IT NEWS

Brave browser goes the extra mile to block third party cookies

Brave is testing a new feature to stop bounce tracking, a sneaky method that websites use to load third-party tracking cookies so they can gather more information about who is visiting their site.

The Brave browser

As you may remember from our post about the best browsers for privacy and security, Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

Brave Nightly is the version of Brave that is used for testing and development. The releases are updated every night, hence the name, and may contain bugs. Nightly automatically sends out crash reports when things go wrong. Nightly is now used to test a feature that’s designed to prevent what’s known as bounce tracking.

Why third party cookies are out of fashion

Many browsers and, especially, ad-blockers will refuse to load third-party cookies, which are cookies that do not originate from the site that you are currently visiting. From a website administrator’s point of view, third-party cookies are tracking codes that are placed on a web visitor’s computer after being generated by another website other than their own. When a web visitor visits their site and others, the third-party cookie tracks this information and sends it to the third-party who created the cookie. The most common third-parties are advertisers, marketers, and social media platforms.

Google has long since changed its ways and adopted other methods of tracking users. But not everyone is a tech giant with the necessary resources to pull that off, so some have resorted to bounce tracking.

Bounce tracking

Tracking protection has become a mainstream feature in many browsers these days, including Apple’s Safari, Mozilla’s Firefox, and Microsoft’s Edge. So the targeted ad industry felt it had to find a way to circumvent those measures. Enter bounce tracking, also known as redirect tracking. Another, even more invasive method is fingerprinting, which identifies users based on their computers’ unique attributes.

Bounce tracking abuses the fact that browsers’ anti-tracking tools generally allow sites to store their own cookies so they can remember repeat visitors. To limit their tracking to first-party cookies, a site that wants to track you can load an intermediary site—or tracking site—first before transferring you to the intended destination. The intermediary site sets a first-party cookie along the way, and each time you cross through it, it gathers more information about where you’ve been and where you’re going.

But there are other methods of bounce tracking like link decoration, which means a website can add a unique identifier to the links you click on, serving as a flag to the next site you visit. The destination site can then store the identifier in a first-party cookie on the original site’s behalf, letting it track your activity. The more this happens on additional sites, the more the original site can track you without ever using third-party cookies. Facebook adverts use this method in the fbclid parameter which allows the destination site to recognize you as a specific Facebook user.

Stopping bounce tracking

Some browsers have some methods to detect and stop bounce tracking but it is not always easy, since the browser doesn’t know beforehand that it will be directed through a tracking site.

In a privacy update, Brave explained how it plans to improve the existing methods. It is calling the new feature Unlinkable Bouncing. The browser will notice when you’re about to visit a privacy harming (or otherwise suspect) website, and route that visit through a new, temporary browser storage. This prevents the site from identifying you by tying your footprint to that of previous visits, but allows the site to otherwise function as normal because your visit will look like a unique, first-time visit. The temporary storage is then deleted when you browse away from the suspect site, preventing the site from re-identifying you on future visits.

The Unlinkable Bouncing feature is now enabled in Brave Nightly, and will be in Brave’s full release on version 1.37.

A possible weak point in the Unlinkable Bouncing feature is that it relies on consulting filter lists, but you can think of it as an extra layer on top of the existing features designed to stop bounce tracking, like the query parameter stripping, debouncing, and bounce-tracking interstitial features.
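To make the bounce-tracking mechanics and two of the defences named above (query parameter stripping and filter-list driven temporary storage) concrete, here is an added Python example; it is not Brave's code. The filter-list hostnames and the redirect chain are constructed for the example, and `gclid` and `mc_eid` are other well-known click identifiers added alongside the article's `fbclid`.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# `fbclid` is the Facebook click identifier named in the article; `gclid`
# (Google) and `mc_eid` (Mailchimp) are other well-known link-decoration
# identifiers added here for illustration.
TRACKING_PARAMS = {"fbclid", "gclid", "mc_eid"}

# Constructed filter list standing in for the lists Brave consults; these
# hostnames are invented for the example.
BOUNCE_TRACKER_LIST = {"track.example-ads.test", "go.redirector.test"}


def site_of(url):
    """Approximate a URL's 'site' as its last two host labels, the scope a
    first-party cookie is treated as having here. This is a simplification
    that ignores the public suffix list (e.g. co.uk)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def strip_tracking_params(url):
    """Query-parameter stripping: drop known link-decoration identifiers and
    keep every other parameter in order, so the destination still works."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def plan_storage(chain, filter_list=BOUNCE_TRACKER_LIST):
    """Unlinkable-Bouncing-style decision for one redirect chain.

    chain[0] is the page the user was on, chain[-1] the destination they
    meant to reach; everything in between was reached only by automatic
    redirects. An intermediate hop that is on the filter list and belongs to
    neither the origin site nor the destination site gets a fresh temporary
    storage partition ("ephemeral"), so the cookie it sets cannot be linked
    to earlier or later visits. Every other hop keeps its normal first-party
    storage ("persistent")."""
    origin, destination = site_of(chain[0]), site_of(chain[-1])
    plan = []
    for i, url in enumerate(chain):
        host = urlsplit(url).hostname or ""
        intermediate = 0 < i < len(chain) - 1
        if (intermediate and host in filter_list
                and site_of(url) not in (origin, destination)):
            plan.append((host, "ephemeral"))
        else:
            plan.append((host, "persistent"))
    return plan


def protect_navigation(chain, filter_list=BOUNCE_TRACKER_LIST):
    """Apply both defences: ephemeral storage for listed bounce hops and a
    destination URL with its decoration removed."""
    return plan_storage(chain, filter_list), strip_tracking_params(chain[-1])


if __name__ == "__main__":
    # Constructed chain: a social-network link bounces through a tracker
    # before landing on the shop the user actually clicked on.
    chain = [
        "https://social.example.test/feed",
        "https://track.example-ads.test/r?u=https%3A%2F%2Fshop.example.test%2Fitem",
        "https://shop.example.test/item?id=42&fbclid=AbC123",
    ]
    plan, clean_destination = protect_navigation(chain)
    for host, storage in plan:
        print(f"{host:26} -> {storage}")
    print("destination:", clean_destination)
```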

Stay safe, everyone!

The post Brave browser goes the extra mile to block third party cookies appeared first on Malwarebytes Labs.

Extortion scheme impersonates government officials, law enforcement

The FBI issued a public warning this week about a fraud scheme wherein scammers impersonate government officials and law enforcement personnel. According to the PSA, the scammers spoof legitimate numbers and names and use fake credentials of well-known members of the government and law enforcement agencies.

The scam starts off either as a call from the “police” or a text message from a “government agency”. The content of the calls and text messages varies, but they are all bogus.

In the case of phone calls, victims are either informed that their identities have been used in a crime, such as drug dealing or money laundering, or told they missed jury duty. The victim is then pressed to verify their identity using their social security number (SSN) or date of birth (DOB). If the victim resists, they are threatened with fines, arrest and imprisonment.

The text messages don’t involve accusations but instead ask victims for information related to either passport, driver’s license, or medical license renewals. The scammers threaten the revocation of licenses or registration if the victims refuse to renew or hand over the information.

Other tactics include extorting money from romance scam victims to “clear their name for participating in a crime” or as means to aid law enforcement in capturing their romance scammer. The scammers also impersonate law enforcement and say they are collecting taxes and fees from lottery scam victims. Lastly, the scammers call victims to tell them they are due to receive a government grant, but say they need to pay some money before they can claim it.

Victims are offered a variety of means of payment, including prepaid cards, wire transfers, and cash sent by mail or cryptocurrency ATMs.

The FBI says legitimate law enforcement personnel and government officials would never request payment via the above means. It also reminds people to never give out personal information over the phone without verifying that the caller is who they say they are.

The warning included some red flags to pick up on: “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”

The post Extortion scheme impersonates government officials, law enforcement appeared first on Malwarebytes Labs.

Azure AutoWarp brings automation headaches

Azure is Microsoft’s cloud computing service providing a wide range of features for businesses worldwide. It’s particularly popular for its virtual machines and IaaS (infrastructure as a service). One useful Azure feature is Automation, which has been around for some years now. Management tasks can be automated across multiple external systems. This is where the latest vulnerability tale begins.

Researchers at Orca Security have discovered an issue with Azure which they’ve called “AutoWarp”. The issue allows for attackers to grab authentication tokens and grant unauthorised access to accounts. As per the research itself, AutoWarp could mean “…full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer”.

How could this issue be used in an attack?

The flaw enables interaction with servers managing sandboxes belonging to other entities. The tokens—used to confirm a user has the correct permissions to access Azure—could be grabbed via automation jobs.

Here’s a description of what went down from the Microsoft Security Response Center:

An Azure automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.

A timeline of token disaster…almost

This flaw was reported to Microsoft on December 6, 2021 and it was fixed by December 10. The researchers then went hunting for other similar attacks. The good news is, they don’t appear to have found any. Not only that, but it also seems there’s no evidence of this having been exploited out in the wild.

As the Orca blog points out, you may well have been vulnerable to this problem before Microsoft fixed it if you used the Automation service and the related managed identity function was enabled by default. Even so: no examples of exploitation in the wild. That’s as good an end result as we can possibly hope for, given how many organisations may have been running with default configurations.

Why Azure is an appealing target for attackers

Anything cloud based is always going to be a hot target for people up to no good. Depending on the setup, attackers may be able to impact multiple people and companies all in one go. Exfiltration, ransomware, and blackmail all go well alongside vulnerable cloud services. This is why flaws like the above are taken so seriously.

Whether we’re talking about OMIGOD exposing virtual machines, the Mirai botnet, brute forcing, or four-year long source code leak bugs, the cloud space has been affected by many issues. Organisations place a lot of trust in cloud services, and they expect secure platforms and data that’s kept safe from prying eyes and sticky fingers.

You can’t guarantee something is 100% foolproof. Even so, the above is a great example of getting an issue resolved in a very short timeframe. We can only hope to see more of this the next time a cloud-based service runs into trouble.

The post Azure AutoWarp brings automation headaches appeared first on Malwarebytes Labs.

RagnarLocker ransomware gang breached 52 critical infrastructure organizations

In a FLASH publication issued by the FBI in coordination with DHS/CISA, the FBI says it has identified at least 52 organizations across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including organizations in the critical manufacturing, energy, financial services, government, and information technology sectors.

Threat profile

RagnarLocker can be recognized by the extension of the encrypted files which contains “.RGNR_<ID>,” or “.ragnar_<ID>” where <ID> is a hash of the computer’s NETBIOS name.

The ransom note is called “.RGNR_[extension].txt” and states the files and data have been encrypted by RAGNAR_LOCKER.


Exfiltrated data of victims that refuse to pay will be published on the “Wall of Shame” leak site.


RagnarLocker iterates through all running services and terminates services commonly used by Managed Service Providers (MSPs) to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files.
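The artifacts described in the threat profile (the “.RGNR_<ID>” / “.ragnar_<ID>” extension and the “.RGNR_[extension].txt” note naming RAGNAR_LOCKER) are enough for a simple file-system sweep. The following Python is an added example written for this post, not code from the FBI FLASH or Malwarebytes; since the FLASH does not name the hash algorithm used for <ID>, any hex run is accepted, and the sample tree it builds is constructed with an invented ID.

```python
import os
import re
import tempfile
from collections import Counter

# Encrypted-file extension from the FLASH: ".RGNR_<ID>" or ".ragnar_<ID>".
# <ID> is a hash of the host's NETBIOS name; the algorithm is not given, so
# any run of at least four hex digits is accepted here (an assumption).
ENCRYPTED_RE = re.compile(r"\.(?:RGNR|ragnar)_([0-9A-Fa-f]{4,})$")
# Ransom note name pattern ".RGNR_[extension].txt" and the string it carries.
NOTE_RE = re.compile(r"^\.RGNR_[0-9A-Fa-f]{4,}\.txt$")
NOTE_MARKER = "RAGNAR_LOCKER"


def scan_tree(root):
    """Walk `root` and return (ids, notes): a Counter of the <ID> values seen
    on encrypted files, and the paths of ransom notes that mention
    RAGNAR_LOCKER. Note files are only read up to 4 KiB."""
    ids = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = ENCRYPTED_RE.search(name)
            if m:
                ids[m.group(1).lower()] += 1
                continue
            if NOTE_RE.match(name):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", errors="ignore") as fh:
                        if NOTE_MARKER in fh.read(4096):
                            notes.append(path)
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return ids, notes


def assess(root, threshold=5):
    """Flag a finding when a ransom note is present, or when at least
    `threshold` files share one <ID> (one host's hash, which is what a real
    infection produces; a single stray match is likely a false positive)."""
    ids, notes = scan_tree(root)
    hit = bool(notes) or any(n >= threshold for n in ids.values())
    return {"hit": hit, "ids": dict(ids), "notes": notes}


def build_sample_tree():
    """Constructed sample: a temp directory holding six encrypted files, one
    untouched file and a ransom note. The ID value is invented."""
    root = tempfile.mkdtemp(prefix="rgnr_demo_")
    sample_id = "a1b2c3d4"
    for i in range(6):
        open(os.path.join(root, f"report{i}.docx.RGNR_{sample_id}"), "w").close()
    open(os.path.join(root, "untouched.txt"), "w").close()
    with open(os.path.join(root, f".RGNR_{sample_id}.txt"), "w") as fh:
        fh.write("Your files have been encrypted by RAGNAR_LOCKER ...\n")
    return root, sample_id


if __name__ == "__main__":
    root, _ = build_sample_tree()
    print(assess(root))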

Don’t call the cops

In the past, RagnarLocker has warned victims explicitly against contacting the FBI, or other law enforcement agencies for that matter. In September 2021, the ransomware operators threatened to publish all the data of victimized organizations that seek help from law enforcement or investigators following ransomware attacks.

But, in the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces to drive policy changes that would require organizations to report certain cyberincidents to the federal government. Importantly, the legislation would give organizations 72 hours to report a cyberincident. Ransomware attacks by an entity believed to originate from the CIS would certainly qualify as such.

The FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI says it would like the following information:

Short term items:

  • Copy of the ransom note (screen shot/picture/text file)
  • Any discovered malicious IPs with time stamps/time zones (unusual RDP connections/unusual VPN connections/beacons to malicious IPs)
  • Virtual currency addresses/amount of demand
  • Any malicious files (executables/binaries)
  • Summary of timeline of events (dates of initial observation/malicious activity)
  • Evidence of data exfiltration

Long term items:

  • Brief summary of where the IOCs came from
  • Incident response report
  • Copy of any communications with malicious actors
  • Forensic images and memory captures
  • Host and network logs
  • Any available decryptor
  • Scope of impact (amount of loss)

CIS

As mentioned in our blog post Ransomware’s Russia problem, RagnarLocker is believed to be of Russian origin and will try to avoid making victims in the Commonwealth of Independent States (CIS). To do so, Ragnar Locker uses Windows API GetLocaleInfoW to identify the location of the infected machine. If the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.

IOCs

In the pdf file that carries FLASH Number CU-000163-MW you can find the current IOCs, including IP addresses, Bitcoin addresses, and email addresses.

Mitigation

To stay out of the claws of the RagnarLocker group the usual mitigation techniques for ransomware apply. The FBI lists:

  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyberthreat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

The FBI recommends backup strategies to speed up recovery from a ransomware attack:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.

Stay safe, everyone!

The post RagnarLocker ransomware gang breached 52 critical infrastructure organizations appeared first on Malwarebytes Labs.

FormBook spam campaign targets citizens of Ukraine

Our Threat Intelligence team has been closely monitoring cyber threats related to the war in Ukraine. Today, we discovered a malicious spam campaign dropping the Formbook stealer specifically targeting Ukrainians.

Formbook is part of a long-running malspam operation that we observe on a regular basis. This time, the email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.


The email can be translated as:

Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens.
 
All citizens receive support from the Federal Government in the amount of 15,000, we want to say that you must protect each other, this is a difficult time for everyone, together with God we will fight this difficult time.
 
Your letter of approval is added
 
Sincerely.

Upon opening the file called лист підтримки.xlsx (support letter.xlsx), an exploit for CVE-2017-11882 will attempt to compromise the machine in order to download the Formbook payload from a remote server.

This is not the first — and certainly won’t be the last — time we see threat actors taking advantage of crises. As heartless as it looks, we realize that malware and criminal operations are always ongoing.

Malwarebytes customers were protected from this attack thanks to our Anti-Exploit protection layer.

Indicators of Compromise

Email subject

лист схвалення касового забезпечення – міністр

Formbook maldoc

лист підтримки.xlsx
7d39e6ca46c053c1ad744de1ca8867217596bb17bb673785eb8827b00c5ae05b

Formbook URL

103.167.92[.]57/xx_cloudprotect/vbc.exe

Formbook payload

b5f79bb30d60794b7edbf486fa96a11c1ac3ba34592a496379020e8379f281be

The post FormBook spam campaign targets citizens of Ukraine appeared first on Malwarebytes Labs.

Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday

The updates for Microsoft’s March 2022 Patch Tuesday should fix 92 vulnerabilities, including three zero-day vulnerabilities.

Of the 92 vulnerabilities, 21 are for Microsoft Edge and originate from the Chromium Project. Of the 71 others, three are classified as Critical because they allow remote code execution (RCE).

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

The first three are publicly disclosed vulnerabilities, which makes them zero-day vulnerabilities, but so far none of them has been seen to be exploited in the wild.

Remote Desktop Client

CVE-2022-21990: A Remote Desktop Client remote code execution vulnerability. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. This vulnerability might be hard to exploit since it requires an attacker to control a malicious server and that the user must willingly connect to it. There is Proof-of-Concept (PoC) code available for this vulnerability.

Windows Fax and Scan service

CVE-2022-24459: Windows Fax and Scan service elevation of privilege vulnerability is an LPE (local privilege escalation) vulnerability in the Windows Fax and Scan service. An LPE vulnerability means that an attacker should already have some level of access and can take their privileges to a higher level by exploiting this vulnerability. Such vulnerabilities can be useful in an attack chain. There is Proof-of-Concept (PoC) code available for this vulnerability.

.NET and Visual Studio

CVE-2022-24512: A .NET and Visual Studio Remote Code Execution vulnerability. The ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack. This is because successful exploitation of this vulnerability would require a user to trigger the payload in the application.

Next up are the vulnerabilities that were rated as critical.

Exchange Server

CVE-2022-23277: A Microsoft Exchange Server remote code execution vulnerability. An attacker could target the server’s accounts to achieve arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call. So the attacker needs some form of authentication to exploit this vulnerability, which makes it all the more important to change or remove compromised accounts. Stolen or leaked credentials can be used to wreak havoc.

HEVC video extensions

CVE-2022-24508: A HEVC Video Extensions arbitrary code execution vulnerability. The High Efficiency Video Coding (HEVC) extensions allow a buyer to play back files in HEVC format. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately.

VP9 video extensions

CVE-2022-24501: A VP9 video extensions arbitrary code execution vulnerability. Very much the same as the above. An attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. VP9 is the successor to VP8 and competes with HEVC.

Finally, one vulnerability that is listed as Important and not as Critical, but which looks like a likely candidate to be exploited.

SMBv3 client/server

CVE-2022-24508: A Windows SMBv3 client/server remote code execution vulnerability. The vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected. The attacker needs to be authenticated to exploit the vulnerability. The Microsoft page provides a workaround that requires administrators to disable SMBv3 compression.

Other vendors

Other vendors have published security related updates as well:

  • Cisco released security updates
  • Google released Android security updates
  • Samsung released a Security Maintenance Release package that includes patches from Google and Samsung.
  • HP released a security update to deal with 16 disclosed UEFI firmware vulnerabilities.

Stay safe, everyone!

The post Update now! Microsoft patches three zero-day vulnerabilities on Patch Tuesday appeared first on Malwarebytes Labs.

Twitter makes the leap to Tor

Tor is getting another visibility boost for people who may not otherwise come into contact with it. The reason: an attempt to navigate increasing amounts of censorship.

What is Tor?

The Tor network is something designed to keep communications anonymous. A variety of tools exist to make use of it, including messaging, web browsers, and other clients. Most people new to this realm would likely have their first experience via the standalone Tor browser. This works like any other browser download, with a lot of the same functionality. The big difference is that when you load it up, it connects to the Tor network. From the Tor browser manual:

Tor is a network of virtual tunnels that allows you to improve your privacy and security on the Internet. Tor works by sending your traffic through three random servers (also known as relays) in the Tor network. The last relay in the circuit (the “exit relay”) then sends the traffic out onto the public Internet.

Additional security tools and precautions abound in the browser to reduce the risk of fingerprinting, unwanted tracking, and more. The default search engine is DuckDuckGo. All data vanishes when the browser is closed (think Incognito mode), and three levels of security increasingly strip out page aspects such as JavaScript and media which could present problems.

That’s not all. Many sites have a .onion version available to make it even harder to perform surveillance on the user. When an onion version of a page you’re on exists, an “Onion available” notification is displayed next to the URL bar. That is highly relevant in this instance.

Peeling the onion

Onion pages are considered to have more advantages than regular sites where anonymity and privacy are concerned. Going back to the Tor manual:

  • Onion services’ location and IP address are hidden, making it difficult for adversaries to censor them or identify their operators.
  • All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS.
  • The address of an onion service is automatically generated, so the operators do not need to purchase a domain name; the .onion URL also helps Tor ensure that it is connecting to the right location and that the connection is not being tampered with.

The second bullet is particularly useful for those perhaps increasingly rare occasions of dealing with a non-HTTPS site. They do still exist! The third bullet is handy for service operators, and the first is good for everybody involved.

Why is the potentially obscure world of onion addresses (to regular web users at least) getting an airing in the media?

Social media makes the leap (again)

Twitter has launched an onion version of its service, available immediately. It now joins Facebook, which went live with its own onion service in 2014. While some may flag this as a response to events in Ukraine, it seems this has been in the works for some time. Indeed, one of the people behind it says they’ve been toying with the idea for several years.

Elsewhere, major news services have had onion pages for a few years now:

They’re also actively promoting relevant language specific pages:

So, then, it really depends what you’re looking for via Tor. If your personal circumstances currently require access to blocked services to communicate with friends and family, or you simply need a variety of news sources in a hurry, then you may well want to consider downloading the Tor browser, because there’s a good chance what you need is already available.

Just keep in mind that, as with all things, risks do exist, and factor in additional security precautions as appropriate. Navigating directly to the Onion pages from official links likely presents minimal risk, but forewarned is most definitely forearmed.

The post Twitter makes the leap to Tor appeared first on Malwarebytes Labs.

Google takes on Docs notification spammers

Cloud-based document suites have always been a hot target for scammers. When it’s easy to dip in and out for collaboration purposes, or just share things generally, then it’s likely that bad people will want in on the action.

In 2019, Google calendar users were wading through endless spam invites/event notifications when spammers worked out how to game the system. It was fixable, with the caveat that the fix was a multi-stage process. Quite likely a bit too much work for people who just want to access their calendars without spam, and who can blame them?

Anyway, these things come around time and time again. When a new feature appears, so too do the spam vultures. Time to cast our minds back to the end of 2020.

Of comments and exploits

The pandemic has helped nudge along additional features into collaboration tools to make remote work more straightforward. One such Google Docs revamp is the “tag tool” which fetches lists of recommended people. This operates in a similar way to Twitter, which prefills a bunch of suggestions after the “@” when you type in a username.

So far, so good.

Around October 2020, spam messages via Google Docs came to light. Specifically: the comments feature. It’s worth noting this behaviour wasn’t just restricted to Docs; other apps like Slides were affected too.

Spammers figured out they were able to send messages via tagging to “nearly any email address” (as per this article). Inserting a tag would generate and send mail to the tagged individual’s mailbox, with the mail appearing to have come from Google. While we can question if that alone is enough to add the legitimacy sheen required, at the baseline it’s sailing past spam filters and related precautions.

The messages included everything from “inappropriate PDFs” and fake financial transaction links to more general bogus notifications and supposed financial compensation.

Filtering out the rogues

As with the workaround for calendar spam, the process to block the mails required setting up custom filters, although I suspect a lot of regular Google users didn’t bother with figuring out the mechanics of such a procedure.

As mentioned, one really big problem with this spam technique was the absence of additional sender information. Good news: Google has now addressed this. Notifications will now also show the commenter’s email address, in order to allow recipients to be sure about who it came from.

The change is scheduled to take place over a 15-day period, and as this rollout started on March 3rd, you may well already have the new functionality. According to the Times of India, this will also be a default option. No digging around for obscure options or menus, which is always appreciated.

If you’ve been weathering the storm of spam missives via Google apps over the last few weeks or even longer, then help is now officially on the way. Let’s hope we can all get back to being productive without the risk of bogus messages as soon as possible.

The post Google takes on Docs notification spammers appeared first on Malwarebytes Labs.

When fake dating profiles try the military approach

I’ve run into many romance scams over the years. You’ll find them lurking on social media, instant messaging, chatrooms/forums, and many more besides. They’re particularly popular during times of war or natural disaster, as they often dovetail into donation and charity scams.

The icing on the cake for many of these fakeouts is an air of respectability. Anything that adds legitimacy or something seemingly trustworthy is going to pull in potential victims. Of all the romance scams I’ve dealt with, the most common element is probably the military-centric profile picture.

A profile you can trust

Nothing adds a splash of appeal in the minds of scammers quite like a dashing hero in full combat get-up. That’s their game plan, anyway. It does seem to be rather successful though, with a neverending stream of people losing lots of money. It’s worth noting that large volumes of cash can go AWOL even without the addition of anything military related.

Security researchers dealing with military themed romance scams will often recognise the same images in circulation time and time again. Scammers often lazily lift the first army general they can find on Wikipedia. Other times, they’ll put a bit of work into it. It’s harder to pinpoint a scam if the image being used isn’t particularly well known.

As a result, scammers will trawl social media pages, work portals, and even Linkedin profiles. One stolen profile picture later and they’re in business. One peculiar side effect of this is that the supposedly unknown image starts getting more use as additional scammers simply grab it from their peers. The end result is that no stolen soldier photograph remains unknown for long.

When dating scammers make you famous

Have you ever considered what it’s like for the army person themselves when they realise they’re the face of scams?

This is the problem faced by Col. Daniel Blackmon. His images have been used in romance scams since around 2014, and he is basically playing whack-a-mole trying to get these fake accounts shut down. The scammers grabbed his photographs from his (at the time) entirely open Facebook page, and things spiralled out of control from there. The scam messages tied to the fake profiles aren’t particularly unique, and sound like all the other romance scams out there. With a military twist, of course. Some of the examples from the article:

  • Diamond sales via “the Yemen Government”
  • Secretive portfolios containing all the wealth you could possibly desire
  • Coming from a military family where at least one serving parent has been killed in a war
  • Peacekeeping missions with a lot at stake
  • Unable to access money, and not allowed to talk on video “for security reasons”

This is, of course, all nonsense. But to someone on the other side of the computer screen who’s feeling a bit lonely, it can be entirely convincing. Dropping images of someone in uniform across these profiles may well be enough to tip the scales in favour of the scammer.

How to avoid a romance scam

Romance scams are a big enough deal that banks flag potential payments before sending through the system. Should someone using Barclays select the “love interest” dropdown, when selecting the reason for transferring money, users will see a popup probing the nature of the payment. It’ll also highlight some of the things to be wary of (although the way it’s been done has itself drawn some criticism).

No matter which kind of romantic messages you’re receiving, be on your guard with people you don’t know. We recently published an article detailing some of the ways you can avoid being caught in this fashion. Here’s some of our general tips for avoiding common forms of romance scams:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
  • Do an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible to fleece them of their money equally quickly.
  • If they encourage you to invest in something—be suspicious. Start digging around online about the company that, they say, is worth investing in. Never send them money.
  • Follow your gut instinct. If something feels off, cut off contact immediately and report your experience to the police, the Internet Crime Complaint Center (IC3), and the dating or social media site where you met the scammer.

Please check the article out for more advice on subjects ranging from sextortion to bogus dating websites, as you don’t need a broken heart and a shattered bank balance to go with it.

The post When fake dating profiles try the military approach appeared first on Malwarebytes Labs.

A week in security (February 28 – March 6)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (February 28 – March 6) appeared first on Malwarebytes Labs.