IT NEWS

Credential-stealing malware disguises itself as Telegram, targets social media users

A credential-stealing Windows-based malware, Spyware.FFDroider, is after social media credentials and cookies, according to researchers at ThreatLabz.

The version analyzed by the researchers was packed with ASPack. The spyware is offered on download sites pretending to be installers for freeware and cracked versions of paid software. The analyzed version of Spyware.FFDroider disguises itself on victims’ machines to look like the instant messaging application “Telegram”. Several campaigns were found to push out this spyware, but all of them were easily connected by the same malicious program embedded in the cracked installers and freeware.

Browsers

After checking the IP of the affected machine by querying the legitimate service at iplogger.org, Spyware.FFDroider starts its cookie- and credential-stealing routine. It uses specific methods for each browser to exfiltrate the data stored in the target browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Microsoft Edge

The target websites it looks for are:

  • www.facebook.com
  • www.instagram.com
  • www.amazon.ca/cn/eg/fr/de/in/it/co.jp/nl/pl/sa/sg/es/se/ae/co.uk/com/com.au/com.br/mx/tr
  • www.all-access.wax.io
  • www.ebay.com
  • www.etsy.com
  • www.twitter.com

The malware also attempts to steal saved VPN/dial-up credentials from the Appdata\Microsoft\Network\Connections\Pbk\rasphone.pbk and Pbk\rasphone.pbk phonebooks, if present.

Social media

For Facebook and Instagram, the stealer has another trick up its sleeve. If the malware manages to grab cookies for facebook.com or instagram.com from any of the target browsers, the cookies are replayed on the social media platforms.

First, the malware checks whether it is able to authenticate using the stolen cookies. If the cookies are valid and provide proper authentication, it sends a GET /settings request using the Access Token to facebook.com along with the authenticated cookies so it can fetch the User Account settings of the compromised account.

Next, it checks whether the compromised account is a business account and has access to Facebook Ads Manager and fetches the following details using the stolen cookies by parsing the responses:

  • Fetch Account Billing and Payment Information from the Facebook Ads Manager.
  • Fetch the users’ Facebook pages and bookmarks.
  • Enumerate the number of Facebook friends and other user related information.

Since all the stolen information is sent to a command and control (C&C) server, it is likely that this information will be leveraged later to run malicious advertisements from the victims’ account and use the compromised account’s payment method to spread the malware further.

In a very similar way, Spyware.FFDroider looks for valid session cookies for Instagram, exfiltrates personal information such as the email address, the Instagram userID, the saved password, and the phone number from the Instagram account edit webpage, and sends it to the C&C server.

Other functionality

Spyware.FFDroider creates an inbound whitelisting rule in the Windows Firewall to allow itself to communicate, which requires administrative privileges. This will enable normally disallowed connections to the affected system.

After stealing and sending the stolen details from the target browsers and websites to the C&C server, Spyware.FFDroider tries to upgrade itself by downloading other modules from an update server.

If the executable has been renamed to test.exe at the time of execution, the malware enters its debug state and pops up messages on every loop. It then prints out the stolen cookies and the results it has prepared to send to the C&C, holding the information collected from each targeted browser for the target websites. The debug state is very likely what the malware authors used to check the malware’s functionality during development.

IOCs

Files and folders:

The malware creates a directory in %UserProfile%\Documents named VlcpVideov1.01

In this folder it drops the file:

Install.exe

The malware is hosted online as:

vinmall880.exe

vinmall1.exe

lilay.exe

SHA256 hashes:

3596982adf10806e7128f8f64621ec7546f4c56e445010523a1a5a584254f786

7eb7bd960e43164184e41cdacf847394a5aa8b7bce357d65683bc641eef3381b

94031fe0fbda71abdfa4f51c370d0da17deae7578549a81335dfbb446f75c474

d7e81d5c26a9ff81d44ff842694b1a8732211e21ac32a471641c4277c1927ca5

All detected by Malwarebytes as Spyware.FFDroider

Malwarebytes blocks Spyware.FFDroider

Subdomain:

download.studymathlive.com

Malwarebytes blocks the subdomain download.studymathlive.com

IPs:

C2: http://152.32.228.19/seemorebty

Update server: http://186.2.171.17/seemorebtu/poe.php?e=<filename>

Malwarebytes blocks the IP 186.1.171.17

Registry key:

HKCU\Software\ffdroider\FFDroider

Stay safe, everyone!

The post Credential-stealing malware disguises itself as Telegram, targets social media users appeared first on Malwarebytes Labs.

Old Play Store apps served notice by upcoming API level changes

Starting very soon, old and outdated apps on the Google Play Store will no longer be available to download. A major clearout is coming, and if you’re an app developer it may be time to overhaul your product or face Android-centric oblivion.

What’s happening?

Android makes use of APIs (application program interfaces) as a way of helping to figure out what runs where, as well as how apps work alongside security measures and other features.

What we have is a sliding scale for apps becoming increasingly outdated and unsupported. Lag behind too much, and you may have a problem.

In other words: do you own an old Android phone? You may find that newer versions of apps simply refuse to install. The older devices are essentially trying to play catch-up, with applications increasingly outrunning them. This is perfectly normal, as newer apps rely on more modern features and functionality that old Android OS versions simply cannot handle.

By the same token, old outdated apps are increasingly discouraged from running on newer devices. Android is tightening restrictions on old apps in order to keep users secure, via their target API level policy.

Current and future API restrictions

Android’s target API level is the previously mentioned sliding scale for applications. Google doesn’t want you running a bunch of very old and potentially insecure apps on your device. 

Current requirements expect new apps and updates to target an Android API level “within one year of the latest major Android OS version release”. As a result, any app which falls behind this level requirement can’t be published on Google Play. This is all about to change.

From November 1, as per the Android blog:

“Existing apps that don’t target an API level within two years of the latest major Android release version will not be available for discovery or installation for new users with devices running Android OS versions higher than apps’ target API level. As new Android OS versions launch in the future, the requirement window will adjust accordingly.”

Up to this point, the requirement to target an API level within one year of the most recent OS has applied to new apps only. The changes coming in November broaden this out quite a bit. From that point on, all apps will be required to keep up with a target API level within two years of the most recent OS. New? Old? Already in the store? It no longer matters. You’ll have to play by the rules if you want to remain visible and updated.

According to Ars Technica, old apps already on the Google Play Store not targeting Android 11 and up will be hidden from store listings. Apps not targeting Android 12 and up will still be visible, but they won’t be able to update anymore.

All my apps gone?

Not exactly. It isn’t the case that all of these old apps will just vanish completely into the ether. Going back to the Android blog:

“Current users of older apps who have previously installed the app from Google Play will continue to be able to discover, re-install, and use the app on any device running any Android OS version that the app supports.”

Depending on your current mobile situation, you should in theory be able to reinstall apps you simply can’t do without. Your old apps will still work with your old phone. At some point though, you may simply have to move on to app pastures new as the future ultimately looks bleak for the abandoned and the no-longer-updated.

Playing the long game

Despite these fairly major changes in Android land, developers now have quite a bit of time to figure out what to do with their apps. We can safely assume anything not updated by the time two years rolls around is probably fine to be hidden from view.

This feels like a fairly flexible setup for devs to get their app affairs in order, especially given they can ask for a six-month extension should they need more time for migration. The timer is most definitely ticking, but this is ultimately what’s best for keeping Android owners’ security and privacy at the forefront of Play Store activities.

The post Old Play Store apps served notice by upcoming API level changes appeared first on Malwarebytes Labs.

Denonia cryptominer is first malware to target AWS Lambda

Security researchers at Cado Security, a cybersecurity forensics company, recently discovered the first publicly-known malware targeting Lambda, the serverless computing platform of Amazon Web Services (AWS).

Lambda has been around for less than ten years, and serverless technology is considered relatively young, according to Matt Muir, one of Cado’s researchers. Because of this, security measures for such a technology are often overlooked.

This lack of oversight has now borne fruit.

The malware in question, dubbed “Denonia,” is a cryptominer, which is software that allows the mining of cryptocurrency on computers and servers. The malware’s name is inspired by the domain the threat actors behind the cryptominer communicate with.

A cryptominer may not be among the ranks of ransomware, worms, and general Trojans. Still, the possibility of them taking advantage of Lambda is already here; a Pandora’s Box that can no longer be sealed.

Denonia, realized

Denonia is a Go-based wrapper that contains a modified version of the popular, open-source cryptomining software XMRig.

Though not inherently malicious, XMRig came into prominence after an increase in cryptojacking was recorded in mid-2017, most of which was attributed to XMRig activity maliciously mining Monero. Since then, it has gained the reputation of being the miner of choice of cryptojackers.

Upload dates of Denonia samples on VirusTotal—one was in February, and an earlier sample in January—suggest attacks may have already been going on for months.

Denonia uses a unique evasion technique around address resolution to hide its command and control (C2) domain and traffic, making it difficult to detect using typical measures while making communication with other servers easier. The actors behind Denonia have yet to be identified, as they left behind few forensic clues.

Because of this, Cado researchers think the actors behind such attacks possess advanced cloud-specific knowledge to take on a complex infrastructure. Thankfully, this cryptominer has limited distribution.

It’s unknown how actors deploy Denonia, but the researchers suspect that they likely used stolen or leaked AWS access and secret keys, which has happened before. AWS confirmed that actors didn’t breach Lambda via a vulnerability, saying in a follow-up statement to VentureBeat: “the software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” the statement continues. It also stresses that Denonia shouldn’t be considered malware “because it lacks the ability to gain unauthorized access to any system by itself.”

“What’s more, the researchers even admit that this software does not access Lambda — and that when run outside of Lambda in a standard Linux server environment, the software performed similarly.”

The researchers explained in their post how this is possible: “We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

Can organizations protect against Denonia and other Lambda-focused attacks?

Lambda is becoming popular because it’s cheap to run and easier to maintain. Organizations only have to pay for its runtime, not a full server to run their applications. This is a huge money-saver, allowing organizations to allocate the money saved to other matters that may need more financial support.

When it comes to security, however, serverless environments have some catching up to do.

A good starting point for organizations is to secure root credentials and access keys. This is in accordance with AWS’s shared responsibility model, wherein AWS is responsible for taking care of and securing Lambda, but organizations are responsible for securing their own content and functions (programs or scripts) that run on Lambda.

  • Refrain from using root access to perform daily tasks. Instead, use it only to (1) create an AWS IAM (Identity and Access Management) admin user account or (2) carry out access and account management tasks.
  • Lock away your root access credentials.
  • Use a strong AWS root account password. (We have a podcast about that!)
  • Enable multi-factor authentication (MFA) on your AWS root account.
  • If you have an access key for your AWS root account, delete it. If you must keep it, change the access key regularly.
  • Never share your AWS root credentials or access key with anyone.
  • Encrypt your data. AWS has an encryption solution you can use.
  • Use TLS 1.2 or later to communicate with your AWS resources.

Amazon has more in-depth IAM, access key, and data protection best practices for further reading and consideration.
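As an added defender-side example (not Malwarebytes’ or AWS’s code), here is a Python check for three items on that list: root MFA enabled, no root access key, and regular access key rotation. It runs on constructed response dicts shaped like boto3’s IAM get_account_summary and list_access_keys results; the 90-day rotation threshold and the user and key names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Rotation threshold is an assumption for this example; set your own policy.
MAX_KEY_AGE_DAYS = 90


def assess_root_account(summary_map):
    """Check root-account hygiene from the SummaryMap of IAM GetAccountSummary.

    Returns a list of findings; an empty list means root MFA is enabled and
    no root access key exists.
    """
    findings = []
    # AccountMFAEnabled is 1 when the root user has an MFA device attached.
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("root MFA not enabled")
    # AccountAccessKeysPresent is 1 when the root user still has an access key.
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access key present")
    return findings


def assess_access_keys(user_name, access_key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Flag active keys older than max_age_days in an IAM ListAccessKeys result.

    access_key_metadata is the AccessKeyMetadata list for one user; each entry
    carries AccessKeyId, Status ("Active"/"Inactive") and a tz-aware CreateDate.
    Inactive keys are skipped: they should be deleted, but cannot be used.
    """
    findings = []
    for key in access_key_metadata:
        age_days = (now - key["CreateDate"]).days
        if key["Status"] == "Active" and age_days > max_age_days:
            findings.append(
                f"{user_name}: active key {key['AccessKeyId']} is {age_days} days old"
            )
    return findings


# Constructed sample data shaped like the boto3 responses; not from a real account.
SAMPLE_NOW = datetime(2022, 4, 11, tzinfo=timezone.utc)
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 2}
SAMPLE_KEYS = {
    "deploy-bot": [
        {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
         "CreateDate": datetime(2021, 12, 1, tzinfo=timezone.utc)},   # stale and active
        {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Inactive",
         "CreateDate": datetime(2021, 6, 1, tzinfo=timezone.utc)},    # stale but disabled
    ],
    "alice": [
        {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
         "CreateDate": datetime(2022, 3, 20, tzinfo=timezone.utc)},   # recently rotated
    ],
}


def run_example(summary_map=SAMPLE_SUMMARY, keys_by_user=SAMPLE_KEYS, now=SAMPLE_NOW):
    """Run both checks over the sample data and return every finding."""
    findings = assess_root_account(summary_map)
    for user_name, metadata in keys_by_user.items():
        findings.extend(assess_access_keys(user_name, metadata, now))
    return findings


if __name__ == "__main__":
    # Against a live account you would feed the same functions from
    #   boto3.client("iam").get_account_summary()["SummaryMap"]
    #   boto3.client("iam").list_access_keys(UserName=...)["AccessKeyMetadata"]
    for finding in run_example():
        print(finding)
```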

Stay safe!

The post Denonia cryptominer is first malware to target AWS Lambda appeared first on Malwarebytes Labs.

Ransomware: March 2022 review

The Malwarebytes Threat Intelligence team continuously monitors the threat landscape to stay on top of existing and emerging attacks. In this March 2022 ransomware review, we go over some of the most successful ransomware incidents based on both open source and dark web intelligence.

The March data was consistent with the first two months of the year, and the most active ransomware gangs during this month continued to be LockBit, followed by Conti, with an increase in BlackCat (ALPHV), a suspected rebrand of the DarkSide & BlackMatter ransomware groups.

Ransomware Attacks by Gang

[chart not reproduced]

Ransomware Attacks by Country

[chart not reproduced]

Ransomware Attacks by Industry

[chart not reproduced]

Ransomware Mitigations

Source: IC3.gov

  • Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
  • Implement network segmentation, such that all machines on your network are not accessible from every other machine.
  • Install and regularly update antivirus software on all hosts, and enable real-time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.
  • Ensure routine auditing is conducted for all accounts.
  • Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

How Malwarebytes protects against ransomware

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.


Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The Rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

The post Ransomware: March 2022 review appeared first on Malwarebytes Labs.

Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09

There’s a mistake commonly made in the United States that a law that was passed to help people move their healthcare information to a new doctor or provider was actually passed to originally implement universal, wide-ranging privacy controls on that same type of information. This is the mixup with HIPAA—the Health Insurance Portability and Accountability Act—and while the mixup can be harmless most of the time, it can also show up in misunderstandings of other privacy concepts around the world.

Importantly, the mixup colors how we approach data protection, as a requirement and a set of rules, and privacy, as a right granted to certain sectors of our lives. In the European Union, this split is spelled out more clearly in their laws, but in the US, this split is still muddled—there are data protection laws in the United States that aim to achieve data privacy, and there is an entire realm of privacy law that was developed before our current understanding of data.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Gabriela Zanfir-Fortuna, the vice president for global privacy at Future of Privacy Forum, to finally clear up the air on these related but not interchangeable topics. As Zanfir-Fortuna explained in our conversation, data protection can achieve privacy, but it isn’t the only goal that data protection should care about.

“The challenge with data protection, though, is that it needs to balance all of the rights, and sometimes they’re competing rights. That’s challenging indeed. But it’s important to note that the ultimate purpose of data protection is not to achieve privacy at all costs.”

Gabriela Zanfir-Fortuna, vice president for global privacy at Future of Privacy Forum

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs. 


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why data protection and privacy are not the same, and why that matters: Lock and Code S03E09 appeared first on Malwarebytes Labs.

Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed

The US Department of Justice (DOJ) and Microsoft have taken the sting out of two operations believed to be controlled by the Russian Federation’s Main Intelligence Directorate (GRU).

On Wednesday, the DOJ announced that it had disrupted GRU’s control over thousands of internet-connected firewall devices compromised by the Russian Sandworm group.

One day later, Microsoft disclosed information about the steps it took to disrupt cyberattacks it had seen targeting Ukraine. These attacks came from Strontium, another GRU-connected threat actor.

In light of world news, it’s important to note that the Sandworm group has always been known to target Ukrainian companies and government agencies. It has been held responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities, and releasing the NotPetya malware.

Shutdown operation

Although the DOJ announcement came just two days ago, the takedown operation actually occurred a little earlier, in March 2022. And the story starts before that, with a joint advisory released on 23 February by law enforcement agencies in the UK and the USA about Cyclops Blink malware targeting network devices manufactured by WatchGuard and ASUS.

Cyclops Blink surfaced as a replacement for VPNFilter malware, which the DOJ disrupted with an operation in 2018. Both Cyclops Blink and VPNFilter are generally attributed to the Sandworm group, which has always been seen as a Russian state-sponsored actor.

On the same day the advisory was released, WatchGuard published a diagnosis and remediation plan, and ASUS released its own guidance. However, despite their advice, a botnet of “thousands of infected network hardware devices” running Cyclops Blink remained.

In March the DOJ set out to fix that by targeting the Command and Control (C2) servers that orchestrated the botnet. The department says it did this by copying and removing Cyclops Blink malware from the C2 devices, and closing the external management ports that the Sandworm group used to access them.

WatchGuard users that need the external management ports can reverse the closure through a device restart, but they are advised to follow this knowledge base article about remote management.

Although this stopped Sandworm from controlling the thousands of compromised WatchGuard and ASUS devices, it did not remove the malware from them.

According to Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division:

This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal. By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity.

Sinkhole

On the same day that the DOJ announced its Cyclops Blink takedown, Microsoft obtained a court order authorizing it to take control of seven internet domains being used by the Strontium group.

The Strontium group, often referred to as Fancy Bear or APT28, is another GRU-connected threat actor known to target Ukrainian institutions, as well as government institutions and think-tanks in the United States and the European Union involved in foreign policy.

After taking control of the domains, Microsoft re-directed them to a sinkhole under its control. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals. Sinkholes are most often used to seize control of botnets.

Microsoft describes this disruption as part of an ongoing long-term campaign, started in 2016, to take legal and technical action to seize infrastructure used by Strontium. The company has established a legal process that enables it to obtain rapid court decisions for this work. Prior to this week, it says it had taken action through this process 15 times to seize control of more than 100 Strontium controlled domains.

Good riddance

While these attacks are just a small part of the cyber-activity we are seeing in Ukraine, it does help to take out a few of these active major threats.

The FBI is urging people to contact their local field office if they believe they have a compromised device. The agency says it “continues to conduct a thorough and methodical investigation into this cyber incident.”

The post Successful operations against Russian Sandworm and Strontium groups targeting Ukraine revealed appeared first on Malwarebytes Labs.

YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised

Some of the biggest stars around have seen content placed on their YouTube accounts without permission over the last couple of days. Taylor Swift has around 40 million subscribers. Justin Bieber? 68 million. Harry Styles, a respectable 12 million. You can even add Eminem and Michael Jackson to the list of those taken over.

Big names, and even bigger numbers.

The last time I can remember an all-out targeted attack on social media musicians was way back in 2007 during Ye Olde Myspace days. While the threat for mischief there was big, this new attack far surpassed it in terms of people seeing dubious content.

Using Vevo as a stepping-stone to musician channels

According to The Record, the attack specifically targeted accounts using Vevo. The people behind it didn’t promote malware links, or spam, or phishing. Instead, they opted to post about a bizarre scam involving a security guard.

The scam involved a man claiming to have “2,000 tumours”, sentenced to 2 years in jail for grabbing around $319,000 in donations for his non-existent terminal illness. The group claiming to be behind the compromise demanded he be set free via their Twitter account.

If you’ve ever watched a music video from a major artist, there’s a good chance you’ll have seen the Vevo logo in the bottom right hand corner. This is the Vevo channel, where content is uploaded. As Gizmodo notes, videos are merged with the musician’s separate YouTube channel. Existing YouTube accounts can also be merged to create Official Artist Channels.

Speaking to The Verge, Vevo said “Some videos were directly uploaded to a small number of Vevo artist channels earlier today by an unauthorized source.”

This is what Vevo’s FAQ page has to say on the subject of how uploads work:

Vevo does not provide access directly to artists. If your music videos have been delivered to Vevo, you must work with your existing Content Provider/Label who will have access to perform these updates.

What about your YouTube security?

You may not be a multi-million album seller signed up to Vevo on YouTube, but you still need to lock down your YouTube account. Any compromise can lead to masses of spam or videos leading users off-site to phishing or malware.

Signing into YouTube requires a Google account. As such, good Google security hygiene means good YouTube security hygiene too. We’ve covered many Google-centric security concerns previously, but here’s some things you can do now to lock down your account:

  • Create a strong password, and enable two-factor authentication (2FA). Use the Google Auth app for 2FA rather than SMS codes, this will help you avoid the threat of SIM-swap attacks.
  • Don’t share sign-in information with others. If someone contacts you promising riches beyond your wildest dreams, they may ask for your login details to set up some sort of “affiliate” or partnership status. This is a bad idea, and you shouldn’t do it.
  • Use Google’s security checkup. This informs you at a glance about recent login activity, device sign-ins, Gmail settings, and more. It’s a handy, focused way to make sense of the sometimes overwhelming range of options available.
  • Remove sites and apps you don’t need or recognise. As with many social accounts, you’re able to connect to a variety of services. View connected apps here.
  • Keep an eye on the comments posted to your videos. There’s a lot of spam out there and it may sully your reputation if followers end up in bad places via your content.

This should be enough to get your account moving to a place where it’s a lot more secure than before. While the chance of you being hit by an attack like the one above targeting very well known accounts is low, people regularly look to hijack regular YouTube accounts. Let’s not make it easy for them!

The post YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised appeared first on Malwarebytes Labs.

Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users

Ledger is one of the biggest hardware cryptocurrency wallets around and scammers have noticed. Phishing mails are in circulation, hoping to snag Ledger users with a sneaky request for passphrases.

What is a Ledger recovery phrase?

A recovery phrase is an incredibly important combination of words that acts as the literal key to your digital crypto kingdom. The phrase is a human-readable version of a private key, a unique secret that must be kept private, because it’s the cornerstone of the cryptography that says you own a crypto-something rather than somebody else.

The Ledger recovery phrase also acts as a backup for everything in your hardware wallet, to the extent that if Ledger ceased operations, you’d still be able to access your crypto-assets via a compatible wallet service. As Ledger puts it:

When starting to use your Ledger hardware wallet, you will receive a random set of 24 words. This is also known as your Recovery Phrase. It’s a key element in using a hardware wallet and it must be kept secure and offline at all times.

As we can see, it’s critical to the wellbeing of your digital cash.

What’s the scam?

Phishing emails are being sent that refer to a non-existent breach. The “solution” to this breach is to update the 24-word phrase as soon as possible and set up a new wallet PIN.

The mail reads:

If you’re receiving this e-mail, it’s because you’ve been affected by the breach. To protect your assets, please update your 24-Word Phrase and follow the instructions to set up a new PIN for your wallet.

Sincerely, Support Team

The mail also provides a link to a website called “Ledgerphrase(dot)com”.

Should you visit the website without the userID included in the email, the page won’t resolve. If you follow any of the links directly from the email, you’ll be greeted with a passphrase update page that asks users to enter their 24-word passphrase:

A fake Ledger passphrase update page

Anyone progressing past this point is playing with fire and likely to lose all of their crypto-assets.

How to foil the phishers

Ledger has confirmed this is a phishing attempt:

It also provides a list of security measures to ward off further attempts.

The most important thing is to never, ever give anybody your 24-word passphrase. Only ever enter it on your device, and never hand it over to anyone claiming to need it or to websites requesting you enter it. Whether it’s code converter websites, apps, YouTube livestream giveaways, or even browser extensions claiming to be official products, the advice is still the same.

No matter which form of digital wallet you use, your recovery phrase is your last line of defence to keep bad people away from your funds.

The post Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users appeared first on Malwarebytes Labs.

Watch out for fake WhatsApp “New Incoming Voicemessage” emails

Thanks to the Threat Intelligence team for their help with this article.

Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountered a fake WhatsApp email with the subject “New Incoming Voicemessage.”

The spoofed WhatsApp voicemail notification email. (Source: Armorblox)

The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters.

Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though—clicking “Play” directs recipients to a page where Armorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.

Prompts like this are also used by malvertisers when they want to push ads in front of users.

A malvertiser’s Allow/Block prompt

Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs), and even malware. The ads vary depending on a user’s device and location.

When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top.

Malvertisers sign a browser up for notifications

The domain we had agreed to receive notifications from then used its privileged position to redirect us to a page with a bogus offer.

Malvertising seen through Fiddler: a domain with permission to trigger browser notifications redirects a user

Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?—we won!

The malvertiser’s fake “Chrome search contest”

This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector, tricks Android users into downloading a payload called “Browser 6.5” which signs them up to receive text messages from premium rate phone numbers, for example.

What to do?

If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changes to its voice message service.)

Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts.

And if you sign up for notifications from a site by accident, you can remove it in Google Chrome by following these steps: Open Settings, click Privacy and Security, click Site Settings, click Notifications, and scroll to Allowed to send notifications. Click the “three dots” icon next to the site you want to remove and click Remove.
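For anyone who wants to audit the same thing outside the settings UI, here is an added example (not from the original post) that lists which origins a Chrome profile has allowed to send notifications. It assumes Chrome records those decisions in its JSON Preferences file under profile.content_settings.exceptions.notifications with setting 1 meaning allow and 2 meaning block; the sample data below is constructed, reusing only the domain named above.

```python
import json
from pathlib import Path

# Constructed sample of the relevant part of a Chrome "Preferences" file.
# Assumption: per-site notification decisions live under
# profile.content_settings.exceptions.notifications, keyed by
# "<origin>,<secondary pattern>", with setting 1 = allow and 2 = block.
SAMPLE_PREFERENCES = {
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://bingocaptchapoint.top:443,*": {"setting": 1},
                    "https://mail.example.com:443,*": {"setting": 1},
                    "https://news.example.org:443,*": {"setting": 2},
                }
            }
        }
    }
}

ALLOW, BLOCK = 1, 2


def notification_grants(prefs: dict) -> dict:
    """Map each origin with a recorded decision to 'allow' or 'block'."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    grants = {}
    for pattern, entry in exceptions.items():
        origin = pattern.split(",", 1)[0]  # drop the secondary pattern
        setting = entry.get("setting")
        if setting == ALLOW:
            grants[origin] = "allow"
        elif setting == BLOCK:
            grants[origin] = "block"
    return grants


def allowed_origins(prefs: dict) -> list:
    """Origins that may push notifications, sorted for stable output."""
    return sorted(o for o, s in notification_grants(prefs).items() if s == "allow")


def load_preferences(path: str) -> dict:
    """Load a real Preferences file (plain JSON; close Chrome first).
    On Windows the default profile keeps it at
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for origin in allowed_origins(SAMPLE_PREFERENCES):
        print("allowed to send notifications:", origin)
```

Any origin you do not recognise in that list is a candidate for the Remove step described above.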

If you believe you have fallen victim to this scam—or any other—at work, report the incident to your IT or security team.

Stay safe!

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails appeared first on Malwarebytes Labs.

Cash App breached by a former employee could affect millions

In December last year, the customer information of Cash App users was accessed by a former employee of Block, the company behind the popular mobile payment service app. This was revealed in a very recent filing to the Securities and Exchange Commission (SEC), which shows that the former employee accessed and downloaded “certain reports” containing US customer information.

The filing reads:

“While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended.”

Cash App is currently in the process of reaching out to its 8.2 million US users about the breach. That includes current and former Cash App users.

The compromised data contains full names and brokerage portfolio values. The filing explains the latter as “the unique identification number associated with customer’s stock activity on Cash App Investing”.

The document also clarified that compromised data “did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information.” Security code, access code, or Cash App account passwords were also not part of the breached data.

According to an email interview with Vice, a Cash App spokesperson said they have already taken remediating steps, and launched an investigation “with the help of a leading forensics firm”.

We have yet to find out exactly how this former employee could still reach assets they should no longer be able to access after separating from their employer. Sadly, incidents like this happen all the time. Multiple studies have shown that many organizations’ former employees, regardless of the nature of their termination, can still access not just corporate data but also platforms used by their former employers. Such incidents are not only classified as insider threat incidents, but they are also good examples of many companies having improper offboarding practices.

Cash App can only be used in the US and UK. No UK customers were affected by this breach.

The post Cash App breached by a former employee could affect millions appeared first on Malwarebytes Labs.