IT NEWS

Filing your taxes? Be wary of help found through search engines

The deadline for filing your taxes in the US is nearly upon us. April 18 is the very last date that you can afford to hand your tax returns in to the IRS.

People will naturally gravitate toward all manner of filing tools to get the job done. But it’s worth noting that sites are lurking in search engine results to potentially make it harder to file, not easier.

Taxing times in search engine land

One such tool used to complete tax returns is TurboTax. This product requires a registration code to activate, and this is where the search engine results come into play. Some folks have issues registering or installing software for a variety of reasons. Maybe it’s hardware, perhaps it’s the software. Incompatibility frequently rears its head, and sometimes other third-party software may be interfering with installation.

Entire industries exist on forums and elsewhere to provide answers to the most obscure tech issues you can possibly imagine. While many solutions can usually be found for these issues, it pays to be cautious where search results are concerned.

Searching for install instructions

Hunting for “install Turbotax” in Yahoo, for example, brings us the following results:


It’s currently the first result after the sponsored ad and the official link. Here’s the site in question:


Hitting the “Click me” button directs visitors to the next step in the process, hosted elsewhere. It asks visitors to sign into their account, then activate their purchase and get on with sorting out their tax returns.

It’s license key time

Site users are asked to enter their 16-digit activation code.


Two things to note here. The site accepts any code of four or more digits; it does not have to be 16 digits long, so there is clearly no checking of the code entered. What happens if you punch in a code that is too short, or one that does not exist at all? You’re told that the activation attempt has failed, not that your code is too short.

Submitting your activation code to this site means that whoever runs it now has your activation code. As a general rule of thumb, you shouldn’t give licence or registration keys for any product to anybody. Depending on the product, you may be handing a stranger your one-time-use key, and when that happens you then have the problem of figuring out how to get it back.

There are a few official support situations where informing somebody of a key’s details will be required. This isn’t one of them.

“Contact the support team…”

Help is at hand with the supposedly failed activation:


The page says:

Sorry, your code has failed to activate.

Detected issue:

  • Your activation code is stolen
  • Code expired
  • Repeated use of code
  • Your code is not generated in database
  • Or your system is virus infected

Note: Repeated failure may lead to expire code. Do not try to enter your code again and again.

Contact support team to fix this issue immediately: [number removed]

Error code: OOXOOO16FA and Correlation ID: c147654ad-41fg-ds7df-cfa9f5jhdjhsg

Keep your activation code ready while speaking to customer support

This “error code” often pops up on various forms of tech support scam, so there’s another bad sign.

What is happening in these support calls?

A colleague sent over a Reddit link detailing an example of a call between someone handling the “support” conversation on behalf of their father, who had originally arrived on a related landing page found via basic searching:

[Image: Turbotax call]

There’s a lot to take in there in terms of not sounding particularly credible.

  1. The TurboTax code activation being interrupted due to “foreign connections on the network”
  2. The caller being connected to the person’s relative via TeamViewer with Netstat open
  3. Non-official URLs open on the desktop

These are all frequent signs of tech support scams, which often involve the installation of bogus security tools alongside additional payment. The page’s claim that the activation key may not work because of a “virus infection”, together with the bogus error code found on many tech support scams, makes this something to steer well clear of.

We reported both the initial landing page and the activation code page. The URL for the latter has been suspended. However, sites like these tend to use fallback URLs and webspace so it might not be gone for good.

Don’t make tax season even more taxing than it has to be

If you need help installing or activating a product, contact the relevant company directly. Don’t leave it in the hands of search engines to decide your fate. Paid results, adverts, SEO gaming, or even SEO poisoning can all cause big problems. With the tax deadline ticking down, you simply can’t afford to get into stolen key/broken computer antics this late in the process.

The post Filing your taxes? Be wary of help found through search engines appeared first on Malwarebytes Labs.

“Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour

Spam which claims your account has been locked out and needs to be fixed is common. It drives people to phishing campaigns on a daily basis.

The mail below follows the same pattern with one key difference. It looks like a phish, but goes somewhere else entirely.

No, your Apple ID has not been locked

The mail claims to be from Apple, and is titled

Re: [Ticket #265763] Your Appl‌e‌ І‌D has been locke‌‌d‌‌ on [date]

It reads as follows:

Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌ on [date] 2022 for ‌‌s‌‌ecurit‌‌y‌‌ ‌‌r‌‌eason‌‌s‌‌ ‌‌b‌‌ecaus‌‌e‌‌ you have ‌‌r‌‌eache‌‌d‌‌ the ‌‌m‌‌aximu‌‌m‌‌ ‌‌n‌‌umbe‌‌r‌‌ of ‌l‌n‌v‌a‌l‌i‌d‌ ‌s‌i‌g‌n‌-‌i‌n‌ ‌a‌t‌t‌e‌m‌p‌t‌s‌

You cannot ‌a‌c‌c‌e‌s‌s‌ your ‌a‌c‌c‌o‌u‌n‌t‌ and any AppI‌e‌ services

‌‌T‌‌o ‌u‌n‌l‌o‌c‌k‌ your account, ‌y‌o‌u‌’‌l‌l‌ ‌n‌e‌e‌d‌ ‌s‌o‌m‌e‌ ‌a‌d‌d‌i‌t‌i‌o‌n‌a‌l‌ ‌v‌e‌r‌i‌f‌i‌c‌a‌t‌i‌o‌n‌

For your ‌‌s‌‌ecurit‌‌y‌‌ and to ‌‌e‌‌nsur‌‌e‌‌ only you have ‌a‌c‌c‌e‌s‌s‌ to your ‌a‌c‌c‌o‌u‌n‌t‌. We will ask you to ‌v‌e‌r‌i‌f‌y‌ your ‌i‌d‌e‌n‌t‌i‌t‌y‌.

[Image: Fake Apple mail]

From phish to website spam

Clicking the big grey “verify account” button should, in theory, lead you to an Apple phishing page. However, that’s not the case here.

The link directs people to completely random domains. Some of them appear to be advertisements. Others run the full range of everything from wall cladding services and polytechnics to hotels.


There appears to be no rhyme or reason to the URLs being served up. Clicking the link could pretty much drop you anywhere without warning.


It currently leads to what appears to be a half-finished page about QR code generation.

[Image: A QR code website]

Why is this happening?

At this point, we’ve established that there’s no phish here. It’s using phishing as a panic-ruse to have you click through to multiple URLs via email campaigns. In this case, it appears someone has signed up to the below service, and is using this to spam.

Navigating to the URL included in the mail with the campaign component stripped out leads us to the below message:


Mail blasting for fun and profit

Mail spammers will try and abuse legitimate services in order to drop as many missives in your mailbox as possible. Even with countermeasures in place, they’ll slip through the net of even the most careful service provider.

Regardless of how the spam gets through, get through it will. If you provide mail marketing services, it’s important to have a reporting feature in place. The ability to tie valid registrant details to campaign URLs is also crucial.

If it’s possible to highlight in mails sent out in some way that it’s via your tool or app, so much the better.

Keeping yourself safe from mail spam

For recipients, much of the typical spam mail advice applies here:

  • Always report spam, especially if it’s going beyond the usual “please buy this t-shirt” missive. If it’s a phish, a social engineering trick of some kind, or even something malware related, block and report. It’ll help keep bad content away from others that little bit quicker.
  • If you are redirected to a phish, you’re perilously close to handing over logins to a scammer. Websites asking for details without HTTPS are a massive red flag. However, as we often point out, scammers often make use of HTTPS certificates, so this is no guarantee of safety from phishing. Rather, ask yourself if you typically receive emails from Facebook or Google or anyone else asking you to visit links and enter personal details. The answer should almost certainly be no.
  • You can try the “strip out the campaign portion of the URL and see where you end up” tactic. However, you won’t know in advance if the URL on display is from a genuine marketer or just another rogue website. Search engines may assist here, but it’s a bit of a shot in the dark and potentially risky.
  • One final reminder: spammers reuse bogus mails all the time. While this one appears to redirect to random websites, the next identical message in your mailbox may well drive you to a phishing domain. Keep these fraudsters at arm’s length with a metaphorical return to sender.
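The “strip out the campaign portion of the URL and see where you end up” tactic, and the “does the link even belong to the sender it claims to be from” check, can both be done without visiting the link. The following is an added example (not code from the post or from any of the services mentioned): it removes the tracking query parameters from a link and reports the host, the scheme and whether the host belongs to the domain the mail claims to come from. The parameter names and the sample URLs are assumptions constructed for the example.

```python
"""Inspect a link lifted from a suspicious email without visiting it.

Added example; the campaign parameter names and sample URLs below are
constructed for illustration and are not taken from the campaign in the post.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters commonly used to attribute clicks to a mailing campaign.
# Assumption: a representative set, not an exhaustive list.
CAMPAIGN_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_term",
                   "utm_content", "campaign", "cid", "mc_cid", "mc_eid"}


def strip_campaign(url: str) -> str:
    """Return the URL with campaign/tracking query parameters (and the
    fragment) removed, leaving only the part that selects the page."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in CAMPAIGN_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), ""))


def inspect_link(url: str, claimed_sender_domain: str) -> dict:
    """Summarise what a recipient should check before clicking:
    the real host, whether it uses HTTPS, whether the host is inside the
    domain the mail claims to be from, and the link with tracking removed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sender = claimed_sender_domain.lower()
    same_org = host == sender or host.endswith("." + sender)
    return {
        "host": host,
        "https": parts.scheme == "https",
        "matches_claimed_sender": same_org,
        "stripped": strip_campaign(url),
    }


if __name__ == "__main__":
    # Constructed example of a "verify account" link found in a spam mail.
    link = "http://mail-blast.example/track?campaign=acct-lock&utm_source=news&id=42#top"
    for key, value in inspect_link(link, "apple.com").items():
        print(f"{key}: {value}")
```

A host that does not match the claimed sender, or a plain-HTTP link, is reason enough to stop there; as the post notes, a matching HTTPS host is still not proof that the link is genuine.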

We’ve reported the above mail campaign to the organisation above and hopefully it’ll be shut down soon.

The post “Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour appeared first on Malwarebytes Labs.

Zloader, another botnet, bites the dust

Microsoft has announced that its Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a malicious botnet called Zloader.

Zloader or Zbot are common names used to refer to any malware related to the ZeuS family. There are a lot of those because the ZeuS banking Trojan source code was leaked in 2011, and so there’s been plenty of time for several new variants to emerge.

The Zloader at hand is a botnet made up of computing devices in businesses, hospitals, schools, and homes around the world which is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.

Legal action

Microsoft obtained a court order from the United States District Court for the Northern District of Georgia, allowing it to take control of 65 domains that the Zloader gang had been using to grow, control and communicate with its botnet. These domains are now directed to a Microsoft sinkhole so they can no longer be used by the botnet operators.

A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals, and it is often used to seize control of botnets. We also saw this method used recently against the Strontium group.

Domain Generating Algorithm

Zloader has a Domain Generating Algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allowed Microsoft to take control of an additional 319 currently registered DGA domains. Microsoft is working on a method to block the future registration of DGA domains.
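Defenders on the receiving end of a DGA usually cannot reproduce the algorithm, but algorithmically generated names tend to look different from human-chosen ones. The following is an added example, not Zloader’s DGA (the post does not describe it) and not Microsoft’s or Malwarebytes’ tooling: a heuristic that scores the registrable label of each queried name in a DNS log by character entropy, vowel ratio, digit ratio and length, and flags names that score high. The log lines, thresholds and the `query=` field name are all constructed assumptions for the example.

```python
"""Heuristic flagging of DGA-like names in DNS query logs.

Added example. This is not Zloader's DGA and the log lines are constructed,
not real telemetry; thresholds are assumptions chosen for illustration.
"""
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed DNS log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    "2022-04-14T10:02:11Z client=10.0.0.5 query=www.example.com rcode=NOERROR",
    "2022-04-14T10:02:12Z client=10.0.0.5 query=mail.example.org rcode=NOERROR",
    "2022-04-14T10:02:13Z client=10.0.0.9 query=qzxkvbrtwpdlsnmg.com rcode=NXDOMAIN",
    "2022-04-14T10:02:14Z client=10.0.0.9 query=cdn-static.example.com rcode=NOERROR",
    "2022-04-14T10:02:15Z client=10.0.0.9 query=h7k2p9x4m1q8.net rcode=NXDOMAIN",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    """Second-level label, e.g. 'example' from 'www.example.com'.
    Assumes a single-label public suffix; a real tool would consult the PSL."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(fqdn: str) -> int:
    """Count how many 'looks generated' indicators the label trips (0-4)."""
    label = registrable_label(fqdn)
    if not label:
        return 0
    alpha = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in alpha) / len(alpha) if alpha else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0
    if shannon_entropy(label) > 3.2:   # assumption: high character diversity
        score += 1
    if vowel_ratio < 0.2:              # assumption: unpronounceable
        score += 1
    if digit_ratio > 0.3:              # assumption: digit-heavy
        score += 1
    if len(label) >= 16:               # assumption: unusually long
        score += 1
    return score


def flag_dga_like(log_lines, threshold: int = 2):
    """Return the queried names whose score reaches the threshold."""
    flagged = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        name = fields.get("query")
        if name and dga_score(name) >= threshold:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in flag_dga_like(SAMPLE_LOG):
        print(f"{name}: score {dga_score(name)}")
```

Heuristics like this produce false positives on CDN and cloud hostnames, so in practice the scores are used to prioritise names for review, ideally combined with NXDOMAIN rates per client, rather than to block outright.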

Zloader

The primary goal of Zloader was originally financial theft, stealing account login IDs, passwords and other information to take money from people’s accounts. This makes sense, knowing the source code it started from was a banking Trojan. But Zloader also includes a component that disables popular security and antivirus software, thereby preventing victims from detecting the Zloader infection on their systems.

Over time, those behind Zloader began offering malware as a service, acting as a delivery platform to distribute ransomware such as Ryuk, DarkSide, and BlackMatter.

Zloader is a malware family known for its flexibility and the ability to evolve and change from campaign to campaign. As such, it has undergone a lot of development since its inception. The evolution has been worked on at many fronts, since several groups started working from the original ZeuS source code.

For those looking for a technical analysis of Zloader, in 2020 Malwarebytes published a report with an analysis of the “Silent Night” Zloader variant that demonstrates some of the botnet features developed for Zloader. And Microsoft provided some insight on the techniques and tactics used by this particular Zloader group.

Disruption

Microsoft worked with telecommunications providers around the world to disrupt key Zloader infrastructure. Some attempts to revive the operation are expected, but they will be monitored closely. If the method to prevent new DGA domains is successful, it will take a fresh restart to build out another botnet.

Mitigation

Given the tactics used by this Zloader group, the general rules of internet hygiene apply, starting with some that are more specific for this group:

  • Be careful with email attachments
  • Don’t click on sponsored Google results
  • Secure authentication methods
  • Patch management
  • Network segmentation
  • A backup strategy in case prevention measures fail

Stay safe, everyone!

The post Zloader, another botnet, bites the dust appeared first on Malwarebytes Labs.

Stalkerware-type detections hit record high in 2021, but fell in second half

After having tracked stalkerware for years, Malwarebytes can reveal that in 2021, detections for apps that can non-consensually monitor another person’s activity reached their highest peak ever, but that, amidst the record-setting numbers, the volume of detections actually began to significantly decrease in the second half of the year.

Even with this decrease, stalkerware-type activity never returned to the lower levels Malwarebytes recorded in 2019, before the start of the global coronavirus pandemic, which was recognized in 2020 and spread quickly across the globe beginning in February, March, and April of that year. During 2020, the increase in physical, regional lockdowns appeared to coincide with the increase in detections of stalkerware-type apps, which Malwarebytes records as “Monitor” and “Spyware.”

Stalkerware is documented to have a clear intersection with situations of domestic abuse, and it was not only stalkerware-type activity that increased during the global pandemic: state and federal prosecutors and shelters also reported more cases of domestic abuse.

In 2021, Malwarebytes recorded a total of 54,677 detections of Android monitor apps and 1,106 detections of Android spyware apps. This represents a 4.2 percent increase in monitor detections and a 7.2 percent increase in spyware detections year-on-year, making 2021 even worse than 2020, and the worst year for stalkerware so far.

However, although the overall numbers are up, detections have taken an unmistakable downward turn since the peak of May and June 2020.

[Chart: Monitor detections, 2020 and 2021]
[Chart: Spyware detections, 2020 and 2021]

In the second half of 2021, average monthly detections for monitor apps fell by 39 percent, to just 3,459 detections per month, compared to an average of 5,654 detections per month in the first half of 2021. The same trend happened with spyware too: Average monthly detections fell by 20 percent in the second half of the year compared to the first half.

What’s at play here?

When stalkerware saw its distressing uptick in 2020, Malwarebytes, in consultation with other domestic abuse support networks, hypothesized that the increased stalkerware activity came about because of the real-world physical restrictions put in place to combat COVID-19 around the world. The increase was also detected by other members of the Coalition Against Stalkerware, and coincided with news reports of increased calls to domestic abuse agencies.

In 2021, many governments loosened their coronavirus restrictions, allowing the public to mix and travel more freely. And, just as the sudden increase in stalkerware detections mirrored the sudden, mass imposition of restrictions, the gradual decline in detections appears to reflect their gradual easing.

The tidal wave of stalkerware in 2020 also led to increased awareness of the stalkerware problem, which turned into action in 2021. Last year the Federal Trade Commission issued its second-ever enforcement action against a stalkerware developer, and Google removed several ads that promoted stalkerware.

The decline in stalkerware is welcome, but the causes for it are not clear and it is too early to celebrate. It is increasingly easy for abusers to monitor their targets using off-the-shelf technology designed for other purposes. Abusers may simply have turned to other forms of technology as stalkerware became more widely detected. Or they may have returned to previous patterns of control and abuse as restrictions eased.

Thankfully, the Coalition Against Stalkerware continued to grow in 2021, increasing its contributors and accepting more expertise so as to expand its stalkerware detection threat list, which antivirus vendors can use to improve their own detection tools. As a founding member, Malwarebytes will continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

You can read more interesting stats from the last year in the Malwarebytes 2022 Threat Review.

The post Stalkerware-type detections hit record high in 2021, but fell in second half appeared first on Malwarebytes Labs.

Steer clear of this “TestNTrace” SMS spam

Yesterday I received an SMS from “TestNTrace”, with the message resembling an official NHS communication:


The text reads as follows:

NHS: You’ve been in close contact with a person who has contracted the Omicron variant. Please order a test kit via: [URL redacted]

Well, that’s an alarming thing to wake up to. However, not everything is as it first seems.

Health and (security) safety concerns

The first red flag is that this isn’t an official NHS URL. Additionally, there’s no explanation as to how or why they know I’ve “been in close contact” with somebody. Nevertheless, people will take this message at face value.

Receiving this will be especially concerning for anyone with specific health risks related to COVID-19 exposure. There are also a few reasons why this kind of spam message may prove successful in the current climate.

Testing times for…tests

It’s becoming increasingly difficult to obtain PCR tests in the UK. The rules have changed, leading to frequent delays and issues. Previously you could obtain free tests as and when you needed them. Now, tests are no longer free. As per the official guidance page:

If you’re in Scotland or Northern Ireland, you might be eligible to get a free polymerase chain reaction (PCR) test to check if you have coronavirus (COVID-19).

In England or Wales you can no longer get free PCR tests to check if you have COVID-19.

There are some exemptions, but they’re few and far between.

What this means in practice is a glorious opportunity for scammers and fakers to make even more money off the back of the pandemic. Scams targeting people with coronavirus themes are bad enough at the best of times. When you can’t even get hold of a test, it’s particularly ghoulish.

Digging into the website

The landing page resembles a standard UKGOV NHS page related to the pandemic. The links also all lead to genuine NHS sites and information portals.

[Image: Ordering a test kit]

It reads as follows:

Order (COVID-19) Omicron PCR test kit

The UK has decided to deploy test kits in response to the risks of the Omicron variant. COVID-19 cases have soared by their highest number since the start of the pandemic as the Omicron variant continues to spread rapidly.

Due to rising cases among fully vaccinated patients, research has shown that it is still possible to catch and spread COVID-19 even if you are fully vaccinated.

Order your (COVID-19) Omicron PCR test kit below.

Information:

PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation.

Note: PCR test kits are free, you will only have to pay £0.99 for postage of the kit.

That’s a very long way of saying “please give us £0.99”. However, there are a lot of clues in that block of text to suggest you shouldn’t give them a thing.

Of movement restrictions and compulsory isolation

“PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation” is quite the statement, designed to encourage people to throw money their way as fast as they can.

Confirmatory PCR tests are no longer required. You’re also no longer required by law in the UK to stay at home and isolate if infected. The Test and Trace contact service is now closed. I couldn’t even begin to tell you what the supposed movement restrictions are all about.

Clearly, we’re dealing with something here which isn’t exactly reflecting reality as it currently stands. If we proceed to the next page anyway, the site asks for a range of personal information.

Personal details, and payment for postage

The site asks for name, DOB, email, phone, and address.

[Image: A wealth of personal information]

The follow up page asks for payment details.

[Image: Payment for postage]

Avoiding the PCR payment rush

If you need to obtain test kits, your best option is likely to be local pharmacies and supermarkets. Random texts and emails which lead to sites other than nhs.uk should be treated with caution, especially when tied to requests for payment.

Even if they claim the kits are free, they’ll likely ask for postage costs. All this, on top of how they magically know you’ve come into contact with somebody who has COVID-19 in the first place. While there may well be delays and low supplies in trusted stores, it’s still a much safer option than handing your payment details and personal information to random websites.

This is one text you can happily block and report. If you need a test at short notice, answering random SMS spam is definitely not the way to get one.

The post Steer clear of this “TestNTrace” SMS spam appeared first on Malwarebytes Labs.

NGINX zero-day vulnerability: Check if you’re affected

On April 9, hacking group BlueHornet tweeted about an experimental exploit for NGINX 1.18 and promised to warn companies affected by it. On April 10, BlueHornet claimed to have breached the China branch of UBS Securities using the NGINX vulnerability.

[Image: Tweet]

All we learned on Twitter was that a new zero-day vulnerability in the NGINX web server existed and had been publicly revealed. The vulnerability could allow remote code execution (RCE) on a vulnerable system.

But on April 11, NGINX responded with an article saying that, after investigating the issue, it had found it only affects reference implementations: specifically, the NGINX LDAP reference implementation, which uses LDAP to authenticate users of applications being proxied by NGINX.

NGINX

NGINX is an open-source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. When it was first released, NGINX was used mostly for serving static files, but since then, it has grown into a complete web server that deals with the entire spectrum of server tasks. NGINX has surpassed Apache in popularity due to its lightweight footprint and its ability to scale easily on minimal hardware. According to specialists, NGINX can run thousands of connections of static content simultaneously and is 2.5 times faster than Apache.

LDAP

Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. Companies store usernames, passwords, email addresses, printer connections, and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP can also tackle authentication, so users can sign on just once and access many different files on the server.

The NGINX LDAP reference implementation uses LDAP to authenticate users of applications proxied by NGINX. The reference implementation was announced in June 2015. The solution leverages the ngx_http_auth_request_module (Auth Request) module in NGINX and NGINX Plus, which forwards authentication requests to an external service. In the reference implementation, that service is a daemon called ldap‑auth. It’s written in Python and communicates with an LDAP authentication server.

[Image: NGINX and LDAP, courtesy of NGINX]

The vulnerabilities

The primary way to configure the LDAP reference implementation is with a number of proxy_set_header directives. However, the configuration parameters can also be set on the command line that initializes the Python daemon. The vulnerabilities exist in the way unsanitized input can be used to change or set LDAP configuration parameters.

The NGINX blog specifies the circumstances that need to be fulfilled for the vulnerabilities to be exploited:

  • Command-line parameters are used to configure the Python daemon
  • There are unused, optional configuration parameters
  • LDAP authentication depends on specific group membership

Mitigation

NGINX provides mitigation recommendations for each of these conditions.

When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers. To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.

Also ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.

The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (memberOf) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups. To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters ( ) and the equal sign =, which all have special meaning for LDAP servers.
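The core of the problem is that the username is spliced into an LDAP search filter, where ( ) and = are structural characters. The following is an added example, not code from NGINX’s ldap‑auth daemon: it applies the stripping the post describes (removing the parentheses and equals sign) and goes one step further by escaping the remaining filter metacharacters as RFC 4515 specifies, so that no value can change the shape of the filter. The filter shape, the `uid` attribute and the group DN are assumptions for the example.

```python
"""Sanitise a username before it is placed into an LDAP search filter.

Added example, not the ldap-auth daemon's own code. Implements the ( ) =
stripping the post calls for, plus RFC 4515 escaping of the remaining
filter metacharacters.
"""

# Characters the post says must be removed from the username: they delimit
# and structure LDAP search filters.
STRIP_CHARS = "()="

# RFC 4515 escapes for the characters that can still alter a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def strip_username(username: str) -> str:
    """Minimal mitigation from the post: drop ( ) and = outright."""
    return "".join(c for c in username if c not in STRIP_CHARS)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so an attribute value cannot terminate or extend
    the filter it is embedded in."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_member_filter(username: str, group_dn: str, uid_attr: str = "uid") -> str:
    """Build the user-plus-group filter the daemon would send to LDAP.

    Assumption: the daemon checks membership with a filter of the shape
    (&(uid=<user>)(memberOf=<group DN>)); the real daemon's exact filter
    is not shown in the post.
    """
    safe_user = escape_filter_value(strip_username(username))
    safe_group = escape_filter_value(group_dn)
    return f"(&({uid_attr}={safe_user})(memberOf={safe_group}))"


if __name__ == "__main__":
    group = "cn=admins,ou=groups,dc=example,dc=com"   # constructed group DN
    for user in ("alice", "al(ice)=*"):               # second one has metacharacters
        print(build_member_filter(user, group))
```

The strip step alone satisfies the post’s recommendation; the escape step is what prevents the remaining characters (backslash, asterisk, NUL) from widening the match, so a username can only ever be compared as a literal value.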

NGINX states that the backend daemon in the LDAP reference implementation will be updated to sanitize this type of input in due course.

And we have rounded up some additional advice.

Because LDAP extends to IoT devices, of which there are many more than IT devices, organizations running LDAP need to encrypt traffic using TLS certificates on IoT devices, keep the firmware up to date, and apply proper password management.

Make sure that you sanitize any input before it gets passed to the daemon.

Stay safe, everyone!

The post NGINX zero-day vulnerability: Check if you’re affected appeared first on Malwarebytes Labs.

April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities

It’s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.

Microsoft

Microsoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.

For those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:

  • CVE-2022-24500 CVSS 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability
  • CVE-2022-24541 CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability
  • CVE-2022-26809 CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability
  • CVE-2022-26919 CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability

CVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:

  • CVE-2022-26904 CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetration testing framework used by security engineers both as a testing system and as a development platform for creating security tools and exploits.
  • CVE-2022-24521 CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.

Other notable CVEs:

  • CVE-2022-24491 CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.
  • CVE-2022-24997 CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.

On these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available here.

A vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machines is high enough. In these cases web application firewalls (WAFs) would help to mitigate the risk.

In related news, Microsoft announced the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with patch management.

Edge and Chrome

The Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.

Other updates

While you’re at it, we also saw updates from vendors like:

Stay safe, everyone!

The post April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities appeared first on Malwarebytes Labs.

SMS group spam promises free gifts in return for bill payment

We’re seeing lots of examples of peculiar SMS messages sent to random groups of people. Most of these messages promise free gifts and/or offers after having paid bills. Nobody has asked for these texts, and they’re not being sent by providers of any services. What’s going on?

The set up

Most of the messages we’ve seen, and indeed received ourselves, are identical to the below example:

Free Msg: your bill is paid for March. Thanks, here’s a little gift for you [URL removed]

Spam messaging

Where do the links go?

A very good question. Clicking any of the links while on desktop typically results in a site failing to load error. Most likely, they’re checking the user agent of your browser to ensure you’re on mobile when hitting the link.

On mobile, you’re bounced through a secondary URL before landing on a 404 error on Facebook or Twitter. Despite a piece of this website daisy-chain being lost to the void, the texts are still coming and it’s probably child’s play to correct the broken landing pages to something functional. As a result, we can’t say for sure what the final destination is. 

A friend of mine mentioned they ended up on some sort of airpod/free mobile accessories offer site from a similar group message not so long ago, so that’s one possibility. What we can say is that you should definitely avoid clicking these links should you receive one. We simply don’t know where you’ll end up, and you can very easily end up out of pocket with one mis-click.

Tips to avoid this SMS group spam

  • A lot of people are sending “STOP” messages in response to these messages. Unfortunately this won’t work, and you’re not going to opt-out of anything in this scenario.
  • Blocking the sender number helps, but they’re coming from several numbers one after the other. If you’ve received one, sadly you should probably expect more. Remember to report every single one which comes your way.
  • It can be tricky generally to block messages when dropped into a random group. Depending on phone/app, you should be able to tap three dots (or similar) and report the spamming number from there. This may also result in blocking all numbers in the group by default, which means you won’t receive dozens of unsubscribe style messages all day long from 19 other people.

Remember: If in doubt, visit your provider’s website and see first-hand if they’re offering up freebies for payment. The likelihood is they’re not, but it’s still better than clicking any of the above to find out.

The post SMS group spam promises free gifts in return for bill payment appeared first on Malwarebytes Labs.

Apps removed from Google Play for harvesting user data

Dozens of apps were removed from the Google Play Store after they were found to be harvesting the data of device owners. The code in question—a software development kit (SDK)—was used inside apps which were downloaded over 10 million times.

What happened?

A wide range of Android apps were found to have this particular SDK lurking. There’s no obvious connection between the apps besides the SDK, as they’re all from different sources and developers. A mobile powered speed camera radar. QR barcode scanners. Weather/clock widgets. Even a remote control PC mouse app. They all had this SDK running under the hood, doing things it shouldn’t have been. The only key point among them all is that they made use of something designed to help monetise their app.

It’s possible the app developers believed there was no issue with including the SDK in their apps. Indeed, there seems to be some confusion as to what, specifically, some developers thought the SDK was doing.

According to WSJ, one dev claimed they were told it was “collecting data on behalf of internet service providers”. These supposed ISPs were complemented by financial service/energy companies. Others claim to have signed non-disclosure agreements.

Google did not find these antics impressive, and swiftly removed many of the apps. The SDK is able to collect clipboard data, exact location, phone numbers, emails, and nearby devices. It can also scan other locations such as WhatsApp downloads.

Mapping out a person

You have to be very careful not only with visual clues to a person’s physical location, but with digital ones too: stripping GPS data from a photograph, for example, or disabling geolocation on a social media portal. This also works its way down to other areas, such as Bluetooth beacons in towns and department stores. Even Apple AirTags are now generating significant issues for people.

Even without physical stalker threats, you still need to know what’s going on inside the phone in your pocket. As the researchers note, whoever is collecting this information could link an email and mobile to GPS location data. This is very bad news for journalists working on sensitive stories. It’s also very bad in places where forms of political activism are not appreciated. In fact, it’s bad for everybody. Consider that your “not a big deal” is someone else’s “well that’s a disaster” on their personal threat model scale.

Back into the fold

Google is allowing removed apps back on the store for a second chance, assuming the SDK element has been removed. The BBC reports that the majority of apps have already returned. There is the question of whether or not some developers were up to no good. Perhaps some were totally unaware, maybe some saw harmless looking promotions for more accurate data collection and a bump in cash. Sadly, they may not have considered what, exactly, the SDK would be doing in return.

Is my device safe from this SDK?

Google hasn’t revealed how many more apps on the Play Store included the SDK. It’s very likely that all traces are now gone.

The age old advice of “the best way to keep your Android safe is to only download apps on the Play Store” may sound contradictory. However, it’s still the case that this is entirely accurate.

You’re much better off using the store than a third party download location. Simply hoping that it isn’t a scam from top to bottom won’t save you from a rogue install. Depending on device model, you may even have to tick the “allow installs from unknown sources” option to even use third party stores in the first place.

This could very well make things even more insecure in terms of your mobile device.

Keep applying those OS updates as they come along. Pay attention to reviews of apps before you download them. Take a look at some of the requested permissions at install time. If your device is capable of installing a trusted security tool, consider installing one of those too. All of this will help keep your device safe. While there are never any guarantees, we’d be surprised if the Play Store gives the wheel back to this problematic and unwanted Android app addition. Looks like it’s back to business as usual for the Play Store – for now, at least.

The post Apps removed from Google Play for harvesting user data appeared first on Malwarebytes Labs.

How to password protect a folder

There are times when you would like a folder to be accessible by you alone. Financial information, personal documents, or work related files on your personal system sometimes need to be hidden from prying eyes. One of the ways to do this is to password protect the folder.

Windows

For the Windows section of this article we will answer a few frequently asked questions.

Can you put a password on a folder?

Well, Windows does not provide you with an option to simply password protect a folder, but it does provide you with some options that you can utilize to put a password on a folder.

In Windows you can encrypt a folder by following these instructions:

  • Right-click it.
  • Select Properties from the menu.
  • On the form that appears, click the General tab.
  • On that tab, click the Advanced button.
  • Select Encrypt content to secure data.
  • Click OK.

An important downside to this method is that your Windows username and password will be used to encrypt and password protect the folder, so people logging in on the same account as you can still see the content.

It is also important to note that when the process completes, you’ll be prompted to back up your encryption key if you’ve never used the feature before. Click the recommended option on the notification and follow the prompts to make a note of your encryption key. You’ll need this information if you ever lose access to your encrypted files, so it’s important you take the time to back it up.

How do I password protect a folder in Windows 10?

For Windows versions later than Windows 7 there is also an option to send files to a compressed folder (a zip file) which you can password protect. This Send to option is usually faster than encrypting the content. But you will have to keep in mind that the option creates a duplicate, so you will need to delete the original once you’re satisfied the compressed version is complete and accessible.

How do I hide a folder?

Hiding folders is not an ideal solution, but we want to point out that it is available in Windows. It works like this:

  • Right-click on the file or folder that you want to hide.
  • Select Properties.
  • Click the General tab.
  • Under the Attributes section, check Hidden.
  • Click Apply.

Why is it not ideal? Anyone that has access to the system can check the option to Show hidden files, folders, and drives in the folder options.

Folder options: Show hidden files

Many advanced Windows users already have this option enabled, and you may forget to change the setting after you have accessed your hidden folder.
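The two Windows methods above (EFS encryption and the Hidden attribute) can be scripted, which also makes it easy to verify what each one really achieves. This PowerShell script is an added example, not code from the post; it assumes an NTFS volume on a Windows edition that ships EFS (Home editions do not), uses the built-in cipher.exe for the encrypt and key-backup steps, and the folder path in $Folder is a placeholder.

```powershell
# Added example (not from the original post): apply "Encrypt content to secure
# data" and "Hidden" to a folder from PowerShell, then check the results.
# $Folder is a placeholder path; the script needs an NTFS volume with EFS available.
param([string]$Folder = "$env:USERPROFILE\Documents\Private")

function Protect-FolderWithEfs {
    param([string]$Path)
    # Same effect as the Properties > Advanced > Encrypt checkbox:
    # /E encrypts, /S: applies it to the directory and everything under it.
    & cipher.exe /E /S:"$Path" | Out-Null

    # Verify: every file under the folder should now carry the Encrypted attribute.
    $unencrypted = Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    return ($unencrypted.Count -eq 0)
}

function Hide-Folder {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden

    # Why hiding is not protection: -Force lists hidden items, exactly like the
    # "Show hidden files, folders, and drives" option in Explorer. Returns $true
    # when the "hidden" folder is still trivially visible.
    $parent = Split-Path -Path $item.FullName -Parent
    return [bool](Get-ChildItem -LiteralPath $parent -Force -Directory |
        Where-Object { $_.FullName -eq $item.FullName })
}

function Backup-EfsKey {
    param([string]$PfxBaseName)
    # The post advises backing up your encryption key. cipher /X exports the EFS
    # certificate and private key to <name>.pfx and prompts for a password to
    # protect the export. Keep the .pfx off the machine (removable media, a vault).
    & cipher.exe /X "$PfxBaseName"
}

if (Protect-FolderWithEfs -Path $Folder) {
    Write-Host "All files under $Folder are EFS-encrypted."
    # The caveat from the post: the key is tied to this Windows account, so anyone
    # who logs in as $env:USERNAME still reads the files in the clear.
    Write-Host "Readable by anyone logged in as: $env:USERNAME"
}

if (Hide-Folder -Path $Folder) {
    Write-Warning "Folder is hidden, but 'Get-ChildItem -Force' still lists it."
}

Backup-EfsKey -PfxBaseName "$env:USERPROFILE\efs-key-backup"
```

After running it, `cipher.exe /C "$Folder"` lists which certificate each file was encrypted with, which is a quick way to confirm that only your account's EFS certificate, and no recovery agent you did not expect, can open the contents.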

MacOS

You can password protect folder contents using macOS and Disk Utility, a built-in utility on your Mac. This method will also encrypt the content.

  • Open Disk Utility on your Mac.
  • With Disk Utility open, select File from the menu bar.
  • Then choose New Image -> Image from Folder.
  • Select the folder you want to protect with a password.
  • Choose your encryption level: 128-bit or 256-bit AES encryption.
  • Enter and verify the password for your folder. (After you type the password into both the Password and Verify text boxes, make sure to uncheck Remember password in my keychain, otherwise anyone logged into your account will still be able to access the data.)
  • Give the folder a name if desired.
  • Under Image Format, select read/write from the menu.
  • Select Save.

This creates a disk image holding the contents of the folder in encrypted storage. So, you’ll need to delete the original folder after verifying the disk image is complete and accessible.

Another important thing to remember is that this method only creates a fairly small—and fixed—amount of free space on the disk image, so if you want to make changes you’ll be dealing with a limited capacity. If you want a disk image with unlimited capacity, you’d be better off creating a blank image, and choosing sparse bundle disk image as the image format. If you create a 200 MB sparse bundle disk image, you can copy a 1 GB file onto it and it’ll resize to fit. However, it will not decrease in size if you were to delete that 1 GB file.

Third party software

It is not our place to make recommendations about software you can use to achieve the goal of password protecting folders, but there are several third party software packages for both Windows and Macs that are very good at compressing files and folders and providing the resulting compressed files with a password. If they are any good you will not need to decompress the entire folder before you can look at an individual file.

Just be careful not to download any potentially unwanted programs (PUPs) or one that is bundled with PUPs or adware.

The post How to password protect a folder appeared first on Malwarebytes Labs.