passwords. Good ones also provide a safe way for users to share passwords with other people. Install one on your Windows computer and get your child using it as soon as possible. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one.
  • Give your child a local user account. Even if your child is the only person using the computer, create a separate local user account for them with limited permissions. Use a different account with administrator privileges to make changes to the computer, like installing software. Don’t share the administrator account with your child and never use it for work, web browsing or email. Malware will typically use the same permissions as the account that runs it. If your child accidentally runs malware as a local user, it will be not be able to alter the machine.

Other considerations

If the device isn’t your property

If the Windows device is provided by the school or another organization, your options for implementing your own security ideas may be very limited, but that’s OK, it just means somebody is doing it for you. It’s usual for IT staff from the school to setup and manage this kind of computer and to give your child access to a standard local user account. That should be enough access for your child to do what they need to without getting into too much trouble.

Parental controls

Children search Google for the weirdest things and topics. Whether they searched for something on purpose or just because they didn’t know what it meant, search results for some phrases are best not seen by young children.

The parental controls included with Windows allow you to enforce restrictions on screen time; block apps, websites, and games; and provide reports on what your child has been doing with their device.

Parental controls can be useful to limit the risks your children run into online, but you should know up front that they cannot eliminate every risk out there. Read our article about parental controls to learn what they can and can’t do for you.

Social media, messaging, and games

Children are inclined to share their entire lives with their friends, and keen to get their hands on the phones, computers, and accounts that will let them do it online. Unfortunately, social media, messaging apps, and gaming come with risks: It is easy for predators to hide behind a picture of a child and a believable persona, there is no break at the end of the school day from the bullying and harassment that happens online, and gaming communities can be rough and unforgiving.

Like many other aspects of the adult world, children deserve to be introduced to these things in a careful, supervised manner, and many parents opt for some kind of digital oversight or restrictions. (It is worth noting too, that most social media apps have a minimum age requirement of 13, although as a recent Omegle investigation showed, you cannot assume a platform will enforce its age restrictions or that its moderators will keep your children safe).

Alongside whatever tools or techniques you use to keep children safe online, we recommend teaching them responsible digital citizenship from an early age, to help understand the dangers, and to recognize cyberbullying and harmful content. Establishing guidelines and teaching them responsible online communication and etiquette will help them to communicate respectfully, with responsibility and confidence.

Wi-Fi

By default, Windows 10 will connect automatically to Wi-Fi networks you have used at least once. With a device moving back and forth between home and school, this creates an opportunity for an attacker (perhaps another student) to set up a network with the same name. These so-called “evil twin” Wi-Fi network attacks simulate known networks and can be used to perform a machine-in-the-middle attack (MitM).

The only way to easily protect against these attacks is by disabling the auto-connect feature. You can do this by removing the check mark when you connect to the network or in the properties of the connection by turning the “Connect automatically” option off. After doing this you can manually check the available Wi-Fi networks on location and look if there are two identical SSIDs (network names). The evil twin will not have a lock symbol near the strength indicator.

Low maintenance

In the past we have posted suggestions about how to set up a computer that requires a minimum of attention afterwards, which we called minimum effort for maximum protection. While this may seem like an attractive solution for your children, it’s important to realize that it does require some degree of security awareness of the computer user.

While this may not be suitable for all ages, it is an approach you might want to take with older children if you are trying to involve them in the process of understanding and securing their own device.

The other side

Depending on their age and computer skills, you will want to talk your kids through what you did and why. A class full of determined teenagers will break through your defenses in no time at all. If they understand what you are trying to protect them from they may use those same skills to steer clear of those dangers.

Ransomwater confusion, does the criminal know who the victim is?

When we say that attribution is always tricky, we are obviously only seeing the half of it. Apparently sometimes even the cybercriminals are not always clear on which company they breached.

Clop ransomware put out a statement that they breached Thames Water when in reality their victim was South Staffs Water. Fortunately nobody was deprived of water due to the incident.

Clop

Ransom.Clop was first seen in February of 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data that will be published on a leak site if the victim refuses to pay the ransom. In February of 2021, ther group made headlines by targeting executives’ systems specifically to find sensitive data.

Hoax or not so much

After becoming aware of some reports, Thames Water made it clear that the whole thing was a hoax as far as they are concerned. It would be a hoax if there wasn’t a real victim of the attack.

On the website of South Staffs Water, we learned that South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water, had been the target of a criminal cyberattack. But the incident has not affected their ability to supply safe water. According to the statement, they are experiencing disruption to their corporate IT network and they have teams working to resolve this as quickly as possible. Their customer service teams are operating as usual.

The breach

On their leak site, Clop claims to have spent months inside the company system and noticed many very bad practices. They also said they had contacted the company with information on how to fix the problem. But they never responded. So, after spending months, you contacted the wrong company and they never gave you the time of day? How quaint.

Clop's claims

On their leak site Clop touts their accomplishments and rants about the victim company

Vital infrastructure

While we can joke about the mistaken identity and the following confusion in the media, the incident proves two points. Ransomware gangs do not shy away from attacking vital infrastructure, but you should also know that much of this infrastructure is robust enough to withstand such an attack. 

Clop claims they have not encrypted any files and that they could potentially change the chemical composition of the water, but all they did was exfiltrate 5 TB of data. As we learned from the Malwarebytes podcast with Lesley Carhart the chances of a critical infrastructure “big one” are remarkably slim. In fact, critical infrastructure’s regular disaster planning often leads to practices that can detect, limit, or prevent any wide-reaching cyberattack.

In other words, there are fail-safes in place that should reliably prevent any “chemically altered” water from ever reaching our homes, no matter whether you are a customer of Thames Water or South Staffs Water.

Clop corrects

At this moment, the Clop leak site displays “South-Staffs-water.co.uk,” not Thames Water, so they must have realized their mistake.

Leak site header (partial)

The exfiltrated data contain copies of passports and drivers licenses, a lot of schematics, email addresses, and a list of VM servers combined with login credentials. Certainly not 5TB worth of data, but probably an incentive to get the victim to pay the ransom.

Getting the victim wrong might be a case of miscommunication between the affiliate that compromised the victim and the ransomware operator combined with the poor grasp of English on one or both sides of the operation. Remember that ransomware groups now typically offer their ransomware as a service to other groups that have already infiltrated companies and organizations. By offering these cybercriminal breach teams access to their ransomware, the ransomware developers then get their ransomware into more targets than they could have by themselves, and they take a “cut” of whatever ransom gets paid. 

Importantly, though, misidentifying the victim and starting negotiations about the ransom with the wrong organization could leave the real victim clueless about what happened to them, or more to the point, who is responsible. Luckily it didn’t take too long in this case.

Update Chrome now! Google issues patch for zero day spotted in the wild

Google updated the Stable channel for Chrome to 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows which will roll out over the coming days/weeks. Extended stable channel has been updated to 104.0.5112.101 for Mac and 104.0.5112.102 for Windows , which will roll out over the coming days/weeks.

This update includes 11 security fixes. One of the vulnerabilities is labeled as “Critical” and one of the vulnerabilities that is labeled as “High” exists in the wild.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). We discuss some of the CVE’s included in this update below.

CVE-2022-2852: a critical use after free vulnerability in FedCM. Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. The Federated Credential Management API (FedCM) allows the browser to understand the context in which the relying party (for example a website) and the identity provider (a third party authentication service) exchange information.

CVE-2022-2856: Insufficient validation of untrusted input in Intents. Chrome intents are the deep linking replacement for URI schemes on the Android device within the Chrome browser. Google’s Threat Analysis Group submitted the vulnerability and technical details will not be released until everyone has had ample opportunity to update.

Google is aware that an exploit for CVE-2022-2856 exists in the wild. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.

CVE-2022-2854: a UAF vulnerability in SwiftShader. SwiftShader is a an open source library that provides a software 3D renderer. The attacker would have to trick the victim to visit a specially crafted website.

CVE-2022-2853: a heap buffer overflow in Downloads. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. The heap is the portion of memory where dynamically allocated memory resides.

How to protect yourself

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome up to date

After the update the version should be 104.0.5112.101 or later.

Stay safe, everyone!

Nearly 2,000 Signal users affected by Twilio phishing attack

New findings following the Twilio phishing attack revealed that Signal, one of its high-value clients and a popular encrypted messaging platform, was particularly affected. 1,900 of its users had their phone numbers and SMS registration codes exposed. However, Signal reassured users that the attacker could not gain access to “message history, contact lists, profile information, whom they’d blocked, and other personal data” associated with the account.

Signal also claims that 1,900 comprises a small percentage of their user base, so a majority of their users were not affected. Nevertheless, they notified affected users this week via SMS and prompted them to re-register Signal on their devices.

The company revealed in a security notice that the attacker explicitly searched for three numbers among the 1,900 users affected. One user of the three numbers already reported that their account was re-registered. This means the attacker can now send and receive messages from that phone number.

When The Register asked Signal why an attacker would specifically target these three numbers, suggesting maybe they are people of note, the company responded: “To respect the privacy of those specific people, we are not sharing any details about them.”

Signal highlights the importance of enabling its app’s security features to fend off after-effects of attacks that may befall third-party providers it uses. Because of what happened to Twilio, the company is pushing more of its users to take advantage of registration lock and Signal PINs, which can only be activated manually.

Registration Lock prevents someone from registering a Signal user’s phone number to another device unless they know the PIN associated with the account. To enable Registration Lock, Signal users should go to Signal Settings (profile) > Account > Registration Lock.

“While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” Signal said.

Last week, Cloudflare revealed a similar phishing tactic that got Twilio breached also targeted their employees last month. The campaign didn’t work because Cloudflare employees were required to use physical security keys to access all applications they use in-house.

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

We’re excited to announce Malwarebytes Cloud Storage Scanning, a new service that extends Nebula malware scanning options to include files stored on cloud storage repositories that are part of your organization’s digital ecosystem.

Today, the service supports scanning of files under 100Mb in size that reside on Box.com or on Microsoft’s OneDrive, and will extend to other popular file storage solutions in the coming quarters.

Malwarebytes Cloud Storage Scanning uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates, decrease detection times and provide a comprehensive view to monitor and protect the health of all your enterprise data. 

Let’s dive in on how to make a scan!

Scanning for cloud malware

In Nebula, go to “Settings” and click “Cloud Storage Scans”. Here you can see existing scans and the providers being checked. Click “Add a Scan” to create a new scan.easset upload file70596 227184 e

Under “Settings”, name the scan and then select your cloud data storage provider.

easset upload file71839 227184 e

Enter the configuration details from the storage provider to select and validate your account.  To initially check all existing files for malware, do not check this box and configure a scheduled or on-demand scan. In order to connect to your provider, you will need to provide a Tenant ID, Client ID and Client Secret.

If you select “Continuous scan”, Malwarebytes will only check for new and updated files from this point forward.

Click “Connect to provider” to provide access to your cloud storage location.easset upload file15225 227184 e

Once you see a success message, go to “Items to scan” to select the users or folders to scan. You can scan folders and the sub-folders.easset upload file56316 227184 e

If you have not selected continuous scan, go to “Scan frequency” to determine the cadence. Note that with scheduled scans, you will be scanning the contents of the selected folder(s) each time versus a continuous scan that only scans the changes.

Scans can be scheduled daily, weekly or monthly. Select “Scan now” for a one-time scan to occur immediately. Save for the scan to take effect and begin running on the cadence you chose.easset upload file59644 227184 e

In this example, we have a one time scan for existing malware in the folder and a continuous scan for future changes.easset upload file96093 227184 e

Review the results of scans with “Storage detections” on the left-side navigation bar. easset upload file44745 227184 e

Here you can see a list of all detections from any cloud storage location. You can sort by “Threat name”:easset upload file79207 227184 e

Filter by cloud provider:easset upload file94328 227184 e

And “Add/Remove Columns”:

easset upload file42419 227184 e

A report is also available to send a list of detections via email. Navigate to the “Reports” section on the nav bar:

easset upload file91245 227184 e

Click “Cloud Storage Detections Summary”. You’ll be prompted with a window to configure the report.

easset upload file3003 227184 e

easset upload file15211 227184 eClick “Save”. 

As you can see, the report was delivered to our email below!easset upload file4059 227184 e

An additional layer of security

While integrated cloud malware detection solutions (e.g. BoxShield for Box.com; MS Defender for OneDrive) can be useful, many businesses use multiple different cloud storage repositories, and due to lack of integration options, are unable to get a centralized view of all of their scan results, across multiple repositories, in a single security-focused pane of glass.

Malwarebytes Cloud Storage Scanning is easy and quick to deploy, centrally managed, and is seamlessly integrated with other Malwarebytes products and services that provide cloud security best practices.

Interested in reading about real-life examples of cloud malware mitigation? Read the case study of how a business used Malwarebytes to help eliminate cloud-based threats.

CISA and FBI issue alert about Zeppelin ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) about Zeppelin ransomware. The advisory contains indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants identified through FBI investigations as recently as June 21, 2022.

Zeppelin

Zeppelin, aka Buran, is a ransomware-as-a-service (RaaS) written in Delphi and built upon the foundation of VegaLocker. Due to the RaaS model there are several methods in use to gain initial access. The CSA mentions RDP exploitation, SonicWall firewall exploits, and phishing campaigns. In earlier days, Malwarebytes’ researchers found a malvertising campaign that dropped Zeppelin ransomware as one of the possible payloads.

Zeppelin uses the double extortion where they threaten to sell or publish exfiltrated data in case the victim refuses to pay the ransom.

While anyone can fall victim to these threat actors, the FBI noted that this malware has been used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.

Mitigation

Besides IOCs, attack techniques, and a Yara signature, the CSA provides a lot of mitigation advice. Since the techniques used by the Zeppelin gang are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.

But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.

Backups

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.

Authentication

Require all accounts with password logins to meet the required standards for developing and managing password policies.

  • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Implement time-based access for accounts set at the admin level and higher.
  • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers.
  • Store passwords using industry best practice password hashing functions.
  • Implement password rate limits and lockouts.
  • Avoid frequent password resets (once a year is fine).
  • Avoid reusing passwords.
  • Disable password “hints”.
  • Require administrator credentials to install software.

Software

Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Networks

Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.

Email

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Scripts

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Stay safe, everyone!

A week in security (August 8 – August 14)

Researchers found one-click exploits in Discord and Teams

A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.

Electron is a framework that allows developers to create desktop applications using the languages used to build websites: HTML5, CSS, and JavaScript. It’s an open source project that has been used as the foundation for some extremely popular apps. Electron itself is built on the open source Chromium browser project (the basis of Google Chrome), and the NodeJS JavaScript runtime which is built on Chromium’s V8 JavaScript engine—a significant source of Chrome security problems.

Building blocks

It is not uncommon for developers to use other projects, frameworks and libraries as building blocks for their projects. Building on proven code makes sense: It saves time, it is easier for others to get involved, and everyone benefits from all the layers of solved problems in the existing codebase.

The problem with building software on existing foundations, provided by others, is that its developer may not fully understand the security implications of certain decisions or configurations. And they need to rebuild their own application whenever a security vulnerability is fixed in the software they’re building on top of, and then distribute that update to their users.

Probably the most famous example of such a building block vulnerability is Log4Shell. Log4Shell is a vulnerability that was found in Log4j, an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the impact of the vulnerability was enormous.

The chances of applications harboring out-of-date underpinnings are software are high. And the reservoir of known bugs that are fixed in, say, Chrome, but not yet fixed in Electron, or fixed in Electron but not yet fixed an application built on top of Electron, is something that criminals and researchers can exploit.

A group of researchers recently presented research into Electron vulnerabilities at the Black Hat security conference having done exactly that. For a peek into what they did, and a look at how complicated modern bug hunting is, read researcher s1r1us’s explanation of how they went about finding a remote code execution (RCE) vulnerability in Discord by chaining a new cross-site scripting vulnerability, a CSP bypass in Discord’s out-of-date Chrome version, and an exploit for an existing V8 vulnerability.

In the case of s1r1us’s Discord bug, what the researchers found could be exploited with nothing more than a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, an attacker would have been able to take control of their computers.

Mitigation

The most general and best advice in many cases is to avoid clicking on links that come in unexpected or in unusual ways. In an ideal world you would distrust them with the same vigor as the links in your mailbox and on social media. However, this can be very difficult in practice because many of these applications require you to click on links to join meetings, accept invitations and so on.

A more workable solution, suggested by the researcher, is to use apps like Discord or Spotify inside your browser, because then you have the protection afforded by Chrome, which is much larger than the one provided by Electron, and you have control whether it’s up to date or not.

Most of us though, will simply stick to downloading our security updates, and hoping the people who make the software are too.

Viral video drives malvertising on social media platform

This blog post was authored by Jérôme Segura

Viral content shared on social media is highly coveted since it gets a lot of impressions and engagement. Unfortunately, the people who push this kind of content don’t always have the best of intentions.

We recently identified a malvertising campaign on Facebook that uses a cute story that gained attention last year. The fraudsters are luring potential victims into clicking on its link so that they are conditionally redirected to a fake tech support page.

This technique is far from being new but yet still works really well and deserves to be analyzed once again so that affected parties better understand how they are being abused.

Too cute to be true

The scam starts with the sweet story of a man who jumped out of his car at a traffic light to have his puppy meet another dog. This moment was shared on a number of platforms last year and could melt any animal lover’s heart.

easset upload file39120 225262 e

We saw this post on Facebook and it has been viewed and shared since at least mid July. Yet, in this case, the link is a trap set to redirect potential victims to a malicious page known as a browser locker. While it does not actually ‘lock’ anything, the page displays fake messages about computer viruses and entices users to call for assistance. What follows after are the well-known tech support scams.

easset upload file26208 225262 e

Cloaking games

In order to evade detection and remain active for as long as possible, these fraudulent schemes use a simple technique known as cloaking. The idea is to only display the malicious page in specific scenarios while showing legitimate content the rest of the time.

Here are some examples of filters that threat actors may use to their advantage:

  • IP address
    • Geolocation (country and city)
    • Internet Service Provider (ISP)
  • Browser user-agent
    • Operating system (Windows, Mac, Mobile)
    • Browser name and version
  • Referer (the site visited just before)
  • Cookies
  • Time zone

In other words, for a given campaign a target may be: people living on the US’s west coast using Windows 10 and Google Chrome with a valid Facebook referer clicking on the link for the first time after 6 PM on weekdays. For the rest of the time and other visitors, a decoy page will be shown instead:

easset upload file37053 225262 e

The proverbial ‘smoking gun’

When it comes to reporting such abuses, most registrars, hosting companies and platforms will require some hard evidence unless you have worked with them in the past and they already trust the information you pass along.

While a video capture is a pretty damning piece of evidence, it may not necessarily be enough to convince a provider especially if they aren’t able to reproduce the issue on their side. Because of cloaking, finding that smoking gun can literally take hours of frustrated attempts until finding the right combination of parameters. In fact, in some cases you may have to wait for when the scammers manually activate a redirect for a specific time window.

Running a web proxy is often invaluable to capture the event as it is happening as well as hard evidence of the suspected behavior. For example, what we see below are the request and response headers for the domain performing cloaking.

  • The request headers show the host (fnbchecklagsin[.]com) the referer (Facebook) and the full URI we requested (GET)
  • The response headers show that the server responded with the HTTP 302 code which indicates a redirect to a new location (browser locker)

easset upload file98323 225262 e

Essentially, the malicious remote server did not even serve the decoy content but immediately redirected our browser to the tech support scam page.

easset upload file57951 225262 e

We have reported this incident to the registrar (NameCheap), the hosting provider (DigitalOcean) and the platform (Facebook) abused to spread this scam. Malwarebytes users were already protected thanks to our Browser Guard extension.

Anti-tracking tool tells you if you’re being followed

If there is one thing we know about the people around us, even the perfect strangers, it’s that they almost all have smartphones. And those smartphones aren’t merely passive receivers, they’re broadcasting constantly, looking for things you might want to connect to.

Advertisers have exploited the electronic noise that smartphones make for years, using it to track people in places like shopping malls. But now a security researcher has used the same idea to detect if you’re being followed.

Matt Edmondson had the idea for the tool when a friend of his, who also works for the government, expressed concerns about being tailed when meeting a confidential informant who had ties to a terrorist organization. Although the friend is skilled at escaping those following them by car, he was looking for “an electronic supplement”.

“He was worried about the safety of the confidential informant,” Edmondson explained to Wired.

Edmondson wears many hats. He served as a federal agent for the US Department of Homeland Security for 21 years; he is the founder of an infosec consultation company; a hacker; a certified SANS instructor; and a digital forensics expert. Suffice it to say, he has the skills and experience to create something that would make someone safe using parts that don’t cost much, some open-source Python code, and a Raspberry Pi.

Edmondson presented his project at Black Hat on Thursday. His talk, Chasing Your Tail With a Raspberry Pi, touched on how he assembled the anti-tracking device, the challenges encountered when building it, and some best practices to consider, including creating an ignore list for friendly smartphones, and the importance of randomizing your MAC address (the rarely-changed identifier that allows others to track your smart phone).

The anti-tracking device works by scanning for wireless devices and checking if these have been present within the past 20 minutes. Unlike tools made to scan stationary devices, Edmonson’s machine was designed to scan moving ones. This is necessary as the act of tailing requires movement.

The device can fit in a shoebox and is in a waterproof case. It has a Wi-Fi card that runs Kismet (a popular wireless network detector), a portable charger, and a touchscreen where the user sees alerts. Each alert solidifies the possibility that one is being tailed.

“It’s purely designed to try to tell you that you’re seeing something now that you were also seeing a few minutes ago,” Edmondson says. “This isn’t designed to follow people in any way, shape, or form.”

Edmondson pleads with the tech community to take digital tracking and surveillance seriously. “It was really kind of disheartening and depressing to look at the ratio of tools to spy on people versus tools to help you not get spied on,” he says.