IT NEWS

The German Sparkasse bank has launched a browser that is especially designed to do your online banking. The browser called S-Protect is available for macOS and Windows users.

The idea is interesting, since having a separate browser for banking can certainly add an extra layer of security.

Separate browsers

Unfortunately there is a low correlation factor between what most people find the best browsers and what are the best browsers when it comes to privacy and security. If you look at the market share of the most popular browsers, there is one browser that steals the crown without a lot of competition: Google’s Chrome. But as we all know there are more secure and privacy oriented browsers available.

I have personally advocated for using different browsers for different things in the past and I still use that method myself, but using a browser that is designed for banking alone? Why not use the app instead? What’s the difference?

S-Protect

According to the Sparkasse’s website [in German] S-Protect is a so-called ‘hardened banking’ browser. You can best think of it as an additional protective screen for online banking. S-Protect prevents Trojans and other malicious programs that may have hidden on your computer from spying on or manipulating online banking. Setting up and using S-Protect is child’s play and gives you a great security advantage in all financial transactions.

The browser has been built for Sparkasse by Coronic GmbH who has built a “protect browser” for other clients and who add that:

“with PROTECT you can work securely on any PC and smart device – even if the computer is already compromised. Malware and hackers don’t stand a chance. Banking and payment remain secure. This helps bank customers who are still reluctant to do online banking.”

Advantages

Your advantages with S-Protect would be:

• Additional protection against data theft, phishing attacks, fake websites
• Easy handling, no installation or configuration
• Automatic login function
• No interference with other security procedures

Access to third-party websites, like manipulated or fake banking sites will be automatically blocked, because the browser is based on the “know your friends” principle, which limits the sites it can visit to that of the bank and their partners.

Phishing

In addition, the browser checks the security certificates of the pages to ensure their authenticity. However, if a user clicked on a phishy link in their email client then the URL will be opened in their default browser. If that default browser is not S-Protect—and why would it be, given its limited reach—the phishing site will be opened. That’s not S-Protect’s fault, but it just means that users will still need to keep their wits about them to make sure they’re using the correct browser.

Infected system

Sparkasse claims that the browser can be safely used for banking on an infected system, but we would advice very strongly against doing this. We also could not find any information about how the browser is hardened. For example, S-Protect claims to block screenshots of the browser, but would it stop a keylogger from being able to intercept what you are doing?

Disclaimer

Even though the idea deserves merit, I think we should be careful and not expect miracles to happen. Many browsers already have sandboxing in place. Sandboxing is the practice where an application, a web browser, or a piece of code is isolated inside a safe environment against any external security threat. That will stop malware from escaping the browser onto the system or the network. But none have demonstrated a good level of the other way around—stopping malware on the system affecting the browser—however hardened the browser may be. I can only hope Coronic will prove me wrong.

I would have loved to try some of the features of this browser, but I was unable to install S-Protect on my Windows 7 VM so the testing ended there for me.

Stay safe, everyone!

The post A special browser designed for online banking. Good idea, or not so much? appeared first on Malwarebytes Labs.

Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott could be satisfied by simply refusing to purchase a company’s products.

But such a move can be far more difficult to accomplish today, especially when you’re trying to sever your relationship with an Internet conglomerate. Tired of Facebook? Be sure to jump off Instagram and WhatsApp, too, which are both owned by the social media giant. Over Amazon? Good luck trying to navigate the web without landing on at least one site hosted by Amazon Web Services.

And what about Google?

The online behemoth has become so much more than a search engine, as it owns and produces hardware like Android phones, Google Pixel phones, Nest thermostats, and FitBit devices, while also operating Google Chrome, Google Mail, Google Calendar, Google Hangouts, YouTube, and Waze.

Saying goodbye to Google, then, isn’t as easy as refusing to buy an Android phone. It means likely changing several aspects of your life, including some that will affect the people around you.

Thankfully, this daunting task has already been taken on by the cybersecurity evangelist Carey Parker, who spoke recently on the Lock and Code podcast from Malwarebytes. According to Parker, it isn’t that he wanted to remove Google because he “hates” its products—if anything, he’s a fan. Instead, he wanted to start supporting other companies that will respect him and his data privacy.

“Google knows so much about us,” Parker said, explaining that Google makes the overwhelming majority of its revenue from online advertising, which it can only do because of how much data it collects from its users. “For me, it was about limiting as best I could how much information Google knows about me, removing as much as I can for things they already know about me, and then wanting to support companies who put privacy first.”

For anyone who has wanted to take a similar plunge into a Google-less life, here are some of the tips that Parker shared with us.

Start with the individual—Search, Chrome, and Android

Getting rid of everything Google product all at once could be a disaster, as there are simply too many services and products to track. Instead, Parker began the first steps of his experiment by only removing the products that directly affected him.

“I started with the easiest things—at least I think the easiest things,” Parker said. “The ones that have maybe the least tendrils into other things. They don’t affect anybody but yourself.”

For Parker, that meant removing and finding new providers for Google Search and the web browser Google Chrome. When it comes to stepping away from Android devices, Parker found that easy—he’s been using iPhones for years.

In finding an alternative to Google Search, Parker offered two suggestions: DuckDuckGo and the search engine Startpage, both of which claim to refuse any user data tracking for revenue purposes. Instead, the companies say they serve purely contextual ads based on the searches themselves—like showing ads for Nike and Adidas for anyone looking for shoes—and they do not record or keep data on users’ specific searches. In fact, Parker said, Startpage actually works with Google to deliver search results, but the company tells users that it refuses to collect user IP addresses, device information, and browsing history.

“You don’t have to track people to make money,” Parker said, “and Startpage is proof of that.”

In looking for a different, privacy-focused browser, Parker suggested his personal choice, Mozilla’s Firefox, and also the up-and-coming browser Brave.

Bigger shifts with Gmail and GCal

Having found different solutions for searching and browsing the Internet, Parker said he then focused his attention on finding alternatives to Google services that impact those around him.

“[Google Search and Google Chrome were] the first tier, and then, the next one, which is harder—a lot harder, because it involves other people—are Google email and Google calendar, Gmail and Gcal,” Parker said, “I’ve got shared calendars with my family and I am not going to expect them to drop Google like I am trying to do, so for that reason, I’m going to be stuck there for a little while, but I can minimize it.”

After researching the many options out there, Parker found two email providers—one that fulfills much of Google’s functionality and integration with a calendar function, and another that provides end-to-end encryption on messages sent and received between users of the same program.

The first suggestion is Fastmail. Fastmail, Parker said, is a for-profit email provider that users pay to use through a monthly subscription. The email provider also has a calendar solution that works directly with its main product. Even better, Parker said, is that Fastmail respects its users’ data.

“[Fastmail] explicitly say they don’t mine your data, and they are privacy-focused even if they’re not end-to-end encrypted by default,” Parker said. “It’s a really great service and it has the full suite of email, calendar and contacts, among other things. I use it for all my business stuff and some personal stuff.”

For user who wish to prioritize security, Parker suggested ProtonMail, which, by default, provides end-to-end encryption for all emails sent between ProtonMail users. That means that even if your emails get intercepted by a third party along route, those emails cannot be read by anyone other than you and your intended recipient.

More complexity with Google Drive and Google Docs

For users who want to take even more data out of Google’s view, there are just a couple final products to remove from the daily workflow. Those are the cloud storage service Google Drive and the cloud-based word processor Google Docs.

For each product, Parker encountered headaches and obstacles, but he managed to find alternatives that both respected his privacy and provided similar feature sets and functionality.

In finding a proper cloud storage platform, Parker recognized that some of the major players, such as Box and Dropbox, did not provide meaningful encryption for users’ data that would prevent the companies from scanning and gleaning information from user files.

Parker offered several suggestions depending on what users want most. If a user wants to securely send a private file to someone else, he recommended the online services Swiss Transfer and Mega, which can give users the option to set certain parameters on how they share a file, including how long a shareable link is active and whether the file requires a password to access.

For pure storage options, Parker recommended the service Sync.com because of its client-side encryption. Many of the cloud storage providers today, Parker explained, will promise to keep your data secure, but they will also hold the decryption keys to anything that you store on their servers.

“Machines will review the files that you have stored on these drives, either for advertising purposes or, a lot of times it’s for copyright violations,” Parker said. “They’ll look and see—are you trading movies or music with other people? And they’ll flag that and give you grief.”

But after extensive research, Parker found that Sync.com actually provided users with a type of encryption that the company cannot work around.

“[Sync.com is] end-to-end encrypted,” Parker said, “meaning that, even if behind the scenes, Sync.com uses Amazon Web Services, Amazon can’t see what my files are.”

As to finding an alternative to Google Docs, Parker said he struggled a great deal, simply because Google Docs works so well. After first trying to adopt a solution that Parker said is “secure, it’s private, it’s end-to-end encrypted—as far as checking boxes, it checks them,” Parker grew disappointed with the solution’s interface and its sluggish response time. Then, a second option called OnlyOffice was, as Parker put it, “not for the faint of heart” because of a high technical bar which could require renting out cloud servers.

The best, most accessible alternative, then, Parker said, is Skiff, which has an easy-to-use interface, but which only has a replacement for Google Docs, and not for the other, related tools, like Google Spreadsheets or Google Slides. Skiff’s tool can be found at Skiff.org.

Step by step

Taking Google out of your life can be a long and complex process, but it doesn’t have to be hard at the very beginning. And remember, if you ever start to doubt what you’re doing, think about what made you want to start the process. If you’re anything like Parker, you’re motivated to keep your data private and out of the hands of a company that is making money off of you and your browsing habits.

“At the end of the day, we are in an age of surveillance capitalism,” Parker said, “and Google is a publicly traded company with a fiduciary responsibility to maximize profits for their shareholders. Absent privacy regulations in the United States, the financial incentives are just too great to ignore. That’s money off the table.”

Parker emphasized that until Google creates—and there’s no evidence this will happen—a version of its products that users can pay for with their own funds rather than with their own privacy, that users should assume that “at any moment, any Google product unfortunately can and probably will, somehow, monetize your data.”

As the saying goes, Parker said, “if the product is free, then you are probably the product.”

You can listen to our full conversation with Parker on the Lock and Code podcast below.

The post How to remove Google from your life appeared first on Malwarebytes Labs.

Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into giving him tens of thousands of dollars after sometimes convincing them that he was their one true love.

Immediately after the documentary premiered, viewers judged the victims. Some viewers blamed the women in the documentary for falling for what looked, externally, like an obvious scam. Others asked how the women could be swept off their feet with so many red flags present? Others blamed the victims for not doing better research into the man, who had worked tirelessly to build fraudulent websites that claimed he was the son of a billionaire diamond miner.

But according to Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, this public perception misses a lot, particularly in how skilled these scammers can be in their work.

This week on the Lock and Code podcast with host David Ruiz, we speak with Liebes about the facts behind romance scams: How prevalent they are, the types of damage they cause beyond financial ruin, and how you can spot a romance scam as it is happening.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)

The post Recovering from romance scams with Cindy Liebes: Lock and Code S03E10 appeared first on Malwarebytes Labs.

The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range.

The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.

F5 BIG-IP

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a CVSS score of 9.8 out of 10.

F5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on online searches there are some 2,500 devices exposed to the Internet.

Exploits

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.

Exploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.

The researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks.

Mitigation

A list of vulnerable products and versions can be found in the F5 KB article. Experts recommend to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

• Block iControl REST access through the self IP address
• Block iControl REST access through the management interface
• Modify the BIG-IP httpd configuration

For future use, this F5 BIG-IP Security Cheatsheet is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.

Please note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.

Stay safe, everyone!

The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

It’s not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documents related to the operation. These leaks continued as the Conti gang expressed support for the Russian Government in the midst of their invasion.

Elsewhere, researchers gained access to a ransomware server and the owners eventually pulled Conti’s infrastructure offline for two days. To top it off, an offshoot based on leaked source code is targeting Russian organisations with this rather unambiguous message:

By now it’s probably painfully apparent that your environment has been infected with ransomware. You can think Conti for that…your President should not have committed war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.

In short, it’s quite the volatile situation. As offshoots butt heads against the public support for Russia coming from the Conti gang, the ransomware organisation is increasingly becoming the digital public enemy number one in Costa Rica.

Going toe to toe with Conti

Conti ransomware has been causing major problems in Costa Rica since at least April, with several important agencies impacted by outbreaks, which according to Bleeping Computer includes:

• Costa Rican Social Security Fund
• Administrative Board of the Electrical Service of the province of Cartago
• Radiographic Costarricense
• The Ministry of Science, Innovation, Technology, and Telecommunications
• National Meteorological Institute

On top of this, there also exists a 672GB dump of data which may include data from multiple compromised Government agencies. The message accompanying the leak reads as follows:

It is impossible to look at the decisions of the administration of the President of Costa Rica without irony, all this could have been avoided by paying you would have made your country really safe, but you will turn to Biden and his henchmen…no government of other countries has finalised this attack, everything was carried out by me with a successful affiliate. The purpose of this attack was to earn money, in the future I will definitely carry out attacks of a more serious format with a larger team.

Little wonder, with all of this happening, that Costa Rica is on high alert.

Embattled services struggle with outbreaks

As this article points out, the Treasury alone has been without any form of digital service for three weeks. It’s also unclear at this time if tax payer information has been stolen. This has meant a return to physical procedures as opposed digital. As we’ve seen previously where Conti is concerned, any move away from digital to physical can result in all manner of problems.

Counting the cost

Make no mistake, the attacks have been varied and relentless. Last month, the administrative systems of a government agency managing electricity in Cartago were encrypted and rendered useless. That’s roughly 160,000 people potentially impacted in one go. A cool $10m was demanded as a ransom during the attack on the finance ministry. This attack is claimed to have caused losses of $200m.

Little wonder, then, that the US State Department has offered up to $10m for information on the Conti group. If you’re able to identify key individuals in the group, you may well be in for a significant payday. On top of that, there’s an additional $5m in relation to arrests/convictions for affiliates.

As the release notes:

The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented. In April 2022, the group perpetrated a ransomware incident against the Government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and taxes platforms. In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals.

It appears the game is most definitely afoot. Will anyone actually be able to bring the group and affiliates to justice before another major attack? Based on what we’ve seen so far, the answer for the time being is almost certainly not.

The post Costa Rica continues defence against sustained Conti ransomware attacks appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

Microsoft, Google, and Apple

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

FIDO2

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

Will it work?

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

[I am concerned about] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

If you’ve dealt with a scammer, you’ll know that making up stories is their bread and butter. Think about it: Just when you thought you’d heard all the infamous 419 scam backstories, scammers surprise you with a “stuck astronaut” scam, something so utterly hilarious, nonsensical, and otherworldly that you’ve just got to tell your friends and families about it.

While the 419 cosmonaut backstory (surprisingly!) has layers of truth to it, your typical Instagram scam story doesn’t have an iota of fact it can stand on. But because the stories that hook someone were designed to trigger an instant emotional response and a sense of urgency, Instagram scammers are more effective at getting the job done speedily.

Mind you, scammers are not after every Instagram user. They just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door.

Instagram scammer backstories vary, but the scams themselves follows one pattern: They ask you for help, tell you their backstory, and put their fate in your hands.

Here are some of the stories that scammers are known to use:

• “I’m launching my own product line“.
• “I’m in a competition and need you to vote for me“.
• “I’m trying to get verified on Instagram and need people to confirm my fanbase with a link“.
• “I need a help link to get into Instagram on my other phone“. (This is a very common tactic.)
• “I’m contesting for an ambassadorship spot at an online influencers program“. This one is surprisingly popular, with fake ambassadors everywhere.

Regardless of the script they’re following, scammers will say you’ll receive a link on your phone via SMS. They will then ask you not to click the link but merely take a screenshot and send the image back to them.

The link is a legitimate Instagram “forgotten password” URL for your account, and scammers want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out.

It’s impossible to say what fraudsters will say next just to get you to screenshot a forgotten password link. Regardless, any requests for link screenshots should be treated with extreme suspicion. Whether product lines or ambassador programs, you can safely ignore these messages and report the sender.

Stay safe out there!

The post How Instagram scammers talk users out of their accounts appeared first on Malwarebytes Labs.

A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this “glitch” or generator without ever clarifying what, exactly, either of them are, or do.

The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” (Jailbreaking is the practice of breaking out of the iPhone’s default, highly-restricted mode, and getting “root” is the rough equivalent on an Android device.) That’s what they claim, anyway. There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.

No matter which app you select though, the outcome is the same.

A page informs you of the last time the app was updated, your IP address, whether the app is compatible with your device, and “no injection detected”.

They go on to say the following:

App injection required!

Follow the steps on the next page. To get started, we first need to inject the content into this app. This is a simple process and you will only have to do this once to get access.

Despite claiming that this process will “only work” on mobile, they’re being somewhat liberal with the truth. You absolutely can start the so-called injection process on a desktop, because there is no injection process, it’s all fake.

Here’s a supposed “Premium Unlocker” for OnlyFans.

When you start the “injection process” a message saying “Injecting: connecting with your phone” pops up, whether you’re using a phone or not.

It’s all a fraud. We’re redirected to a domain aimed at promoting ad offers / surveys / deals to mobile users. We are, rather nostalgically, in the land of the survey scams. At one point these seemed to be the only form of fakeout in town, made massively popular by gating non-existent unicorn deals behind walls of clickthrough ads.

A stack of empty promises

If you were promised a game, you’d get a demo version. Money off vouchers? You’d likely have to spend more signing up to deals to receive one in the first place. In other words, it was a massive scam factory for people up to no good. Note the desperation on the prompt urging to you to keep opening up new offers before receiving your non-existent reward:

All you’re likely to get from this is:

• Surveys or popups
• Malicious mobile downloads
• Signup offers that require personal information or payment.

You could easily go into this thing expecting free premium content for your service of choice, and exit with spyware or monthly payments for subscription services you don’t actually need. As a rule, free versions of paid-for apps offered on random websites simply do not exist. Sites which claim to offer hacks or generators for titles like Roblox, FIFA, or GTAV, are simply making it up. They will almost certainly be a survey scam or something else you don’t want to get involved in.

If you’re really in need of premium versions of services you use, you’re better off paying for them. At the very least, it has to be better than spinning the wheel on sites like the above and hoping you don’t get burned.

The post Steer clear of fake premium mobile app unlockers appeared first on Malwarebytes Labs.

I don’t know about you, but I open Instagram to look at cool photos of pets, not to make a fortune via suspicious claims of riches by strangers.

Despite this, following someone whose photos I liked resulted in a very peculiar message.

It’s possible I waved goodbye to a path to untold riches. Maybe if I’d stayed the course I’d now have my own “Become a millionaire in six months or less” e-book.

However, it’s more likely I dodged a Bitcoin scam. The kind of scam where I’d have to use screenshots of my bank account slowly being drained of all available funds for my next blog post.

Shall we take a look?

Introducing my good friend, Steven McBitcoin

This is the message that greeted me from my newest Instagram contact, who for ease of reference I’ve dubbed Steven McBitcoin:

Steven: Hello 

Good day

Are you interested in bitcoin mining?

I mean, oh boy am I ever. Possibly not quite in the way they were expecting, though. I decided to go with the “I don’t know anything, tell me more approach” with the vaguely non-committal:

Me: Hello possibly, how come?

Steven: I’m willing to teach you about bitcoin, coach you on how to invest and earn your profits as soon as possible. With a minimum investment of $1,000 I guarantee you of making $10,000 directly into your bank account, bitcoin wallet or any withdrawal method of your choice.

Understood?

Well now, that’s quite the promise. $10,000 dollars from $1,000 guaranteed? What could possibly go wrong…apart from everything?

How do I make this kind of money?

The messages continue to rumble on. Now we’re getting into the nuts and bolts of how this stack of digital currency shall be mine.

Me: Where would I invest and how?

Steven: Do you have cashapp, coinbase, crypto.com or Trust wallet?

It appears I’ve reached the “pretend you have one of the options mentioned and see what he says next” stage of the proceedings.

Me: Cashapp

Steven: OK good

Now go to your cashapp main page and send me the screenshot so I can give you direct guidelines on how to get paid.

You got it?

Generally speaking, sending people screenshots of the inside of your payment or bank portals is not a great idea—you can give away a lot about yourself.

This is also often used as a distraction by people who simultaneously ask for other details, such as logins. Consider it a distant cousin of the “please turn off your anti-virus while installing the dolphin.exe file you got from Limewire” technique.

The pinky-swear of digital currency

I wanted to know a little more about the guaranteed return of $10,000. That’s quite the generous deal. Some people would say it’s almost too good to be true.

I am absolutely one of those people.

Me: i have a question. How do you guarantee that i make $10,000 from $1,000? is there a time limit on when i should hit the 10k? what happens if i don't or I end up with less? is the guarantee in writing or anything?

Let’s see what cast-iron agreement he has in store. I simply cannot wait to find out how good this is. Getting it in writing? Of course I’ll be getting it in writing.

Steven: You profit is safe and guaranteed that I can very well assure you and you'll also get your money in less than 2 hours

You won't end up less than but instead even an higher profit from your trade.

I need you to believe me when I say that you have absolutely nothing to worryabout, just follow my lead and you'll be the one to thank me later OK.

Send me the screenshot let's proceed with your trade now.

Turns out the guarantee is “dude, trust me”. At this point, in the best documentary tradition, I made my excuses and left (by which I mean I blocked and reported him).

Notice how insistently pushy he becomes towards the end of the conversation. I imagine he’s already moved on to beguiling the next victim with tales of gigantic Bitcoin victory. Hopefully they block and report Mr McBitcoin too.

Common Instagram Bitcoin scams

Sadly, people promising get rich quick Bitcoin schemes on Instagram are a growing market of garbage and dross. There is currently no end of people on Facebook bemoaning the loss of their account to any one of the scams listed below:

1. Big wins, short timespan: Claims that you’ll make big returns on smaller investments rapidly are a red flag, as is pressure to transfer funds as quickly as possible. If someone you know suddenly starts talking about all the money they’re making thanks to their “Bitcoin mentor”—run away. It’s another very common scam related to compromised accounts.
2. Send me the money: On a similar note, asking you to go off and buy digital currency then send it to another person’s wallet to “invest” are likely going to get you nothing but an empty wallet.
3. Held hostage to cryptocurrency: Many videos regarding wild claims of Bitcoin success are actually incredibly creepy hostage videos. This is where people previously scammed out of their cash are made to film promos to keep the scam going.
4. A change in circumstances: If you’re asked to change your login details / email address to something somebody else has given you, you’ll simply be locked out of your account and it’ll be used to spam others.
5. When profit becomes taxing: Here’s one which started with a $1,000 deposit—just like the messages I received—and actually did finish up with a supposed profit of $15,000. Unfortunately for the victim, the scammer then asked for a $15,000 “tax payment” in order to release the now stolen funds. The thousand dollars are not coming back.

If you receive a get rich quick missive, you may wish to report it and block the sender. You can do this on Instagram by selecting the “…” next to the Follow button, then choosing Report > report account > posting content that shouldn’t be on Instagram > scam or fraud.

At the risk of resurrecting the “if it’s too good to be true…” dead horse, it has a fair bit of merit here. If someone had the secret to huge amounts of wealth, they wouldn’t be sharing it with random people on Instagram. Sadly, the only people making bank from this kind of deal or offer are the scammers pulling the strings in the first place.

The post Steer clear of these Instagram “Get rich with Bitcoin” scams appeared first on Malwarebytes Labs.

OpenSea, the primary marketplace for buyers and sellers of non-fungible tokens (NFTs), has reported major problems with its Discord support channel. How major? Well, there’s a “potential vulnerability” which allowed spambots to post phishing links to other users. A problem that lead OpenSea Support to declare “please do not click any links in the Discord.”

There’s no further information on how this occurred, but situations like this can happen if a channel’s administrator gets phished. If Discord had suffered a software vulnerability we would expect to see other channels being compromised too.

The spam messages originate from something called “Carl-Bot”. Discord channels typically make use of bots for low-level admin duties, general assistance and so on. Carl-Bot itself is a common sight across Discord, with lots of time saving features. Sadly, spamming phish links is not supposed to be one of them.

Carl-bot! No!

If Carl-Bot was present in the channel prior to the compromise, its purpose has been changed and not for the better. Here’s some of the spam Carl-bot was pushing out:

The spam message reads as follows:

Important announcement

We have partnered with YouTube to bring their community into the NFT space, and we’re releasing a mint pass with them that will allow holders to mint their project for free along with getting other insane utilities for being a holder of it.

The bot then mentions the limited supply of free items it is definitely, absolutely giving away to “fortunate” individuals:

You are able to get this mint pass below for 100% free. There will only be 100 of these however, once they are gone they won’t be coming back.

You can mint the YouTube Genesis Mint Pass here for free [url removed]

Fear of missing out (FOMO) is a huge driver in the NFT space, with the emphasis on scarcity of supply and rare, non-replicable items. In addition to that, YouTube has previously announced intentions to move into the NFT space. Seeing messaging like the above in the official OpenSea support Discord is bound to trick a lot of enthusiasts.

The scam site recedes into the distance

Here’s the site as it looked a few short hours ago:

The site right now is a blank page save for mention of a Twitter account, which has no content or likes posted to it. It could be the calling card of whoever did this, or it could be misdirection on the part of the site owner. Either way, Malwarebytes blocks the URL in question.

Protecting Discord

This is a developing story and information is thin on the ground. Having said that, there are still some things to keep in mind:

1. You can often avoid scams like these with a little common sense. Even a trusted Discord channel can turn rogue if someone compromises the right account. But would a rare, NFT-themed giveaway only be referenced in this one channel and nowhere else? It seems unlikely.
2. Use 2FA and a password manager. We don’t know what the phishing page was trying to obtain, but it will be something valuable, which probably means cryptocurrency or Discord logins. You can make it harder to steal your Discord login by using a password manager and two-factor authentication (2FA). While 2FA tokens can be phished, it sets a higher bar for scammers to clear, and a password manager will not enter your password into a phishing site.

Protecting your cryptocurrency

Protecting your cryptocurrency is all about keeping your private cryptographic keys and recovery phrases private. If you control them, you decide what happens to your money and what transactions to make. If somebody else controls them, they get to decide. Sites or random Discord accounts asking for recovery phrases should be avoided, as you risk losing all your funds for good.

The safest way to keep your keys safe is to store them offline, in a “cold wallet” that isn’t connected to the Internet. Even if you do that, your coins aren’t safe if you willingly send them to somebody though. Don’t send funds to Bitcoin addresses promising to double your payment, no matter which celebrity appears to be endorsing it.

The post OpenSea warns of Discord channel compromise appeared first on Malwarebytes Labs.