IT NEWS

Swearing off a company used to be easier. Rude customer service, an unfortunate bout of food poisoning, even standing up for workers’ rights against the alleged involvement of a private company to order a country’s military to brutally quash a strike—almost every facet of an individual boycott could be satisfied by simply refusing to purchase a company’s products.

But such a move can be far more difficult to accomplish today, especially when you’re trying to sever your relationship with an Internet conglomerate. Tired of Facebook? Be sure to jump off Instagram and WhatsApp, too, which are both owned by the social media giant. Over Amazon? Good luck trying to navigate the web without landing on at least one site hosted by Amazon Web Services.

And what about Google?

The online behemoth has become so much more than a search engine, as it owns and produces hardware like Android phones, Google Pixel phones, Nest thermostats, and FitBit devices, while also operating Google Chrome, Google Mail, Google Calendar, Google Hangouts, YouTube, and Waze.

Saying goodbye to Google, then, isn’t as easy as refusing to buy an Android phone. It means likely changing several aspects of your life, including some that will affect the people around you.

Thankfully, this daunting task has already been taken on by the cybersecurity evangelist Carey Parker, who spoke recently on the Lock and Code podcast from Malwarebytes. According to Parker, it isn’t that he wanted to remove Google because he “hates” its products—if anything, he’s a fan. Instead, he wanted to start supporting other companies that will respect him and his data privacy.

“Google knows so much about us,” Parker said, explaining that Google makes the overwhelming majority of its revenue from online advertising, which it can only do because of how much data it collects from its users. “For me, it was about limiting as best I could how much information Google knows about me, removing as much as I can for things they already know about me, and then wanting to support companies who put privacy first.”

For anyone who has wanted to take a similar plunge into a Google-less life, here are some of the tips that Parker shared with us.

Start with the individual—Search, Chrome, and Android

Getting rid of everything Google product all at once could be a disaster, as there are simply too many services and products to track. Instead, Parker began the first steps of his experiment by only removing the products that directly affected him.

“I started with the easiest things—at least I think the easiest things,” Parker said. “The ones that have maybe the least tendrils into other things. They don’t affect anybody but yourself.”

For Parker, that meant removing and finding new providers for Google Search and the web browser Google Chrome. When it comes to stepping away from Android devices, Parker found that easy—he’s been using iPhones for years.

In finding an alternative to Google Search, Parker offered two suggestions: DuckDuckGo and the search engine Startpage, both of which claim to refuse any user data tracking for revenue purposes. Instead, the companies say they serve purely contextual ads based on the searches themselves—like showing ads for Nike and Adidas for anyone looking for shoes—and they do not record or keep data on users’ specific searches. In fact, Parker said, Startpage actually works with Google to deliver search results, but the company tells users that it refuses to collect user IP addresses, device information, and browsing history.

“You don’t have to track people to make money,” Parker said, “and Startpage is proof of that.”

In looking for a different, privacy-focused browser, Parker suggested his personal choice, Mozilla’s Firefox, and also the up-and-coming browser Brave.

Bigger shifts with Gmail and GCal

Having found different solutions for searching and browsing the Internet, Parker said he then focused his attention on finding alternatives to Google services that impact those around him.

“[Google Search and Google Chrome were] the first tier, and then, the next one, which is harder—a lot harder, because it involves other people—are Google email and Google calendar, Gmail and Gcal,” Parker said, “I’ve got shared calendars with my family and I am not going to expect them to drop Google like I am trying to do, so for that reason, I’m going to be stuck there for a little while, but I can minimize it.”

After researching the many options out there, Parker found two email providers—one that fulfills much of Google’s functionality and integration with a calendar function, and another that provides end-to-end encryption on messages sent and received between users of the same program.

The first suggestion is Fastmail. Fastmail, Parker said, is a for-profit email provider that users pay to use through a monthly subscription. The email provider also has a calendar solution that works directly with its main product. Even better, Parker said, is that Fastmail respects its users’ data.

“[Fastmail] explicitly say they don’t mine your data, and they are privacy-focused even if they’re not end-to-end encrypted by default,” Parker said. “It’s a really great service and it has the full suite of email, calendar and contacts, among other things. I use it for all my business stuff and some personal stuff.”

For user who wish to prioritize security, Parker suggested ProtonMail, which, by default, provides end-to-end encryption for all emails sent between ProtonMail users. That means that even if your emails get intercepted by a third party along route, those emails cannot be read by anyone other than you and your intended recipient.

More complexity with Google Drive and Google Docs

For users who want to take even more data out of Google’s view, there are just a couple final products to remove from the daily workflow. Those are the cloud storage service Google Drive and the cloud-based word processor Google Docs.

For each product, Parker encountered headaches and obstacles, but he managed to find alternatives that both respected his privacy and provided similar feature sets and functionality.

In finding a proper cloud storage platform, Parker recognized that some of the major players, such as Box and Dropbox, did not provide meaningful encryption for users’ data that would prevent the companies from scanning and gleaning information from user files.

Parker offered several suggestions depending on what users want most. If a user wants to securely send a private file to someone else, he recommended the online services Swiss Transfer and Mega, which can give users the option to set certain parameters on how they share a file, including how long a shareable link is active and whether the file requires a password to access.

For pure storage options, Parker recommended the service Sync.com because of its client-side encryption. Many of the cloud storage providers today, Parker explained, will promise to keep your data secure, but they will also hold the decryption keys to anything that you store on their servers.

“Machines will review the files that you have stored on these drives, either for advertising purposes or, a lot of times it’s for copyright violations,” Parker said. “They’ll look and see—are you trading movies or music with other people? And they’ll flag that and give you grief.”

But after extensive research, Parker found that Sync.com actually provided users with a type of encryption that the company cannot work around.

“[Sync.com is] end-to-end encrypted,” Parker said, “meaning that, even if behind the scenes, Sync.com uses Amazon Web Services, Amazon can’t see what my files are.”

As to finding an alternative to Google Docs, Parker said he struggled a great deal, simply because Google Docs works so well. After first trying to adopt a solution that Parker said is “secure, it’s private, it’s end-to-end encrypted—as far as checking boxes, it checks them,” Parker grew disappointed with the solution’s interface and its sluggish response time. Then, a second option called OnlyOffice was, as Parker put it, “not for the faint of heart” because of a high technical bar which could require renting out cloud servers.

The best, most accessible alternative, then, Parker said, is Skiff, which has an easy-to-use interface, but which only has a replacement for Google Docs, and not for the other, related tools, like Google Spreadsheets or Google Slides. Skiff’s tool can be found at Skiff.org.

Step by step

Taking Google out of your life can be a long and complex process, but it doesn’t have to be hard at the very beginning. And remember, if you ever start to doubt what you’re doing, think about what made you want to start the process. If you’re anything like Parker, you’re motivated to keep your data private and out of the hands of a company that is making money off of you and your browsing habits.

“At the end of the day, we are in an age of surveillance capitalism,” Parker said, “and Google is a publicly traded company with a fiduciary responsibility to maximize profits for their shareholders. Absent privacy regulations in the United States, the financial incentives are just too great to ignore. That’s money off the table.”

Parker emphasized that until Google creates—and there’s no evidence this will happen—a version of its products that users can pay for with their own funds rather than with their own privacy, that users should assume that “at any moment, any Google product unfortunately can and probably will, somehow, monetize your data.”

As the saying goes, Parker said, “if the product is free, then you are probably the product.”

You can listen to our full conversation with Parker on the Lock and Code podcast below.

The post How to remove Google from your life appeared first on Malwarebytes Labs.

Earlier this year, many members of the public were introduced to the facets of a long-ignored crime in cyberspace: The romance scam. A flashy documentary called The Tinder Swindler had premiered on Netflix, and in it, filmmakers documented the efforts of one man to manipulate several women into giving him tens of thousands of dollars after sometimes convincing them that he was their one true love.

Immediately after the documentary premiered, viewers judged the victims. Some viewers blamed the women in the documentary for falling for what looked, externally, like an obvious scam. Others asked how the women could be swept off their feet with so many red flags present? Others blamed the victims for not doing better research into the man, who had worked tirelessly to build fraudulent websites that claimed he was the son of a billionaire diamond miner.

But according to Cindy Liebes, Chief Cybersecurity Evangelist for Cybercrime Support Network, this public perception misses a lot, particularly in how skilled these scammers can be in their work.

This week on the Lock and Code podcast with host David Ruiz, we speak with Liebes about the facts behind romance scams: How prevalent they are, the types of damage they cause beyond financial ruin, and how you can spot a romance scam as it is happening.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)

The post Recovering from romance scams with Cindy Liebes: Lock and Code S03E10 appeared first on Malwarebytes Labs.

The Australian Cyber Security Centre (ACSC) has announced it is aware of the existence of Proof of Concept (PoC) code exploiting a F5 Security Advisory Addressing Multiple Vulnerabilities in its BIG-IP Product Range.

The vulnerability listed as CVE-2022-1388 allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.

F5 BIG-IP

The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 stated that the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as CVE-2022-1388 and received a CVSS score of 9.8 out of 10.

F5 added that there is no data plane exposure; this is a control plane issue only. So, not much of a problem if the management plane is not exposed to the public Internet, you would think. But since F5 BIG-IP devices are commonly used in enterprises, this vulnerability is a significant risk as it would allow threat actors to exploit the bug to gain initial access to networks and then spread laterally to other devices. And experts estimate based on online searches there are some 2,500 devices exposed to the Internet.

Exploits

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG IP.

Exploits are often found by reverse engineering the changes made by the patch, which is one of the reasons why patches should be applied as soon as possible. Besides assumed reputation damage, this is a reason why vendors and open source maintainers are often hesitant to request a CVE.

The researchers that created the exploits warned that all admins should immediately update their devices as soon as possible due to the trivial nature of the exploit. Now the ACSC has warned about the existence of a proof of concept, and attempts by malicious actors to exploit this vulnerability on Australian networks.

Mitigation

A list of vulnerable products and versions can be found in the F5 KB article. Experts recommend to take Internet-facing devices offline and check if they are safe first, before applying the patches. If an attacker has already planted a backdoor, they can still control the product even after patching.

Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to iControl REST to only trusted networks or devices, thereby limiting the attack surface.

• Block iControl REST access through the self IP address
• Block iControl REST access through the management interface
• Modify the BIG-IP httpd configuration

For future use, this F5 BIG-IP Security Cheatsheet is a great resource to make sure your product is configured securely, and that attackers will not have access to the management interface from the Internet.

Please note that BIG-IP 11 and 12 are vulnerable as well but these are too old to be patched.

Stay safe, everyone!

The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

Microsoft, Google, and Apple

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

FIDO2

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

Will it work?

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

[I am concerned about] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

If you’ve dealt with a scammer, you’ll know that making up stories is their bread and butter. Think about it: Just when you thought you’d heard all the infamous 419 scam backstories, scammers surprise you with a “stuck astronaut” scam, something so utterly hilarious, nonsensical, and otherworldly that you’ve just got to tell your friends and families about it.

While the 419 cosmonaut backstory (surprisingly!) has layers of truth to it, your typical Instagram scam story doesn’t have an iota of fact it can stand on. But because the stories that hook someone were designed to trigger an instant emotional response and a sense of urgency, Instagram scammers are more effective at getting the job done speedily.

Mind you, scammers are not after every Instagram user. They just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door.

Instagram scammer backstories vary, but the scams themselves follows one pattern: They ask you for help, tell you their backstory, and put their fate in your hands.

Here are some of the stories that scammers are known to use:

• “I’m launching my own product line“.
• “I’m in a competition and need you to vote for me“.
• “I’m trying to get verified on Instagram and need people to confirm my fanbase with a link“.
• “I need a help link to get into Instagram on my other phone“. (This is a very common tactic.)
• “I’m contesting for an ambassadorship spot at an online influencers program“. This one is surprisingly popular, with fake ambassadors everywhere.

Regardless of the script they’re following, scammers will say you’ll receive a link on your phone via SMS. They will then ask you not to click the link but merely take a screenshot and send the image back to them.

The link is a legitimate Instagram “forgotten password” URL for your account, and scammers want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out.

It’s impossible to say what fraudsters will say next just to get you to screenshot a forgotten password link. Regardless, any requests for link screenshots should be treated with extreme suspicion. Whether product lines or ambassador programs, you can safely ignore these messages and report the sender.

Stay safe out there!

The post How Instagram scammers talk users out of their accounts appeared first on Malwarebytes Labs.

A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this “glitch” or generator without ever clarifying what, exactly, either of them are, or do.

The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” (Jailbreaking is the practice of breaking out of the iPhone’s default, highly-restricted mode, and getting “root” is the rough equivalent on an Android device.) That’s what they claim, anyway. There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.

No matter which app you select though, the outcome is the same.

A page informs you of the last time the app was updated, your IP address, whether the app is compatible with your device, and “no injection detected”.

They go on to say the following:

App injection required!

Follow the steps on the next page. To get started, we first need to inject the content into this app. This is a simple process and you will only have to do this once to get access.

Despite claiming that this process will “only work” on mobile, they’re being somewhat liberal with the truth. You absolutely can start the so-called injection process on a desktop, because there is no injection process, it’s all fake.

Here’s a supposed “Premium Unlocker” for OnlyFans.

When you start the “injection process” a message saying “Injecting: connecting with your phone” pops up, whether you’re using a phone or not.

It’s all a fraud. We’re redirected to a domain aimed at promoting ad offers / surveys / deals to mobile users. We are, rather nostalgically, in the land of the survey scams. At one point these seemed to be the only form of fakeout in town, made massively popular by gating non-existent unicorn deals behind walls of clickthrough ads.

A stack of empty promises

If you were promised a game, you’d get a demo version. Money off vouchers? You’d likely have to spend more signing up to deals to receive one in the first place. In other words, it was a massive scam factory for people up to no good. Note the desperation on the prompt urging to you to keep opening up new offers before receiving your non-existent reward:

All you’re likely to get from this is:

• Surveys or popups
• Malicious mobile downloads
• Signup offers that require personal information or payment.

You could easily go into this thing expecting free premium content for your service of choice, and exit with spyware or monthly payments for subscription services you don’t actually need. As a rule, free versions of paid-for apps offered on random websites simply do not exist. Sites which claim to offer hacks or generators for titles like Roblox, FIFA, or GTAV, are simply making it up. They will almost certainly be a survey scam or something else you don’t want to get involved in.

If you’re really in need of premium versions of services you use, you’re better off paying for them. At the very least, it has to be better than spinning the wheel on sites like the above and hoping you don’t get burned.

The post Steer clear of fake premium mobile app unlockers appeared first on Malwarebytes Labs.

I don’t know about you, but I open Instagram to look at cool photos of pets, not to make a fortune via suspicious claims of riches by strangers.

Despite this, following someone whose photos I liked resulted in a very peculiar message.

It’s possible I waved goodbye to a path to untold riches. Maybe if I’d stayed the course I’d now have my own “Become a millionaire in six months or less” e-book.

However, it’s more likely I dodged a Bitcoin scam. The kind of scam where I’d have to use screenshots of my bank account slowly being drained of all available funds for my next blog post.

Shall we take a look?

Introducing my good friend, Steven McBitcoin

This is the message that greeted me from my newest Instagram contact, who for ease of reference I’ve dubbed Steven McBitcoin:

Steven: Hello 

Good day

Are you interested in bitcoin mining?

I mean, oh boy am I ever. Possibly not quite in the way they were expecting, though. I decided to go with the “I don’t know anything, tell me more approach” with the vaguely non-committal:

Me: Hello possibly, how come?

Steven: I’m willing to teach you about bitcoin, coach you on how to invest and earn your profits as soon as possible. With a minimum investment of $1,000 I guarantee you of making $10,000 directly into your bank account, bitcoin wallet or any withdrawal method of your choice.

Understood?

Well now, that’s quite the promise. $10,000 dollars from $1,000 guaranteed? What could possibly go wrong…apart from everything?

How do I make this kind of money?

The messages continue to rumble on. Now we’re getting into the nuts and bolts of how this stack of digital currency shall be mine.

Me: Where would I invest and how?

Steven: Do you have cashapp, coinbase, crypto.com or Trust wallet?

It appears I’ve reached the “pretend you have one of the options mentioned and see what he says next” stage of the proceedings.

Me: Cashapp

Steven: OK good

Now go to your cashapp main page and send me the screenshot so I can give you direct guidelines on how to get paid.

You got it?

Generally speaking, sending people screenshots of the inside of your payment or bank portals is not a great idea—you can give away a lot about yourself.

This is also often used as a distraction by people who simultaneously ask for other details, such as logins. Consider it a distant cousin of the “please turn off your anti-virus while installing the dolphin.exe file you got from Limewire” technique.

The pinky-swear of digital currency

I wanted to know a little more about the guaranteed return of $10,000. That’s quite the generous deal. Some people would say it’s almost too good to be true.

I am absolutely one of those people.

Me: i have a question. How do you guarantee that i make $10,000 from $1,000? is there a time limit on when i should hit the 10k? what happens if i don't or I end up with less? is the guarantee in writing or anything?

Let’s see what cast-iron agreement he has in store. I simply cannot wait to find out how good this is. Getting it in writing? Of course I’ll be getting it in writing.

Steven: You profit is safe and guaranteed that I can very well assure you and you'll also get your money in less than 2 hours

You won't end up less than but instead even an higher profit from your trade.

I need you to believe me when I say that you have absolutely nothing to worryabout, just follow my lead and you'll be the one to thank me later OK.

Send me the screenshot let's proceed with your trade now.

Turns out the guarantee is “dude, trust me”. At this point, in the best documentary tradition, I made my excuses and left (by which I mean I blocked and reported him).

Notice how insistently pushy he becomes towards the end of the conversation. I imagine he’s already moved on to beguiling the next victim with tales of gigantic Bitcoin victory. Hopefully they block and report Mr McBitcoin too.

Common Instagram Bitcoin scams

Sadly, people promising get rich quick Bitcoin schemes on Instagram are a growing market of garbage and dross. There is currently no end of people on Facebook bemoaning the loss of their account to any one of the scams listed below:

1. Big wins, short timespan: Claims that you’ll make big returns on smaller investments rapidly are a red flag, as is pressure to transfer funds as quickly as possible. If someone you know suddenly starts talking about all the money they’re making thanks to their “Bitcoin mentor”—run away. It’s another very common scam related to compromised accounts.
2. Send me the money: On a similar note, asking you to go off and buy digital currency then send it to another person’s wallet to “invest” are likely going to get you nothing but an empty wallet.
3. Held hostage to cryptocurrency: Many videos regarding wild claims of Bitcoin success are actually incredibly creepy hostage videos. This is where people previously scammed out of their cash are made to film promos to keep the scam going.
4. A change in circumstances: If you’re asked to change your login details / email address to something somebody else has given you, you’ll simply be locked out of your account and it’ll be used to spam others.
5. When profit becomes taxing: Here’s one which started with a $1,000 deposit—just like the messages I received—and actually did finish up with a supposed profit of $15,000. Unfortunately for the victim, the scammer then asked for a $15,000 “tax payment” in order to release the now stolen funds. The thousand dollars are not coming back.

If you receive a get rich quick missive, you may wish to report it and block the sender. You can do this on Instagram by selecting the “…” next to the Follow button, then choosing Report > report account > posting content that shouldn’t be on Instagram > scam or fraud.

At the risk of resurrecting the “if it’s too good to be true…” dead horse, it has a fair bit of merit here. If someone had the secret to huge amounts of wealth, they wouldn’t be sharing it with random people on Instagram. Sadly, the only people making bank from this kind of deal or offer are the scammers pulling the strings in the first place.

The post Steer clear of these Instagram “Get rich with Bitcoin” scams appeared first on Malwarebytes Labs.

OpenSea, the primary marketplace for buyers and sellers of non-fungible tokens (NFTs), has reported major problems with its Discord support channel. How major? Well, there’s a “potential vulnerability” which allowed spambots to post phishing links to other users. A problem that lead OpenSea Support to declare “please do not click any links in the Discord.”

There’s no further information on how this occurred, but situations like this can happen if a channel’s administrator gets phished. If Discord had suffered a software vulnerability we would expect to see other channels being compromised too.

The spam messages originate from something called “Carl-Bot”. Discord channels typically make use of bots for low-level admin duties, general assistance and so on. Carl-Bot itself is a common sight across Discord, with lots of time saving features. Sadly, spamming phish links is not supposed to be one of them.

Carl-bot! No!

If Carl-Bot was present in the channel prior to the compromise, its purpose has been changed and not for the better. Here’s some of the spam Carl-bot was pushing out:

The spam message reads as follows:

Important announcement

We have partnered with YouTube to bring their community into the NFT space, and we’re releasing a mint pass with them that will allow holders to mint their project for free along with getting other insane utilities for being a holder of it.

The bot then mentions the limited supply of free items it is definitely, absolutely giving away to “fortunate” individuals:

You are able to get this mint pass below for 100% free. There will only be 100 of these however, once they are gone they won’t be coming back.

You can mint the YouTube Genesis Mint Pass here for free [url removed]

Fear of missing out (FOMO) is a huge driver in the NFT space, with the emphasis on scarcity of supply and rare, non-replicable items. In addition to that, YouTube has previously announced intentions to move into the NFT space. Seeing messaging like the above in the official OpenSea support Discord is bound to trick a lot of enthusiasts.

The scam site recedes into the distance

Here’s the site as it looked a few short hours ago:

The site right now is a blank page save for mention of a Twitter account, which has no content or likes posted to it. It could be the calling card of whoever did this, or it could be misdirection on the part of the site owner. Either way, Malwarebytes blocks the URL in question.

Protecting Discord

This is a developing story and information is thin on the ground. Having said that, there are still some things to keep in mind:

1. You can often avoid scams like these with a little common sense. Even a trusted Discord channel can turn rogue if someone compromises the right account. But would a rare, NFT-themed giveaway only be referenced in this one channel and nowhere else? It seems unlikely.
2. Use 2FA and a password manager. We don’t know what the phishing page was trying to obtain, but it will be something valuable, which probably means cryptocurrency or Discord logins. You can make it harder to steal your Discord login by using a password manager and two-factor authentication (2FA). While 2FA tokens can be phished, it sets a higher bar for scammers to clear, and a password manager will not enter your password into a phishing site.

Protecting your cryptocurrency

Protecting your cryptocurrency is all about keeping your private cryptographic keys and recovery phrases private. If you control them, you decide what happens to your money and what transactions to make. If somebody else controls them, they get to decide. Sites or random Discord accounts asking for recovery phrases should be avoided, as you risk losing all your funds for good.

The safest way to keep your keys safe is to store them offline, in a “cold wallet” that isn’t connected to the Internet. Even if you do that, your coins aren’t safe if you willingly send them to somebody though. Don’t send funds to Bitcoin addresses promising to double your payment, no matter which celebrity appears to be endorsing it.

The post OpenSea warns of Discord channel compromise appeared first on Malwarebytes Labs.

After the FBS arrested 14 of its members in January, and a subsequent lull in action, the REvil ransomware gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.

“And they are recruiting,” added Malwarebytes Threat Intelligence Analyst Marcelo Rivero.

REvil ransomware: a brief look back

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was the new RaaS (ransomware as a service) of the criminal underground, filling the hole GandCrab left behind.

Like any “big-game hunting” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correct.

2021 was the ransomware gang’s last year of activity. REvil attacked JBS, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil to the tune of $11M (£7.8M).

In July, REvil attacked Kaseya, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators.

Is REvil really back?

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek) discovered one recently.

Multiple security researchers who looked into the sample said they noticed a few changes to the code based on old REvil ransomware code. The most notable changes in the encryptor are the version, the new accs configuration option, and the campaign and affiliate identifiers.

In an interview with BleepingComputer, Advanced Intel CEO Vitali Kremez said he believes this option “is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.”

When asked about his thoughts, Rivero said, “I think this REvil sample is just a test file because it doesn’t encrypt.”

On top of this, the sample also adds a random extension name to affected files and creates a ransom note—both as text and HTML files—identical to old REvil’s. The web version of the ransom note links users back to new paid Tor sites and the new data leak blog.

Malwarebytes detects this new REvil sample as Sodinokibi.Ransom.Encrypt.DDS.

What should previous victims do now?

When REvil’s servers disappeared on an early Tuesday morning in July 2021, current victims of the ransomware gang were left stumped, not knowing what to do next. They were stuck in mid-negotiations, fearing they might never hear from the gang again, leaving their essential files encrypted forever.

With REvil back and the new operators apparently inheriting former victims of the old ransomware gang, what does this mean for victims?

It’s almost a year since REvil’s infrastructure went dark, and victim companies may have already moved on or sought help from law enforcement. Either way, REvil might one day come knocking at their digital doors to pick up where it left off.

The post It’s business as usual for REvil ransomware appeared first on Malwarebytes Labs.

Google has made updates available for Android 10, 11, 12 and 12L. The May Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. Pixel phones are Google’s “pure Android” phones.

In total, these two bulletins mention three vulnerabilities rated as critical. Two of those vulnerabilities only concern Pixel users.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below we will discuss the CVEs that were rated as critical.

Bootloader

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader. On Android, the bootloader is a piece of software that loads the OS every time you boot your phone. By default, it will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has (not yet) been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.

Titan-M

CVE-2022-20117: An information disclosure (ID) vulnerability in Titan M. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. Again, details about the issue have (not yet) been disclosed. But being able to steal information from the part that is supposed to secure the most sensitive data doesn’t bode too well.

Qualcomm

Qualcomm’s chipsets are the most common ones in the Android smartphone space. The severity assessment of their issues is provided directly by Qualcomm.

CVE-2021-35090: CVSS 9.3 out of 10. Listed by Qualcomm as a Time-of-check Time-of-use (TOC TOU)  Race Condition in Kernel. And specified as a possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings. In general a TOC TOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

Mitigation

None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed, but does not tell us which of the four candidates that is.

For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins. To learn how to check a device’s security patch level, see Check and update your Android version. We encourage all users to update to the latest version of Android where possible.

The Pixel 3a and Pixel 3a XL series will receive security updates for the last time this month. Then they reach the End-of-Life (EOL) stage when it comes to support. For the Pixel 4 and Pixel 4 XL, this will be the case in October 2022.

Stay safe, everyone!

The post Google fixes two critical Pixel vulnerabilities: Get your updates when you can! appeared first on Malwarebytes Labs.