IT NEWS

An “exceptionally rare and dangerous” advanced persistent threat (APT) malware kit, containing custom-made tools designed to target some of North America’s industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, appears to have been caught before it could be let loose on America’s oil refineries and power grids.

Multiple US federal government agencies, including the FBI, NSA, and CISA, have released a joint advisory about this kit dubbed PipeDream. It features one-of-a-kind tools designed to work against systems belonging to Schneider Electric, OMRON, and the Open Platform Communications Unified Architecture (OPC UA).

While CISA has declined to name the state actor behind the tools, Mandiant and Dragos, two cybersecurity companies specializing in advanced persistent threats (APTs) that partnered with the agency, said that the tools’ behavior pointed to Russia as the likely source. However, this link, they say, is “largely circumstantial”.

Once inside ICS/SACADA operational technology (OT) networks, PipeDream can gain full system access to target devices, allowing them to scan, control, and compromise Windows-based engineering workstations using an exploit. Having full access also enables threat actors to elevate privileges, move laterally within the OT environment, and disrupt critical systems. Such disruptions could lead to machinery getting physically destroyed and, worse, loss of human lives.

Since the invastion of Ukraine began, President Biden has urged businesses to strengthen their security against possible Russian cyberattacks. However, cyberthreats against vital US infrastructure have been a concern for years, not least since Stuxnet successfully compromised nuclear centrifuges in Iran more than a decade ago.

ICS attacks—scary, but very hard to do

The outcome of a successful attack against vital infrastructure—such as a power grid, power station or water treatment plant—could be very bad indeed. And although we have yet to learn of a nation state successfully attacking one in the US, we can get a glimpse of the possible disruption by looking at other, similar forms of attack.

For example, a ransomware attack against Colonial Pipeline in 2021 caused it to halt operations for six days. Long lines of US motorists began queuing up at gas stations to panic buy fuel, causing prices to go up on the East Coast. A similar attack happened a month later, against meat processing giant JBS, stirring fear of shortages and price rises.

With catastrophic possibilities forecasted before any actual events ever happen, it is easy to get caught in the hype and assume that a critical infrastructure “big one” will play out sooner than expected. But such a possibility is, in fact, very slim, according to Lesley Carhart, principal threat hunter with Dragos.

Carhart spoke to Malwarebytes podcast host David Ruiz on an episode of the Lock and Code podcast last year all about disaster planning and the slim chance of a critical infrastructure “big one.”

Internet-connected ICS may be easy to find, but they are difficult to exploit in reality. Carhart attests to this. “These systems are honestly so complex and so distributed and so heterogeneous that they are really difficult to attack at scale,” she said.

The problem for attackers is that OT environments are all about risk mitigation. Their designers and operators spend their lives thinking about the risks in their environment and coming up with ways to mitigate them. Even if an attacker can compromise a computer and use it to make an environment do something it’s not supposed to, there are typically controls and operators primed to identify and stop errant systems before they can cause any harm.

“A more sophisticated, determined adversary has to think about how to get around those mitigations,” Carhart added.

A successful attack also demands a lot of time, resources, and preparation. According to Carhart, attackers oftentimes sit in networks for months and even build their own industrial facility to learn more about it. ICS attacks are “astronomically expensive”, she says.

Manufacturers of such systems are also increasingly creating them with security in mind. Despite what you might hear, Carhart does not think the dangers of an ICS “big one” are increasing. “In a lot of ways, people are more aware of the threats,” says Carhart. “They’re deploying more security monitoring, and they’re starting to build incident response plans for their industrial environments specifically. They’re starting to do threat hunting, penetration testing, [and] red teaming in their industrial environments.”

To learn more about the reality of defending critical infrastructure, listen to the podcast, embedded below.

The post US warns of APT groups that can “gain full system access” to some industrial control systems appeared first on Malwarebytes Labs.

Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates may need your urgent attention if you are a user of the affected product.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that look most urgent.

Oracle Communications Applications

The update contains 39 new security patches for Oracle Communications Applications. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS score of 10 out of 10. Supported versions that are affected by this flaw are 12.0.0.4 and 12.0.0.5.

CVE-2022-23305 is a Log4j vulnerability with a CVSS score of 9.8. It affects the Oracle Communications Messaging Server and allows attackers to manipulate a database by entering SQL strings into input fields or headers. (Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.) The same Log4j vulnerability affects the Cartridge Deployer Tool component of Oracle Communications Network Integrity and the Logging component of Oracle Communications Unified Inventory Management. It also affects several components of Oracle Fusion Middleware.

CVE-2022-23990 is a vulnerability in the user interface (LibExpat) component of the Oracle Communications MetaSolv Solution, and it also has a seriously high CVSS score of 9.8. LibExpat versions before 2.4.4 have an integer overflow in the doProlog function that allows an attacker to inject an unsigned integer, leading to a crash or a denial of service.

Oracle Blockchain Platform

The update contains 15 new security patches for Oracle Blockchain Platform. 14 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2021-23017 is a security issue in nginx resolver with a CVSS score of 9.8. It could allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite.

Oracle GoldenGate

The update contains 5 new security patches plus additional third-party patches for Oracle GoldenGate.  4 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2021-26291 is a security issue in Apache Maven with a CVSS score if 9.1. it affects the Oracle GoldenGate Big Data and Application Adapters. Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.

Oracle Communications

The update contains 149 new security patches plus additional third party patches noted below for Oracle Communications. 98 of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-22947 is another vulnerability with a CVSS score of 10. It is a vulnerability in Spring Cloud Gateway that affects Oracle Communications Cloud Native Core Network Exposure Function and Oracle Communications Cloud Native Core Network Slice Selection Function. In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Oracle Java SE

The update contains 7 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication.

CVE-2022-21449 is a vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle Java SE with a CVSS score of 7.5. The 7.5 is a very low score due to the wide range of impacts on different functionality in an access management context. This vulnerability applies to Windows systems only, but an attacker can trivially and completely bypass them if your server is running any Java 15, 16, 17, or 18 version before the April 2022 Critical Patch Update. An elaborate analysis of this vulnerability was published by ForgeRock.

Mitigation

For a complete list of the security vulnerabilities have a look at the Oracle security alerts page. Several of the discussed vulnerabilities in this Patch Update are vulnerabilities in third-party components which you may have patched earlier, but it’s definitely worth looking into.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. You can follow the links in the Patch Availability Document column on the Oracle page to access the documentation for patch availability information and installation instructions.

Stay safe, everyone!

The post Oracle releases massive Critical Patch Update containing 520 security patches appeared first on Malwarebytes Labs.

Today we look at a fakeout which begins with Elon Musk, and ends with a trip to Mars (or, if you’re really lucky, the Sun).

One of the most annoying “features” of Twitter is being added to lists without permission. It’s a theoretically useful way to keep track of certain topics. It’s often also used for trolling or spam. A friend of mine was added to a list over the weekend by what appeared to be Elon Musk.

It was not Elon Musk.

Dodging detection

The account in question is doing a pretty good job of not attracting attention while getting up to mischief. As you can see from the profile, it has an almost perfect no followers / no following ratio. There’s no tweets, no replies, no likes…nothing.

The account would simply pass you by, if you were looking for people up to no good.

Except.

Check out the account’s Twitter lists. This is done by clicking into the “…” and then hitting lists in the dropdown menu. With this done, we see a so-called “giveaway marathon” list. The giveaway isn’t detailed with text, so it is again very easy to miss. Rather, it’s a picture of a fake Elon Musk tweet which reads as follows:

I decided to randomly choose 1000 new followers, who can participate to the biggest crypto giveaway. Hurry up to join at [url removed].

For flying under the radar purposes, it’s almost perfect. Shall we take a look at this “biggest crypto giveaway”?

Behold, the “biggest crypto giveaway”

“5,000 BTC giveaway”, screams the banner.

They say:

Our marketing department here at Tesla HQ came up with an idea: to hold a special giveaway event for all crypto fans out there.

For those keeping score, 5,000 Bitcoin totals somewhere in the region of $200,000,000. Not bad for a giveaway pot!

How do you get your hands on this amazing slice of cash, I hear you cry? Well, you have to guess which planet “Tesla” is trying to explore. You do this by clicking on the planet we’re supposed to be exploring.

Some observations:

1. You can click on Earth, or indeed the Sun.
2. The image includes Pluto—a big salute to “Team Pluto is Definitely a Planet”. That muddy ball of ice and rock couldn’t have done it without you.
3. I did say we’d be going to Mars at the start of this blog, but the truth is, you can click anywhere you like to proceed. Yes, even the Sun.

I guess what I’m trying to say is I doomed humanity with an all-expenses paid trip to the Sun. With a payoff like that, I sure hope we’re about to get rich off the back of this giveaway.

Getting rich quick off the back of this giveaway

The site presents itself as being a giveaway specifically from Tesla.

It makes the following claim:

To verify your address, just send from 0.02 to 1 BTC to the address below and get from 0.10 to 10 BTC back.

Well, that’s a bold strategy. They’re saying that if you give them $40,000 then you’ll get $400,000 back at the upper contribution level. The advice is to use any wallet which supports Bitcoin, and then “select the amount you want multiplied…for example, to get 10 BTC, send 1 BTC.”

There’s also a fake “free Bitcoin remaining” timer counting down which tries to panic you into getting involved. Refreshing the page restarts the timer.

Speeding things up

One thing which people may not know about Bitcoin transactions is that there can be a delay with regard to transaction confirmation. This is down to verification and recording of new transactions. Essentially: You perform an action of some kind, and you have to wait for the Bitcoin blockchain to do blockchain things and confirm that you did, in fact, send cryptocurrency to somebody and it all went through as planned.

You’ll note that our Sun-bound BTC giveaway says “Still waiting for transaction? Click here!”

You’d assume it would mention the possibility of transaction notifications being delayed. To be fair, it does – but then adds a little something extra:

“Sometimes transaction network is under load and it can take more time. You can speed up the transaction by sending the same amount again to our address. This is an official promotion and every transaction address we receive gets their bonus back”

Considering we arrived here in the first place from Fake Elon, and this “official” Tesla giveaway is absolutely not an official Tesla giveaway, I’m not entirely sure I believe them. They’re asking you to send, at the upper donation limit, roughly $80,000 to try and help nudge the first transaction through.

In what may be the most not-needed spoiler warning of all time: This probably isn’t going to end well.

Aborting launch

All in all, we’d have to suggest giving this one a big miss. You’re not going to magically generate tons more money than you put in, and as fun as it is to suggest sending humanity into the fiery heart of the Sun it probably won’t make you very rich in the meantime.

Sorry, Fake Elon, but we’re going to have to pass.

The post The fake Elon Musk Bitcoin giveaway marathon will NOT make you rich appeared first on Malwarebytes Labs.

Tragic tales are being posted to Facebook, combined with the offer of a giveaway. However, some are perhaps not quite what they seem. The PS5 is still one of the hottest bits of tech around, and near-total lack of availability, combined with a high sale price, means that some people will do whatever they can to obtain one.

As a result, PS5 scams are rife. Bogus giveaways and deals abound on social media and elsewhere. Scammers will often sweeten the deal by offering the item for free initially, before switching to asking for postage costs. Should you pay up, it’s quite possible the seller will vanish and you’ll be left out of pocket with no PS5 and no way to recover your funds.

“Browser beware” in local trade groups

Multiple posts have appeared in various groups where goods are sold or traded, typically from accounts with no other content associated with them. On initial viewing, they appear to tell a terrible tale of loss and bad memories, with the offer of household objects too painful to keep around.

The first red flag is that the Facebook posts that have been popping up, on and off, over the past few months are all very similarly written. Here’s one example, sent to me by a friend:

My daughter died while coming back from college last week. She was hit by a running car, my heart bleeds everyday. I bought a PS5 for her, she never got to see it. I want to give out the PS5 for free to someone who needs it. Seeing the PS5 everyday hurts my soul.

This sounds awful.

But before you offer yourself up as a potential recipient, there are some questions you should ask yourself. Starting with “why do the pictures of the unused machine show a PS5 that’s clearly plugged in, and in use?” I’m not saying it’s impossible for a parent to set up a PS5 for their kid. However, having set one up myself, there’s a fair bit of work involved. Not even accounting for system updates and other aspects of the setup routine, you also have to tie the console to a playstation account. This means a username, password, potential use of QR codes, and more.

An even better question is “why are completely unrelated people posting the exact same message elsewhere?” The one linked reads as follows:

My daughter died while coming back from college on Friday, she was hit by a running car my heart bleeds everyday I thought a PS5 for her she never get to see it. I want to give the PS5 out for free to someone who need it. Seeing the PS5 each day hurt my soul

As someone notes in the replies, they’ve seen this identical post from somebody else posted elsewhere, with the same images.

Here’s the same “my daughter died” example, except this time applied to a PS4. If you forward through to image 2 on that post, you’ll see image reuse for both the PS5 and also the dog in the funeral home—except now it’s about someone’s son instead of their daughter.

A popular seller group post format…

Seller groups are seeing these types of post more and more. Speaking of image reuse, here’s one from a group in Glace Bay, Canada in relation to someone’s daughter. Note the dog at the coffin, it appears a lot:

Meanwhile, here’s one from a different person in Ohio except now the dog is mourning the loss of the poster’s son:

I’ve lost count how many times the dog has now put in an appearance, and that’s before we get to the PS5 pictures!

“Buyer” beware

The majority of these posts switch off replies and have interested parties message them directly. They then try and convince them to pay for shipping costs upfront. Assuming the person paying is dealing with a scammer, both money and seller will drop all communication and / or vanish afterward.

It’s probable that some of these accounts have been compromised, so the supposed seller is likely going to have more problems once they recover their account. All things considered, there’s simply too many red flags associated with this style of Facebook post.

If you see a post like the above in a local group, you may want to contact the Admin and have them do some investigation before anybody commits to paying anything. We suspect the post will be removed long before anybody starts looking for shipping fees.

The post Beware tragic “my daughter died…” Facebook posts offering free PS5s appeared first on Malwarebytes Labs.

A new advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department (Treasury), highlights the cyberthreats associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020.

The Lazarus Group

APTs are defined as prolonged attacks on specific targets that aim to compromise their systems, and to gain information from or about them. The Lazarus Group, aka APT38, is commonly believed to be run by the North Korean government. It is thought to conduct financial cybercimes as a way to raise money for a regime that has few trading opportunities, because of long-standing international sanctions.

These days, financial cybercrimes often involve Bitcoin and other cryptocurrencies. The CISA advisory warns that:

The US government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens

AppleJeus

Since 2018, one of the Lazarus Group’s tactics has been to disguse AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. CISA warns that it uses these trojanized applications to gain access to victims’ computers, to spread other malware, and steal private keys or to exploit other security gaps. All of this is done to create an environment where the group can initiate fraudulent cryptocurrency transactions.

Victims are lured into downloading the malware with a variety of social engineering tactics, including spearphishing.

Spearphishing campaigns

Spearphishing is a targeted form of phishing that’s directed at and addresed to specific individuals. It uses personalization to convince victims that they are reading and responding to legitimate messages.

CISA reports that the Lazarus Group has been sending spearphishing messages to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps) roles—using a variety of communication platforms and social media. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malicious “TraderTraitor” malware disguised as cryptocurrency trading or price prediction tools.

TraderTraitor describes a series of malicious Electron applications that can download and execute malicious payloads, such as remote access trojans (RAT).

Mitigation

The advisory contains a lot of specific IOCs for the most recent campaigns, but if we have learned anything from the past behavior of the Lazarus APT group it is that they will change man of them as soon as their current campaigns are outed. It is important therefore to apply the basic mitigation methods to counter this type of attacks:

• Use patch management to stay on top of those security updates!
• Educate users on social engineering attacks like spearphishing.
• Enforce credential requirements and use multi-factor authentication.
• Use endpoint protection to detect exploits and stop malware.
• Watch out for third-party downloads—especially cryptocurrency applications.
• Create an incident response plan so you know how to respond to cyber-intrusions.

Stay safe, everyone!

The post North Korean Lazarus APT group targets blockchain tech companies appeared first on Malwarebytes Labs.

The invasion of Ukraine has been a money making opportunity for scammers since the moment it began: Fake donation sites, bogus Red Cross portals, phishing pages, the works.

These scams can also be found on social media.

Faking donations on Twitter

Some users of social media have become very well-known for their tweets inside affected regions. Others who were already well-known have become even more so. The ones asking for medical assistance, donations, or replacements have had some success raising whatever has been required.

Unfortunately, we’re seeing scammers try to capitalise on these activities. One such request on social media came via a well known Twitter user, @Xenta777, asking for military equipment-related donations:

In the past we have seen Twitter scams where a fake account answers a question in the replies to a tweet by a well known organisation and pretends to be customer support, hijacking the conversation and directing victims to a phishing page.

A similar tactic is being used here.

Quoting your way to donation fraud

Somebody set up an imitation account (note the additional “7” in the username), and then posted this in response to someone asking where to donate:

Like many successful scams, it’s very simple, which can easily yield results.

We reported the account, and it was eventually suspended after having apparently cycled through several different usernames. Interestingly, it had been “suspended” on the 4th of April, then returned using the original username until a few days ago.

At any rate, the scammer (appears) to be gone now.

Keeping your donations safe

One unfortunate issue with donations related to the invasion of Ukraine is that a lot of people tweeting about events as they happen don’t have verified accounts. This means it’s very easy for scammers to impersonate genuine people. There are some ways to try and reduce (not eliminate) this, though:

1. Check the account creation date. This is no guaranteed indicator of genuineness, but Twitter has been around a long time and a brand new account should make you suspicious.
2. Look for people you know who follow an account you’re considering donating to. Mutual connections are, again, no guarantee. You can at least check with them as to their estimated genuine nature of an account before taking any action.
3. Use a donation method that can give you a refund if required. This means various forms of cryptocurrency and/or wire transfers are probably not on the cards. Additionally, many people asking for help with things are using third-party payment tools which often come with money-back facilities. Someone asking you to send them bank info by email or something along those lines? Not the best of indicators.

Whenever possible, you should be donating through approved and well known channels. We realise this isn’t always possible under current circumstances, so hopefully the above tips will stop you wandering into sticky situations.

The post Watch out for Ukraine donation scammers in Twitter replies appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Credential-stealing malware disguises itself as Telegram, targets social media users
• Old Play Store apps served notice by upcoming API level changes
• Denonia cryptominer is first malware to target AWS Lambda
• Ransomware: March 2022 review
• Why identity management matters
• USPS “Your package could not be delivered” text is a smishing scam
• Apps removed from Google Play for harvesting user data
• How to password protect a folder
• Conti ransomware offshoot targets Russian organizations
• Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations
• Steer clear of this “TestNTrace” SMS spam
• NGINX zero-day vulnerability: Check if you’re affected
• April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities
• SMS group spam promises free gifts in return for bill payment
• “Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour
• Zloader, another botnet, bites the dust
• Stalkerware-type detections hit record high in 2021, but fell in second half
• Filing your taxes? Be wary of help found through search engines

Stay safe!

The post A week in security (April 11 – 17) appeared first on Malwarebytes Labs.

It is important to realize that uploading certain files to VirusTotal may result in leaking confidential data, which could result in a breach of confidentiality, or worse.

We have warned against uploading personal information, as does VirusTotal itself on their home page. But apparently some organizations have automated the uploading of email attachments without really thinking through the possible consequences.

VirusTotal

VirusTotal is now part of Google Cloud and its goal is to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. It does this by scanning the submitted files with the contributing anti-malware vendors’ scanning engines. Many use VirusTotal as a “second-opinion” scanner which is obviously fine to do on occasion.

VirusTotal maintains a collection of over 70 endpoint protection solutions, but it is important to realize that there is no guarantee that the version that VirusTotal relies on is the same version that you would be running, or whether it is as up to date as your version might be.

But in the context of this article it is even more important to realize that VirusTotal was not designed to check whether an attachment is malicious. It may recognize malicious attachments, especially the ones that are used in mass email campaigns, since these samples may get uploaded more often. But in case of a targeted attack, getting the all-clear from VirusTotal does not mean the attachment is safe to open or edit.

VirusTotal offers premium services that allow participants access to files that were uploaded by third parties. This is done to increase malware detection across the participating solutions, but also to enable threat hunting and provide a historical and current overview of the threat landscape.

Breach of confidence

In March of 2022 the German Bundesamt für Sicherheit in der Informationstechnik (BSI)  which translates as the Federal Office for Security in Information Technology, warned that it noticed the (semi)-automated upload of suspicious or quarantined email attachments. In some cases these were confidential documents. These included warnings sent by the BSI marked as TLP Green and Amber.

The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).

Uploading a document marked as TLP:GREEN, TLP:AMBER or TLP:RED is a violtion of the terms and can get you removed from the list of acceptable recipients. Receiving information with a TLP tag other than TLP:WHITE is a privilege. It means that the information owners trust the recipient to respect their wishes. The recipients should do everything in their power to be worthy of that trust.

Sharing

Maybe these uploaders didn’t realize that the files were not only shared with the 70 security vendors, but are also accessible to all other businesses that are using the premium services provided by VirusTotal. There are no restrictions about the location of the participating businesses, so there is no reason to assume that it is safe to upload confidential documents.

A search by me on VirusTotal for “invoice.pdf” provided 17.68k search results. Granted, some of these files were actually marked as malicious, but the majority had no business being available for public viewing.

Ask for permission, not forgiveness

While we do understand the occasional need to upload a file to VirusTotal, do not automate this procedure. Only use it when you have no other methods of checking whether an attachment is safe to open.

Receivers:

• If you are in the least bit uncertain about the safety of an attachment, contact the sender and ask them about it.
• Don’t use VirusTotal if you want to check whether an attachment is malicious. The result is not conclusive and you may breach confidentiality.
• Never click on links in emails or email attachments.
• Never “Enable Editing” in a document, unless the sender in person assured you it was safe.

Senders:

• Only use attachments that could be perceived as dangerous when it’s absolutely necessary.
• Inform recipients about the fact that you are sending them an attachment and for what reason.

There was good reason for Microsoft to disable macros by default.

Stay safe, everyone!

The post Why you shouldn’t automate your VirusTotal uploads appeared first on Malwarebytes Labs.

The deadline for filing your taxes in the US is nearly upon us. April 18 is the very last date that you can afford to hand your tax returns in to the IRS.

People will naturally gravitate toward all manner of filing tools to get the job done. But it’s worth noting that sites are lurking in search engine results to potentially make it harder to file, not easier.

Taxing times in search engine land

One such tool used to complete tax returns is TurboTax. This product requires a registration code to activate, and this is where the search engine results come into play. Some folks have issues registering or installing software for a variety of reasons. Maybe it’s hardware, perhaps it’s the software. Incompatibility frequently rears its head, and sometimes other third-party software may be interfering with installation.

Entire industries exist on forums and elsewhere to provide answers to the most obscure tech issues you can possibly imagine. While many solutions can usually be found for these issues, it pays to be cautious where search results are concerned.

Searching for install instructions

Hunting for “install Turbotax” in Yahoo, for example, brings us the following results:

It’s currently the first result after the sponsored ad and the official link. Here’s the site in question:

Hitting the “Click me” button directs visitors to the next step in the process, hosted elsewhere. It asks visitors to sign into their account, then activate their purchase and get on with sorting out their tax returns.

It’s license key time

Site users are asked to enter their 16-digit activation code.

Two things to note here. The site will allow any code with a minimum of four digits and up – it doesn’t have to be a maximum of 16. There is clearly no checking taking place for the code entered. What happens if you punch in a too short, non-existent activation key? You’re told that the activation attempt has failed, not that your code is too short.

Sending whoever runs this site your activation code means that the people running the site may now have your activation code. As a general rule of thumb, you shouldn’t give licence or registration keys for any product to anybody. Depending on product, you may be handing a stranger your one-time use key. When that happens, you then have the problem of figuring out how to get it back.

There’s a few official support situations where informing somebody of a key’s details will be required. This isn’t one of them.

“Contact the support team…”

Help is at hand with the supposedly failed activation:

The page says:

Sorry, your code has failed to activate.

Detected issue:

• Your activation code is stolen
• Code expired
• Repeated use of code
• Your code is not generated in database
• Or your system is virus infected

Note: Repeated failure may lead to expire code. Do not try to enter your code again and again.

Contact support team to fix this issue immediately: [number removed]

Error code: OOXOOO16FA and Correlation ID: c147654ad-41fg-ds7df-cfa9f5jhdjhsg

Keep your activation code ready while speaking to customer support

This “error code” often pops up on various forms of tech support scam, so there’s another bad sign.

What is happening in these support calls?

A colleague sent over a Reddit link detailing an example of a call between someone handling the “support” conversation on behalf of their father, who had originally arrived on a related landing page found via basic searching:

There’s a lot to take in there in terms of not sounding particularly credible.

1. The TurboTax code activation being interrupted due to “foreign connections on the network”
2. The caller being connected to the person’s relative via TeamViewer with Netstat open
3. Non-official URLs open on the desktop

These are all frequently signs of tech support scams, often involving the installation of bogus security tools alongside additional payment. The fact that the page which claims the activation key doesn’t work may be down to a “virus infection”, alongside the bogus error code found on many tech support scams, makes this something to steer well clear of.

We reported both the initial landing page and the activation code page. The URL for the latter has been suspended. However, sites like these tend to use fallback URLs and webspace so it might not be gone for good.

Don’t make tax season even more taxing than it has to be

If you need help installing or activating a product, contact the relevant company directly. Don’t leave it in the hands of search engines to decide your fate. Paid results, adverts, SEO gaming, or even SEO poisoning can all cause big problems. With the tax deadline ticking down, you simply can’t afford to get into stolen key/broken computer antics this late in the process.

The post Filing your taxes? Be wary of help found through search engines appeared first on Malwarebytes Labs.

After having tracked stalkerware for years, Malwarebytes can reveal that in 2021, detections for apps that can non-consensually monitor another person’s activity reached their highest peak ever, but that, amidst the record-setting numbers, the volume of detections actually began to significantly decrease in the second half of the year.

This decrease in stalkerware-type activity never reached the lower levels in 2019 that Malwarebytes recorded before the start of the global coronavirus pandemic, which was recognized in 2020 and which spread quickly across the globe beginning in the months of February, March, and April. During that year, it appeared as though the increase in physical, regional lockdowns coincided with the increase in detections of stalkerware-type apps, which Malwarebytes records as “Monitor” and “Spyware.”

Documented to have a clear intersection with situations of domestic abuse, it was not only stalkerware-type activity that increased during the global pandemic, but also cases of domestic abuse as reported by state and federal prosecutors and by shelters.

In 2021, Malwarebytes recorded a total of 54,677 detections of Android monitor apps and 1,106 detections of Android spyware apps. This represents a 4.2 percent increase in monitor detections and a 7.2 percent increase in spyware detections year-on-year, making 2021 even worse than 2020, and the worst year for stalkerware so far.

However, although the overall numbers are up, detections have taken an unmistakable downward turn since the peak of May and June 2020.

In the second half of 2021, average monthly detections for monitor apps fell by 39 percent, to just 3,459 detections per month, compared to an average of 5,654 detections per month in the first half of 2021. The same trend happened with spyware too: Average monthly detections fell by 20 percent in the second half of the year compared to the first half.

What’s at play here?

When stalkerware saw its distressing uptick in 2020, Malwarebytes, in consultation with other domestic abuse support networks, hypothesized that the increased stalkerware activity came about because of the real-world physical restrictions put in place to combat COVID-19 around the world. The increase was also detected by other members of the Coalition Against Stalkerware, and coincided with news reports of increased calls to domestic abuse agencies.

In 2021, many governments loosened their coronavirus restrictions, allowing the public to mix and travel more freely. And, just as the sudden increase in stalkerware detections mirrored the sudden, mass imposition of restrictions, the gradual decline in detections appears to reflect their gradual easing.

The tidal wave of stalkerware in 2020 also led to increased awareness of the stalkerware problem, which turned into action in 2021. Last year the Federal Trade Commission issued its second-ever enforcement action against a stalkerware developer, and Google removed several ads that promoted stalkerware.

The decline in stalkerware is welcome, but the causes for it are not clear and it is too early to celebrate. It is increasingly easy for abusers to monitor their targets using off-the-shelf technology designed for other purposes. Abusers may simply have turned to other forms of technology as stalkerware became more widely detected. Or they may have returned to previous patterns of control and abuse as restrictions eased.

Thankfully, the Coalition Against Stalkerware continued to grow in 2021, increasing its contributors and accepting more expertise so as to expand its stalkerware detection threat list, which antivirus vendors can use to improve their own detection tools. As a founding member, Malwarebytes will continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

You can read more interesting stats from the last year in the Malwarebytes 2022 Threat Review.

The post Stalkerware-type detections hit record high in 2021, but fell in second half appeared first on Malwarebytes Labs.