IT NEWS

Malware spent months hoovering up credit card details from 300 US restaurants

Criminal hackers have been able to steal at least 50,000 credit cards from 300 restaurants in the US, after launching two Magecart campaigns that target the MenuDrive, Harbortouch, and InTouchPOS online payment platforms:

Magecart is a web-skimmer—malware that is injected onto a vulnerable website so it can steal credit card information as it’s entered into the site’s checkout. Because it does not interupt card payments, it just quietly siphons off users’ card details, it can be very difficult for both its victims and their users to spot.

Recorded Future’s Insikt Group recently identified two Magecart campaigns targeting the aforementioned online payment platforms. Stolen details were offered for sale in various underground marketplaces on the dark web.

“Online ordering platforms are a very attractive target since they deal with many vendors downstream, which also means a high number of customers are going to be entering payment data that could be skimmed,” said Jerome Segura, Senior Director of Malwarebytes’ Threat Intelligence Team, and an expert in web skimmers.

Although MenuDrive, Harbortouch, and InTouchPOS are not as popular as Uber Eats, Hungrrr, or DoorDash, many small, local restaurants across the US outsource their online ordering process to them as it’s cost-effective.

The Insikt Group discovered the first Magecart campaign on January 18 this year, affecting 80 restaurants via MenuDrive and 74 restaurants via Harbortouch. On both platforms, the skimmer was injected into the restaurant’s web pages, including the subdomain on the online payment service’s platform.

Skimmers deployed two scripts to MenuDrive, one built for stealing payment card details, the other made for stealing user details like the card holder’s name, email address, and phone number. On Harbortouch, however, only a single script is used to steal all personally identifiable information (PII) and card details.

mwb code
The skimmer code use on MenuDrive with the exfiltration URL highlighted in orange.

The campaign against InTouchPOS started earlier than the other two—around November last year—but most skimmer injections didn’t happen until January 2022.

Instead of stealing data as it was entered into the site, the InTouchPOS skimmers overlaid the site with a fake payment form for users who are ready to checkout.

“Attackers routinely probe networks using automated tools or a more manual approach, especially if the target is deemed highly valuable,” Segura said. “Compromising a third-party site breaks the chain of trust already established between a provider and a merchant but on a scale of ‘one to many’.”

The post Malware spent months hoovering up credit card details from 300 US restaurants appeared first on Malwarebytes Labs.

Lock down your Neopets account: Data breach being investigated

Bad news for players of long-time virtual pet management title Neopets. Word is spreading of a compromise claimed to have accessed around 69 million user accounts. This compromise, posted to a hacking forum, is said to include both the database and around 460 MB of compressed source code from Neopets.com.

Data claimed to have been taken includes:

  • Usernames
  • Names
  • Email address
  • Date of birth
  • Zip code
  • Date of Birth
  • Gender
  • Country
  • Registration email

Considering the young age of many Neopets players, this would be quite bad from a privacy and safety standpoint, if the breach turns out to be genuine. This wouldn’t be the first time Neopets has experienced a breach situation either. Back in 2014, “tens of millions” of Neopets accounts were said to have been traded on underground forums. The data in question had apparently been compromised prior to the current owners, Jumpstart, acquiring Neopets.

In 2020, there were claims of ways to potentially gain access to user accounts. Neopets also addressed this. Unfortunately, the current owners may now have a whole new incident to deal with.

Is this a genuine compromise?

There is currently no explanation of how the individual claiming to have done this managed to achieve their database swipe. BleepingComputer, who first reported this, has not been able to find independent verification of the breach. References to confirmation from the Neopets team on Discord actually came from volunteer moderators.

Nevertheless, there is some official recognition of something having happened behind the scenes. For example, the official Neopets twitter admits it “recently became aware that customer data may have been stolen” and has engaged the services of a forensics firm:

What does this mean in practice? Well, we won’t know for sure until more information is released. One common occurrence in situations such as these is for large, existing data dumps to be passed off as new. When the data is examined, it often turns out to be lots of old stolen data bundled in with new content. Or it can even be old data across the board! Without proper analysis and comparison to old data, it’s wise to wait and see.

The main thing to note for now is that Neopets has acknowledged something has happened, and is looking into it. In the meantime: what can you do as a Neopets user, or as someone with a child in the house who plays it?

Tips to keep your Neopets account safe

  1. Change your password, as Neopets suggests. Don’t use something you’ve used previously on the Neopets site, or on any other site. This may be time to start looking at a password manager, for added safety. No need to use easily guessed passwords if you can store complex logins inside a management tool instead!
  2. Don’t tell anybody your password, whether they’re other Neopets users, or people on random forums or Discord servers. You won’t receive any free gifts or special in-game items for doing so; you’re just risking losing your account.
  3. Be wary of Neomails phishing attacks, sent your way via the Neopet site’s private message system. The only official communication you’ll receive via Neomail would be from “theneopetsteam”, in the form of warnings.
  4. Watch out for email phishing attempts via the mail you have registered to the site. If this data is truly out there, phishers will almost certainly try their luck. Gaming accounts of any kind are always juicy targets for scammers.

At this point, we’d typically suggest also making use of two-factor authentication to keep your login more secure. Unfortunately, Neopets doesn’t currently offer a way to do this. As a result, it’s even more important that you try and keep your Neopets logins safe with a strong password.

The post Lock down your Neopets account: Data breach being investigated appeared first on Malwarebytes Labs.

A week in security (July 18 – July 24)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (July 18 – July 24) appeared first on Malwarebytes Labs.

The winding road to compliance

“Here are the keys. Buy milk and bread. Drive safely.”

These are important instructions for a new driver tasked with running an errand. But unless the driver knows where they are going, a bit of guidance on how to get to the store can only help. Without it, the driver may complete the errand successfully, or at least make a good effort; but they might not complete the errand or be inefficient in the attempt.

For IT and security teams, aiming for compliance feels eerily similar to running errands without
direction.

Like the driver, these users want to accomplish the task at hand (in this case, regulatory
compliance) but are often stymied by the ambiguity or lack of direction on how to do so. Often,
compliance standards define the ultimate objectives, but give organizations the flexibility to determine
for themselves the path they take to get there.

Consequently, some users experience the equivalent of making three left turns when they didn’t know they could have just made a right.

Navigating by the stars

Freedom to define your own path has some benefits, of course. So, how do you reach the goal
efficiently to optimally protect your organization against breaches?

If you’re working through this question, you’re not alone. In fact, data from earlier this year suggests more cybersecurity decision-makers are focused on ensuring governance and compliance standards are met (56%), topping the list of priority projects during the first quarter of 2022.

It’s no secret that complying with leading standards in your industry protects your business in several
ways – some more obvious than others.

Immediately, there is the imperative protection for corporate data, personally identifiable information (PII), intellectual property, etc., and mandatory compliance with these protections to operate in certain industries or countries. Then there are the expanded values gained from compliance, such as assurances you can provide to executives and Boards about the organization’s cybersecurity posture, or your improved stance for cyber insurance.

Overriding all of these benefits is the primary reason compliance programs exist: to increase organizations’ level of prevention against an attack (akin to the “drive safely” instruction to a new driver).

Help along the journey

With the freedom to choose how you meet compliance requirements, a navigator who is easy to travel
with and able to help guide you efficiently can be the best kind of travel companion. You need a solution
partner who can help you check off some of those distance-markers along the compliance highway.

Malwarebytes EDR includes essential threat prevention capabilities to keep nefarious actors from
entering your environment.

These are complimented by threat detection and remediation tools to help you identify threats that get past the gate, so your IT or security team can respond effectively and efficiently. The platform aligns nicely with NIST and ENISA attack response frameworks, which include guidelines for best practices that help you achieve compliance.

Compliance may not be the pinnacle of your journey, either; perhaps your organization’s focus is
reinforcing specific attack surfaces. In cases like these, the value of an expandable, cloud-based platform becomes apparent.

Malwarebytes EDR is built to run in our Nebula cloud platform, which empowers you to easily add
modules that fortify specific vectors. For example, adding our Vulnerability Assessment and Patch
Management (VPM
) modules to your Malwarebytes EDR deployment helps protect against software exploits.

Connecting our DNS Filtering module yields greater control over internet browsing and content
access, providing end users a safer, more secure web experience. In addition to their inherent enhanced
protection value, these modules help businesses with specific HIPAA, PCI and GDPR compliance criteria,
and public sector entities meet additional requirements of CJIS compliance, for example.

Drive safely!

The path to compliance is easier with an informed companion. Malwarebytes EDR helps you navigate
the compliance highways and byways, like a travel companion with experience in and expert knowledge
of the routes to optimal protection. Our platform is easy to learn and use and can effectively help you
reach your compliance destination (and beyond). Get started with an EDR demo or trial today.

The post The winding road to compliance appeared first on Malwarebytes Labs.

The Wren Eleanor story: Why you should keep your kids’ images off social media

TikTok moms have started a movement: Calling out potential creeps who follow child influencer accounts on the platform. The latest account in the spotlight is @wren.eleanor, a TikTok account with a massive 17.3 million followers. It’s an impressive number and one that got the attention of armchair sleuths.

@hashtagfacts, another account, posted a video about what other people on TikTok have observed about this account’s followers. They’ve noted the number of times specific clips of 3-year-old Wren have been saved. Perhaps, more surprisingly, they’ve taken note of the pre-filled texts that appear in TikTok’s search box when one starts searching for “wren”.

And that’s just the tip of the iceberg. Many also found a lot of “disgusting comments left by men” in certain videos about Wren.

“My daughter is 12 and a half,” @hashtagfacts said in her video post, “The issue with all of these saves and the follows are that people are watching your children. And doing disgusting things.”

“Protect your children.”

Regardless of your intentions when you post pictures and videos of your children publicly, realize and accept the fact that the Internet, with all its awesomeness, also harbors creeps who follow social media accounts featuring kids for disturbing reasons. It’s safe to assume they’re everywhere: Facebook, Instagram, YouTube, TikTok, Omegle, and others.

The simplest way to protect your children from the harms you know, and especially the harms you don’t, is to keep them off social media entirely. Let them decide how they want to use it when they are old enough to understand and navigate the risks they face. That means no social media accounts for them, and no posting images of them on your own accounts.

If that simply isn’t an option for you, for whatever reason, there are ways that you can still safely share photos and videos of your kids on social media while keeping them far away from the hawking eyes of online child predators. In reality, there are many things we can’t control when it comes to protecting our children. However, as one TikTok commenter correctly pointed out, we can control what we post online about our kids.

So, parents and carers, let’s take control.

Take your social media accounts private

If you need to act quickly but don’t have the time now to weed through all the media to pick which ones to delete and keep, consider protecting your tweets or making your Instagram account private.

Doing this also gives you time to think about what to consider before deciding on where you stand with the sharing of your child’s photos and videos. Because at the end of the day, you, the responsible parents and carers, get to decide, not people on the internet.

Limit access to the child’s photos and videos

Even though your entire account is public, some social media platforms allow you to pick and choose who among your contacts can see specific things you share. Better yet, share to a Private group on Facebook and Instagram comprising only of close family members and friends you’ve known and trusted for long enough you consider them as family.

The smaller the circle of trust, the better.

Yes, share via secure messengers and private albums

Social media platforms aren’t the only places where you can safely share pictures and videos of your kids. Secure messengers like iMessage, WhatsApp, or Signal can also do this for you, so make good use of them.

If your family and friends all have Apple devices, or if you use Google Photos, you can also set up a private, shared photo album where you can share media of all family members safely.

Prepare your kids for a life with social media

Posting media of your kids on social media is one thing. Creating social media accounts for them, whether they meet a social network’s minimum age requirement or not, is quite another. Because for children, especially girls aged 11 to 13, who are targeted by online predators more than other groups, just being online is already a huge risk.

Don’t assume they know enough to look after themselves. Make sure they do. We suggest you adopt T.A.L.K., a series of comprehensive and actionable steps parents and carers can take to help guide kids through a safe online experience as they grow up.

T.A.L.K. stands for:

  • Talk to your child about online sexual abuse. Start the conversation—and listen to their concerns.
  • Agree on ground rules about the way you use technology as a family.
  • Learn about the platforms and apps your child loves. Take an interest in their online life.
  • Know how to use tools, apps and settings that can help to keep your child safe online.

Age shouldn’t be the only indicator for when you can allow your kids to start exploring the wider Internet more. Maturity of mind should be considered, too.

We also believe that part of keeping kids secure online is developing their self-esteem. So no matter what negativity the online world throws at them, they will rise above it. An insecure child will easily succumb to criticisms, want to be famous, or feel the need to get approval and acceptance from everyone.

Putting them in front of the camera for millions of people to watch and look at won’t build up the self-esteem your child needs.

The post The Wren Eleanor story: Why you should keep your kids’ images off social media appeared first on Malwarebytes Labs.

Vulnerabilities in GPS tracker could have “life-threatening” implications

Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.

The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled ICSA-22-200-01: MiCODUS MV720 GPS Tracker.

What’s happened?

The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities. In total, there are 1.5 million of these devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.

If the vulnerabilities are successfully exploited, an attacker could take control of the tracker, giving them access to location, routes, and fuel cutoff commands, as well as the ability to disarm various features like alarms. The found vulnerabilities are very diverse and would imply that the application was not built with security in mind. Or certainly not top of mind.

The vulnerabilities

Hard coded credentials

CVE-2022-2107: The API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

Improper authentication

CVE-2022-2141: SMS-based GPS commands can be executed without authentication.

Improper neutralization of input during web page generation

CVE-2022-21999: The main web server has a reflected cross-site scripting (XSS) vulnerability that could allow an attacker to gain control by tricking a user into making a request.

Authorization bypass through user-controlled key

CVE-2022-34150: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.

Another authorization bypass through user-controlled key

CVE-2022-33944: The main web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.

Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.

Mitigation

Since MiCODUS has not provided updates or patches to mitigate these vulnerabilities, users are advised to turn the vulnerable devices off.

The researchers first contacted MiCODUS about the vulnerabilities in September 2021, and due to a lack of response CISA and BitSight decided to publish their research.

The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.

Facebook gets round tracking privacy measure by encrypting links

A form of individual tracking specific to your web browser is at the heart of a currently contested privacy battle, and one which Facebook has just got the upper hand to.

This type of tracking involves adding additional parameters to the URLs that you click on a daily basis. When you click one of these parameter-laden links, the organisation which added the parameter to the URL knows that you’ve clicked it.

Sites make use of the added parameters in order to track your clicks across a range of sites or services, an activity which can be monetised for marketing or analytics. A company may also be able to know where you visit away from their own website. The marketing possibilities are endless, and so too are the privacy implications.

Browsers tackle the problem of tracking parameters

Major browsers have been looking at this issue for a while, and some now strip the tracking from urls.

At the end of June, Firefox rolled out something called “Query parameter stripping“. Now, when you click a link or copy and paste it, Firefox removes all forms of tracking appended to the URL you wish to visit. When you click the link and arrive at the other end, it’s as though the tracking aspect added to the URL was never there in the first place. It’s worth noting that this feature is disabled by default unless you’re using private browsing, and needs to be enabled in the Privacy & Security section of the browser options for it to work.

Firefox isn’t alone in this fight. Other browsers, like Brave, have been addressing this issue for some time already.

As Brave explains, removing and blocking other aspects of a site for security or privacy purposes can prevent the site from working correctly. For example, disabling JavaScript may reduce the risk of attacks in your browser, but it may also break the websites that you visit. Blocking cookies may steer you away from invasive tracking, but it could also prevent you from logging in.

However, unlike the two examples above, stripping tracking parameters from a link doesn’t generate usability issues. If you take one of them out, the site carries on working as intended.

So far, so good.

Unfortunately for those with a fondness for removing tracking parameters, this may not be the case for much longer. Some organisations which make use of added parameters are presenting browsers and surfers with a stark choice.

Keep the tracking…or break the site.

Facebook: A knock-out blow?

Up until now, Facebook was using “Fbclid” in its URLs for parameter tracking. You may well have seen this appear in your URL bar as part of the addresses you’ve been clicking on. Web browsers keep track of all the additional parameters added to URLs, and strip them out as they appear. If a site changes the text of their additional parameter, the browser would have to update its own lists to be able to continue stripping them out.

Instead of playing a never-ending game of changing their parameter additions, Facebook is trying something very different, which is sure to cause the browser developers some headaches on the parameter stripping front.

Facebook has now switched to encryption for its parameter tracking needs. What this means is that the encrypted part of the URL is essentially part of the whole URL. If you remove it, you won’t be directed to the specific page you’re looking for. As per the example given on this Ghacks article: You’ll arrive on the main landing page for a site, but not the article you’re looking for.

The only real workaround for this at present is to try and avoid as much as Facebook’s tracking as possible. This isn’t always something you’re easily able to do. At the bare minimum, you’d want to consider signing out of Facebook and blocking all Facebook-centric domains. This doesn’t solve the issue of encrypted URLs though, and it’s likely that anyone already happy to strip URLs may have been doing this in the first place.

Browser developers: your move.

The post Facebook gets round tracking privacy measure by encrypting links appeared first on Malwarebytes Labs.

Another ransomware payment recovered by the Justice Department

The Justice Department today announced a complaint filed in the District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. The seized funds amounting to half a million US dollars, include ransoms paid by health care providers in Kansas and Colorado.

Maui ransomware

Deputy Attorney General Lisa O. Monaco said at the International Conference on Cyber Security:

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui.’”

Malwarebytes recently reported on the North Korean APT that targets US healthcare sector with Maui ransomware. The FBI started responding to incidents involving Maui in May 2021. Unlike the ransomware we usually see that plagues organizations and regularly hits the news, Maui is never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is, instead, developed and used privately for state-backed actors.

New at the time

According to court documents, in May 2021, North Korean hackers used a ransomware strain called Ransom.Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of its computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.

Follow the money

In April 2022, the FBI observed a payment of approximately $120,000 in Bitcoin into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The following investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.

Not the first time

We’ve seen ransomware recoveries in the past and we hope to see many more in the future. The most well known and probably one of the first was when the US Department of Justice recovered much of the ransomware payment that Colonial Pipeline paid to free itself from the attack that derailed the oil and gas supplier’s operations for several days.

Another example: The University of Maastricht in the Netherlands was hit by ransomware in December 2019 and paid a ransom of 197,000 Euro in Bitcoin. A part of this ransom was recovered in 2020 from a laundering operation in Ukraine. Due to the difference in Bitcoin prices, the University received a return payment of 500,000 Euro. The “profit” will be donated to disadvantaged students.

Mitigation

Even though ransom recovery is a good thing, it only happens on rare occasions and the general advice is to refrain from paying ransoms. It doesn’t guarantee you will get your data back, nor does it free you from recovery costs (because you still have to harden your system against the next attack), and it marks you as a target for repeat attacks.

Although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:

  • Maintain offsite, offline backups of data and test them regularly.
  • Create a cybersecurity response plan.
  • Keep operating systems, applications, and firmware up to date.
  • Disable or harden remote desktop protocol (RDP).
  • Require multi-factor authentication (MFA) for as many services as possible.
  • Require administrator credentials to install software.
  • Report ransomware incidents to your local FBI field office.

Stay safe, everyone!

The post Another ransomware payment recovered by the Justice Department appeared first on Malwarebytes Labs.

Google ads lead to major malvertising campaign

Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that goes mainstream and targets some of the world’s top brands.

Case in point, we recently uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.

What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar.

Hijacking traffic from on a specific user flow

The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).

Let’s say you want to load YouTube and type ‘youtube’ instead of entering the full address ‘youtube.com’ in the browser’s address bar. The first result that appears shows ‘www.youtube.com’ so you are likely to trust it and click on it:

yt

Hijacking traffic in such a way is a clever and likely profitable scheme outlining some of the issues and abuses associated with the placement of ads versus organic search results.

The top searches we have seen for malware-laden ads in this campaign are:

  • youtube
  • facebook
  • amazon
  • walmart

Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them.

Cloaking and other violations

The technique used to divert traffic for malicious purposes is known as cloaking and is based on two prerequisites:

  • User looks fake (non residential IP address, wrong user-agent string or simply a crawler)
    • A redirect to the requested website will take place
  • User looks legitimate
    • A redirect to a different site and different content happens

As per Google, “Cloaking is considered a violation of Google’s Webmaster Guidelines because it provides our users with different results than they expected.” Again, based on Google’s policy violation a buyer that uses a creative (ad) containing malware can be suspended for a minimum of three months.

rules

Traffic and redirects

There is a short chain of redirects leading to the browser locker. In this section we will take apart another malicious ad for Facebook this time. The ad is of course quite misleading as there is nothing that indicates that clicking on it would redirect anywhere else but to the requested website. Note how it appears before the top organic search result, guaranteeing a higher click rate.

ad

The redirection mechanism is engineered in such a way that static analysis of the HTML code is difficult and does not give away the browser locker URL easily.

traffic

First redirect

This page determines whether to load decoy content (in this case the legitimate Facebook website) or a secondary script on the same attacker-controlled infrastructure.

redirect

Second redirect

This is where the browser locker URL is found and we can see that the threat actors don’t actually want to make a formal redirect but instead are loading it within an iframe.

decode iframe

When the page is rendered, the main address bar still shows the .com (cloaking domain) while the content is actually loaded from an iframe (100% width and height) from a disposable CloudFront URL.

iframe

Multiple cloud platforms affected

Below are examples of malvertising chains we have observed using slightly different variations but that we believe are related to the same threat actor. They used a clever approach by adopting different flows for the cloaking and browser locker such that detecting and taking down one would not impact the overall campaign.

Specifically, we see the threat actor using more expensive domains mixed with disposable domains on shady TLDs. For infrastructure, again they diversified between paid VPS on hosting companies and free cloud providers (PaaS).

Traffic flow – case 1 : throwaway domains

  1. Google search: google.com/search?q=walmart&{…}
  2. DoubleClick ad network: ad.doubleclick.net/ddm/clk/{…}
  3. Cloaking domain: ssgvbcxcc[.]ga/?url=https://www.walmart.com/ip/{…}
  4. Browser locker: prolesscodenet856[.]ml/erxczzxEr0rgdxvngEr0hjhvhhxEr0cbchk0252infoyxZdzc

Traffic flow – case 2: IP address

  1. Google search: google.com/search?q=walmart&{…}
  2. Ad platform: clickserve.dartsearch.net/link/click?_v={…}
  3. Cloaking domain: gettouy[.]org/t2/?url=https://www.walmart.com/ip/{…}
  4. Browser locker: 159.203.183[.]136/windowsecurity/

Traffic flow – case 3: Digital Ocean PaaS

  1. Google search: google.com/search?q=facebook&{…}
  2. Ad platform: clickserve.dartsearch.net/link/click?_v={…}
  3. Cloaking domain: playcrpm[.]com/?url=https://www.facebook.com/f{…}
  4. Browser locker: starfish-app-irxap.ondigitalocean[.]app/{…}&number=1-866-896-0189{…}

Traffic flow – case 4: Azure cloud

  1. Google search: google.com/search?q=zillow&{…}
  2. Ad platform: clickserve.dartsearch.net/link/click?_v={…}
  3. Cloaking domain: vlt[.]me/.2zqd4/?url=https://www.zillow.com/?url={…}
  4. Browser locker: wdq23r2fdadqwdqwdfwedadasasd.azurewebsites[.]net/fC0deJdfd008f0d0CH888Err0r80dBG88/index.html

Reporting and protection

As far as we can tell, these different campaigns have been going on for several weeks already. Although we don’t have statistics to figure out how many people were exposed, we can infer that the number was high based on a couple of factors:

  • The ads target popular keywords (which also indicates that the threat actors are not opposed to paying a premium)
  • We were able to replay the malvertising chains in our lab multiple times (live replays of malvertising on high profile sites is usually difficult)

We reported the malicious ads and flagged them under the “An ad/listing violates other Google Ads policies” category.

report

We also shared and are currently sharing the cloaking domains infrastructure with relevant parties. The browlock domains themselves have such a short lifespan that it is practically useless to act upon them.

Meanwhile, Malwarebytes users were already protected against this campaign thanks to our heuristic detection of the browser locker pages that force a fullscreen and auto play an audio warning.

Indicators of Compromise

eauxedrill[.]com
shopmealy[.]com
aeowqpeqwpa924[.]ga
ejdcvvdhsjdj[.]ml
feopqwoeqw245[.]ga
iowqepwoqe425[.]ga
rasteringfileweb539[.]ga
rsgdkffvsjkoavd[.]ml
ssgvbcxcc[.]ga
gettouy[.]org
getcdprm[.]org
playcrpm[.]com
monhomedecore[.]com
allnewz[.]site
vlt[.]me
youtubelinktrack[.]live
morth[.]buzz
abhihomeabh[.]com
kalarahulshet[.]com
tevarsingh[.]com
bhtl[.]digital
cduitiek[.]tk

The post Google ads lead to major malvertising campaign appeared first on Malwarebytes Labs.

Ring shares data with police without consent (but it’s in good faith), says Amazon

Ring, the Amazon-owned company behind the popular smart doorbells, has admitted to giving doorbell data to law enforcement willy-nilly. All they have to do is fill out a form called the Amazon Law Enforcement Request Tracker—no need to ask for the data owner’s consent, give a warrant or court order. The company revealed this in response to a letter Senator Edward Markey (D-Mass.) sent Amazon in June 2022.

Senator Markey’s letter contains a request for updates regarding the steps Ring has taken “to remove private policing agencies from its Neighbors Public Safety Service (NPSS), reduce the potential for its products to be misused in harmful ways, and protect individuals’ right to privacy.” The NPSS is a means for public safety agencies, which include law enforcement, to connect with their local communities that can publicly share posts or video recordings to the Neighbors App feed.

Amazon responded in writing to Senator Markey’s letter, but the response was only revealed to the public recently. Below are some takeaway points from the response:

  • Ring refuses to change the default setting of automatically recording audio when recording videos via its doorbell camera.
  • Ring currently doesn’t have a voice recognition feature. But that doesn’t mean it won’t in the future.
  • There are currently 2,161 law enforcement agencies and 455 fire departments on the NPSS platform.
  • Ring generally doesn’t allow private security companies on NPSS, and it will only onboard such companies “if they are peace officers under state law and subject to constitutional restrictions.”
  • Ring affirms its right to respond immediately to law enforcement requests under emergency circumstances involving imminent danger of death or serious bodily harm. At times like these, it says, it will share details without asking for consent. And it has done so in 11 incidents this year.

Brendan Daley, Ring’s spokesperson, told Politico that although Ring doesn’t need user consent when handing footage to law enforcement with warrants, it does notify the owners of the video footages.

Speaking with Ars Technica, Policy Analyst for Electronic Frontier Foundation (EFF) Matthew Guariglia said, “There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are Ring and the police, both of whom, as far as I know, don’t have a great reputation when it comes to deciding when it’s appropriate to acquire a person’s data.

~ Matthew Guariglia, EFF

The Policing Project at New York University (NYU) School of Law recently concluded its two year audit of Ring to improve its products and services, focusing on NPSS. Ring admitted to making more than 100 changes to its products, policies, and legal practices. This includes the introduction of Requests for Assistance, which ensures transparency on the part of public safety agencies when asking for assistance from communities in the form of information or video as part of ongoing investigations. The company deliberately created Requests for Assistance to keep control of owners’ hands, not the requesting agencies.

When it comes to sharing private data, both the NYU and Guariglia have landed on the same conclusion: Policymakers need to lay more ground rules on how much private surveillance data police can rely on.

The post Ring shares data with police without consent (but it’s in good faith), says Amazon appeared first on Malwarebytes Labs.