IT NEWS

Intimate photo hacker spared from jail, said he “liked the detective work”

Michael Grime, a British games programmer, has escaped jail after using stolen credentials to access several women’s personal email accounts and social media accounts in order to steal their private and intimate photos.

Grime was caught by the National Crime Agency (NCA) as part of an operation involving several agencies and the FBI. The agencies were able to link his email address to an account in WeLeakInfo[dot]com, a website that sells leaked credentials. Grime is said to have been paying $2 USD a day to access this site before it was taken down by law enforcement in early 2020.

WeLeakInfo[dot]com is marketed as a site that offers access to 12 billion user records collected from more than 10,000 data breaches. These records contain user names, email addresses, IP addresses, passwords, and phone numbers.

This is what WeLeakInfo used to look like, courtesy of the Wayback Machine.

This appeared on the WeLeakInfo website from as early as January 2020, courtesy of the Wayback Machine.

In November 2020, law enforcement officers raided Grime’s home and seized a PC tower, three external hard drives, and his mobile phone. Thousands of photos and videos of women either topless or nude were found on his devices, many of which were images that had never been shared publicly.

The NCA primarily identified 11 women in the UK, most of whom went to school with Grime or had known him since childhood. It isn’t specified how many women Grime victimized outside of the UK. Some of his victims are popular figures on YouTube and OnlyFans.

During a Preston Crown Court hearing, Grime admitted to having access to “around 50 accounts”. In one incident, Grime, who was described as “geeky, loner, and odd”, hacked the account of one of the women’s boyfriends to access private photos shared between the couple.

Lisa Worsley, prosecuting, told the court that his victims “felt betrayed and sad. One woman’s first response was to delete all her social media which she found upsetting.”

“Another said her Snapchat has been unstable and would log her out three or four times a day.” That’s a red flag there.

On the defending side, the lawyer whom outlets only name as “Mr. Forbes” told the court that Grime is “socially awkward” and may be on the autistic spectrum, although Grime has never had an official diagnosis. Forbes also said that his client became obsessed with hacking and “liked the detective work”.

“Many cybercriminals rely on the fact that lots of people use the same password on multiple sites and data breaches create the opportunity for fraudsters to exploit this,” said Detective Inspector Chris McClellan from the North West Regional Organised Crime Unit, who carried out the warrant at Grime’s home address in November.

“He knew it was wrong,” Forbes is quoted saying, “He stopped on occasions but [sic] and deleted material and would start again. This was something over which he felt he had little to no control over.” Forbes said Grime’s arrest was a “relief” for the young programmer as Grime didn’t have to rely on his weak will to stop himself from hacking accounts and downloading photos.

Although he wasn’t imprisoned, Michael Grime was given a community order, which orders him to do unpaid community work for 80 hours over two years. He was also ordered to undergo rehabilitation for 30 days and pay £500 as compensation for each of his 11 victims.

DI McClellan advised internet users to check if their credentials and personal data have been part of a data breach by using legitimate websites like haveibeenpwned.com. If users find one or more of their accounts have been compromised due to breaches, they should make new strong passwords for each account.

“Do not reuse passwords and where possible apply Two Factor Authentication (2FA). This will help you prove you are who you say you are when you are logging into your account. Do not share the 2FA code with anyone.”

Sage words.
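The breach check DI McClellan recommends can be done without ever sending a password anywhere: haveibeenpwned.com’s Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash and returns every matching suffix with a breach count, so the caller compares locally. The code below is an added example written for this post, not code from Malwarebytes or from Have I Been Pwned; the range body for prefix 5BAA6 is constructed (only the suffix for “password” is real), and the fetcher name `fetch_range_online` is my own.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API; only a 5-character hash prefix is sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines the API returns into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, fetch_range):
    """Number of breaches the password appeared in, 0 if its suffix is absent from the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Query the live API for one prefix (network access required; not used by the test)."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-check-example"},  # the API rejects requests without one
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


# Constructed stand-in for the API body for prefix 5BAA6 (SHA-1 of "password" starts with it).
# The other suffixes and all counts are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "2F8D1A1EBF38F7F6B2D0C9A5CE3A1F0B4D2:12\r\n"
    ),
}


def fetch_range_offline(prefix):
    """Offline fetcher returning an empty range for any prefix we have no sample body for."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate, fetch_range_offline)} times")
```

Swap `fetch_range_offline` for `fetch_range_online` to check against the live service; the password itself still never leaves the machine.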

The post Intimate photo hacker spared from jail, said he “liked the detective work” appeared first on Malwarebytes Labs.

Ransomware targets Edge users

Unless you’ve been hiding under a rock for the last twenty years, you’ve probably heard the one about “keeping your software up to date”. Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure online, and vendors, experts, pundits, and blogs like ours, never let users forget it!

And because it’s good advice that’s easy to follow, cybercriminals like to use fake software updates to con users.

Fake software updates have been a go-to tactic for getting users to download malware for many years. A convincingly-branded message that tells users they need to update their out of date software taps into all the good security messaging users have soaked up, it gives them a reason to install strange software from the Internet, and it carries exactly the right mixture of implied threat and urgency that social engineers like.

For years, fake Flash updates were a fixture of web-based malware campaigns. Flash provided just the right kind of patsy: It was famous for its security holes, and new updates were released almost every month. But with Adobe’s media player a year into its long overdue retirement, criminals have had to look elsewhere for a convincing cover story, and where better than perhaps the most frequently updated software of them all, the web browser? Browsers have an almost frenetic update schedule, and many users understand that installing regular updates is a normal and important part of their everyday use.

Last week, Malwarebytes’ Threat Intelligence worked with nao_sec researchers to investigate a recently-discovered update to the Magnitude Exploit Kit that was duping users with a fake Microsoft Edge browser update.

The Magnitude exploit kit offers users ransomware dressed up as Microsoft Edge

The Magnitude exploit kit uses a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers. Although Magnitude has been used to target different geographies and deliver different kinds of ransomware in the past, these days it is strictly focussed on installing Magniber ransomware on targets in South Korea.

The fake Edge update attack flows like this:

  1. A user visits an ad-heavy website and encounters a malicious ad.
  2. The malicious advert redirects them to a “gate”, known as Magnigate.
  3. Magnigate runs IP address and browser checks to determine if the user will be attacked.
  4. If the user fits the attackers’ criteria, Magnigate redirects them to the Magnitude exploit kit landing page.
  5. Based on information from Magnigate, the exploit kit chooses an attack from its collection.
  6. In this case, the exploit determines the best attack is a fake Microsoft Edge update.
  7. The “update” is actually a malicious Windows Application package (.appx) file.
  8. The .appx file downloads Magniber ransomware from the Internet.
  9. Magniber encrypts the user’s files and demands a ransom.

A Magniber ransom demand

Magnitude is regularly updated with fresh attacks, and the fake Edge update appears to have been added in the last few weeks. In the past, Magnitude has made extensive use of Flash and Internet Explorer vulnerabilities, but as the software landscape has changed it has had to adapt. In late 2021, it was seen targeting a sandbox escape vulnerability in the Chrome browser family, for example. That should be no surprise: Chrome is the most popular web browser by far, and it suffered from an unprecedented glut of zero-days in 2021.

The number of problems affecting Chrome’s V8 JavaScript engine suggests there may be underlying problems in that part of the browser, and we fully expect that the near-term future of exploit kits will be Chrome exploits. However, that won’t stop exploit kits from taking advantage of other tactics, like fake updates, where they’re more likely to succeed.

Although Edge is based on the same browser as Chrome, uses the same V8 JavaScript engine, and is vulnerable to the same exploits, those exploits will only work on browsers that are out of date. And since browsers are pretty good at installing updates, Magnitude also needs attacks that work against fully updated browsers.

The irony is that the users most likely to run into an attack telling them they need to update their browser are the ones who already have.

If you want to know what version of Edge you’re running and if there are updates available, we suggest you follow the official guidance from Microsoft:

  1. Open Edge, select Settings and more, and then select Settings.
  2. Scroll down and select About Microsoft Edge.

Malwarebytes blocks Magniber ransomware.

Malwarebytes blocks a Magniber ransomware download

The post Ransomware targets Edge users appeared first on Malwarebytes Labs.

FIFA 22 phishers tackle customer support with social engineering

Players of smash hit gaming title FIFA 22 have become the target of a wave of attacks focused on account compromise. Up to 50 “high profile” accounts were hijacked by what may have been the same group.

FIFA games are, traditionally, a big draw for scammers and phishers. Many sports titles offer in-game digital items and benefits, paid for with real money. Sometimes you buy specific items via purchases called microtransactions. Other times, it might be a form of lucky dip, where you spend money on boxes which contain random items. They can be worthless, or incredibly valuable, and you don’t know what you’ll receive till you buy the so-called lootboxes. Games like FIFA frequently draw ire for it, and players who buy a lot of lootboxes are popular targets for phishers. Wherever you have players investing large sums of money, you’ll find the sharks circling in the water.

Someone decided to make a big splash with this particular attack. This isn’t supposed to be a stealthy compromise and a slow burn of stolen and plundered accounts, the attackers took over some of the biggest names in the FIFA game space and fired half a dozen flare guns at the same time. As Bleeping Computer notes, targets included actual players, currency traders, and streamers. Someone wanted attention, and they went about it in a way which guaranteed it.

Setting the scene

The problem was so visible that EA published a statement on the attacks. One may have assumed the first point of entry would be phishing gamers with fake logins and stealing their accounts. This is where additional security measures such as 2FA come in. If the attackers gain login details via bogus websites, they still need to login to the real site as the victim. If 2FA (or similar) is active, they won’t be able to do it without the 2FA code.

This potentially gives victims enough time to realise something isn’t right, and change their login details leaving the phisher with nothing.

However, even with 2FA enabled, things can go wrong. Typically this approach again focuses on the victim. A fake login site will ask for username and password, but then also ask the victim to enter their 2FA code on the phishing site. This code will then be automatically entered onto the real thing, or punched in manually (and with haste!) by the attacker. Sometimes they even ask victims to upload files designed to keep attackers from logging in.

However, on this occasion, they set EA customer support agents in their sights instead.

Going head to head with customer support

The statement reads as follows:

Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other “social engineering” methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts. 

Attacking victims via customer support isn’t a new technique, but it was used to spectacular effect here. It’s not clear from the statement exactly how this played out. However, phishers often steal logins via fake sites first, then go to customer support pretending to be the victim who is “locked out” or has forgotten their details. They use pieces of the already stolen data to convince customer support they’re the real deal, and then take info from customer support to complete the attack.

The other approach is to talk to customer support with no action taken beforehand, and “simply” social engineer their way into full account control. Tricky, but not impossible, and a lot of it comes down to staff training.

Damage done, and further steps

Here’s the next part of the statement:

At this time, we estimate that less than 50 accounts have been taken over using this method…our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.

Whether pre-armed with pilfered data or not, the scam involved altering the registered email addresses associated with accounts. More training definitely seems to be key here, as they go on to say:

All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.

All good moves by EA.

A wide world of 2FA protection

A caveat: phishers bypassing you completely and leapfrogging customer support means your 2FA may not help in that situation. On the other hand, keeping accounts locked down with tools like 2FA may contribute to them having to dream up scams like this in the first place. Making them work harder, and going the extra mile, naturally puts up a bit of a fatigue barrier. Many will also simply move on and target less secure accounts.

I can’t think of many gaming platforms or title-specific services involving passwords which don’t also offer 2FA. PlayStation has it, Xbox has it, as do Steam and Epic. Many platforms and titles offer bonuses for enabling additional security measures.

All of these forms of protection differ, with varying degrees of security. Some are SMS based, which are better than nothing, but ripe for exploitation via SIM swap. Phishers will come up with inventive ways to bypass apps, especially where some crossover to the desktop exists.

The best combination, if available, is probably a password manager and a hardware security key. Some password managers, for example LastPass, will prefill login details for you, but only if you’re on the genuine website. If you’re sent to a bogus site, nothing will happen and you’ll know you’re in the wrong place.

Meanwhile, the physical security key deals with authentication – no text messages or apps required. There are a few examples of successful attacks on physical sticks, but they’re pretty rare. Again: this won’t help if the attackers haul themselves over the finish line through customer support. That’s out of your hands. Even so, you’ve locked things down at your end and that can only possibly be a benefit to you and a hindrance to those that matter.
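The reason a password manager “does nothing” on a bogus site is that it binds each saved login to the origin it was saved on. This added example, which is not EA’s, LastPass’s or any real manager’s code, shows the matching rule in miniature: only HTTPS pages on the saved site or a true subdomain of it get a prefill, so look-alike hosts, HTTP downgrades and `user@host` tricks all come up empty. The vault entry for ea.com is constructed, and a real manager would additionally use the public suffix list to decide what counts as the site.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    site: str       # registrable domain the login was saved for, e.g. "ea.com"
    username: str
    password: str


def page_host(url):
    """Return the lower-cased host of an HTTPS page, or None if autofill must not happen.

    Plain-HTTP pages are refused so a downgraded copy of the site gets nothing.
    urlsplit() strips any "user@" prefix, so "https://www.ea.com@phish.example/"
    yields "phish.example", not "www.ea.com".
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_matches(saved_site, host):
    """True for the saved site itself or a genuine subdomain of it.

    The "." label boundary is what defeats look-alikes: "ea.com.verify.example"
    and "notea.com" both contain "ea.com" but neither ends in ".ea.com".
    A homograph such as a Cyrillic "еа.com" is a different string and fails too.
    """
    return host == saved_site or host.endswith("." + saved_site)


def autofill(vault, url):
    """Return the credential to prefill for url, or None when nothing matches."""
    host = page_host(url)
    if host is None:
        return None
    for cred in vault:
        if host_matches(cred.site, host):
            return cred
    return None


# Constructed vault: a made-up login for ea.com, the service in the story above.
VAULT = [Credential("ea.com", "fifa_fan", "example-only-password")]

if __name__ == "__main__":
    for url in (
        "https://www.ea.com/login",                         # genuine: prefilled
        "https://ea.com.account-verify.example/login",      # look-alike: nothing
        "https://notea.com/login",                          # substring trick: nothing
        "http://www.ea.com/login",                          # no TLS: nothing
        "https://www.ea.com@phish.example/login",           # userinfo trick: nothing
    ):
        print(url, "->", autofill(VAULT, url))
```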

The post FIFA 22 phishers tackle customer support with social engineering appeared first on Malwarebytes Labs.

Software engineer hacked webcams to spy on girls—Here’s how to protect yourself

A 32-year-old software engineer has been sentenced to two years and two months in prison for remotely accessing chat logs, photos, videos, and webcams of his female victims.

For nine years, between 2010 and 2019, Robert Davies used malware to infiltrate his targets’ devices and access their data without them knowing. In one incident Davies accessed a schoolgirl’s webcam and secretly filmed her undressing and showering.

Davies is not only a voyeur but also a catfish. He is said to have created multiple accounts on Skype to get close to his targets with the end goal of eventually tricking them into performing sex acts for him. While using one of his Skype personas, he befriended an 11-year-old girl and built a relationship with her over the course of two years. He eventually gained access to her computer and switched on her webcam without her realizing.

Andrew Shorrock of the UK’s National Crime Agency (NCA) is quoted saying: “Davies has amassed what can only be described as a cybercriminal’s toolkit. Not only was he using these tools to break in to people’s devices, he was using them to spy on his unsuspecting victims and to steal naked images of them for his own sexual gratification.”

All in all, Davies victimized 25 individuals.

Davies pleaded guilty to all 25 counts of “causing a computer belonging to another to perform a function with intent to secure unauthorized access”, one count of voyeurism, four counts of making sexual photos of children, and one count of owning extreme pornographic media.

“The extent of the damage you have caused is immeasurable and constitutes a total violation of their privacy,” said Judge Julie Warburton of Nottingham Crown Court as she carried out the sentence.

How to protect yourself from voyeurs and catfishers

Technology has made it possible for anyone with the right know-how and ill intent to access someone else’s device and spy on them. Thankfully, incidents of voyeurism and catfishing can be avoided. Here are some tips:

Webcams

  • If you use a laptop, make sure you put something over the webcam. A simple piece of tape will do, or you can use a specially made webcam protector.
  • If you have a webcam that’s not built into your computer, then get into the habit of manually disconnecting your webcam when you’re not using it.
  • If your webcam has a password, change it from the default to a long and complicated one.

Instant messengers (IMs) and voice-over-IP (VoIP) apps

  • Treat your IM or VoIP app chat of choice as you would your online social media account: lock down your security and privacy settings, and make sure your ID/handle is not searchable just by anyone (if at all), which means random strangers cannot just add you as a contact.
  • Keep chats and video sessions clean as much as possible. It may be fun for you to try something risque every now and then, but remember that the threat of sextortion, revenge porn, and blackmail are real.

General tips

  • It goes without saying that you should make sure you have good security software installed on your device and keep it up to date.
  • And talking of updates, make sure you’re applying them as soon as they’re available, whether that’s your phone, your computer’s OS or your browser. Cybercriminals use known flaws to exploit systems so keeping your system up to date is one way of making things harder for them.

If there is one final takeaway we can get from the Davies case, it’s that cybercriminals can be very patient. And sometimes, all it takes is one person to choose to take advantage of our trust. One can never be too careful, especially online.

Stay safe!

The post Software engineer hacked webcams to spy on girls—Here’s how to protect yourself appeared first on Malwarebytes Labs.

Update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one

How time flies sometimes. Microsoft yesterday released the first patch Tuesday security updates of the year 2022. The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.

A severe word of warning for those running a network with a domain controller: the side effects this month are extreme. The advice is to hold off on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a “domain controller.” This month’s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.

Patches that can cause problems include the following:

It’s unclear if Server 2022 is similarly impacted.

Along with the update comes an announcement of a new security update guide notification system.

Let’s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we listed below have previously been fixed by a third party and are now being incorporated into Microsoft products.

Open Source Curl RCE vulnerability

CVE-2021-22947 is regarding a vulnerability in the curl open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library, which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.
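The mechanism described above, as an added simulation written for this post (not curl’s code): a tiny POP3-style client keeps a queue of received lines, a scripted transport plays a man-in-the-middle that packs two forged replies into the same segment as the STARTTLS acknowledgement, and the only difference between the vulnerable and fixed client is whether that queue is cleared at the upgrade. The transport, client, commands and responses are all constructed.

```python
from collections import deque


class MitmTransport:
    """Constructed stand-in for a TCP socket with a man-in-the-middle upstream.

    Before the TLS upgrade the attacker controls the plaintext stream and can
    pipeline extra responses behind the STARTTLS acknowledgement. After the
    upgrade only the genuine server can produce data.
    """

    def __init__(self, plaintext_segments, tls_segments):
        self.plaintext = deque(plaintext_segments)
        self.tls = deque(tls_segments)
        self.upgraded = False

    def send(self, command):
        pass  # responses are scripted; the client's commands do not change them

    def recv(self):
        # One call returns one "segment", which may carry several pipelined lines,
        # tagged with the channel it arrived on.
        queue = self.tls if self.upgraded else self.plaintext
        channel = "tls" if self.upgraded else "plaintext"
        return (queue.popleft() if queue else ""), channel


class Pop3Client:
    """POP3-style client whose receive queue mirrors curl's cached responses."""

    def __init__(self, transport, flush_on_upgrade):
        self.transport = transport
        self.flush_on_upgrade = flush_on_upgrade
        self.queue = deque()  # (line, channel it was received on)

    def read_line(self):
        if not self.queue:
            segment, channel = self.transport.recv()
            self.queue.extend((line, channel) for line in segment.splitlines())
        return self.queue.popleft() if self.queue else ("", "none")

    def command(self, cmd):
        self.transport.send(cmd)
        return self.read_line()

    def starttls(self):
        reply, _ = self.command("STLS")
        if not reply.startswith("+OK"):
            raise RuntimeError("server refused STARTTLS")
        if self.flush_on_upgrade:
            # The fix: whatever is still queued arrived unauthenticated, so drop it.
            self.queue.clear()
        self.transport.upgraded = True  # stands in for the TLS handshake


# Constructed scenario: the attacker appends two forged replies to the STLS
# acknowledgement, pre-answering the commands the client will send under TLS.
PLAINTEXT_SEGMENTS = [
    "+OK POP3 server ready\r\n",
    "+OK Begin TLS negotiation\r\n+OK forged user accepted\r\n+OK forged pass accepted\r\n",
]
TLS_SEGMENTS = ["+OK user accepted\r\n", "-ERR invalid password\r\n"]


def login_over_starttls(flush_on_upgrade):
    """Return (reply, channel) the client sees for the post-upgrade PASS command."""
    transport = MitmTransport(list(PLAINTEXT_SEGMENTS), list(TLS_SEGMENTS))
    client = Pop3Client(transport, flush_on_upgrade)
    client.read_line()  # server greeting
    client.starttls()
    client.command("USER alice")
    return client.command("PASS hunter2")


if __name__ == "__main__":
    print("vulnerable:", login_over_starttls(flush_on_upgrade=False))
    print("fixed:     ", login_over_starttls(flush_on_upgrade=True))
```

The vulnerable client trusts a forged “+OK” that arrived before the handshake, while the fixed client reads the genuine server’s “-ERR” over TLS.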

Libarchive RCE vulnerability

CVE-2021-36976 is regarding a vulnerability in the libarchive open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. This vulnerability is described as libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

Windows Certificate Spoofing vulnerability

CVE-2022-21836 allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.

Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability

CVE-2022-21839 does not provide us with a lot of details. Affected is some unknown processing of the component Event Tracing Discretionary Access Control List. The exploitability is said to be easy, and it is possible to launch the attack remotely. Authentication is required for exploitation. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.

Windows Security Center API RCE vulnerability

CVE-2022-21874 is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a CVSS score of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.

Windows User Profile Service Elevation of Privilege (EoP) vulnerability

CVE-2022-21919 is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that has received a CVSS score of 7.0. The exploitation is known to be difficult, but the attack may be initiated remotely. Simple authentication is required for exploitation.

HTTP Protocol Stack RCE vulnerability

CVE-2022-21907 is not one of the zero-days, but it stands out because it is a critical vulnerability which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets. While this vulnerability would mostly affect servers, the fact that it requires no user interaction or privileges, and that it targets an elevated service, leads experts to believe it is wormable. There are also some questions among experts about which Windows versions are vulnerable.

The new security update guide notification system

Notifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.

To start off, you will need to create a Security Update Guide profile by clicking “Sign in” at the top right corner of the Security Update Guide. You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.

Other security updates

Don’t forget to look at other security updates that you may need. We have seen updates from:

Stay safe, everyone!

The post Update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one appeared first on Malwarebytes Labs.

Night Sky: the new corporate ransomware demanding a sky high ransom

There’s a new ransomware in town—isn’t there always?—and it’s, unsurprisingly, after corporation-sized businesses.

It’s called Night Sky, and it was first spotted and revealed by MalwareHunterTeam, a group on Twitter who hunts malware online, on the first day of 2022.

Like other ransomware families before it, Night Sky uses the double extortion model in its attacks. First, it demands corporate victims stump up money for a decryption key to get at their files, then it slaps them with the threat of either leaking all the stolen data or selling it to the highest bidder should victims refuse to pay.

Less than two years ago, double extortion was only being used by the Maze ransomware gang. Now, at least 16 ransomware groups have made this a core tactic of their campaigns.

What you need to know about Night Sky

Night Sky is said to have started operating around the last week of December 2021. We don’t know much about it yet, but it’s assumed that a human operator is involved in the reconnaissance, access, and eventual extraction of files from all network endpoints before Night Sky is launched. It’s also assumed that the Night Sky attackers infiltrate corporate networks with the use of tried-and-tested methods, such as social engineering tactics or the use of stolen credentials.

Once launched, this ransomware encrypts the majority of the files on affected computers. It skips files with the .dll and .exe extensions. It also skips files and folders contained within the following folders:

  • $Recycle.Bin
  • All Users
  • AppData
  • autorun.inf
  • Boot
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • bootsect.bak
  • desktop.ini
  • Google
  • iconcache.db
  • Internet Explorer
  • Mozilla
  • Mozilla Firefox
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • Opera
  • Opera Software
  • Program Files
  • Program Files (x86)
  • ProgramData
  • thumbs.db
  • Tor Browser
  • Windows
  • Windows.old

Encrypted files will have the .nightsky extension, as seen below:

“Internal files have been stolen and encrypted by us.” (Source: BleepingComputer)

Night Sky also appears to drop a ransom note in every folder that contains encrypted files, save the ones listed above. The note has the file name NightSkyReadMe.hta.

“Your company has been hacked by us.” (Source: Malware Hunter Team)

“If your company is willing to meet our requirements…” (Source: BleepingComputer)

According to BleepingComputer, it contains information on what was stolen, email contacts, and “hard coded credentials to the victim’s negotiation page.” The latter is used by the victim to log in to a Rocket.Chat URL, which is also provided in the ransom note, to directly reach the ransomware attackers.

Malwarebytes detects Night Sky as Ransom.NightSky. We’ll continue to update this post once we receive new information.

The post Night Sky: the new corporate ransomware demanding a sky high ransom appeared first on Malwarebytes Labs.

How to share your Wi-Fi password safely

You may not have as many people visiting your home due to the pandemic, but restrictions are a hit-and-miss affair. It’s possible your region has opened up a little, and you’re seeing folks in your home for the first time in a long time. They may well be bringing new devices to your home, and you may have changed your ISP. Some of you may even have changed your old router’s password for a brand new one. Bonus points for not sticking with the default!

This brings with it a slight headache. How do you get your friends and relatives onto your network in a safe and secure manner? One which won’t put them, or yourself and your network, at risk?

It’s time to dig into the under-the-hood action that is your home’s internet sharing capabilities.

What is a Wi-Fi password?

Your Wi-Fi password is how you keep your internet activities, and also your router, secure from people you don’t want to have access. That could include friends, neighbours, or just random people walking past your place of residence. Without a Wi-Fi password, anyone can pull up your router from a list of possible Wi-Fi connections and start using it. If you’re on metered internet, that could prove costly and leave you with no internet for a month. It also means they can potentially download all manner of dubious content and you’d be first to get the blame.

Does my router have a Wi-Fi password?

Your router should have a Wi-Fi password by default, but it’s possible there isn’t one allocated to the router out of the box. Typically, the password will be on a sticker somewhere on the underside of the device. Depending on the type of router, you may find several passwords for different types of connections.

You can use the default password if you want, and it’s better than no password at all. However, there are some risks to this approach. Common password lists do end up on the internet, and people do exploit default setups regularly. We strongly suggest changing the password to something else as soon as you’re able to.

You may have to change it via a website tied to an account, or it may require you to log into the router itself. You’ll need to consult your user guide for this one!

How can I share my password securely?

There are quite a few convenient ways to share Wi-Fi passwords. Apple users can do this in a very straightforward fashion. Android users can do it via QR codes. For trusted relatives, you can of course write it down and store it in a convenient place to prevent them shaking your router around in the hunt for the password. This may definitely be the case where Windows 10 is concerned, as Microsoft has removed the Wi-Fi Sense feature which allowed for easy connections.

Whether you use an app or the piece of paper routine, the biggest problem isn’t really sharing the password. The issue is what you’re letting onto your network, either from external threats or the newcomer’s device itself.

Keeping the network safe

We’re most likely to share passwords with immediate friends and family. With the rise of internet connected homes and integrated online services, the list can and does extend to more people. It could be a repairer, or a housing inspection, or something else tied to an essential service.

We also can’t ignore that anyone, whether relative or stranger, could bring bad things into your network. For example, if a malware-laden laptop is dropped onto your network, you could end up spreading the malware around your devices.

One solution to this is guest networks. Your router may well have the option to enable a guest network for friends, visitors, whoever you like. This keeps them separated from the password-protected network you’re using. You can also use time-limited passwords or enable other restrictions related to file/setting access. As above, make sure the guest network is a) password protected, b) encrypted, and c) protected by a new, unique password rather than the default.

With these tips in mind, you should be securely surfing and allowing friends and visitors to do the same in no time at all. This perhaps isn’t a major threat area for most of you, but it won’t hurt to ensure your home network is as robust as can be.

The post How to share your Wi-Fi password safely appeared first on Malwarebytes Labs.

The Facebook Pixel Hunt aims to unravel Facebook’s tracking methods. Will you join?

Browser developer Mozilla has announced a research project to provide insights into, and data about, a space that’s opaque to policymakers, researchers and users themselves. Tracking the trackers is the name of the game. Give up some of your data voluntarily to stop the involuntary collection by Facebook.

Mozilla is partnering with The Markup, with the aim of unravelling how Facebook’s tracking infrastructure massively collects data about people online, data which is eventually used for targeted advertising and tailored content recommendations.

Firefox users will get the option to participate in the project dubbed “the Facebook Pixel Hunt” and volunteer to share their browser data.

What is The Markup?

The Markup is a non-profit organization that investigates how powerful institutions are using technology to change our society. The Markup is the latest partner for Rally, the privacy-first data-sharing platform that was created by Mozilla in 2021 to take back control from platforms that are not transparent about how they use people’s data. When they hide their methods, the platforms make it very difficult for independent outside research to take place.

Just a few examples: Facebook shut down CrowdTangle, blocked ProPublica’s Ad Transparency tools, modified code to prevent The Markup’s Citizen Browser from collecting user-volunteered data and canceled NYU’s AdObserver researchers’ accounts.

The research project

Using tools provided by Rally, the two organizations will research how Facebook tracks people across the web through its Facebook pixel-powered ad network, and shine a light on what Facebook knows about their online life.

The Facebook pixel is a piece of code that website owners can place on their website. The pixel collects data that helps businesses track conversions from Facebook ads, optimize ads, build targeted audiences for future ads, and remarket to people that have already taken some kind of action on their website. That’s nice for the advertisers, but the combined information of all these pixels potentially provides Facebook with an almost complete picture of your browsing behavior.
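The paragraph above describes what the pixel reports back; the following added example (not code from Mozilla, The Markup or the original post) shows how a defender could see that for themselves by parsing pixel requests out of a browser or proxy request log. It assumes the pixel beacon goes to `www.facebook.com/tr/` with `id` (pixel id), `ev` (event name), `dl` (the page URL being reported), `rl` (referrer) and `cd[...]` (custom data) query parameters; the log lines, pixel ids and site names are constructed for the example.

```python
"""Summarise which sites report which pages to which Facebook pixel ids.

Added example. Assumes the pixel beacon format https://www.facebook.com/tr/?id=...&ev=...&dl=...
The request log below is constructed; pixel ids and hostnames are placeholders.
"""
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlsplit

PIXEL_HOSTS = {"www.facebook.com", "facebook.com"}

# Constructed request log: "<timestamp> <method> <url>" per line.
LOG = """\
2022-01-10T12:00:01Z GET https://example-shop.test/cart?item=42
2022-01-10T12:00:01Z GET https://www.facebook.com/tr/?id=111111111111111&ev=PageView&dl=https%3A%2F%2Fexample-shop.test%2Fcart%3Fitem%3D42&rl=https%3A%2F%2Fexample-shop.test%2F
2022-01-10T12:00:09Z GET https://www.facebook.com/tr/?id=111111111111111&ev=Purchase&dl=https%3A%2F%2Fexample-shop.test%2Fthanks&rl=&cd%5Bvalue%5D=19.99&cd%5Bcurrency%5D=USD
2022-01-10T12:01:30Z GET https://www.facebook.com/tr/?id=222222222222222&ev=PageView&dl=https%3A%2F%2Fnews-site.test%2Fhealth%2Farticle-7&rl=
2022-01-10T12:01:31Z GET https://static.example-cdn.test/app.js
""".splitlines()


def extract_pixel_hit(url: str) -> Optional[dict]:
    """Return the fields a pixel beacon carries, or None if the URL is not a pixel beacon."""
    parts = urlsplit(url)
    if parts.hostname not in PIXEL_HOSTS or parts.path.rstrip("/") != "/tr":
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes keys and values
    page = urlsplit(q.get("dl", [""])[0])  # dl = the page the visitor was on
    custom = {k[3:-1]: v[0] for k, v in q.items() if k.startswith("cd[") and k.endswith("]")}
    return {
        "pixel_id": q.get("id", [""])[0],
        "event": q.get("ev", [""])[0],
        "site": page.hostname or "",
        "page": page.path,
        # query strings often carry search terms, product ids or tokens
        "page_had_query": bool(page.query),
        "referrer": q.get("rl", [""])[0],
        "custom_data": custom,
    }


def summarize_pixel_hits(lines) -> dict:
    """Group beacons by pixel id: which sites fire it, which events, how many pages leaked a query string."""
    summary = defaultdict(lambda: {"sites": set(), "events": set(), "hits": 0, "pages_with_query": 0})
    for line in lines:
        if not line.strip():
            continue
        hit = extract_pixel_hit(line.split()[-1])
        if hit is None:
            continue
        entry = summary[hit["pixel_id"]]
        entry["sites"].add(hit["site"])
        entry["events"].add(hit["event"])
        entry["hits"] += 1
        if hit["page_had_query"]:
            entry["pages_with_query"] += 1
    return {
        pid: {
            "sites": sorted(v["sites"]),
            "events": sorted(v["events"]),
            "hits": v["hits"],
            "pages_with_query": v["pages_with_query"],
        }
        for pid, v in summary.items()
    }


if __name__ == "__main__":
    for pixel_id, info in summarize_pixel_hits(LOG).items():
        print(pixel_id, info)
```

Run against a real HAR export or proxy log, the same grouping answers two of the study’s questions directly: which sites share data with a given pixel, and how much of the visited URL (path plus query string) travels along with each event.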

By opting into the “Facebook Pixel Hunt” study through Rally, Firefox users can help answer questions like: What kind of data does the Facebook pixel collect? Which sites share this data? What can this data reveal about people? What other ways does Facebook track people? How widespread is Facebook’s tracking network?

To answer these questions the study will collect:

  • The data sent to Facebook pixels as you browse
  • The (full) URLs of the web pages you browse
  • The time you spend on each web page, including time spent browsing and playing media on it
  • The presence of Facebook login cookies in your browser
  • Metadata on the URLs you visit, like how far down the web page you scrolled
  • A study survey that you complete, the results of which will be combined with study data for the analysis

Who can join?

If you want to contribute to this study there are a few things to check. Participation in the study is currently available for Firefox users in the US who are 19 or older. Having a Facebook account is not mandatory. Facebook may collect information about you across the web even if you don’t have a Facebook account.

If you decide to leave the study, Mozilla Rally uninstalls the corresponding study add-on. If the study is still open, the data that the study collected will be deleted. If a study has already ended, it may not be possible to delete your data because deletion of the data may impact the ability of the partners in the study to do their research.

How can I participate?

Taking part in the study is as easy as installing a browser add-on for Firefox. You can find the Rally add-on here. After installing you will see this explanatory page:

Mozilla Rally

And this flag icon in your browser bar:

Rally icon

For demographic purposes you will be asked a few questions, although answering them is optional. The answers help the researchers understand the representativeness and diversity of the users.

You can then choose which study you want to participate in.

Facebook Pixel Hunt study

After joining the study you will notice another extension in Firefox.

Rally plus Facebook Pixel Hunt extensions

Users of Malwarebytes Browser Guard for Firefox who wish to participate in this study will have to disable Browser Guard or, the recommended option, add facebook.com to their allow list for Ads/Trackers.

Here’s how to add an entry to the allow list for Malwarebytes Browser Guard:

  • Click the Malwarebytes icon in the browser bar
  • Click the 3 dots icon
  • Select Allow list
  • Add “facebook.com” in the “Add a URL or IP address” field
  • Select Ads/Trackers in the “Disable protections” field
  • Click “Done”

After successfully adding the entry, the allow list should look like this:

Browser Guard allow list

Other ad blockers may require additional steps before users can contribute to this study.

We are looking forward to the results and hope that Facebook will not try to frustrate this study as well.

The post The Facebook Pixel Hunt aims to unravel Facebook’s tracking methods. Will you join? appeared first on Malwarebytes Labs.

Attackers are mailing USB sticks to drop ransomware on victims’ computers

Physical objects as security threats are in the news at the moment. The oft-touched-upon tale of rogue USB sticks is a common one. Being wary of random devices found on the floor, or handed out at events, is a smart move. You simply don’t know what’s lurking, and it’s hard to find out safely without the right tools available. Even then, something can slip by and cause no end of trouble on your desktop or network.

Sticky situations

Back in 2015, we covered the Dead Drops art project. This involved people hiding their USB stick in public places, and others finding them to join an “anonymous file-sharing network” and see what lurks. Security wise, this is an absolutely terrible idea for most folks.

On the other hand: people absolutely do plug in USB sticks found in the street, and they also happily use freebies at events. Most won’t concern themselves with security worries, but they should. However, it’s one thing to voluntarily grab USB sticks yourself. It’s quite another to be potentially disarmed by someone sending you said device instead.

Postal peril

The FBI has warned that a malware group is sending out infected USB sticks to specific targets. The group is behind major attacks such as the notorious Colonial Pipeline ransomware incident. Make no mistake, these are heavy hitters (and they have been here before; that time they included gifts such as cuddly toys).

The bogus sticks have been winging their way to potential victims through the post for a number of months. There are elements of social engineering involved, too. It isn’t just a random stick in an unlabelled baggy; there’s a variety of packaging depending on who the sticks have been sent to. It’s perhaps not quite as visually impressive as rogue teddy bears, but it still gets the job done.

Social engineering their way to USB victory

The attackers use a couple of different postal services to send the USBs into the wide blue yonder: United Parcel Service, and United States Postal Service. The sticks have been sent to “US businesses in the transportation, insurance, and defence industries”. The packages are designed to resemble Amazon gifts, and Covid alerts from the US Department of Health, which are likely to carry a strong pull factor for the unwary.

If the USB stick is inserted into a PC, it launches a BadUSB attack and the malware auto-registers as a keyboard. From there, it uses keystrokes to place malware on the system and, potentially, deposit and fire up additional rogue files. Bleeping Computer notes that the end goal is to deploy ransomware on the compromised network.
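The tell-tale sign of the attack described above is a device that looks like storage but also announces itself to the operating system as a keyboard. The following added example (not code from the FBI warning or the original post) correlates Linux kernel USB messages to flag a single physical device that exposes both a mass-storage interface and a HID keyboard interface. The log lines, vendor/product ids and device names are constructed placeholders; the message formats are those of the `usb`, `usb-storage` and `hid-generic` kernel drivers.

```python
"""Flag USB devices that present both mass storage and a HID keyboard (BadUSB pattern).

Added example. Correlates constructed dmesg-style lines: the "New USB device found" line
gives port and vendor:product ids, usb-storage lines are keyed by port, and hid-generic
lines are keyed by vendor:product id.
"""
import re
from collections import defaultdict

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(r"hid-generic 0003:([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\.\d+: \S+ USB HID v[\d.]+ (\w+)")

# Constructed log: a real keyboard on port 1-2, a plain thumb drive on 1-4,
# and a "Promo Drive" on 1-3 that is storage and keyboard at once.
LOG = """\
usb 1-2: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.00
usb 1-2: Product: Office Keyboard
hid-generic 0003:1A2B:0001.0002: input,hidraw0: USB HID v1.11 Keyboard [Office Keyboard] on usb-0000:00:14.0-2/input0
usb 1-4: New USB device found, idVendor=1a2b, idProduct=0002, bcdDevice= 1.00
usb 1-4: Product: Thumb Drive
usb-storage 1-4:1.0: USB Mass Storage device detected
usb 1-3: new full-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
usb 1-3: Product: Promo Drive
usb-storage 1-3:1.0: USB Mass Storage device detected
input: Promo Drive Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:ABCD:1234.0004/input/input12
hid-generic 0003:ABCD:1234.0004: input,hidraw1: USB HID v1.11 Keyboard [Promo Drive] on usb-0000:00:14.0-3/input1
""".splitlines()


def parse_usb_log(lines) -> dict:
    """Return {port: {"port", "vendor", "product", "name", "interfaces"}} for every enumerated device."""
    devices = {}
    ports_by_id = defaultdict(list)  # (vendor, product) -> ports, used to attach hid-generic lines
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            port, vid, pid = m.group(1), m.group(2).lower(), m.group(3).lower()
            devices[port] = {"port": port, "vendor": vid, "product": pid, "name": "", "interfaces": set()}
            ports_by_id[(vid, pid)].append(port)
            continue
        m = PRODUCT.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["name"] = m.group(2).strip()
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["interfaces"].add("storage")
            continue
        m = HID.search(line)
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            for port in ports_by_id.get(key, []):
                devices[port]["interfaces"].add(m.group(3).lower())  # "keyboard", "mouse", ...
    return devices


def find_composite_keyboard_storage(lines) -> list:
    """Devices that expose both storage and a keyboard, sorted by port; the BadUSB signature."""
    flagged = []
    for dev in parse_usb_log(lines).values():
        if {"storage", "keyboard"} <= dev["interfaces"]:
            flagged.append({**dev, "interfaces": sorted(dev["interfaces"])})
    return sorted(flagged, key=lambda d: d["port"])


if __name__ == "__main__":
    for dev in find_composite_keyboard_storage(LOG):
        print(f"ALERT port {dev['port']}: {dev['name']} ({dev['vendor']}:{dev['product']}) is {dev['interfaces']}")
```

A genuine composite device (some docks and card readers) will trip the same check, so treat a hit as a reason to look at the device, not as proof of malice; the point is that a “storage” stick which also registers a keyboard deserves scrutiny before anything typed from it is trusted.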

Tips for keeping USB access points safe

  • It’s not realistic to suggest disabling all USB ports on workplace machines, considering how many USB devices we use on a daily basis. However, you can ensure that only ones in use are functional. You can also buy physical locks which block use of ports with no software required to do it. Similarly, you can buy devices which lock wires into ports and reveal evidence of tampering if one is somehow pulled out.
  • Dedicated workstations running virtual machines, or a non-Windows OS, can be set up for any “stray” USB sticks.
  • Disabling autorun is also helpful should such a thing already be enabled.
  • Restricting access to any and all USB sticks to a handful of trained staff may be thought of as time-intensive, but realistically you likely don’t run into dozens of mysterious USB sticks on a daily basis.

We don’t know how many organisations have been affected, nor do we know how successful this campaign has been. Organisations should be cautious if they’re in one of the sectors targeted by this attack. In fact, we should all be cautious where rogue USB sticks are concerned. Get ahead of the curve and ponder this issue now, instead of waiting to find out if your area of business is on the next FBI release a few months down the line.

The post Attackers are mailing USB sticks to drop ransomware on victims’ computers appeared first on Malwarebytes Labs.

A week in security (January 3 – 9)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (January 3 – 9) appeared first on Malwarebytes Labs.