IT NEWS

Stalkerware-type detections hit record high in 2021, but fell in second half

After having tracked stalkerware for years, Malwarebytes can reveal that in 2021, detections for apps that can non-consensually monitor another person’s activity reached their highest peak ever, but that, amidst the record-setting numbers, the volume of detections actually began to significantly decrease in the second half of the year.

This decrease in stalkerware-type activity never reached the lower levels in 2019 that Malwarebytes recorded before the start of the global coronavirus pandemic, which was recognized in 2020 and which spread quickly across the globe beginning in the months of February, March, and April. During that year, it appeared as though the increase in physical, regional lockdowns coincided with the increase in detections of stalkerware-type apps, which Malwarebytes records as “Monitor” and “Spyware.”

Documented to have a clear intersection with situations of domestic abuse, it was not only stalkerware-type activity that increased during the global pandemic, but also cases of domestic abuse as reported by state and federal prosecutors and by shelters.

In 2021, Malwarebytes recorded a total of 54,677 detections of Android monitor apps and 1,106 detections of Android spyware apps. This represents a 4.2 percent increase in monitor detections and a 7.2 percent increase in spyware detections year-on-year, making 2021 even worse than 2020, and the worst year for stalkerware so far.

However, although the overall numbers are up, detections have taken an unmistakable downward turn since the peak of May and June 2020.

Monitor detections 2020 2021
Spyware detections 2020 2021

In the second half of 2021, average monthly detections for monitor apps fell by 39 percent, to just 3,459 detections per month, compared to an average of 5,654 detections per month in the first half of 2021. The same trend happened with spyware too: Average monthly detections fell by 20 percent in the second half of the year compared to the first half.

What’s at play here?

When stalkerware saw its distressing uptick in 2020, Malwarebytes, in consultation with other domestic abuse support networks, hypothesized that the increased stalkerware activity came about because of the real-world physical restrictions put in place to combat COVID-19 around the world. The increase was also detected by other members of the Coalition Against Stalkerware, and coincided with news reports of increased calls to domestic abuse agencies.

In 2021, many governments loosened their coronavirus restrictions, allowing the public to mix and travel more freely. And, just as the sudden increase in stalkerware detections mirrored the sudden, mass imposition of restrictions, the gradual decline in detections appears to reflect their gradual easing.

The tidal wave of stalkerware in 2020 also led to increased awareness of the stalkerware problem, which turned into action in 2021. Last year the Federal Trade Commission issued its second-ever enforcement action against a stalkerware developer, and Google removed several ads that promoted stalkerware.

The decline in stalkerware is welcome, but the causes for it are not clear and it is too early to celebrate. It is increasingly easy for abusers to monitor their targets using off-the-shelf technology designed for other purposes. Abusers may simply have turned to other forms of technology as stalkerware became more widely detected. Or they may have returned to previous patterns of control and abuse as restrictions eased.

Thankfully, the Coalition Against Stalkerware continued to grow in 2021, increasing its contributors and accepting more expertise so as to expand its stalkerware detection threat list, which antivirus vendors can use to improve their own detection tools. As a founding member, Malwarebytes will continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

You can read more interesting stats from the last year in the Malwarebytes 2022 Threat Review.

The post Stalkerware-type detections hit record high in 2021, but fell in second half appeared first on Malwarebytes Labs.

“Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour

Spam which claims your account has been locked out and needs to be fixed are common. They drive people to phishing campaigns on a daily basis.

The mail below follows the same pattern with one key difference. It looks like a phish, but goes somewhere else entirely.

No, your Apple ID has not been locked

The mail claims to be from Apple, and is titled

Re: [Ticket #265763] Your Appl‌e‌ І‌D has been locke‌‌d‌‌ on [date]

It reads as follows:

Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌ on [date] 2022 for ‌‌s‌‌ecurit‌‌y‌‌ ‌‌r‌‌eason‌‌s‌‌ ‌‌b‌‌ecaus‌‌e‌‌ you have ‌‌r‌‌eache‌‌d‌‌ the ‌‌m‌‌aximu‌‌m‌‌ ‌‌n‌‌umbe‌‌r‌‌ of ‌l‌n‌v‌a‌l‌i‌d‌ ‌s‌i‌g‌n‌-‌i‌n‌ ‌a‌t‌t‌e‌m‌p‌t‌s‌

You cannot ‌a‌c‌c‌e‌s‌s‌ your ‌a‌c‌c‌o‌u‌n‌t‌ and any AppI‌e‌ services

‌‌T‌‌o ‌u‌n‌l‌o‌c‌k‌ your account, ‌y‌o‌u‌’‌l‌l‌ ‌n‌e‌e‌d‌ ‌s‌o‌m‌e‌ ‌a‌d‌d‌i‌t‌i‌o‌n‌a‌l‌ ‌v‌e‌r‌i‌f‌i‌c‌a‌t‌i‌o‌n‌

For your ‌‌s‌‌ecurit‌‌y‌‌ and to ‌‌e‌‌nsur‌‌e‌‌ only you have ‌a‌c‌c‌e‌s‌s‌ to your ‌a‌c‌c‌o‌u‌n‌t‌. We will ask you to ‌v‌e‌r‌i‌f‌y‌ your ‌i‌d‌e‌n‌t‌i‌t‌y‌.

appleverify0
Fake Apple mail

From phish to website spam

Clicking the big grey “verify account” button should, in theory, lead you to an Apple phishing page. However, that’s not the case here.

The link directs people to completely random domains. Some of them appear to be advertisements. Others run the full range of everything from wall cladding services and polytechnics to hotels.

MAILSPAM1 1

There appears to be no rhyme or reason to the URLs being served up. Clicking the link could pretty much drop you anywhere without warning.

MAILSPAM2 1

It currently leads to what appears to be a half-finished page about QR code generation.

appleverify3 1
A QR code website

Why is this happening?

At this point, we’ve established that there’s no phish here. It’s using phishing as a panic-ruse to have you click through to multiple URLs via email campaigns. In this case, it appears someone has signed up to the below service, and is using this to spam.

Navigating to the URL included in the mail with the campign component stripped out leads us to the below message:

appleverify2

Mail blasting for fun and profit

Mail spammers will try and abuse legitimate services in order to drop as many missives in your mailbox as possible. Even with countermeasures in place, they’ll slip through the net of even the most careful service provider.

Regardless of how the spam gets through, get through it will. If you provide mail marketing services, it’s important to have a reporting feature in place. The ability to tie valid registrant details to campaign URLs is also crucial.

If it’s possible to highlight in mails sent out in some way that it’s via your tool or app, so much the better.

Keeping yourself safe from mail spam

For recipients, much of the typical spam mail advice applies here:

  • Always report spam, especially if it’s going beyond the usual “please buy this t-shirt” missive. If it’s a phish, a social engineering trick of some kind, or even something malware related, block and report. It’ll help keep bad content away from others that little bit quicker.
  • If you are redirected to a phish, you’re perilously close to handing over logins to a scammer. Websites asking for details without the HTTPs are a massive red flag. However, as we often point out, scammers often make use of HTTPs certificates so this is no guarantee of safety from phishing. Rather, ask yourself if you typically receive emails from Facebook or Google or anyone else asking you to visit links and enter personal details. The answer should almost certainly be no.
  • You can try the “strip out the campaign portion of the URL and see where you end up” tactic. However, you won’t know in advance if the URL on display is from a genuine marketer or just another rogue website. Search engines may assist here, but it’s a bit of a shot in the dark and potentially risky.
  • One final reminder: spammers reuse bogus mails all the time. While this one appears to redirect to random websites, the next identical message in your mailbox may well drive you to a phishing domain. Keep these fraudsters at arm’s length with a metaphorical return to sender.

We’ve reported the above mail campaign to the organisation above and hopefully it’ll be shut down soon.

The post “Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour appeared first on Malwarebytes Labs.

Steer clear of this “TestNTrace” SMS spam

Yesterday I received an SMS from “TestNTrace”, with the message resembling an official NHS communication:

fakehnstext

The text reads as follows:

NHS: You’ve been in close contact with a person who has contracted the Omicron variant. Please order a test kit via: [URL redacted]

Well, that’s an alarming thing to wake up to. However, not everything is as it first seems.

Health and (security) safety concerns

The first red-flag is that this isn’t an official NHS URL. Additionally, there’s no explanation as to how or why they know I’ve “been in close contact” with somebody. Nevertheless, people will take this message at face value.

Receiving this will be especially concerning for anyone with specific health risks related to COVID-19 exposure. There’s also a few reasons as to why this kind of spam message may prove successful in the current climate.

Testing times for…tests

It’s becoming increasingly difficult to obtain PCR tests in the UK. The rules have changed, leading to frequent delays and issues. Previously you could obtain free tests as and when you needed them. Now, tests are no longer free. As per the official guidance page:

If you’re in Scotland or Northern Ireland, you might be eligible to get a free polymerase chain reaction (PCR) test to check if you have coronavirus (COVID-19).

In England or Wales you can no longer get free PCR tests to check if you have COVID-19.

There are some exemptions, but they’re few and far between.

What this means in practice is a glorious opportunity for scammers and fakers to make even more money off the back of the pandemic. Scams targeting people with coronavirus themes are bad enough at the best of times. When you can’t even get hold of a test, it’s particularly ghoulish.

Digging into the website

The landing page resembles a standard UKGOV NHS page related to the pandemic. The links also all lead to genuine NHS sites and information portals.

Untitled design 26
Ordering a test kit

It reads as follows:

Order (COVID-19) Omicron PCR test kit

The UK has decided to deploy test kits in response to the risks of the Omicron variant. COVID-19 cases have soared by their highest number since the start of the pandemic as the Omicron variant continues to spread rapidly.

Due to rising cases among fully vaccinated patients, research has shown that it is still possible to catch and spread COVID-19 even if you are fully vaccinated.

Order your (COVID-19) Omicron PCR test kit below.

Information:

PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation.

Note: PCR test kits are free, you will only have to pay £0.99 for postage of the kit.

That’s a very long way of saying “please give us £0.99”. However, there’s a lot of clues in that block of text to suggest you shouldn’t give them a thing.

Of movement restrictions and compulsory isolation

PCR tests are mandatory and failure to register could lead to movement restrictions and compulsory isolation” is quite the statement, designed to encourage people throwing money their way as fast as they can.

Confirmatory PCR tests are no longer required. You’re also no longer required by law in the UK to stay at home and isolate if infected. The Test and Trace contact service is now closed. I couldn’t even begin to tell you what the supposed movement restrictions are all about.

Clearly, we’re dealing with something here which isn’t exactly reflecting reality as it currently stands. If we proceed to the next page anyway, the site asks for a range of personal information.

Personal details, and payment for postage

The site asks for name, DOB, email, phone, and address.

Untitled design 27
A wealth of personal information

The follow up page asks for payment details.

Untitled design 28
Payment for postage

Avoiding the PCR payment rush

If you need to obtain test kits, your best option is likely to be local pharmacies and supermarkets. Random texts and emails which lead to sites other than nhs.uk should be treated with caution, especially when tied to requests for payment.

Even if they claim the kits are free, they’ll likely ask for postage costs. All this, on top of how they magically know you’ve come into contact with somebody who has COVID-19 in the first place. While there may well be delays and low supplies in trusted stores, it’s still a much safer option than handing your payment details and personal information to random websites.

This is one text you can happily block and report. If you need a test at short notice, answering random SMS spam is definitely not the way to get one.

The post Steer clear of this “TestNTrace” SMS spam appeared first on Malwarebytes Labs.

NGINX zero-day vulnerability: Check if you’re affected

On April 9, hacking group BlueHornet tweeted about an experimental exploit for NGINX 1.18 and promised to warn companies affected by it. On April 10, BlueHornet claimed to have breached the China branch of UBS Securities using the NGINX vulnerability.

Tweet

All we learned on Twitter was that a new zero-day vulnerability in the NGINX web server existed and had been publicly revealed. The vulnerability could allow remote code execution (RCE) on a vulnerable system.

But on April 11, NGINX responded with an article saying that after investigating the issue, it had found it only affects reference implementations. Specifically, the NGINX LDAP reference implementation which uses LDAP to authenticate users of applications being proxied by NGINX.

NGINX

NGINX is an open-source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. When it was first released, NGINX was used mostly for serving static files, but since then, it has grown into a complete web server that deals with the entire spectrum of server tasks. NGINX has surpassed Apache in popularity due to its lightweight footprint and its ability to scale easily on minimal hardware. According to specialists, NGINX can run thousands of connections of static content simultaneously and is 2.5 times faster than Apache.

LDAP

Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly. Companies store usernames, passwords, email addresses, printer connections, and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP can also tackle authentication, so users can sign on just once and access many different files on the server.

The NGINX LDAP reference implementation uses LDAP to authenticate users of applications proxied by NGINX. The reference implementation was announced in June 2015. The solution leverages the ngx_http_auth_request_module (Auth Request) module in NGINX and NGINX Plus, which forwards authentication requests to an external service. In the reference implementation, that service is a daemon called ldap‑auth. It’s written in Python and communicates with a LDAP authentication server.

NGINX and LDAP
Image courtesy of NGINX

The vulnerabilities

The primary way to configure the LDAP reference implementation is with a number of proxy_set_header directives. However, the configuration parameters can also be set on the command line that initializes the Python daemon. The vulnerabilities exist in the way unsanitized input can be used to change or set LDAP configuration parameters.

The NGINX blog specifies the circumstances that need to be fulfilled for the vulnerabilities to be exploited:

  • Command-line parameters are used to configure the Python daemon
  • There are unused, optional configuration parameters
  • LDAP authentication depends on specific group membership

Mitigation

NGINX provides mitigation recommendations for each of these conditions.

When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers. To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.

Also ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.

The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership (memberOf) check and so force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups. To mitigate against this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters ( ) and the equal sign =, which all have special meaning for LDAP servers.

NGINX states that the backend daemon in the LDAP reference implementation will be updated to sanitize this type of input in due course.

And we have rounded up some additional advice.

Because LDAP extends to IoT devices, of which there are many more than IT devices, organizations running LDAP need to encrypt traffic using TLS certificates on IoT devices, keep the firmware up to date, and apply proper password management.

Make sure that you sanitize any input before it gets passed to the daemon.

Stay safe, everyone!

The post NGINX zero-day vulnerability: Check if you’re affected appeared first on Malwarebytes Labs.

April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities

It’s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.

Microsoft

Microsoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.

For those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:

  • CVE-2022-24500 CVSS 8.8 out of 10, a Windows SMB Remote Code Execution vulnerability
  • CVE-2022-24541 CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability
  • CVE-2022-26809 CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability
  • CVE-2022-26919 CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability

CVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:

  • CVE-2022-26904 CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation of this vulnerability requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetrating framework used by security engineers as a penetration testing system and a development platform that allows to create security tools and exploits.
  • CVE-2022-24521 CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.

Other notable CVEs:

  • CVE-2022-24491 CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.
  • CVE-2022-24997 CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.

On these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available here.

A vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machine is high enough. In these cases web application firewalls (WAFs) would help to mitigate the risk.

In related news, Microsoft announced the release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with patch management.

Edge and Chrome

The Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.

Other updates

While you’re at it, we also saw updates from vendors like:

Stay safe, everyone!

The post April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities appeared first on Malwarebytes Labs.

SMS group spam promises free gifts in return for bill payment

We’re seeing lots of examples of peculiar SMS messages sent to random groups of people. Most of these messages promise free gifts and/or offers after having paid bills. Nobody has asked for these texts, and they’re not being sent by providers of any services. What’s going on?

The set up

Most of the messages we’ve seen, and indeed received ourselves, are identical to the below example:

Free Msg: your bill is paid for March. Thanks, here’s a little gift for you [URL removed]

tfu980fC
Spam messaging

Where do the links go?

A very good question. Clicking any of the links while on desktop typically results in a site failing to load error. Most likely, they’re checking the user agent of your browser to ensure you’re on mobile when hitting the link.

On mobile, you’re bounced through a secondary URL before landing on a 404 error on Facebook or Twitter. Despite a piece of this website daisy-chain being lost to the void, the texts are still coming and it’s probably child’s play to correct the broken landing pages to something functional. As a result, we can’t say for sure what the final destination is. 

A friend of mine mentioned they ended up on some sort of airpod/free mobile accessories offer site from a similar group message not so long ago, so that’s one possibility. What we can say is that you should definitely avoid clicking these links should you receive one. We simply don’t know where you’ll end up, and you can very easily end up out of pocket with one mis-click.

Tips to avoid this SMS group spam

  • A lot of people are sending “STOP” messages in response to these messages. Unfortunately this won’t work, and you’re not going to opt-out of anything in this scenario.
  • Blocking the sender number helps, but they’re coming from several numbers one after the other. If you’ve received one, sadly you should probably expect more. Remember to report every single one which comes your way.
  • It can be tricky generally to block messages when dropped into a random group. Depending on phone/app, you should be able to tap three dots (or similar) and report the spamming number from there. This may also result in blocking all numbers in the group by default, which means you won’t receive dozens of unsubscribe style messages all day long from 19 other people.

Remember: If in doubt, visit your provider’s website and see first-hand if they’re offering up freebies for payment. The likelihood is they’re not, but it’s still better than clicking any of the above to find out.

The post SMS group spam promises free gifts in return for bill payment appeared first on Malwarebytes Labs.

USPS “Your package could not be delivered” text is a smishing scam

A scam is doing the rounds which begins with a text from what claims to be the US Postal Service. The SMS reads as follows:

[U.S. Postal Service] We’re sorry to let you know that your package could not be delivered. To reschedule a delivery please visit [bit(dot)ly]

I’ve never received an SMS from the US Postal Service, but I have to imagine they don’t use bit.ly redirect links in text messages. The bit.ly link hides the actual URL being sent to people’s phones. You can view stats for a bit.ly link by placing “+” at the end of the URL. Detailed stats about the shortener’s creation date, number of clicks, and more are available through this method. On this occasion, data is hidden with the message “This link has been flagged as redirecting to malicious or spam content”.

Clicking through reveals the following warning:

  • The link may be listed on a website blocklisting service.
  • The link may have been reported to Bitly by a member of the public.
  • The link may contain malware (software designed to harm your computer), attempt to collect your personal information for nefarious purposes, or otherwise contain harmful and/or illegal content.
  • The link may be attempting to hide the final destination.
  • The link may lead to a forgery of another website or may infringe the rights of others.

Not a promising start for our missing package. Shall we take a look at the final destination?

Phishing for info

The actual landing page, located at us(dot)awaiting(dot)host, claims to be a USPS parcel tracking page. It says:

USPS Currently Awaiting Package
Undeliverable as Addressed(UAA) Problem with Address
USPS Allows you to Redeliver your package to your address in case of delivery failure or any other case.
You can also track the package at any time, from shipment to delivery.

It asks visitors to “verify address”, by filling in their name, address, city, state, ZIP code, phone number and email.

fake usps
Fake data entry form

Clicking Continue at this point would normally display a second page asking for payment information. At the time of writing, clicking continue triggers a .php URL and then redirects to the 3M science website. It’s likely the data entered has been submitted to the phisher, but why didn’t they ask for payment details too?

Forgetful phishers or long-haul social engineering?

Sometimes scammers simply forget to make sure their ruse sails smoothly from A to B. It may be that they’re only actually interested in grabbing name and address information for now via the website. The logical progression would be to follow up by phone, mail, or post.

It’s also possible they realise they’ve attracted some heat and are trying desperately to put the flames out. The site is flagged via the bit.ly link and produces warning pages in browsers such as TOR. The creators may figure it’s not worth the potential risk of keeping payment detail requests online anymore – if they were there in the first place, that is.

The right way to arrange a redelivery

This is “basic parcel delivery information” as opposed security advice, but If you do use USPS, you’ll want to head over to its dedicated redelivery page. It explains in detail what USPS customers should expect when waiting on a parcel, and what to do next.

As for the security angle: Fake USPS delivery notification spam is a popular tactic for scammers, and USPS’s recent advisory on the topic includes instructions on how to report bogus SMS messages.

No matter the delivery service, always pay attention to the URL on the landing page and ensure it matches up with the official site you’re familiar with. It’s no fun having your data harvested, even if they miss out on your payment details. There’s no guarantee they won’t follow up on such a thing at a later date, so it’s well worth taking the time to get it right the first time around.

Just over half of all smishing attacks in the last few months of 2021 in the UK alone claimed to be from delivery firms. Even as the pandemic (sort of) recedes a little, this scam refuses to go away. Next time your receive a text about a package you have no memory of, it might be worth checking your most recent purchases before responding. If the parcel is real, it’ll still be there – unlike the fly-by-night scammers.

The post USPS “Your package could not be delivered” text is a smishing scam appeared first on Malwarebytes Labs.

Apps removed from Google Play for harvesting user data

Dozens of apps were removed from the Google Play Store after they were found to be harvesting the data of device owners. The code in question—a software development kit (SDK)—was used inside apps which were downloaded over 10 million times.

What happened?

A wide range of Android apps were found to have this particular SDK lurking. There’s no obvious connection between the apps besides the SDK, as they’re all from different sources and developers. A mobile powered speed camera radar. QR barcode scanners. Weather/clock widgets. Even a remote control PC mouse app. They all had this SDK running under the hood, doing things it shouldn’t have been. The only key point among them all is that they made use of something designed to help monetise their app.

It’s possible the app developers believed there was no issue with including the SDK in their apps. Indeed, there seems to be some confusion as to what, specifically, some developers thought the SDK was doing.

According to WSJ, one dev claimed they were told it was “collecting data on behalf of internet service providers”. These supposed ISPs were complemented by financial service/energy companies. Others claim to have signed non-disclosure agreements.

Google did not find these antics impressive, and swiftly removed many of the apps. The SDK is able to collect clipboard data, exact location, phone numbers, emails, and nearby devices. It can also scan other locations such as WhatsApp downloads.

Mapping out a person

You have to be very careful with visual clues to a person’s physical location, but also digital ones too. Stripping out GPS data from a photograph, or disabling geolocation on a social media portal. This can also work its way down to other areas, such as Bluetooth beacons in towns and department stores. Even Apple AirTags are now generating significant issues for people.

Even without physical stalker threats, you still need to know what’s going on inside the phone in your pocket. As the researchers note, whoever is collecting this information could link an email and mobile to GPS location data. This is very bad news for journalists working on sensitive stories. It’s also very bad in places where forms of political activism are not appreciated. In fact, it’s bad for everybody. Consider that your “not a big deal” is someone else’s “well that’s a disaster” on their personal threat model scale.

Back into the fold

Google is allowing removed apps back on the store for a second chance, assuming the SDK element has been removed. The BBC reports that the majority of apps have already returned. There is the question of whether or not some developers were up to no good. Perhaps some were totally unaware, maybe some saw harmless looking promotions for more accurate data collection and a bump in cash. Sadly, they may not have considered what, exactly, the SDK would be doing in return.

Is my device safe from this SDK?

Google hasn’t revealed how many more apps on the Play Store included the SDK. It’s very likely that all traces are now gone.

The age old advice of “the best way to keep your Android safe is to only download apps on the Play Store” may sound contradictory. However, it’s still the case that this is entirely accurate.

You’re much better off using the store than a third party download location. Simply hoping that it isn’t a scam from top to bottom won’t save you from a rogue install. Depending on device model, you may even have to tick the “allow installs from unknown sources” option to even use third party stores in the first place.

This could very well make things even more insecure in terms of your mobile device.

Keep applying those OS updates as they come along. Pay attention to reviews of apps before you download them. Take a look at some of the requested permissions at install time. If your device is capable of installing a trusted security tool, consider installing one of those too. All of this will help keep your device safe. While there’s never any guarantees, we’d be surprised if the Play Store gives the wheel back to this problematic and unwanted Android app addition.  Looks like it’s back to business as usual for the Play Store – for now, at least.

The post Apps removed from Google Play for harvesting user data appeared first on Malwarebytes Labs.

How to password protect a folder

There are times when you would like a folder to be accessible by you alone. Financial information, personal documents, or work related files on your personal system sometimes need to be hidden from prying eyes. One of the ways to do this is to password protect the folder.

Windows

For the Windows section of this article we will answer a few frequently asked questions.

Can you put a password on a folder?

Well, Windows does not provide you with an option to simply password protect a folder, but it does provide you with some options that you can utilize to put a password on a folder.

In Windows you can encrypt a folder by following these instructions:

  • Right-clicking it
  • Select Properties from the menu.
  • On the form that appears, click the General tab.
  • On that tab click the Advanced button
  • Select Encrypt content to secure data.
  • Click OK.

An important downside to this method is that your Windows username and password will be used to encrypt and password protect the folder, so people logging in on the same account as you can still see the content.

It is also important to note that when the process completes, you’ll be prompted to back up your encryption key if you’ve never used the feature before. Click the recommended option on the notification and follow the prompts to make a note of your encryption key. You’ll need this information if you ever lose access to your encrypted files, so it’s important you take the time to back it up.

How do I password protect a folder in Windows 10?

For Windows versions later than Windows 7 there is also an option to send files to a compressed folder (a zip file) which you can password protect. This Send to option is usually faster than encrypting the content. But you will have to keep in mind that the option creates a duplicate, so you will need to delete the original once you’re satisfied the compressed version is complete and accessible.

How do I hide a folder?

Hiding folders is not an ideal solution, but we want to point out that it is available in Windows. It works like this:

  • Right-click on the file or folder that you want to hide.
  • Select Properties.
  • Click the General tab
  • Under the Attributes section, check Hidden.
  • Click Apply.

Why is it not ideal? Anyone that has access to the system can check the option to Show hidden files, folders, and drives in the folder options.

Show hidden files
Folder options

Many advanced Windows users already have this option enabled, and you may forget to change the setting after you have accessed your hidden folder.

MacOS

You can password protect folder contents using macOS and Disk Utility, a built-in utility on your Mac. This method will also encrypt the content.

  • Open Disk Utility on your Mac
  • With Disk Utility open, select File from the menu bar
  • Then choose New Image -> Image from Folder.
  • Select the folder you want to protect with a password
  • Choose your encryption level: 128-bit, or 256-bit AES encryption
  • Enter and verify the password for your folder (After you type the password into both the Password and Verify text boxes make sure to uncheck Remember password in my keychain, otherwise anyone logged into your account will still be able to access the data.
  • Give the folder a name if desired
  • Under Image Format select read/write from the menu
  • Select Save

This creates a disk image holding the contents of the folder in encrypted storage. So, you’ll need to delete the original folder after verifying the disk image is complete and accessible.

Another important thing to remember is that this method only creates a fairly small—and fixed—amount of free space on the disk image, so if you want to make changes you’ll be dealing with a limited capacity. If you want a disk image with unlimited capacity, you’d be better off creating a blank image, and choosing sparse bundle disk image as the image format. If you create a 200 MB sparse bundle disk image, you can copy a 1 GB file onto it and it’ll resize to fit. However, it will not decrease in size if you were to delete that 1 GB file.

Third party software

It is not our place to make recommendations about software you can use to achieve the goal of password protecting folders, but there are several third party software packages for both Windows and Macs that are very good at compressing files and folders and providing the resulting compressed files with a password. If they are any good you will not need to decompress the entire folder before you can look at an individual file.

Just be careful not to download any potentially unwanted programs (PUPs) or one that is bundled with PUPs or adware.

The post How to password protect a folder appeared first on Malwarebytes Labs.

Conti ransomware offshoot targets Russian organizations

Thanks to the Threat Intelligence team for their help with this article.

Conti, the infamous ransomware created by a group of Russian and Eastern European cybercriminals, has again made headlines after a hacking group used its leaked source code to create another variant of the ransomware and target Russian businesses.

The hacking group calls itself Network Battalion ’65 (@xxNB65), and it is highly motivated by Russia’s invasion of Ukraine.

NB65 has been breaching Russian entities and stealing and leaking their data online. Some of its targets include Continent Express (travel management company), Roscosmos (Russian space agency), Tensor (document management operator), Ufa Scientific Center of the Russian Academy of Science (part of a network of scientific research institutes), and VGTRK (state-owned TV and radio broadcaster). Expect the number of its victim organizations to increase, as the group says it won’t be stopping until the war stops.

NB65’s ransomware, composed of 66 percent of Conti’s code, behaves the same way as the original Conti variant but with slight yet noticeable changes. Last week, a sample was submitted to VirusTotal, allowing cybersecurity researchers to study it.

How it works

Once executed, this ransomware appends the.NB65 extension to encrypted files.

wm mwb NB65 encrypted files
These are what files look like when encrypted with the NB65 ransomware, an offshoot of Conti ransomware.

The ransomware creates the ransom note, R3ADM3.txt, a known IOC file of Conti. However, the note’s content has been changed to reflect NB65’s message to victim organizations: Blame Russian President Vladimir Putin for the cyberattack.

wm mwb NB65 ransom note
NB65 turned the tables on Russian organizations using the ransomware variant initially designed to avoid them.

By now it’s probably painfully apparent that your environment has been infected with ransomware. You can thank Conti for that.

We’ve modified the code in a way that will prevent you from decrypting it with their decryptors.

We’ve exfiltrated a significant amount of data including private emails, financial information, contacts, etc.

Now, if you wish to contact us in order to save your files from permanent encryption you can do so by emailing network_battalion_0065@{redacted}.

You have 3 days to establish contact. Failing to do so will result in that data remaining permanently encrypted.

While we have very little sympathy for the situation you find yourselves in right now, we will honor our agreement to restore your files across the affected environment once contact is established and payment is made. Until that time we will take no action. Be aware that we have compromised your entire network.

We’re watching you closely. Your President should not have commited war crimes. If you’re searching for someone to blame for your current situation look no further than Vladimir Putin.

NB65’s ransom note contains details of what the group did to prevent victims from decrypting their files using Conti decryptors. There is also a contact email for victims to who want their files decrypted by the group. However, speaking to BleepingComputer, an NB65 representative said they don’t expect victims to reach out.

When BleepingComputer pressed for reasons for attacking Russian organizations, NB65 has this to say:

After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russias[sic] ability to operate normally. The Russian popular support for Putin’s war crimes is overwhelming. From the very beginning we made it clear. We’re supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, **** em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.

Malwarebytes users are protected from this ransomware, and we detect NB65’s variant as Ransom.Conti.

The post Conti ransomware offshoot targets Russian organizations appeared first on Malwarebytes Labs.