IT NEWS

Microsoft says it is going to disable macros in five Office apps by default. Besides Excel 4.0 macros, which were disabled by default last month, now VBA macros obtained from the Internet will be blocked by default as well.

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. According to Microsoft, this significant security improvement will roll out to other Office update channels at a later date. After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they’ve been automatically blocked.

VBA Macros

VBA is short for Visual Basic Application. VBA can be used to access the Windows Application Programming Interface (API). As such, macros are part of the active content options that Microsoft shipped as automation capabilities that enable users to run tasks in the background. Unfortunately, malware authors have used these capabilities to download and run malware on a large scale.

Attackers have always liked macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. Emotet especially has been known to send emails that contain malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. When a user opens one of the documents, they are prompted to enable macros so that the malicious code hidden in the Word file can run and install Emotet malware on the computer.

Blocked

With this change, untrusted macros will be blocked by default within Access, Excel, PowerPoint, Visio, and Word for any file downloaded from the Internet. Users will also no longer be able to enable content with a click of a button.

Instead, a security alert will appear:

The Learn More button goes to an article that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros by saving the file and removing the Mark of the Web (MOTW).

Mark of the Web

The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the Internet or a Restricted Zone. Since the new warning and the block depend on this MOTW, it is important to know some more about it.

In Windows, when files are downloaded from an untrusted location, like the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier. As such, the ability to add these attributes depends on the NTFS filesystem. NTFS is the modern file system Windows likes to use by default. Since Windows XP, when you install Windows, it defaults to format your drive with the NTFS file system. But if you happen to run a FAT32 system the MOTW attribute can’t be added to a file.

There are two main strategies malware can use to circumvent the MOTW attribute. All of the techniques that we have witnessed in the wild can be categorized under these two strategies:

• Abusing software that does not set MOTW: delivering your payload in a file format which is handled by software that does not set or propagate Zone Identifier information. This works because some cloning and archiving software does not propagate the MOTW to the clone or extracted file.
• Abusing container formats: delivering your payload in a container format which does not support NTFS’ alternate data stream feature. For example, delivering the payload in an ISO format, a technique that has been used in the wild.

In the first scenario, an attacker will need some inside knowledge as to how the intended victim handles certain file formats, because not all archiving and cloning software removes the MOTW attribute.

Removing the MOTW

On a file per file bases users can remove the MOTW attribute in the file properties.

The option to Unblock files can be found in the file properties, on the General tab, under Security. There a user can put a checkmark in the Unblock option.

Note: organizations are already able to use the Block macros from running in Office files from the Internet policy in order to prevent users from inadvertently opening files from the Internet that contain macros. Microsoft recommends enabling this policy, and if you already have this setting enabled your organization won’t be affected by this change. This option has been available since Microsoft Office 2013 and all subsequent versions.

Stay safe, everyone!

The post Microsoft takes macros out of the equation for five Office apps appeared first on Malwarebytes Labs.

There’s trouble brewing in the Metaverse, but the trouble isn’t a particularly new problem. In fact, it’s been an issue for years – and so have many of the solutions. Strangely, Meta is having to play catch-up where some basic security and safety settings are concerned in the virtual realm.

At Malwarebytes Labs, we’ve kept an eye on many areas for concern in the VR realm. We’ve dug into the possibilities of ad network compromise, and explored the not very successful attempts at ad trials in paid-for VR games. We’ve also looked at the risks of placing your entire home into a virtual space. There’s even been the occasional data leak. Unfortunately, this barely scratches the surface.

Scaling up harassment

One of the biggest, most pressing issues in VR spaces has always been that of sexual harassment and abuse. VR platforms have come and gone through the years, and many had security settings to prevent abuse from happening. The absence of these options for users can result in genuinely unpleasant scenarios (fair warning, some of the descriptions here are horrifying).

Where a lack of settings exists, and where existent settings are hard to find, horrible behaviour rushes in to fill the vacuum. Many people struggle to find certain options on a plain old Windows desktop. In VR, many settings are available outside of the helmet. That is to say, you may only be able to set things to your liking on a website or portal. If you can’t even get that far, you’re going to be stuck with defaults which may not be very optimal.

Speaking of which…

After what appear to be several reports of sexual harassment of various kinds in the Metaverse, Meta is enabling a “bubble shield”/personal boundary as a default for users to help avoid troublesome individuals. From the announcement:

Personal Boundary will begin rolling out today everywhere inside of Horizon Worlds and Horizon Venues, and will by default make it feel like there is an almost 4-foot distance between your avatar and others…If someone tries to enter your Personal Boundary, the system will halt their forward movement as they reach the boundary. You won’t feel it—there is no haptic feedback. This builds upon our existing hand harassment measures that were already in place, where an avatar’s hands would disappear if they encroached upon someone’s personal space.

How do people harass other users in VR spaces?

First off, some basics. You’ll notice that Meta avatars don’t have legs or hips. This isn’t uncommon in VR. A combination of small play areas, no sensors on legs/feet, and difficulties in animation mean it’s often easier to leave the legs out of it. An additional (very helpful) consequence of this is that it’s harder for awful people to get up to no good in VR. They can’t run up and grind or hip-thrust or anything else if they’ve nothing to grind or hip-thrust with.

However: there are many more ways people can be awful whether digital lower halves are present or not. Here’s some of the things developers do to prevent bad happenings:

• Fade out arms and/or hands should you get too close to other users. This prevents groping and pawing.
• Fade out bodies generally if you get too close.
• Fade out digital representations of your controller stick or wand.
• Allow users to “push” back others if they get too close. This one isn’t always optimal, as it can be used for trolling itself depending on how things are set up. Want to Jedi force-push someone into a wall or off a cliff? A badly configured push setting is how you do it.
• Emergency teleport, alongside easy to access blocking/reporting features round off some of the most common tools in the “stop bad people” toolkit.

Perhaps somewhat oddly, Meta is only now making a bubble a default setting. It seems an odd oversight for something so essential to VR spaces to have been lost in the mix. Meta may mention that it’s looking to “set new norms in social VR”, but attempting to set those norms is nothing new. Just to give one example: here’s Playstation’s Rec Room doing much the same thing back in 2017. 

How do bubbles work?

We’ve read the Meta description of how its bubble operates. How do others do it?They tend to take several aspects of the above bullet points and roll them into one. A field is placed around the individual, and anyone trying to enter it fades into non-existence. Smart programmers don’t make the bubble a solid if invisible object. This is because they end up used as dodgem cars and you’re back to Jedi style force pushes, minus the force push.

According to reports, Meta’s bubble isn’t configurable at time of writing. Some platforms allow users to define the size and/or shape, making it larger or smaller (or even turning it off) as desired. It’s probable that Meta will allow more customisation in the near future.

All the same, Meta definitely didn’t need a raft of assault themed news stories as it tries to promote the benefits of its Metaverse. VR has always been somewhat niche, and negative perceptions via easily preventable bad actions may not help with the general uptake.

Haptic headaches may be round the corner…

You may have seen the “haptic” reference up above, and wondered what it is. When you use a touch screen and it vibrates, when you get hit in a video game and your controller rumbles, that’s haptic feedback. The artificial replication of touch is what it’s all about. Haptic sensations are one of the big future goals of VR. Meta is trialling haptic glove prototypes.

Can you imagine the problems in VR realms that haptic sensations will bring as a result of weak or absent safety settings? It’s absolutely crucial that major players in the virtual space have all their headset safety ducks in a row before adding to the sensory overload that is VR. Anything less than that is probably going to end badly for all concerned.

The post Meta blows safety bubble around users after reports of sexual harassment appeared first on Malwarebytes Labs.

With Valentine’s Day approaching, you can be sure that the scammers will want to take advantage of lovebirds everywhere. From romance scams and sextortion, to fake dating sites and phishing campaigns, here’s how to avoid a sting in the tail this Valentine’s Day.

Romance scams

Stories of online romance scams are abundant on the internet. And with COVID-19 having forced everyone to stay home much more and not meet in real life, it’s no wonder that reports of these sorts of scams have significantly increased since the start of the pandemic.

So whether you meet someone on a dating site or social media, here are some common red flags to look out for:

• Their profile and picture seem too good to be true.
• They profess their love very quickly.
• They share a lot about themselves—often personal stuff—in the first meeting.
• They claim to be overseas and cannot stay in one place for long.
• They try to lure you from whatever platform you are on to talk to you via email or video chat.
• They claim to need money for something, such as to help their friends or family, repatriation, or something else entirely.

How to avoid romance scams:

• Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
• Do an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait.
• Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible to fleece them of their money as equally quickly.
• If they encourage you to invest in something—be suspicious. Start digging around online about the company that, they say, is worth investing in. Never send them money.
• Follow your gut instinct. If something feels off, cut off contact immediately and report your experience to the police, the Internet Crime Complaint Center (IC3), and the dating or social media site where you met the scammer.

Sextortion

Sextortion is where someone threatens to share your private or sensitive files, such as photos or videos, unless you do something for them—which can be send cash to them, share more images or perform sex acts. A sextortion attempt could take several forms, but there are two common tactics sextortion scammers use.

1. A scammer contacts their target via email, telling them they have a video of the target in a compromising position (usually watching porn). The sender then asks the target to send Bitcoin in exchange for the video being kept quiet. It’s important to note that sextortion emails of this nature are empty bluffs and must be ignored.
2. A scammer befriends their target—often a minor—on social media, video chat, dating sites, or online video games. They coerce their target into sending videos of themselves naked or performing a sexual act. This material is then used to force the victim to create more videos.

How to protect yourself from sextortion:

• If a scammer tells you they have compromising images of you and they show you no evidence of the images, they probably don’t have any. Offering “proof” such as a password or phone number of yours just means they’ve got that data from another breach, and doesn’t mean they have access to your computer or webcam.
• If they do show you evidence of the images, report to your local authorities and the FBI as soon as you can. Never engage with the sextortionist.
• Be extremely cautious about what you say to someone online. When asked certain questions, be vague and never give specifics. Remember that online, people can pretend to be someone they’re not, and can even look and sound like a different person with today’s technology.
• Make sure you personalize the security and privacy settings of all your social media and chat accounts. Lock down your accounts as much as you can, and keep as much private as possible.
• Remember that once you send something to someone—whether they’re a stranger, a romantic partner, relative, or friend—you have no control over where it goes next.

Fake dating websites

Scammers create dating services that appear legitimate, and do what every dating site asks you to do, like filling in your profile information and your card details. But the websites are fake.

According to the Better Business Bureau (BBB) which classifies this as a type of romance scam, once you have signed up, you’ll start getting messages from other members who have profiles that lack basic information and photos.

The site may even ask you to connect with others that don’t match your profile, such as those living in a different city or those outside your preferred date range. If you cancel your membership, the fake dating website keeps billing you anyway.

Some sites even have features locked behind a “paywall” wherein you have to buy some form of digital token or in-dating site coins to talk to other users. In one case, a victim was double charged for buying coins and bombarded with messages from almost 200 dating service users.

Note that since these sites are fake, site members are also likely fake. They could be bots or site employees handling multiple account personalities.

How to avoid fake dating sites

• Do your research. Ask around your friends in real life about what sites they use. If you are researching the sites online, prefix your search terms with “scam” and “reviews” to find out what people really think.
• Be suspicious when many people start lining up to meet you, especially if you have an incomplete profile. This is too good to be true.
• Know how the dating website works, including how they charge members and how much. If you cancel a membership to a particular site then contact your bank to make sure the ongoing payment is cancelled from your end.

Phishing scams, some with a touch of malware

Valentine’s Day themed phishing scams come in many flavors, but one of the most common is the phony florist or delivery driver, who sends you an email (or possibly an SMS message) to warn you about a missed delivery.

Spam messages like these are ten-a-penny, but many people buy flowers and gifts for loved ones online. So, led by worry and panic, they click the link from the email/SMS to punch in their details, only for them to be stolen and misused.

Other examples of phishy messages jumping on the Valentine’s Day trend are emails that say there is a problem with a transaction after a product has been bought, or a supposed courier claiming that there is an extra charge you have to pay.

How to protect yourself from phishing

• Never click links on emails or SMS messages. Instead, go straight to the website that claims have a problem with your item. If it’s legit, you’ll likely see a message there.
• When purchasing something online, always pay with a credit card. Credit cards have more fraud protections in place than other banking cards. It is also easier for users to dispute charges.
• Refrain from scanning QR codes if there are other payment options. If it cannot be avoided, check the URL destination to ensure that you are directed to the site you’re expecting to go to.
• Make sure you have installed an antivirus solution that catches malware fast before it can wreak havoc on your computer, and keep it up to date.

Head over heart, always

When it comes to romance scammers, we have to let our heads lead over our hearts. With Valentine’s Day around the corner, stop to take a breath and consider things before chatting, clicking, replying, or anything else online. It might save you heartache further down the line.

Stay safe!

The post How to avoid being scammed this Valentine’s Day appeared first on Malwarebytes Labs.

Media giant News Corp says it has fallen victim to a cyberattack. First analysis indicates that the attack was a state sponsored attack, aimed at emails and documents of News Corp employees, including journalists. News Corp says data was stolen, but that it didn’t include financial data or subscriber information.

The hack also affected financial news unit Dow Jones and News UK, the division that controls the Times of London and the Sun, according to a statement provided by News Corp.

Investigation

News Corp reported the attack in a document which was sent to the United States Securities and Exchange Commission (SEC).

“In January 2022, the Company discovered that one of these systems was the target of persistent cyberattack activity. Together with an outside cybersecurity firm, the Company is conducting an investigation into the circumstances of the activity to determine its nature, scope, duration and impacts. The Company’s preliminary analysis indicates that foreign government involvement may be associated with this activity, and that data was taken. To the Company’s knowledge, its systems housing customer and financial data were not affected. The Company is remediating the issue, and to date has not experienced any related interruptions to its business operations or systems. Based on its investigation to date, the Company believes the activity is contained. At this time, the Company is unable to estimate the expenses it will incur in connection with its investigation and remediation efforts.”

Targets

In an email to its employees, News Corp stated that the attack was discovered on January 20 and affected a number of publications and business units including The Wall Street Journal and its parent Dow Jones, the New York Post, the company’s UK news operation, and News Corp headquarters.

“We appear to have been the target of persistent nation-state attack activity that affected a limited number of our employees.”

News Corp chief technology officer David Kline and chief information security officer Billy O’Brien stated in an email to employees:

“We will not tolerate attacks on our journalism, nor will we be deterred from our reporting, which provides readers everywhere with the news that matters.”

Attribution

The firm that was brought in to investigate the incident believes the attackers are likely involved in espionage activities to collect intelligence to benefit China’s interests. News Corp said it would provide details of the breach to other news organizations so they could take appropriate measures.

As many other security authorities have pointed out, China has been ramping up cyberattacks on US and European organizations. For example, US authorities blamed China for a massive breach in 2021 of Microsoft’s Exchange email service. In the breach, hackers associated with China’s Ministry of State Security accessed thousands of email accounts associated with businesses, government offices and schools around the world.

The post News Corp falls victim to cyberattack appeared first on Malwarebytes Labs.

An unsecured AWS server, found open to the public Internet, is the root cause of a huge compromise of data of airport employees in Colombia and Peru. This server, according to a report, belongs to Securitas, a Stockholm-based multinational company that provides security services like security guarding, fire and safety, and supply-chain risk management among others.

Affected airports

Approximately 3TB of data dating back to 2018 was housed on the server, the report says. It also names Securitas client airports most affected by this breach: El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport in Colombia; and Aeropuerto Internacional Jorge Chávez in Peru. SafetyDetectives, who wrote the report, hasn’t examined every file in the bucket—there were almost 1.5 million files—but noted with high probability that all client airports of Securitas are affected. The report authors believe other airports in Latin America may also have been exposed.

What was leaked

A compromised AWS server exposed sensitive company data, employee PII, and datasets of Securitas employees and airport employees. These datasets include photos of ID cards and unmarked photos. As you may expect, these ID cards contain details like full names, national ID number, ID photo, and occupation.

Other data included photos of airline employees, planes, fueling lines, and more. SecurityDetectives said that exposing these photos also exposes the photos’ EXIF (Exchangeable Image File Format) data, such as GPS location, time and date, and device used to capture the images.

“Exposed employees are not just official airport staff but include staff from several different private companies, one of which was Securitas. There were photos of people, places, planes, and various other airport functions on the bucket.” the report adds.

Lastly, the exposed AWS bucket also contains Android apps used by security personnel to fulfil certain tasks like reporting incidents.

Breach impact

At this point, many of us are already familiar with the possible impacts any breach could cause to companies and affected parties.

For affected airlines, the likelihood of criminals impersonating airline and even Securitas personnel is a huge risk. This could lead to individuals or groups (think guerilla groups and terrorist organizations) gaining unlawful access to restricted areas within airline grounds.

Of course, any leaked data could be sold for profit. If not this, online criminals could target personnel whose data has been leaked, tricking them into falling for fraud and scam attempts.

Similar impersonation security infiltration attempts could happen against Securitas. On top of that, the company could face multiple sanctions and fines for violating data privacy laws against affected Colombian and Peruvian citizens.

The post Securitas breached, 3TB of airport employee records exposed appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Threat actor steals email with Zimbra zero-day
• FBI warns of bogus job postings on recruitment sites
• Investment scams are on the rise
• A worrying Etsy listing reveals the stalking potential of Apple’s AirTags
• Beware bogus OperaGX sponsorship offers
• $320 milllion stolen from Wormhole crypto-trading platform
• Cyberattack on fuel supplier causes supply chain disruption
• How to speed up your computer or laptop
• Samba patches critical vulnerability that allows remote code execution as root
• Duo of Android dropper and payload target certain countries and app users
• Android malware BRATA can wipe devices
• Apply those updates now: CVE bypass offers up admin privileges for Windows 10
• How a few PhD students revealed that phishing trainings might just not work: Lock and Code S03E03
• Actor’s verified Twitter profile hijacked to spam NFT giveaways

Stay safe!

The post A week in security (January 31 – February 6) appeared first on Malwarebytes Labs.

Preying on one of the most basic human flaws, investment scams and other get-rich-quick schemes are making up an ever larger portion of the online scammers’ cake. The number of victims, for now, is lower than the number of victims of fraudulent sales, identity fraud, and dating fraud, but the cost of investment fraud makes up almost half of all online fraud damages.

And the scammers are very much aware that a large amount of money can be made, and they are more than willing to invest in the tools that make their fraud look more trustworthy. Last week, on the 26 January, 2022, judicial and law enforcement authorities in Bulgaria, supported by Europol and Eurojust, took down a network of online investment fraudsters. The scam was exposed after complaints were made by German and Greek investors who had lost all of the deposits they had invested in the online scam. The organized crime group responsible had set up websites and several call centers that appeared to be legitimate but were actually fraudulent. 

Recognizing investment scams

We are by no means financial experts, but we have seen too many good people lose money on ponzi schemes, rug-pulls, and fake Initial Coin Offerings (ICOs), so we feel it is our job to keep you safe, and warn against these types of online investment frauds.

We realize that it is hard to tell investment scams apart from some of the more legitimate offers that are thrown at us in commercials every day. But we do want to hand you a few easy-to-follow rules to keep your money in your own hands:

• If it sounds to good to be true, it usually isn’t true.
• Very high return on investment rates, usually come with extremely high risks. Your money may sometimes even be better off in a casino.
• When you are urged to act now, remember that while some legitimate opportunities want you to hurry scammers always want you to hurry.
• If the return on investment is hardly better than what your financial advisor is offering you, is the difference really worth dealing with an unknown party?
• Make sure to read the fine print. Understand what you are getting into.
• Don’t get turned into a money mule or money launderer.

Types of investment fraud

The FBI lists the following types of investment fraud:

• Advance fee fraud. The victim pays money to someone in anticipation of receiving something of greater value and then receives little or nothing in return.
• Ponzi schemes. Ponzi schemes promise high financial returns or dividends not available through traditional investments. Instead of investing the funds of victims, however, the con artist pays dividends to initial investors using the funds of subsequent investors. The scheme generally ends when the operator flees with all of the proceeds or when the funds for continued payment of dividends dry up.
• Pyramid schemes. The difference with Ponzi schemes is that in pyramid schemes the victims themselves are induced to recruit further victims through the payment of recruitment commissions.
• Market manipulation fraud, commonly referred to as “pump and dump” schemes, this fraud creates a temporary increase in the price of a targeted security (the pump), which is rapidly sold off by the initiating party into the inflated market by the fraudsters (the dump).

There are a few other, closely related, types of investment fraud that are worth mentioning:

• Insider knowledge trading. You may see these offered from time to time. But even if the person extending the offer really has insider knowledge, using this knowledge would be illegal.
• Clone scams are a special type of market manipulation fraud. They are based upon selling worthless stock in a company that has the same or a very similar name as a legitimate company.
• Boiler room scams are schemes in which salespeople use urgent cold calls as a sales tactic to persuade investors to purchase securities, including speculative and fraudulent securities.

Sources

Scammers are often experts in creating websites and advertisements that look trustworthy. The difficult step for them is to lure visitors to look at their creations. They will not limit themselves to playing the “greed” card, you can expect to see them use explicit content, raffles, and any other topic that happens to be “hot” at the time.

Investment scams are not only pushed by online media by the way. Unsolicited emails are another common method, and some scammers will text you their offerings.

When in doubt

As indicated earlier, judging the trustworthiness of an offer by the looks of the website is not a good idea. Most scammers are really good at designing professional looking websites. One thing you can do is enter some determining factor of the website, a typical snippet, image or (fabricated) testimonials and throw them in your favorite search engine. If you can find other websites using the same content or run by the same owners, there is a good chance there are scammers at work that have run the same scheme before.

Having a physical location you can turn to is not always conclusive, but it helps to know that you can turn to someone. It also helps if they are at least in the same country as you are. That makes it easier if lawsuits or other legal action needs to be taken.

When dealing with larger sums of money there are bound to be contracts that protect both parties. Make sure to get a copy and study it before embarking. If you are not sure about the legal content, find someone who is an expert on these matters. That right there, is a good investment because it can save you a lot of money and trouble.

Safe investing

No, we are not going to tell you what to invest in. But there are a few things you might want to avoid:

• Rushing into an investment. Scammers want you to act urgently, so you spend less time thinking.
• Skipping the fine print. Not knowing what it says in the fine print can turn out to be catastrophic.
• Acting on cold calls. Treat calls, texts, mails, and other advice out the blue with extreme caution.
• Judging a book by its cover. Investment scams are profitable and they can afford to look good.

Still not convinced? I have this piece of land on Venus, that I would be willing to part with for the right price. But you will need to act fast.

Stay safe, everyone!

The post Investment scams are on the rise appeared first on Malwarebytes Labs.

Before Christmas was a busy time down at the fake job factory, with all manner of dubious antics out to ruin someone’s day. We’re now info February and the bogus job offers show no sign of abating. In fact, the FBI considers it to be such a problem that it’s issued an alert. This isn’t your typical warning about plain old fake job postings, or random messages sent via services like WhatsApp or Telegram though.

This one involves a dash of the old website exploitation.

Sounding the alarm

The alert begins as follows:

Malicious actors…continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money. These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial loss for the job seeker.

Since early 2019, the average reported loss from this scheme is nearly $3,000 per victim, and many victims have also reported that the scheme negatively affected their credit scores.

So, we have a scheme that’s been ticking along for a couple years. It’s also fairly profitable for whoever is pulling the strings.

How do these attacks work?

The FBI doesn’t go into detail as to how sites being referenced are exploited. They instead mention that the scammers go in for a variety of tactics. Some of their fake ads are posted to commonly-used employment-oriented networking portals. Others are a bit sneakier, being posted to “official company pages” due to the “lack of strong security verification standards on one recruitment website”.

This had an impact on both potential victims and the organisations being spoofed. It seems it was hard for the latter to tell which postings were genuine too. This is definitely not what you need when sifting through potential job opportunities. The FBI notes that they also replicated existing, legitimate postings, altered contact information, and sent them out into the wild too. All in all, a tangled mess of lurking menaces waiting to strike.

The scam gets underway

The links posted on the ads take would-be hires away from the job site(s). What they land on is a fake site sporting bogus contact details and phone numbers operated by fraudsters. Wary of people doing some digging to ensure the legitimacy of the posting, they also use contact details of genuine employees. Those details are likely harvested beforehand from sites like Linkedin, or even just browsing the company’s website or other directories.

Again, the FBI don’t go into specifics with regard to how money is extracted from victims. The most common methods used in these scams is to wire money to fraudsters. It might be a regular wire, or they may ask them to make cryptocurrency payments. These are usually accompanied by an explanation about paying for office equipment or other expenses, with the promise to send the money back to jobseekers once everything is set up. Of course, this doesn’t happen.

Considering the impact on businesses

It isn’t just the jobseekers at risk from these tactics. As the FBI notes, there’s the possibility of reputation damage to consider for the organisations being spoofed. It’s quite possible people caught by these scams will post negative reviews or comments in relation to the unwitting businesses being impersonate. This isn’t a straightforward problem to resolve, and before long half a dozen sites could be full of bad reviews, negative replies. These kind of things can spread rapidly.

Tips to avoid being stung

The FBI has listed a number of hints to try and keep job hunters safe:

• Conduct a web search of the hiring company using the company name only. Results that return multiple different websites for the same company may indicate fraudulent job listings.
• Verify job postings found on networking and third-party websites on the hiring company’s own website or through legitimate HR representatives at the hiring company.
• Provide PII face-to-face. Legitimate companies will only ask for personally identifiable information (PII) and bank account information for payroll purposes AFTER hiring employees. It is safer to provide this information in person, or via a video call where it is easier to verify everyone’s identity.
• Never send money to someone you meet online, especially by wire transfer.
• Never provide credit card information to an employer.
• Never provide bank account information to employers without verifying their identity.
• Never share your Social Security number or other PII that can be used to access your accounts with someone who does not need to know this information.

We wish you safe and prosperous job hunting.

The post FBI warns of bogus job postings on recruitment sites appeared first on Malwarebytes Labs.

Researchers have discovered a threat actor attempting to exploit a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform.

Zimbra is open source webmail application used for messaging and collaboration. Cross-site scripting is a type of injection attack wherein a vulnerability in a web application allows a threat actor to inject malicious code into the site’s content. In this case the target was a Zimbra email opened in a web browser.

Targets and threat actor

The entire campaign was targeted—predominantly at organizations in the European government and media realm. According to Zimbra, there are 200,000 businesses, and over a thousand government and financial institutions, using their software. How many of them fall into the target audience is unknown.

The researchers have dubbed the threat actor “TEMP_Heretic” and based on a number of observed factors they have reason to believe the threat actor is of Chinese origin.

The campaign

This campaign was named EmailThief by the researchers and consisted of two clear components. The first one was a reconnaissance mission to find people that were likely to open the second email. Using this method the attackers could weed out invalid and unresponsive receivers. The reconnaissance emails were sent on 14 December, 2021 and contained no malicious links. This first wave only contained embedded remote images in the body of email messages. These emails contained no content other than the remote image and had generic subjects often associated with non-targeted spam. These emails are unlikely to have attracted any negative attention because remote images are widely used in marketing emails to measure email open rates.

The image URLs were unique to each individual, enabling the threat actor to ascertain the validity of the email addresses, and to determine which accounts were more likely to open phishing email messages.

The second part of the campaign was only sent to the receivers that qualified as likely to open such an email in the first wave. This part of the campaign was done in four waves which were sent out at 16, 23, 24, and 27 of December, 2021. These spear-phishing waves were largely generic and mostly themed around the holiday season, notably purporting to be from various airlines or Amazon.

In these campaigns, the attacker embedded links to attacker-controlled infrastructure. Upon clicking the malicious link, the attacker infrastructure would attempt a redirect to a page on the targeted organization’s Zimbra webmail host. A specifically crafted URL format exploited a zero-day vulnerability, allowing an attacker to load arbitrary JavaScript into the page, in the context of a logged-in Zimbra session.

The overall effect of this attack is that by getting a user to click a link in an email and leave their browser window open for any length of time, the attacker can steal the contents of their mailbox.

Mitigation

Besides the theft of mailbox contents the vulnerability could also have been used to:

• Exfiltrate cookies, which could allow persistent access to a mailbox
• Send phishing messages to the user’s contacts
• Display prompts to download malware from trusted websites

At the time of writing, there is no official patch or workaround for this vulnerability, so it is a zero-day vulnerability. The researchers have notified Zimbra of the exploit and hopefully a patch will be available soon.

Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15 and testing of version 9.0.0 by the researchers indicates it is likely unaffected.

Possible workarounds are:

• Don’t log into the Zimbra webmail client from a web browser
• The good old “don’t click on links in emails” advice

Since this campaign seems to have run its course it’s important for possible targets to check whether they have fallen victim to this campaign. In which case email communications may have been intercepted by the threat actor.

The researchers have posted a full list of IOC’s on GitHub for your perusal.

Stay safe, everyone!

The post Threat actor steals email with Zimbra zero-day appeared first on Malwarebytes Labs.

By using an exploit in the software of crypto-trading platform Wormhole, threat actors have stolen an estimated $322 million in cryptocurrencies. The platform is offering a $10 million award for the  stolen money and details about the attack.

How they pulled it off

Wormhole Portal is a web-based application that allows users to convert one form of cryptocurrency into another. These portals are often referred to as blockchain bridges. Basically they use Ethereum smart contracts (computer code stored on a blockchain) to connect the input currency and the desired output currency.

The attacker is believed to have exploited this process to trick the Wormhole project into releasing Ether (ETH) and Solana (SOL) coins for a far greater value than their input value. Analysis by experts showed that the attacker created a guardian account by using information pointing back to an earlier, legitimate and much smaller, transaction.

The short version of what happened is easy. Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.

Earlier this year, Ethereum co-founder Vitalik Buterin already pointed out the fundamental security limits of bridges on Reddit, where he argued for a multi-chain blockchain ecosystem rather than the cross-chain applications, like bridges.

“it’s always safer to hold Ethereum-native assets on Ethereum or Solana-native assets on Solana than it is to hold Ethereum-native assets on Solana or Solana-native assets on Ethereum.”

Isn’t it ironic that he used exactly the currencies that were involved in this hack in his example?

Currency trading platforms

Crypto exchanges work like traditional money exchanges, setting prices for various currencies and taking a small fee to let users trade one. But while traditional exchanges are highly regulated by governments and international banks, it’s relatively easy to set up a cryptocurrency exchange nearly anywhere in the world and run it however you like. And under the hood they are just websites, websites that inherit all of the insecurities of the current state of web development in 2022 and inherit none of the considerable security inherent in blockchains, which are designed to prevent tampering, not theft.

Personally, I had never heard of the Wormhole platform before. That may be just me, but I’m guessing the same is true for many people. So how is it possible that someone can steal that amount of money from a platform most people have never even heard of? I was in no way shocked or surprised however to learn that such a platform can be hacked. It has happened before and it will happen again. In 2021 alone, there have been more than 20 incidents where a threat actor stole at least $10 million in digital currencies from a crypto exchange or project.

In this “industry” of fast moving money, huge profits–and losses–can be made and all that comes spiced with a hint of secrecy and hi-tech. But apparently it is more important to be the first to introduce new technologies than it is to check whether the security is in place to keep everything in check. We all know that we don’t need to invest in a fire-proof safe for the small amount of cash most people have. The investment would outweigh the risk. But if you are dealing in millions of dollars you might at least check that your account validation is waterproof, right?

The end?

Probably not. To be continued is more likely.

At the time of writing the Wormhole Portal is displaying a message stating:

“We’re actively working to get Portal back up and running.

A fix has been deployed and all funds are safe.

Thank you for your support and trust.”

In a message left on the blockchain we can read:

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at contact(@)certus.one”

Where we would like to take exception against the use of the term “bug bounty” which we would like to reserve for legitimate white hat hackers, working to make the world a safer place. This white hat guild holds no seat for a thief that exploits first and then sells the information about how they did it. Surely the only reason they would accept this deal is to avoid having a criminal complaint filed against them.

The only good news is that it looks like the exchange plans to carry on business so it did apparently not get robbed beyond recovery. Unfortunately, many others in the past have had to pull the plug after such an incident, leaving investors and traders in the cold.

The post $320 milllion stolen from Wormhole crypto-trading platform appeared first on Malwarebytes Labs.