IT NEWS

A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it has been leaked by what seems to be a disgruntled developer. LockBit has been by far the most widely used ransomware in 2022 and the appearance of the builder could make things worse. It is likely to be popular, so we could see new gangs appear that aren’t affiliated with the LockBit group but use its software, for example. We also expect to see fake packages offered online that infect the person running the builder, rather than building ransomware for them.

The builder turned up in two different places and was leaked using two different online identities. But where it came from and why isn’t really that interesting, certainly not for people looking to defend against it. For that, what it can do and what the implications are, are far more interesting.

Testing

Malwarebytes ransomware researchers managed to get their hands on a copy of the builder and found that, sadly, building your own ransomware has never been easier.

The whole builder actually only holds four files: An encryption key generator, keygen.exe, the actual builder.exe, a modifiable configuration file, config.json, and a batch file to build all of the files called build.bat.

The builder offers a high level of customization. In the included example of the configuration file the ransomware operator can choose their own C2 server, choose the processes they want to terminate, modify the ransom note, and so on.

Once the operator has set the configuration they can start a batch file that produces all of the files they need to start a new ransomware campaign.

A blessing in disguise is that thie Lockbit 3.0 Black fixes a decryption bug that was present in previous versions. The new version encrypts and decrypts flawlessly. You absolutely don’t want to infected with ransomware, but if you are, you want the process to be reliably reversible.

Mitigation

We recommend reading an expert view on simplifying the fight against ransomware, but to some it up in a few bullet points:

• Stop initial access by turning off or hardening RDP, having a plan for how and when you’ll do your security updates, and training users to spot malicious emails.
• Make privilege escalation and lateral movement as hard as possible by using the principle of least privilege, segmenting your network, and deploying EDR.
• Use an anti-malware solution that can identify ransomware and can roll back infections.
• Keep your data safe with offsite, offline backups that are out of the reach of attackers.
• Accept that even with the best defences, breaches can still happen. Prepare a distaster recovery plan.

G2 has released their Fall 2022 reports, ranking Malwarebytes as the leader across a number of endpoint protection categories. 

Based on factual customer reviews, Malwarebytes has been ranked #1 over top EDR vendors for endpoint malware and antivirus protection, detection and remediation of web-based threats, product usability, and more. These results continue Malwarebytes’ top ranking by G2, reinforcing Malwarebytes leadership in the endpoint security platform market. 

Summary Report

• Malwarebytes has ranked #1 for 4 reports OVERALL across all vendors and market segments

  • Grid

  • Results Index

  • Implementation Index

  • Usability Index

• Malwarebytes has ranked #1 for 5 Mid-Market reports

  • Results Index

  • Relationship Index

  • Grid report (main report)

  • Implementation Index

  • Usability Index

• Malwarebytes has ranked #1 for 1 Small Business reports

  • Grid report (main report)

Most rapid time to value (TTV)

Small- to medium-sized business (SMB) security teams need a solution that is quick to deploy, easy to set-up, and uncomplicated. Malwarebytes is that solution.

Ranked #1 in G2 Crowd’s Fall 2022 Implementation Index report, Malwarebytes’ endpoint protection suite provides the most rapid time to value (TTV) of all competitive solutions in the market today.

Best ROI

Looking for endpoint security that will provide maximum return on your investment? Malwarebytes is the answer. 

Ranked #1 in G2 Crowd’s Fall 2022 Results Index report, Malwarebytes provides the best estimated ROI of all endpoint protection suites based on our unique combination of rapid time to go live and time to ROI.

Malwarebytes ranked #1 for 4 reports OVERALL across all vendors and market segments

Grid® Report for Endpoint Protection Suites

• Largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 98% of users rated it 4 or 5 stars.

Europe Regional Grid® Report for Endpoint Protection Suites

• Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 98 percent of users rated it 4 or 5 stars.

Implementation Index for Endpoint Protection Suites

• Contributing factors: Ratings for “Ease of setup,” “Implementation time,” and “User adoption.”

• Earned badge for highest implementation score.

Results Index

• Contributing factors: Ratings for “Likely to recommend,” “Meets requirements,” and “Estimated ROI.”

• Earned badge for highest overall Results score.

Usability Index for Endpoint Protection Suites

• Contributing factors: Ratings for “Ease of admin,” “Ease of use,” “Meets requirements.”

• Earned badges for highest overall Usability score and highest ease of use rating. 

Malwarebytes ranked #1 for 5 Mid-Market reports

Badges are awarded to products that receive the highest overall ratings along certain categories. For example, the Highest Quality of Support badge goes to the product with the highest overall quality of support score.

Mid-Market Results Index for Endpoint Protection Suites

• Contributing factors: Ratings for “Likely to recommend,” “Meets requirements,” and “Estimated ROI.”

• Earned badges for highest overall Results score and highest likehood to recommend score.

Mid-Market Relationship Index for Endpoint Protection Suites

• Contributing factors: Ratings for “Ease of business,” “Likely to recommend,” and “Quality of support.”

• Earned badge for highest overall best relationship score.

Mid-Market Grid® Report for Endpoint Protection Suites

• Malwarebytes has the largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 99 percent of users rated it 4 or 5 stars.

Mid-Market Implementation Index for Endpoint Protection Suites

• Rated for “Ease of setup,” “Implementation time,” and “User adoption.”

Mid-Market Usability Index for Endpoint Protection Suites

• Contributing factors: Ratings for “Ease of admin,” “Ease of use,” “Meets requirements.”

• Earned badge for highest most implementable score.

Malwarebytes ranked #1 for 1 Small Business report

Small-Business Grid® Report for Endpoint Protection Suites

• Malwarebytes has the largest Market Presence and received the highest satisfaction score among products in Endpoint Protection Suites. 98 percent of users rated it 4 or 5 stars.

Easy, effective, and efficient cyber protection validated by real users

Malwarebytes is committed to delivering a stellar experience for our users.

Customer reviews are critical to ensuring that endpoint security solutions perform well where it counts, whether that’s ease-of-use, implementation, or overall satisfaction. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Malwarebytes receives highest rankings in recent third-party tests

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

On September 20, 2022, the official Twitter account for 2K Support tweeted an important message from the Customer Support team.

The tweet said an unauthorized party illegally accessed the credentials of one of the vendors of the helpdesk platform. The attacker then used that access to send out communications that contained a malicious link.

The email

There is some confusion about the email, which is clear from reading the replies and tweets on 2K support. From what we managed to put together based on the tweets and what little information 2K provided, the first email looked similar to this one:

2K Support request

In some cases, these were followed by a second email that looked similar to this one.

Email with a direct link to the malware

The malware turns out to be RedLine infostealer. RedLine specializes in stealing banking information from a system’s clipboard. It also attempts to steal other data from the affected system, like browser history, cookies, and saved browser passwords.

Info stealers like this are usually delivered to an affected system when users download them under false pretenses, often disguised as popular software or cracks.

Supply chain

Breaking into the supply chain like this can give an attacker access to a large amount of potential victims. Most of the customers in this case had open tickets, so they weren’t surprised to receive an email from the Support desk. And it’s not uncommon for Support desks to send out files for system analysis, which can help support to pinpoint the problems customers might have with the installation of their product or any other hardware or software conflicts.

Mitigation

Anyone that has downloaded the file must now do a full system scan to remove any malware.

If you have executed the file, this means that information from and about your system may have been sent to the attacker.

What can you do to limit the dangers of stolen information as much as possible?

• Change the passwords that might have been stolen for every website you can remember logging into. Depending on how your browser stores the passwords, you may have to do the same for every password that the browser remembers for you. All modern web browsers come with a built-in password manager that offers to store your login credentials, but the degrees of security encryption are very diffferent.
• If your email account has been compromised, change that password first as other credentials may be sent to you by mail and still end up in the wrong hands. Some online shops even send you a password in plain-text.
• Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
• Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.

Extra precautions

• Enable 2FA wherever possible.
• Do not re-use passwords, and consider a password manager to generate and remember all your passwords for you.

Malwarebytes customers were protected against this attack because the Premium version blocked the C2 server that the 2K Launcher.exe contacts when it is executed.

Malwarebytes blocks the connection to the C2 server

On Tuesday, the Securities and Exchange Commission (SEC) charged financial company Morgan Stanley a $35M fine for “the firm’s extensive failures, over five years, to protect the personal identifying information, or PII, of approximately 15 million customers. The company agreed to settle the penalty.

As early as 2015, Morgan Stanley wasn’t properly disposing of devices containing sensitive customer data, according to a press release. In one instance, it hired a moving company with “no experience or expertise” in data destruction to eliminate thousands of devices containing hard drives and servers with thousands of unencrypted customer data. The company later auctioned these devices online with data still intact.

Gurbir Grewal, the SEC’s director of the Division of Enforcement, described Morgan Stanley’s failures as “astonishing”.

“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Grewal said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

Morgan Stanley recovered some of the re-sold assets, but “a vast majority” of these devices were not.

On top of that, 42 servers, potentially containing unencrypted data by the thousands, from a local office and branch servers Morgan Stanley shut down went “missing”.

Regardless of the amount of data that was “misplaced” for seven years, the company said it’s not aware any of the lost sensitive data were exploited.

“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” a spokesperson from Morgan Stanley said in a statement to CNN.

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

In Firefox 105 a total of seven vulnerabilities were patched, three of which received the security risk rating “high”. In Thunderbird three security vulnerabilities were patched. One with the rating “high” risk.

Security advisories were published for Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1. Firefox 105 is the browser most Mozilla users will have on their system. Firefox Extended Support Release (ESR) is an official version of Firefox developed for large organizations that need to set up and maintain Firefox on a large scale. Thunderbird is Mozilla’s free email application.

How to update

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available. On Android use the My apps & games item in the PlayStore side-menu and find Firefox Browser in the list. Use the Update button next to it.

Downloading available update screen Firefox

The screens and the way to access them are largely the same for all Mozilla programs, including Thunderbird.

Once you’ve updated, you’re protected against these vulnerabilities.

Stay safe everyone!

The technical details

Firefox vulnerabilities

CVE-2022-40959: (High) Bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages didn’t have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.

CVE-2022-40960: (High) Data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. UTF-8 is an encoding system for Unicode characters. It can translate any Unicode character into a matching unique binary string. A non-UTF-8 character is a sequence of bytes that is not a valid UTF-8 character. Since UTF-8 as character encoding was introduced in 2005, there may be still some URLs which use a different encoding. Or they could be constructed to exploit this vulnerability.

CVE-2022-40962: (High )Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2022-40958: (Moderate) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix. By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. In a session fixation attack, the attacker already has access to a valid session and tries to force the victim to use that particular session for his or her own purposes. In such a case the attack is initiated before the user logs in and the session fixation attack fixes an established session on the victim’s browser.

CVE-2022-40961: (Moderate) Stack-buffer overflow when initializing Graphics. During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.

CVE-2022-40956: (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP’s base-uri settings and accept the injected element’s base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document’s <base> element.

CVE-2022-40957: (Low) Incoherent instruction cache when building WASM on ARM64. Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. This bug only affects Firefox on ARM64 platforms. ARM64 is the architecture used by newer Macs built on Apple Silicon, shipped in late 2020 and beyond.

Thunderbird

CVE-2022-3033: (High) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag. If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv=”refresh” attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. This bug doesn’t affect Thunderbird users who have changed the default Message Body display setting to ‘simple html’ or ‘plain text’.

CVE-2022-3032: (Moderate) When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

CVE-2022-3034: (Moderate) An iframe element in an HTML email could trigger a network request. When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn’t display the document.

The US FDA (Food and Drug Administration) has warned users of Medtronic’s MiniMed 600 Series Insulin Pump System—specifically, models for MiniMed 630G and MiniMed 670G—that their medical devices have a cybersecurity issue with its communication protocol. If compromised, attackers could gain unauthorized access to the pump system itself, and alter it to deliver too much or too little insulin to the patient.

Because the MiniMed 600 series devices have components (the insulin pump, the blood glucose meter, the continuous glucose monitoring transmitter, and the CareLink USB device) that communicate wirelessly, nearby attackers could gain unauthorized access to them when the pump is paired with these components. Medtronic clearly stated that such an attack could not be done over the internet.

“Medtronic has no evidence to date that such an issue has occurred,” the company’s Urgent Medical Device Correction notification page states. “However, in the unlikely event that unauthorized access would be successful, the access could be used to deliver too much or too little insulin through delivery of an unintended insulin bolus or because insulin delivery is slowed or stopped. Too much insulin could result in hypoglycemia (low blood sugar) which can potentially lead to seizure, coma or death. Too little insulin could result in hyperglycemia (high blood sugar) which can potentially lead to diabetic ketoacidosis.”

The FDA continues to work with Medtronic to identify, communicate, and prevent the devices’ vulnerability effects. Medtronic advises taking action and the necessary precautions to avoid being at risk. First, the company advises users to turn off the “Remote Bolus” feature of the pump, which is on by default.

The company also reminded users to keep their insulin pump and its components within their control at all times, never confirm connection requests on the pump screen unless initiated by them or their care partner, and not share their insulin pump’s or device’s serial numbers with anyone but their healthcare provider, distributor, and Medtronic. A detailed list of precautions can be found on this page.

Watch out for an energy-themed scam being sent out via SMS. The message plays on energy price fears, similar to what we’ve seen previously.

Scam alert. I just received this text. Click through and it looks very official. It’s a scam. The £400 energy bill discount is automatic, you don’t need to register or share any details with anyone. Please be aware. pic.twitter.com/76bT9YSkOy

— Marc Ashdown (@marcashdown) September 20, 2022

It reads as follows:

GOVUK: We have identified you as eligible for a discounted energy bill under the Energy Bills Support Scheme. You can apply here [URL]

The message, which claims to be from the UK government, directs clickers to a phishing page which resembles a typical gov.uk website.

Energy Bills Support Scheme

Register now to receive a £400 non-repayable discount under the Energy Bills Support Scheme.

Anyone “registering” to the website may well find themselves out of pocket. Considering those most likely to respond to such a message may be people already struggling financially, this is a particularly despicable attack.

Phishing for info

The pattern followed by this site is typical of this kind of attack. First it asks potential victims to enter a variety of personal information:

• Name

• Date of birth

• Phone number

• Address

• City

• Postcode

Once this is done, the site asks for your current energy supplier, and provides a list of pre-fills.

The site eventually asks for:

• Card number
• Card expiry date
• Card security code

It also places the logo of whichever company you’ve selected at the top of the page, along with the following message:

This should be the account linked to your [business name] account. This is the account your supplier will send the payments to.

It’s worth noting that the URL is already being flagged by some browsers. For example, Chrome will make you confirm that you want to visit the site, ignoring its prominent “this site is bogus” warning. If you actually visit the page despite this, it’s also tagged as “Dangerous” where the green padlock in the URL bar is located. Users of Malwarebytes are protected from the phishing URL used in this attack.

How to avoid energy scams

• Phone calls, emails, and random SMS messages asking for payment information are not going to be legitimate. You should also never be asked for login details for your online banking or other accounts from a cold-caller.
• If you receive an unexpected call about energy prices or rebates, insist on calling “them” back on their official number taken from an official website directly. If the caller objects to this, that’s an immediate red flag. A genuine caller would have no possible reason to object to this.
• Bogus fake energy company websites are very popular and easy to set up. Visit the official website listed in official correspondence only, and pay close attention to URLs sent to you by text or email. Don’t trust sites sent your way in relation to any money back, discount, or rebate offer.

Stay safe out there!

With children now back at school, it’s time to think about social media, and their use of it.

Are they already firing out tweets, chatting in Discord channels, or even just looking to set up a Tik-Tok account? Now is the time to consider giving your kids some security and privacy tips for all their social media needs.

1. Get to grips with default settings

Most sites are in the business of making your data their business. EULAs and privacy policies are frequently terribly confusing for grown ups. Expecting a child to make sense of 1,000 very legal words is unfeasible. Social networks are absolutely in the business of providing services for free, and then using analytics to drive advertising on their sites.

Often, privacy settings are defaulted in a way which makes it easier for marketing/advertising/data-gulping to take place. Some examples:

• Allow third party/relevant advertising tailored to your interests

• GPS location set to on (usually ties into the targeted advertising point above)

• Find your friends (in other words, import your address book and make connections between email addresses and social media profiles)

These are things which may sound helpful, and no doubt are to some, but everybody using an app does not need any or all of these enabled by default. With this in mind, here’s what to tell your kid about default settings:

Look out for anything mentioning offers, location, advertising, relevant content, and finding friends. All of these options and settings help the site you’re using to operate, but they’re not necessarily going be helpful for you too. Before you start posting, ensure options like location in particular are disabled unless you have a very good reason for needing it.

2. It’s all about location

We touched on this briefly above, but this is a key component of your “Please watch out for these things” conversation. Trolling. Doxxing (grabbing personal details in a way which identifies an individual and then publishing them online). Swatting (sending fake emergency calls to law enforcement which results in armed officers crashing through your door). All of these things are very bad, and you don’t want your child getting tangled up in any of it.

Sadly, location services on social networks can cause problems in this area. Sometimes location is kept private for the user only. Other times, the location is in full view. It may be somewhat generic and say a major city like London, or it may drill down to a street.

Even without tech related issues or troublesome settings, the real-world can also give details away. Thanks to open-source tools, reverse image searches, and crowd-sourcing data, it’s never been easier to give the locational game away:

• A letter in a photograph with your address on it
• Unique identifiers (views outside a window, for example)
• Regional dialects or other specific references in the background of video footage

Almost anything can provide somebody with the clue to get an idea of where your child may be living. Here’s what to tell your child:

Pay close attention to the world around you if you’re a fan of streaming, Tik-Tok, or selfies. Keep your home, identifiable locations, and anything with your name and address on it out of shot. Even grown ups make these mistakes, so it’s very easy to accidentally do it yourself. Oh, and if you’re going on holiday you may wish to reference it only once you’ve returned home. Tales of empty houses being broadcast to the world at large on social media may not end well.

3. The value of anonymity

Back in the olden days, most of us were online using a pseudonym. It wasn’t massively common to have your real name or other potentially unique identifiers following you around from site to site. In fact, for the first few years of my security career, writers and journalists referred to me as my online handle because they didn’t actually know my name.

This is a far cry from what we currently have, with real names everywhere, verified profiles, authentication, and the common refrain that only people with something to hide don’t use their real name.

The reality is, people don’t use their real name online for all sorts of valid reasons. There might be domestic abuse or harassment issues. They may live somewhere where free speech or being critical of their government is frowned upon.

However, it’s important to note that you don’t have to be in one of the above awful scenarios to insist on anonymity of one form or another. Indeed, going down the anonymous route from the get-go may help ward off potentially unpleasant situations at a future date anyway.

Most sites will allow you to use whatever visible username you like. A few insist on real names, but it’s unlikely your kids are currently hanging out on Facebook. While you’re usually asked to put a real name alongside your online handle, it’s not mandatory and there’s a good chance nobody will ever check what you put there. Nor are the platforms likely to suddenly lock an account and demand additional verification of some kind at a later date. Here’s what you should tell your children about this issue:

There’s nothing wrong with being anonymous on social media, and unless the site explicitly asks for a real name and additional information you shouldn’t feel pressured into handing it over. Keeping yourself anonymous also helps to ward off some of the issues related to location oversharing. Pick the level of generic anonymity that you’re comfortable with.

4. Watch out for the fakers

Social media is rife with scams, and scammers will happily target anyone in front of them. In fact, some will actively target children specifically because of their likely inexperience in spotting a fake-out. Kids are also unlikely to use additional security measures like two-factor authentication. This means less work for the attacker. Fortunately you can help with this.

Any platform you can think of has scams particularly suited to it. Instagram is awash with Bitcoin scams and bogus competitions. Twitter has lots of phishing, NFT scams, bogus video game downloads, and get rich quick schemes. Facebook sees a fair amount of fake PlayStation sales and more generic Messenger scams. Compromised verified accounts, which add legitimacy to fraud, are common across all platforms.

What you should tell your kids:

Every site has its own groups of scammers, each with their own preferred method of attack. Spend a few minutes reading the site’s security pages to ensure you keep your account safe from harm. If an offer or deal sounds too good to be true, it probably is. Very few social media giveaways are genuine.

If you receive direct messages from strangers, or you’ve been notified that you violated a website policy and need to re-verify your identity, come and tell us and we’ll take a look for you. Never, ever grant someone access to your account…even if they claim to be employees for the site. This is never going to be a genuine request from a member of staff and you may lose your account.

5. Be honest and respect privacy

Many times, young children and teens don’t want the hassle of locking everything down and micromanaging passwords or security settings. They may already have email addresses and various social media accounts. Are those email addresses locked down? Using two-factor authentication? Do your kids know their way around the various security settings across all of their logins? How about password managers?

In these cases, parents often offer to help. Where younger children are concerned, I know some parents who use one of their pre-locked down email addresses to tie social media accounts to. Most of the time, you don’t really need to do much with whatever address you link to Twitter or Tik-Tok or anywhere else, you just need it to tie your username to. As a result, hooking the accounts to a secure email managed by parents can be a quick and easy win for everybody.

Of course, there are privacy issues here to consider. The older the child, the more likely they may be to send other social media users direct messages. Parents should be open about this; some platforms send a digest of all private messages to the connected email account. You can turn this feature on and off in Twitter, for example, but every site is different. You should see how your child feels about this. Some may not care, but others most definitely will. What to tell them:

I’m happy to micromanage the security practices behind the scenes. The trade-off is that some, or all, of what you do may be sent back to me through the email used to register the account. We can check how the site in question works in relation to this, and set it in a way you’d be comfortable with. Remember that sites often change existing features or add new ones, and we may have to adjust as we go.

Closing out the Summer

It’s not easy getting kids ready to go back to school. It’s even trickier to ensure they keep themselves safe from harm online. We hope the advice above will be helpful to you in getting one of those two gargantuan tasks off the table. Stay safe out there!

The United States Attorney for the Southern District of New York has sentenced Ariel “Melo” Jimenez (38) to 12 years in prison for leading a “tax fraud and identity theft conspiracy” that resulted in the fraudulent claiming of tax credits, earning him millions of dollars.

“Ariel Jimenez was the leader of a long-running fraudulent tax business that cheated the Government of tax refunds by stealing the identities of vulnerable children and using those identities to falsely claim tax credits on behalf of his clients,” said US Attorney General Damian Williams in a press release. “Today’s sentence holds Jimenez accountable for brazenly selling the identities of children to his customers for his own profit.”

Jimenez was arrested with eight of his co-conspirators: Evelin Jimenez and Ana Yessenia Jimenez, his sisters; Ireline Nunez, Leyvi Castillo, Cinthia Federo, Guillermo Arias Moncion, Marcos “Junior” De Jesus Pantaleon, and Jose “Jairo” Castillo. The unsealed complaint mentioned a “corrupt New York City employee” and a “cooperating witness” (CW-1), but it didn’t name them.

Modus operandi

According to the complaint, Jimenez conspired with a fraud investigator (known as “CW-1”) within the New York City Human Resources Administration (HRA) when he established his tax fraud business in 2007 in the Bronx. The NYC HRA is a government organization tasked with providing food and emergency rental assistance for those in need.

CW-1 admitted to stealing children’s data, which comprised their names, dates of birth, and SSNs (Social Security Numbers), from the Welfare Management System and selling these to Jimenez. Jimenez would then list these children as dependents on tax returns Jimenez prepared for his clients. Jimenez and his team are said to have callously referred to these children’s identities as “pollitos” (“little chickens” or “chicks” in Spanish).

Jimenez would charge his clients between $1,000 and $1,500 per child he’d fraudulently add to their tax returns. These children are included as false dependents so the taxpayers (Jimenez’s clients) can file for inflated tax refunds.

“Jimenez’s use of stolen identities harmed the actual caretakers of the children who were fraudulently claimed as dependents,” the press release states. “In some cases, the people actually taking care of these children had much-needed tax refunds delayed and were required to prove their actual connection to their own dependent children.”

A lavish lifestyle

Since setting up his business in 2007, Jimenez has amassed millions of dollars, which he used to purchase real estate and fund a lavish lifestyle. He admitted to spending a total of $5.5M buying properties in the US and abroad and buying jewelry, cars, and gambling. He transferred several properties to his parents to hide his source of funds.

On top of a 12-year sentence, Jimenez was ordered to give up three of his properties and pay forfeiture amounting to $14.580M. He was also ordered to pay restitution for $44,769,906.

There’s been some smart phishing campaigns running over the last few weeks, and this one is particularly sneaky. Bleeping Computer reports that a phishing page is targeting Greek taxpayers with a tax refund scam. The added sting in the tail comes in the form of an embedded keylogger which grabs everything entered onto the page.

An untimely tax refund

The phishing mails rely on that time-honoured tradition of bogus tax returns and non-existent refunds. The landing page, which mimics an official gov.gr portal, reads as follows:

The Hellenic Tax Office has calculated your tax return, you are entitled to a tax refund of Є634.13 (around $633 USD). We have tried to transfer the amount to your account. Unfortunately we were unable to confirm your current account number.

What follows is a drop-down form where the victim can select their bank and “log into the portal”. According to researchers at Cyble, there are several URLs being used to phish victims and they all do a decent job of imitating the real deal. Multiple major banks are listed in the drop-down menu, and the bogus bank pages closely resemble the real thing. Unfortunately for site visitors, this is where the previously mentioned sting in the tail comes into play.

A sneaky way to grab data

Phishing sites typically rely on the visitor hitting the submit button to send their personal information into the hands of the scammers. If someone realises something isn’t quite right at the last minute and abandons ship, the scammers are left with nothing.

In this case, the site has an embedded JavaScript keylogger ticking away in the background. What this means is that anything entered into the various entry boxes is grabbed via the keylogger and immediately sent to the fraudsters. In this scenario, realising something is wrong may not save the victim. Anything they punched into the site up to that point will already be waiting for the phisher to retrieve at their leisure. Sure, they may have only entered information which won’t help attackers, but smart scammers using this technique will likely front load entry forms with the important details first.

What can you do?

Tools used to block third-party trackers reportedly aren’t effective against this kind of embed. With that being the case:

• Tax refunds are rather rare for most people, so question the authenticity of such a claim should you receive one. Contact your local tax authority directly. Many host an up-to-date list of common and current tax scams, which may help to answer your question before you’ve even picked up the phone.

• Rogue attachments are common where fake tax refunds are concerned. If you happen to open a file from someone you weren’t expecting, don’t disable your software’s “read only” mode or its closest equivalent. Steer clear of enabling Macros, too.

• If you believe you’ve entered any data on a phishing site, there’s a small chance it may have a JavaScript keylogger running under the hood. If you know your way around code, you might be able to spot it. If not, you’re left with the hassle of trying to figure out if you need to take some action. Did the site ask for logins upfront, before anything else? Payment details? Certain forms of personal information? It’s time to do a small risk assessment checklist, and then make the appropriate decision as to whether you need to change passwords, cancel your card, or more.

Malwarebytes users are protected from the domains used in this attack. Stay safe out there!