IT NEWS

If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake

Our spam traps recently caught a phishing scam that neatly illustrates some of the tactics scammers routinely use to get past both human intuition and automatic detection.

The scam starts with an unsolicited email, of course…

A scam email posing as a message from the Post Office

The scam email is ostensibly from the Post Office, an instantly recognisable postal service brand in the UK, and it tells recipients “There is a update in your parcel. item stopped due to unpaid customs fee.” [sic] This is an echo of an extremely popular SMS scam from 2021 that told recipients they had to pay a small postage fee to release a parcel waiting for delivery.

The spelling and grammar in the email is predictably awful, and a little weird—it looks like a bad scan by optical character recognition (OCR) software. However, despite decades of security advice highlighting poor spelling and grammar as an enormous red flag, the fact is it doesn’t seem to hurt the scammers. So while other tactics have evolved, poor English has persisted.

As simple as it is, and as bad as it seems, the message includes a number of features that help to avoid raising suspicions:

It’s a familiar message from a trusted brand

Half the email is taken up by a giant logo for an organisation that is instantly recognisable to anyone in the UK. The scammers are building trust in the sender and telling users this is about a postal delivery, without writing a word.

They are also piggybacking on a very familiar form of email communication. Delivery companies like DHL and Royal Mail regularly bombard us with email and SMS updates about deliveries, recipients are often asked to click through to websites to track parcels, and occasionally they have to pay postage or customs fees.

The address looks good

The From address starts with “PostOffice.co.uk”, which suggests it came from the postoffice.co.uk domain. However, that is only the Display Name, a free-text label that can be anything the sender wants. The actual address is the part in angle brackets: support@subsecure-community.zendesk.com.

Some sharp-eyed users may spot that it’s actually a zendesk.com email address, but Zendesk itself is a trusted system that’s used by big brands, and getting an email from Zendesk isn’t unusual either.

Because Zendesk is an online business, it makes setting up new accounts very easy. And because it relies heavily on email, it uses features like DKIM to minimise the chances of its emails being forged or flagged by anti-spam tools. By setting up genuine Zendesk accounts, the scammers are able to benefit from those security features, and the trustworthiness of the zendesk.com domain.

Of course criminals don’t expect their accounts to last long, and this one was quickly shut down.

The scammer's Zendesk account no longer exists

The links don’t look bad

Users who hover their pointer over the email’s links, hoping to see if they look nefarious, will be disappointed, as they’ll just see an impenetrably-complicated URL. A lot of emails use odd-looking and convoluted URLs, so it’s rare to see links that are obviously good or obviously bad, and these are unlikely to ring alarm bells.

The only oddity that might tip off knowledgeable users is that links go to Google. They look like this:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

This URL in the email is borrowed from a Google search results page. Why? Because the links in Google search results pages are open redirects that can be used by anyone to create a google.com URL that will redirect to a web page of their choice. Many companies regard open redirects as a security vulnerability, but Google does not.

The web page you end up on if you click the link in the phishing email is the one carried in the url parameter of that link (we’ve replaced the name of the compromised website with example.org):

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

The Google open redirect helps to hide the real URL from curious users, but it may help to hide it from automatic detection too. The redirect on google.com is performed by JavaScript rather than by an HTTP redirect, so automated tools that follow chains of HTTP redirects won’t reach the scammer’s website; they’ll simply stop at google.com, which returns a status of 200 OK rather than a 301 or 302 redirect.
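The two checks described above, the display name versus the real sending address and the unwrapping of a google.com/url link without following it, as an added Python example. This is not code from the original post: the sample message is constructed from the From header and the link quoted in the article, and the list of redirector hosts is an assumption of the example.

```python
"""Phishing header triage: display-name/address mismatch and open-redirect
unwrapping. Added illustration, not code from the original article; the
sample message below is constructed from the details the article quotes."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample: the From header and one link as described in the article.
SAMPLE_EMAIL = """\
From: PostOffice.co.uk <support@subsecure-community.zendesk.com>
Subject: There is a update in your parcel
Content-Type: text/html

<a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA">Pay fee</a>
"""

# Hosts whose /url endpoint redirects to whatever is in the url= parameter (assumed list).
REDIRECTORS = {"www.google.com", "google.com"}

_DOMAIN_IN_NAME = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def display_name_mismatch(from_header):
    """Return (domain_in_display_name, real_domain) when the display name
    contains a domain that is not the sending address's domain, else None."""
    name, addr = parseaddr(from_header)
    real_domain = addr.rpartition("@")[2].lower()
    m = _DOMAIN_IN_NAME.search(name)
    if not m:
        return None
    name_domain = m.group(1).lower()
    if name_domain == real_domain or name_domain.endswith("." + real_domain):
        return None
    return (name_domain, real_domain)


def unwrap_redirect(url):
    """Return the destination encoded in a google.com/url link without
    requesting it (the redirect happens in JavaScript, so following HTTP
    redirects would stop at google.com). Other URLs come back unchanged."""
    parts = urlparse(url)
    if parts.netloc.lower() in REDIRECTORS and parts.path == "/url":
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return url


def extract_links(html):
    return re.findall(r'href="([^"]+)"', html)


def triage(raw_email):
    """Summarise the indicators in one message."""
    msg = message_from_string(raw_email)
    mismatch = display_name_mismatch(msg["From"])
    links = extract_links(msg.get_payload())
    destinations = [unwrap_redirect(u) for u in links]
    return {
        "from_mismatch": mismatch,
        "redirected_links": sum(1 for u, d in zip(links, destinations) if u != d),
        "destinations": destinations,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Run against the sample, triage reports the postoffice.co.uk/zendesk.com mismatch and resolves the single link to https://example.org/baby-music/ without ever touching google.com, which is the point: the destination is recovered by parsing, not by following the redirect.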

So where does it end up? Right now, nowhere. Whatever was waiting for victims on the compromised website—malware, malvertising, a payment form, or some other equally unpleasant thing—has been removed by the site owner. All that’s left is an empty directory.

empty directory

The scammers, no doubt, have already moved on to a new compromised website, a new “burner” Zendesk account, and a different Google URL.

The post If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake appeared first on Malwarebytes Labs.

Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos

A horrible catfishing scam is using real abuse photos in order to lure in unsuspecting victims on sites like Tinder and Grindr. Recently unearthed by Bleeping Computer, it works like this:

Boy meets good-looking girl on dating site. The longer they talk, the more the conversation turns into a confession of abuse, with good-looking girl providing pictures to back up her story. Good-looking girl then asks boy to “prove” his identity using an ID service which, you’ve guessed it, costs money.

Michael (not his real name) shared screenshots of a portion of his chat records with a “beautiful trans woman” with BleepingComputer.

“I almost fell victim to a uniquely cruel catfishing scheme,” he said.

Michael’s chat session included disturbing images of the alleged abuse. (Source: BleepingComputer)

The woman Michael was chatting with asked that he use a third-party “ID verification” service to prove that he’s not a former sex offender, backing up her request with “evidence” of abuse she’s suffered. “Cassey Queen” directed Michael on what website to use and what to do.

From one of the sites Bleeping Computer found:

“We provide safety insurance in which both parties who are suppose to meet are being verified for safe meet up because some of our members complain that they are being harassed and sometimes ended up being robbed and beaten. We make sure that someone will be apprehended if he make some disrespectful acts.”

Many of the sites ask people to register with their card details and other information, including their full name, country of residence, ZIP code, and email address. The form where users enter their details is an HTML iframe, served by dot com sites with keysmash names. ntrfrnc.com is one of them.

One of the many keysmashed dot com sites that process payment details for scammy “ID verification” sites.

There are a handful of sites with the very same site template, and they all list the same office address in Cyprus.

To verify or not to verify? No need to ask

These “ID verification” services cost victims a lot of cash.

A sample listing of what daters would have to pay should they sign up for an ID check service. Those who sign up are also enrolled in a recurring subscription with membership options. (Source: BleepingComputer)

Additionally, all the details you give to these sites will be stored, processed, and used by these services however they like. This also means they could sell your details to third parties, use them to create synthetic profiles, or use them to pose as you online.

Users on Tinder and Grindr appear to be the targets of this scam, but keep in mind that tactics like this could easily spill over into social media sites and other watering holes that enable people to meet someone new.

Both Tinder and Grindr highly encourage their users to block and report profiles that appear to be a scam. So should you encounter one while looking for a potential date, you know what to do.

Stay safe!

The post Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos appeared first on Malwarebytes Labs.

Massive increase in XorDDoS Linux malware in last six months

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. A 2015 Akamai case study, based on the malware’s targets, strengthened the theory that it is of Asian origin.

Microsoft said that XorDDoS continues to home in on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-service) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is a sophisticated piece of malware. The one simple (yet effective) tactic it relies on is SSH password brute forcing to gain root access on a range of Linux architectures.
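The SSH brute-force entry vector described above, seen from the defender’s side: an added Python example (not part of Microsoft’s or MalwareMustDie’s research) that parses sshd log lines, flags sources with a burst of failed logins inside a short window, and notes whether a success followed. The log lines are constructed for the example, and the threshold, window and the iptables rule format are assumptions of the example rather than anything the report specifies.

```python
"""SSH brute-force detection over sshd log lines. Added illustration code,
not part of Microsoft's or MalwareMustDie's research; the log lines are
constructed, and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines: 203.0.113.10 guesses passwords for several
# accounts and finally gets in as root; 198.51.100.7 is a legitimate user.
SAMPLE_AUTH_LOG = """\
May 25 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 50011 ssh2
May 25 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.10 port 50012 ssh2
May 25 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 50013 ssh2
May 25 10:00:03 host sshd[1204]: Failed password for root from 203.0.113.10 port 50014 ssh2
May 25 10:00:03 host sshd[1205]: Failed password for invalid user pi from 203.0.113.10 port 50015 ssh2
May 25 10:00:04 host sshd[1206]: Accepted password for root from 203.0.113.10 port 50016 ssh2
May 25 10:01:10 host sshd[1210]: Failed password for alice from 198.51.100.7 port 41000 ssh2
May 25 10:01:20 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2022):
    """Parse one sshd line; syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def find_brute_force(log_text, threshold=4, window_seconds=60):
    """Return {ip: summary} for sources with >= threshold failed logins inside
    any window_seconds span, noting whether a success followed."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append((ev["ts"], ev["user"]))
        else:
            successes[ev["ip"]].add(ev["user"])
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):          # sliding window over sorted failures
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = {
                "failures": len(events),
                "max_in_window": best,
                "usernames": sorted({u for _, u in events}),
                "followed_by_success": bool(successes.get(ip)),
            }
    return hits


def block_rules(hits):
    """Firewall rules for the flagged sources (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(hits)]


if __name__ == "__main__":
    found = find_brute_force(SAMPLE_AUTH_LOG)
    for ip, info in found.items():
        print(ip, info)
    print("\n".join(block_rules(found)))
```

The “followed_by_success” flag is the one to triage first: a burst of failures that ends in an accepted password login for root is exactly the pattern the brute-force entry vector leaves behind, and on an IoT device with a default password the burst can be very short.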

As Microsoft said in the report:

“Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

XorDDos’s attack vector (Source: Microsoft)

Securing IoT devices

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company that built your IoT device if you’re unfamiliar or unsure how to do any of the below.

  • Change your device’s default password to a strong one
  • Limit the number of IP addresses your IoT device connects to
  • Enable over-the-air (OTA) software updates
  • Use a network firewall
  • Use DNS filtering
  • Consider setting up a separate network for your IoT device(s)
  • When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media

Ransomware does what the name implies: holds your files or network to ransom. Pay the authors, typically in cryptocurrency, and you may get your files back. Refuse, and the files could be lost forever or even leaked to the far corners of the net.

Sometimes creators of ransomware try different things. In this case, a proof of concept called GoodWill takes a different approach: instead of paying a ransom, victims are forced to perform seemingly nice tasks.

Hunting for GoodWill

In terms of basic functionality, GoodWill works like any other ransomware. It encrypts the most common file types: videos, documents, photos, databases. Without the decryption key, you won’t be able to recover your locked files.

There’s one key difference, however. The people behind this attack want victims to get out there and do some public good. Perform three good deeds, and you get your files back. That’s right: No cryptocurrency payment, no gift card codes required.

Hoop jumping as kindness

Things quickly become a bit disturbing.

Imagine: you’ve just had your computer locked up with ransomware. You’re told you must perform three acts of kindness to get your files back. The catch: you have to film and upload these good deeds to social media. Is this already beginning to creep you out? Because it should.

To be clear: criminals are asking victims of crime to humiliate themselves on social media to recover things stolen from them.

The three “activities” that victims are asked to do in order to get their files back are as follows:

“Activity 1”

“That we all know Thousands of people die due to sleeping on the roadside in the cold because they do not have clothes to cover their body.
So, your 1st task is to provide new clothes/blankets to needy people of road side and make a video of this event.
Later post this video/photo to your Facebook, Instagram and WhatsApp stories by using photo frame provided by us and encourage other people to help needy people in winters. Take a screen shot of your post and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.
It’s Does not costs you high but matters for humanity.”

“Activity 2”

“Thousands of poor children have to sleep hungry in the long cold nights, because those ill-fated people have no luxury to have dinner every night in this cruel world. You cannot feed them food for life, but you can give them 2 moments of happiness!
How!! Hmm, Listen. In the evening, pick any 5 poor children (under 13 years) of your neighborhood and take them to Dominos Pizza Hut or KFC, then allow them to order the food they love to eat and try to make them feel happy. Treat those kids as your younger brothers. Take some Selfies of them with full of smiles and happy faces, Make a beautiful video story on this whole event and again post it on your Facebook and Instagram Stories with photo frame and caption provided by us. Take a screen shot of your posts, snap of restaurant’s bill and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.
Help those less fortunate than you, for it is real human existence.”

“Activity 3”

“There are so many people in the world who have suffered the pain of losing their loved ones due to lack of money. Lack of money is the biggest misfortune to get medical treatment at the right time.
Hmm, what’s your duty now! Hmm, Listen again! Visit the nearest hospital in your area and observe the crowd around you inside the hospital premises. You will see that there will be some people who need certain amount of money urgently for their medical treatment, but they are unable to arrange due to any reason. You have to go near them and talk to them that they have been supported by you and they do not need to worry now, Finally Provide them maximum part of required amount. Again, Take some Selfies of them with full of smiles and happy faces,
Record Audio while whole conversation between you and them and send it to us.
Write a beautiful article in your Facebook and Instagram by sharing your wonderful experience to other peoples that how you transform yourself into a kind human being by becoming Victim of a Ransomware called Good Will.”

Once the victim has performed all three tasks, they must send the links and the gang promises to “verify the whole case” and hand over the decryption keys.

No good will for GoodWill

Aside from anything else, this is incredibly invasive of people’s privacy. Do the people in the videos get a say in this? It seems they do not.

This is genuinely one of the most disturbing infection-themed attacks I’ve seen in a long time. Turning people into some sort of game show contestant, complete with performative acts of kindness which are only occurring because of blackmail, flies in the face of their alleged intended goal.

We also have no indication if the authors intend to change their tasks at a later date. Reports mention the file attempts to geolocate victims. Could we see location-themed tasks which account for differences in rules, funding, social norms? Or is it a dice-roll in terms of hoping you’re assigned tasks you’re actually able to complete?

Despite the name, there’s not a lot to feel good about here. Demanding cryptocurrency to release files, while victims hope those files won’t be leaked, is bad. Making people upload videos of themselves performing baffling and potentially dangerous tasks feels even worse.

Malwarebytes detects GoodWill as Ransom.FileCryptor.MSIL.Generic.


We have yet to see anyone infected with this ransomware, so we can only hope it never makes it off the drawing board in any significant capacity.

The post Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media appeared first on Malwarebytes Labs.

Update now! Multiple vulnerabilities patched in Google Chrome

Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is Critical.

The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux.

Critical

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a memory-safety bug in which a program keeps using a pointer after the memory it points to has been freed. If that freed memory is reallocated for attacker-controlled data before the stale pointer is used, the attacker can corrupt the program’s state, which often leads to arbitrary code execution.

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

Google does not disclose details about vulnerabilities until users have had ample opportunity to install the patches, so I could be reading this wrong. But my guess is that an attacker could construct a specially crafted website and take over the visitor’s browser by manipulating the IndexedDB.

Other vulnerabilities

Of the remaining 31 vulnerabilities, Google has rated 12 as High. High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate, other origins.

Another 13 vulnerabilities were rated as Medium. Medium severity bugs allow attackers to read or modify limited amounts of information, or are bugs which are not harmful on their own but potentially harmful when combined with other bugs.

Which leaves six vulnerabilities that were rated as Low. Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or a highly limited scope.

How to update

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome up to date

You should then see the message, “Chrome is up to date”.

Affected systems:

  • Google Chrome for Windows versions prior to 102.0.5005.61/62/63
  • Google Chrome for Mac and Linux versions prior to 102.0.5005.61

Stay safe, everyone!

The post Update now! Multiple vulnerabilities patched in Google Chrome appeared first on Malwarebytes Labs.

How the Saitama backdoor uses DNS tunnelling

Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article.

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking out of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunnelling hidden.

Saitama’s DNS tunnelling

DNS is the Internet’s “address book” that allows computers to look up human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about it. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

Saitama’s messages

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = message, counter '.' root domain

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

1. Make contact

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655 (that is, below 36^3, so the counter always fits in three base36 digits). In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

nbn4vxanrj.joexpediagroup.com

The counter itself is encoded using a hard-coded base36 alphabet that is shared with the name server. In base36 each digit is represented by one of the 36 characters 0-9 and a-z. In the standard base36 alphabet, 7805 is written 60t (6 x 1296 + 0 x 36 + 29 x 1). However, in Saitama’s custom alphabet 7805 is nrj.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message nbn4vxa.

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
custom: n j 1 6 9 k p b h d 0 7 y i a 2 g 4 u x v 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.203

2. Ask for a command

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alphabet, which encodes the ID, 203, as ao. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to nrc, and one of Saitama’s three root domains is chosen at random, resulting in:

aonrc.uber-asia.com

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.0.0.4

3. Get a command

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message k7myyy.

The counter is encoded using the hard-coded alphabet to nr6, and one of Saitama’s three root domains is chosen at random, giving us:

k7myyynr6.asiaworldremit.com

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2 code   Saitama function
43        Static
70        Cmd
71        CompressedCmd
95        File
96        CompressedFile

Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

70.118.101.114

4. Run the command

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests are usually necessary in this step because the output is sent in twelve-byte chunks, and most command output is longer than that.

p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com

The counter is encoded using the hard-coded alphabet to nrb, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: the digit 2, indicating the RECEIVE command; the ID 203; an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message p6yqqqqp0b67gcj5c2r3gn3l9epzt.
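A parser for the lookup and reply formats described in the four steps above, written as an added Python example that reproduces the article’s own numbers. It is not Saitama’s code, and it makes three assumptions worth stating: the routine that derives a fresh message alphabet from each counter is not reproduced, so the alphabet the text shows for counter 7805 is supplied explicitly; the hard-coded alphabet used for the counter digits is not on the page, so the counter is split off the label but not decoded; and the three size octets in the “ask for a command” reply are taken to be big-endian (129.0.0.4 gives 4 either way). Note also that the page uses two digit orders: ordinary base36 (0-9 then a-z) when it writes 7805 as 60t, and the letters-first order of the substitution table when it writes command 0 as a; both are kept apart below.

```python
"""Parser for Saitama-style DNS tunnel lookups and C2 replies. Added example,
not Saitama's own code; see the lead-in for the assumptions it makes."""

CONVENTIONAL = "0123456789abcdefghijklmnopqrstuvwxyz"   # ordinary base36: 7805 -> "60t"
MESSAGE_PLAIN = "abcdefghijklmnopqrstuvwxyz0123456789"  # row order of the substitution table: 0 -> "a"
CUSTOM_7805 = "nj169kpbhd07yia2g4uxv3eswf58rocqtlzm"    # alphabet the text shows for counter 7805
ROOT_DOMAINS = ("uber-asia.com", "asiaworldremit.com", "joexpediagroup.com")
COUNTER_DIGITS = 3          # counters stay below 36**3 = 46656, so three digits always suffice
HARUTO = "haruto"           # fixed suffix of the first "make contact" message
FUNCTIONS = {43: "Static", 70: "Cmd", 71: "CompressedCmd", 95: "File", 96: "CompressedFile"}


def base36_encode(n, alphabet):
    """Encode a non-negative integer with the given 36-character alphabet."""
    if n < 0:
        raise ValueError("negative")
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(alphabet[r])
        if n == 0:
            return "".join(reversed(digits))


def base36_decode(text, alphabet):
    n = 0
    for ch in text:
        n = n * 36 + alphabet.index(ch)
    return n


def substitute(text, alphabet):
    """Apply the per-counter substitution: MESSAGE_PLAIN[i] -> alphabet[i]."""
    return text.translate(str.maketrans(MESSAGE_PLAIN, alphabet))


def unsubstitute(text, alphabet):
    return text.translate(str.maketrans(alphabet, MESSAGE_PLAIN))


def split_lookup(fqdn):
    """Split 'message counter . root' into (message, counter_digits, root)."""
    fqdn = fqdn.lower().rstrip(".")
    for root in ROOT_DOMAINS:
        if fqdn.endswith("." + root):
            label = fqdn[: -len(root) - 1]
            return label[:-COUNTER_DIGITS], label[-COUNTER_DIGITS:], root
    raise ValueError("not one of Saitama's root domains: " + fqdn)


def parse_contact_message(encoded, message_alphabet):
    """Undo the substitution and return the command number (0 = new victim)."""
    plain = unsubstitute(encoded, message_alphabet)
    if not plain.endswith(HARUTO):
        raise ValueError("not a contact message: " + plain)
    return base36_decode(plain[: -len(HARUTO)], MESSAGE_PLAIN)


def _octets(ip):
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + ip)
    return octets


def decode_contact_reply(ip):
    """Reply to 'make contact': the victim ID lives in the last octet only."""
    return _octets(ip)[3]


def decode_size_reply(ip):
    """Reply to 'ask for a command': first octet >= 129, then the size (big-endian, assumed)."""
    o = _octets(ip)
    if o[0] < 129:
        raise ValueError("first octet must be 129-255")
    return (o[1] << 16) | (o[2] << 8) | o[3]


def decode_command_reply(ip):
    """Reply to 'get a command': function code, then up to three ASCII bytes."""
    o = _octets(ip)
    return FUNCTIONS.get(o[0], "Unknown"), bytes(o[1:]).decode("ascii")


def replies_needed(payload_size, bytes_per_reply=4):
    """How many 'get a command' lookups a payload of this size takes."""
    return -(-payload_size // bytes_per_reply)


if __name__ == "__main__":
    msg, ctr, root = split_lookup("nbn4vxanrj.joexpediagroup.com")
    print(msg, ctr, root, "command", parse_contact_message(msg, CUSTOM_7805))
    print("id", decode_contact_reply("75.99.87.203"))
    print("size", decode_size_reply("129.0.0.4"), "replies", replies_needed(4))
    print("command", decode_command_reply("70.118.101.114"))
```

The same functions cover every reply shown in the walkthrough (ID 203, size 4, and 70.118.101.114 decoding to Cmd and “ver”), so a resolver log that captures both the lookups and the answers from these three root domains can be replayed through them once the per-counter alphabet is known.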

Detection

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

IOCs

Maldoc

Confirmation Receive Document.xls
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

Saitama backdoor

update.exe
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

C2s

uber-asia.com
asiaworldremit.com
joexpediagroup.com

The post How the Saitama backdoor uses DNS tunnelling appeared first on Malwarebytes Labs.

General Motors suffers credential stuffing attack

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.

Credential stuffing

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but to find as many valid username and password pairs as possible, and then either use that access to commit fraud or sell the working credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.
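The rotating-proxy problem described above, as an added Python example that is not GM’s code: it runs a classic per-IP failure counter and a windowed, site-wide detector over the same constructed login events, so you can see the first one miss the attack entirely while the second flags it and lists the accounts that were logged into during the burst. The events, thresholds and window size are assumptions of the example.

```python
"""Credential-stuffing detection: why per-IP blocking fails against rotating
proxies, and what a service can measure instead. Added illustration, not
GM's code; the login events below are constructed."""
from collections import Counter, defaultdict

# Constructed login events: (seconds, source_ip, username, succeeded).
# 198.51.100.x are regular users on stable addresses; 203.0.113.x stand in
# for proxy exits that each make a single attempt with a breached credential.
NORMAL = [
    (0, "198.51.100.5", "alice", True),
    (30, "198.51.100.5", "alice", True),
    (45, "198.51.100.9", "bob", False),    # mistyped password, then success
    (50, "198.51.100.9", "bob", True),
    (55, "198.51.100.12", "carol", True),
]
STUFFING = [(100 + i, f"203.0.113.{i}", f"user{i:03d}", i % 20 == 0) for i in range(60)]
SAMPLE_EVENTS = NORMAL + STUFFING


def per_ip_blocklist(events, max_failures=5):
    """Classic defence: block any source with too many failures. With a fresh
    proxy IP for every attempt, no source ever reaches the threshold."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= max_failures}


def window_stats(events):
    attempts = len(events)
    if attempts == 0:
        return {"attempts": 0, "failure_rate": 0.0, "distinct_ip_ratio": 0.0, "distinct_user_ratio": 0.0}
    failures = sum(1 for *_, ok in events if not ok)
    return {
        "attempts": attempts,
        "failure_rate": failures / attempts,
        "distinct_ip_ratio": len({ip for _, ip, _, _ in events}) / attempts,
        "distinct_user_ratio": len({u for _, _, u, _ in events}) / attempts,
    }


def detect_stuffing(events, window=60, min_attempts=20, max_failure_rate=0.5, min_ip_ratio=0.8):
    """Bucket events into fixed windows and flag buckets that look like stuffing:
    a burst of attempts, mostly failing, almost every one from a different IP.
    Successful logins in a flagged window from an IP the account has not used
    before are returned as candidates for a forced password reset."""
    events = sorted(events)
    known_ips = defaultdict(set)       # username -> IPs it has logged in from
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    flagged = []
    for start in sorted(buckets):
        bucket = buckets[start]
        stats = window_stats(bucket)
        suspicious = (stats["attempts"] >= min_attempts
                      and stats["failure_rate"] >= max_failure_rate
                      and stats["distinct_ip_ratio"] >= min_ip_ratio)
        new_device_logins = sorted({u for _, ip, u, ok in bucket if ok and ip not in known_ips[u]})
        for _, ip, u, ok in bucket:
            if ok:
                known_ips[u].add(ip)
        if suspicious:
            flagged.append({"window_start": start * window, **stats, "reset_candidates": new_device_logins})
    return flagged


if __name__ == "__main__":
    print("per-IP blocklist:", per_ip_blocklist(SAMPLE_EVENTS))
    for f in detect_stuffing(SAMPLE_EVENTS):
        print(f)
```

On the sample data the per-IP blocklist comes back empty, because each proxy exit fails at most once, while the windowed detector flags both minutes of the burst and names the three accounts whose reused passwords worked, which is the set a site would force through a password reset and, as GM did, restore.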

The attack

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors redeemed some customers’ reward points for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

Victims

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

Stolen information

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

  • First and last name
  • Email address
  • Physical address
  • Username and phone number for registered family members tied to the account
  • Last known and saved favorite location information
  • Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

Mitigation

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA), which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

The post General Motors suffers credential stuffing attack appeared first on Malwarebytes Labs.

Instagram verification services: What are the dangers?

Instagram, like other social platforms, has a verification system for high profile accounts. A verified badge means Instagram has confirmed that the account is the authentic presence of a public figure, celebrity or brand.

Have you ever wanted to get your own account verified? We noticed a large number of Instagram accounts all claiming to offer this as a service. Quick, easy, guaranteed. Or so they claim. After digging into it, we had a few questions of our own.

Setting the scene

Here’s just some of the identical profiles we’ve seen promoting one specific verification service.

multiple verify instagram accounts

Most of the profiles contain the same information in the bio section. Here’s a typical example:

instagram verify service

The verification process “takes 1-2 hrs”, has a 100% success rate, and payment is required before processing. You can send a direct message, or visit their shortened link for more information.

Forming an orderly line

The link in the bio section leads to a Google Docs form. Unless you view the document while signed into a Google account, you won’t be able to see the content or fill it in.

The service says it will submit your profile to Instagram for verification. Given that the only way to do this as a regular user is to submit it yourself via the app, the service would presumably need your login details to do it. This is highly relevant to our next line of investigation.

Of media partners and promotional agencies

One section of the form notes the slick, professional approach it has in relation to verification and third-parties:

  • We would like to share everything about our service and marketing strategy. We are the only legitimate agency that provides a guarantee of verification. If we are not able to get you the blue badge, we will refund your entire payment.
  • As you know we have a few talented Instagram media partners agencies. They will do everything for your verification with maintaining all the terms of Instagram authority. They are highly qualified to do that and have a high success rate.

As this article mentions, celebrities may work with agencies with access to Facebook’s Media Partner Support for verification instead. Incidentally, that’s another approach filled with booby-traps. Do we think any of these identical profiles are working to that level?

The form also lists several Instagram accounts which have been “successfully verified” as a result of its guidance. This includes one account which no longer exists, and a well known brand of cheese spread which doesn’t appear to post content anymore. We reached out to the two Instagram accounts which accept direct messages, but didn’t receive a reply.

With all of this in mind, it’s time to ask one of these accounts some questions directly.

Question time for an Instagram verification service

I sent a message to the profile highlighted up above.

instagram dm conversation

I asked the following:

Hi, I have some questions about the verification process and was hoping you could answer before I sign up.

1) What are the fees, and which payment method do you use

2) The form says you use a “few talented Instagram media partner agencies”. Who are the agencies?

3) If there’s a 100% success rate, why is there a money back guarantee for unsuccessful applications?

4) How did you help to verify several accounts which are much older than your own?

5) Why is your own account not verified?

Thanks!

Question 5 is particularly important: with so many identical profiles, how do we even know which one is the real deal? If verification is so easy, where is their own verified profile badge?

At any rate, they only replied after a follow-up message, promised to answer my questions immediately, and promptly disappeared again. It seems my verified status is not to be, but on the evidence seen so far, I think I can live without paying someone money for the privilege.

How verify me scams on social media usually end

There are a few likely final destinations for people who respond to detail-free, evasive operations nestled inside dozens of spam accounts.

  1. They (eventually) send you a request for payment and a link to their processing tool of choice. Once you pay, you never see them or the money again. If you had as much difficulty as I did trying to get basic information from a supposed Instagram verifier, would you trust them with your money?
  2. You’re sent a link to a website asking you to fill in your details. The website is nothing more than a phishing page, grabbing personal details and login information. Worth noting that although the “service” I encountered above made use of a Google Docs form, it did not ask for logins.
  3. Either of these methods may involve a request for scans of identification. Sending scammers copies of your passport pages is never going to be a good idea. One of the most brazen combinations of most of these tactics can be seen in this CNET article from last year.

Safe verification practices

There’s a bit of mystery as to how certain sites verify individuals. Instagram is refreshingly straightforward and direct in its approach. It pretty much all boils down to preventing impersonation of “notable” individuals. If you’re in a big pile of press links, articles about you, things which have gained column inches somewhere, then you’re probably going to be verified.

Here’s some more information from the Head of Instagram, Adam Mosseri:

Follower count doesn’t matter. If you see someone claiming to offer verification based on follower count, you can safely disregard that entity. If you’re asked to login somewhere then don’t do it. And don’t send scans of identification documentation either.

The allure of verification on social media is too powerful for many people to resist, and that’s what scammers are banking on. If you believe you need it, by all means send in an application to your platform of choice. By the same token, think very carefully about entrusting non-verified spam accounts with your personal details, money, or even identity documents. It almost certainly won’t turn out to have been worth it.


Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

Google

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

Vulnerabilities

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

Cytrox

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizen Lab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

Government spyware

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.


A week in security (May 16 – 22)

Last week on Malwarebytes Labs:

Stay safe!
