IT NEWS

Second colossal LinkedIn “breach” in 3 months, almost all users affected

LinkedIn has reportedly been breached—again—following reports of a massive sale of information scraped from 500M LinkedIn user profiles in the underground in May. According to Privacy Shark, the VPN company that first reported on this incident, a seller called TomLiner showed them he was in possession of 700 million LinkedIn user records. That means almost all (92 percent) of LinkedIn’s users are affected by this.

The underground seller known as TomLiner is in possession of the 700M LinkedIn records on sale. They’re also classed as a “GOD User”, which could suggest that their name carries weight in the underground market. (Source: Privacy Shark)

RestorePrivacy, an information site about privacy, examined the proof the seller put out and found the following information, scraped from LinkedIn user profiles:

  • Email addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • Geolocation records
  • LinkedIn username and profile URL
  • Personal and professional experience/background
  • Genders
  • Other social media account usernames

Note that account credentials and banking details don’t appear to be part of the proof. This suggests that the data was scraped rather than breached. Scraping happens when somebody uses a computer program to pull public data from a website, using the website in a way it wasn’t intended to be used. Each individual request or visit is similar to a real user visiting a web page, but the sum total of all the visits leaves the scraper with an enormous database of information.

How was the seller able to scrape hundreds of millions of records? According to RestorePrivacy, the seller abused LinkedIn’s API, a similar tactic to the one used in the almost-as-enormous April LinkedIn “breach”, and the huge Facebook “breach” in the same month.

The seller confirmed that they abused LinkedIn’s API to scrape the data, which they are selling for $5,000 USD. (Source: RestorePrivacy)

In a statement Privacy Shark obtained from Leonna Spilman, who spoke on behalf of LinkedIn, the company maintains there was no breach: “While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”

Spilman’s statement echoes the one LinkedIn released after the April “leak” came to light: “We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”

A redacted screenshot of a small part of the “proof-of-breach” sample provided by the underground seller. (Source: RestorePrivacy)

What to do?

Some may read news stories like this and think “Eh, they just got my info that I wanted to be public. It’s not a big deal, right?”

Look at it this way: Having, say, your email address or contact number available for everyone—even strangers—to see is risky. If they know these two things about you, you become a candidate target for spam campaigns: email, SMS, and robocalls. We don’t know anyone who likes receiving these campaigns.

To make matters worse, the more that scammers know about you, the more plausible and enticing they can make their messages, and the easier it is for them to pretend to be you when scamming others.

If you’re a LinkedIn user, and you’re worried about the possible repercussions, now is a good time to sit down and audit your LinkedIn profile.

Start with security: Make sure you have two-factor authentication (2FA) enabled. You may also want to check whether your email address or phone numbers are on HaveIBeenPwned (LinkedIn suffered a genuine breach in 2012, and over 100 million passwords were stolen).

Don’t know what HaveIBeenPwned is? Check our writeup on what it is and how to use it here!

Take a look at your LinkedIn profile and decide which bits of it you’d rather make private. After all, if a company shows interest in hiring you, you can give them some of your info, such as your contact number, if they ask for it. Better yet, consider setting up a Zoom call with them instead. Remember that you, as a LinkedIn user, can decide which information to show or hide, and who gets to see it.

Stay safe!

The post Second colossal LinkedIn “breach” in 3 months, almost all users affected appeared first on Malwarebytes Labs.

Babuk ransomware builder leaked following muddled “retirement”

In the last days of April 2021, the operators of Babuk ransomware announced they were going to focus on demanding a ransom for information stolen from compromised networks, leaving the encryption part of their operation behind. It meant that they no longer needed ransomware at all.

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement”

And now, in one of the last days of June, a researcher has discovered the Babuk builder used to create the ransomware’s unique payloads and decryption modules.

Confusion

There is some doubt about how the Babuk operators planned to proceed, since they contradicted their own announcement by also announcing they planned to switch to the Ransomware-as-a-Service (RaaS) model and so-called “double extortion”. Double extortion entails both encrypting a victim’s data and threatening to leak it. A threat actor operating the RaaS model provides the infrastructure, including the ransomware, for other threat actors to use.

This business model makes it hard to fathom why RaaS customers would be interested in working with Babuk operators, if they abandoned the encryption part of the model. Extortion by threatening to release stolen data does not require the same specialized knowledge or infrastructure as encrypting data.

History of Babuk

The Babuk operators surfaced at the end of 2020 and managed to make a name for themselves by attacking Washington DC’s Metropolitan Police Department (MPD), after which they released the personal data of several MPD officers. Shortly after that, they announced they would terminate their operation.

“The babuk project will be closed, its source code will be made publicly available, we will do something like Open Source RaaS, everyone can make their own product based on our product.”

At the time, many suspected they were making this move to dodge the heat that was turned up as a result of their attack on the MPD.

It needs to be said that the Babuk operators were always a bit fickle in their communications. One moment they would announce something, only to delete it shortly after and issue a new statement. As our esteemed colleague Adam Kujawa, director of Malwarebytes Labs, said when Maze announced its retirement:

“Ransom actors are professional liars and scammers; to believe anything they say is a mistake.”

How did the builder end up on VirusTotal?

That is the puzzling question here. VirusTotal (VT) is often used as a quick way for interested parties to check whether a file is malicious or not. But it has been a while since malware authors were naive enough to upload their work to VT to check whether it would be detected by the anti-malware industry. The vendors that cooperate on VT have access to any files uploaded there. So, if their freshly created malware was not detected immediately, it would be soon after. Since those days, malware authors have had their own services to run these checks without sharing their work with the anti-malware vendors.

By uploading the builder to VirusTotal they were basically making the source code available. There are a few possible scenarios for why someone would upload the Babuk builder:

  1. Someone received or found the file and did not trust it, so they checked it for malware on VT. It is very unlikely that someone would get this file without knowing what it is. And if a cybercriminal wanted to check who detects this, they would use a service that does not share it with anti-malware vendors. But accidents happen and we have all heard the stories of important documents getting uploaded to VT to check whether they were clean.
  2. Someone wanted to destroy the Babuk operation by throwing their builder under the (VT) bus. This only seems likely if one of the competitors or associates wanted to ensure that the Babuk operators would really stop the encryption part of their business, or at least wanted to slow it down for some time.
  3. The Babuk operators chose this as an odd way to make the source code available. This seems very unlikely as they would certainly have made this known through their usual channels, if this was the plan.

Maybe we have missed the scenario that describes what really happened. As always our comments are open for your ideas.

Another fact that may be of consequence, somehow, is that researchers found several defects in Babuk’s encryption and decryption code. These flaws show up when an attack involves ESXi servers and they are severe enough to result in a total loss of data for the victim.

Decryption

It will take a thorough analysis of the Babuk builder before we know whether it contains enough information to create software that can decrypt files encrypted by Babuk ransomware. That would be nice for the victims that did not pay the ransom. We will keep you posted.

The post Babuk ransomware builder leaked following muddled “retirement” appeared first on Malwarebytes Labs.

Police seize DoubleVPN data, servers, and domain

A coordinated effort between global law enforcement agencies—led by the Dutch National Police—shut down a VPN service that was advertised on cybercrime forums. The VPN company promised users the ability to double- and triple-encrypt their web traffic to obscure their location and identity.

The service, called DoubleVPN, had its domain page seized on June 29. According to a splash page that has replaced DoubleVPN’s domain, in seizing the VPN’s infrastructure, law enforcement also seized “personal information, logs, and statistics kept by DoubleVPN about all of its customers.”

“Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page,” Europol said in a press release issued Wednesday. The takedown effort received support from law enforcement and judicial authorities in The Netherlands, Germany, the United Kingdom, Canada, the United States, Sweden, Italy, Bulgaria, and Switzerland, along with coordination from Europol and Eurojust.

According to an archive of DoubleVPN’s domain before it was seized, the company offered “simple,” “double,” and “triple” encryption to customers. Like any VPN service, DoubleVPN told its users that their web activity would first be encrypted through a VPN tunnel before connecting them to the Internet. The additional layers of encryption advertised by the company—which came in costlier monthly subscription plans—came from additional connections to VPN servers that DoubleVPN controlled.

In its press release, Europol said DoubleVPN “was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters.” A screen capture taken by the news outlet BleepingComputer appears to support this. In the image, a hacker forum user is answering a question about the “best, fully anonymous” VPN service and they offer two options. One of those options is DoubleVPN.

The takedown now marks at least the third time this year that law enforcement agencies across the world have come together to stop cybercrime.

In January, Europol was also involved in taking down the infrastructure of the Emotet botnet, and just two weeks ago, Ukrainian law enforcement officials—aided internationally—arrested several individuals allegedly involved in money laundering for the Clop ransomware gang.

The post Police seize DoubleVPN data, servers, and domain appeared first on Malwarebytes Labs.

Fired by algorithm: The future’s here and it’s a robot wearing a white collar

Black Mirror meets 1984. Imagine that your employer uses a bot to keep track of your “production level.” And when this bot finds that you are an under-performer it fires off a contract-termination mail. Does this sound like the world you live in? Unfortunately, for some people it is.

The case

Amazon.com has used algorithms for many years to manage the millions of third-party merchants on its online marketplace. In those years many sellers have been booted for selling counterfeit goods and jacking up prices. Which makes sense, when it’s justified. But who do you argue with if the deciding party is a bot?

Now, according to an investigation by Bloomberg, Amazon is dealing with its Flex drivers in the same way. Flex drivers are “gig” workers who handle packages that haven’t made it onto an Amazon van but need to be delivered the same day.

Tracking the workflow

So, being fired by a bot is not something that we want to warn you about because it might happen in the future. It already happens. As we have reported before, many employers find it necessary to spy on their workforce, especially now that working from home (WFH) is under discussion. Should we continue to work from home now that it looks like offices are slowly opening up again in many countries? Can we find some middle ground now that we have found out that WFH works much better than we expected? By now many organizations have the tools and infrastructure in place to allow WFH where and when possible. Do workers even want to continue working from home? I imagine many will be happy to return to the office even if they won’t say it out loud. Does being monitored, be it at home or in the office, make any of this easier?

Doomsday scenario?

So, what does workflow tracking have to do with bots firing real people? Well, in Amazon’s case the algorithm received information about the times the drivers were active, how many deliveries they made in that time, and whether delivered packages fell victim to theft by so-called “porch pirates”. These numbers were crunched into a rating for each individual driver. One too many bad ratings and the driver could expect to get the mail that told them their services were no longer needed.

Bloomberg interviewed 15 Flex drivers, including four who say they were wrongly terminated, as well as former Amazon managers who say the largely automated system is insufficiently aware of the challenges drivers face every day.

Blame the method, not the bot

Some will argue that computers are heartless machines, and they are right. But what about the managers who leave these kinds of decisions to the machines? Are they hiding behind the decision the algorithm made because they are not brave enough to make those decisions themselves? Or is hiring and firing such a legal minefield that it’s easier to leave it to an algorithm?

It’s not even the blind trust in the algorithm that is infuriating. It’s the shrug when such a life-changing decision is left to a machine. And how would management be able to find out whether there are flaws in the algorithm without thorough investigations? According to Bloomberg, many Amazon Flex drivers did not take their dispute to arbitration because of a $200 fee and little expectation of success. In doing that they may also have denied the algorithm the kind of “false positive” data it would need in order to improve.

Artificial Intelligence and human decisions

In several business functions, such as marketing and distribution, artificial intelligence (AI) has been able to speed up processes and provide decision-makers with reliable insights. In my opinion that describes how this should work. The algorithm can produce all the numbers it wants and a human decision maker can assess whether there is a reason to talk to the employee that seems to be performing below par. Find out what is going on. What is the reason for the lack of results? Discuss how performance can be brought back to a satisfactory level. Have a conversation that empowers the employee. Research has shown that when employees feel empowered at work, this results in stronger job performance, job satisfaction, and commitment to the organization. That sounds a lot better than getting caught up in arbitration cases.

The underlying problem

Former Amazon managers who spoke to Bloomberg accuse their old employer of knowing that delegating work to algorithms would lead to mistakes and damaging headlines. Instead, they say, Amazon decided it was cheaper to trust the algorithms than pay people to investigate mistaken firings, so long as the drivers could be replaced easily.

Those that get fired by the bot and did take the trouble to challenge their poor ratings say they got automated responses. At least, they were unable to tell if they were communicating with real people. According to Bloomberg, a former employee at a driver support call center claims dozens of part-time seasonal workers with little training were overseeing issues for millions of drivers.

Algorithms

Amazon has automated its human-resources operation more than most companies. Maybe these are teething troubles, or maybe they overdid it. What’s certain is that, whether it’s at Amazon or elsewhere, the use of algorithms to make decisions that have a big impact on people’s lives is making headway. Before we go any further into turning Black Mirror from a work of fiction to a documentary series, it may be wise to think about how impactful we will allow these decisions to be, and whether there are any red lines we shouldn’t cross.

The post Fired by algorithm: The future’s here and it’s a robot wearing a white collar appeared first on Malwarebytes Labs.

Binance receives the ban hammer from UK’s FCA

Binance, the world’s largest and most popular cryptocurrency exchange network, has had a rough few days.

First, Japan’s financial regulator, the Financial Services Agency (FSA), issued its second warning to Binance on Friday, 25 June, for operating in the country without permission (the first warning was issued in 2018).

That same day, Binance withdrew its services from Ontario, Canada after the Ontario Securities Commission (OSC) published a Notice of Hearing and Statement of Allegations against Bybit, another crypto trading platform, which is based in Singapore, taking it as a sign to bail. The OSC has accused Bybit of noncompliance with provincial regulations.

Then on Saturday, 26 June, the UK’s own financial regulator, the Financial Conduct Authority (FCA), ordered Binance to cease activities in the UK. The warning reads:

“Most firms advertising and selling investments in cryptoassets are not authorised by the FCA. This means that if you invest in certain cryptoassets you will not have access to the Financial Ombudsman Service or the Financial Services Compensation Scheme if things go wrong.

While we don’t regulate cryptoassets like Bitcoin or Ether, we do regulate certain cryptoasset derivatives (such as futures contracts, contracts for difference and options), as well as those cryptoassets we would consider ‘securities’. […] A firm must be authorised by us to advertise or sell these products in the UK.”

Binance Markets Limited, Binance’s unit in the UK, filed a registration with the FCA but withdrew its application in May due to not meeting anti-money laundering requirements.

According to the FCA’s Financial Services Register page for Binance Markets Limited, Binance must put up a public notice on its website and apps stating to its UK users that Binance Markets Limited is banned from offering its services. The FCA also ordered Binance to “not promote or accept any new applications for lending by retail customers through the operation of its Electronic Lending System, and must cease marketing any reference to EddieUK/Binance/BinanceUK being an FCA regulated platform for buying and trading cryptocurrencies.”

Binance troubles in the first half of 2021

In March, Bloomberg reported that the US Commodity Futures Trading Commission (CFTC) was investigating whether Binance, which isn’t registered with the agency, allowed US citizens to buy and sell derivatives—something that the CFTC regulates. As of this report, Binance hasn’t been charged with any wrongdoing. That said, Changpeng Zhao, CEO of Binance, took to Twitter to air his thoughts.

The following month, the Federal Financial Supervisory Authority—or BaFin, Germany’s financial regulator—issued a warning to Binance for potentially violating securities laws by offering “stock tokens” without the correct documentation. This means that Binance allegedly failed to issue a prospectus.

A prospectus is an official document that tells investors what a particular investment is about so they can make an informed decision. It gives potential investors information on the security being offered, the company offering it, and the financial risks that accompany the investment.

Offering stock tokens that track the movement of shares in (at that time) MicroStrategy, Tesla, and Coinbase amounts to offering securities, which requires a prospectus. These tokens are bought and sold using Binance’s own cryptocurrency.

Magic words

As the FCA issued a warning to British consumers about Binance Markets Limited, the financial regulator also offered words of wisdom to anyone interested in investing in cryptocurrency assets: Do your research.

It’s very easy to get caught up in the hype, and the loudest voices can be enough to drown out the more sensible ones. Doing your research, reading up on the company you’re going to be investing in and what you’re investing in, and reading stories that show both successes and failures in such investments can give you the perspective to avoid hasty decisions. Furthermore, make sure the firm is legally recognized to conduct business in your country, otherwise no one will back you up if or when things go south—and sometimes they do pretty quickly.

“Check with Companies House to see if the firm is registered as a UK company and for directors’ names. To see if others have posted any concerns, search online for the firm’s name, directors’ names and the product you are considering,” the FCA urges the British public, “Always be wary if you are contacted out of the blue, pressured to invest quickly or promised returns that sound too good to be true.”

The post Binance receives the ban hammer from UK’s FCA appeared first on Malwarebytes Labs.

A week in security (June 21 – June 27)

Last week on Malwarebytes Labs:

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (June 21 – June 27) appeared first on Malwarebytes Labs.

Is it game over for VR advergaming?

We’ve been warning about advergaming—the combination of virtual reality (VR) and ads—for years on the Labs Blog. I’ve given a few talks on the subject too, and on how ad networks will slowly work their way into enclosed spaces formerly reserved for your head. They still might, but thanks to a recent decision involving the Oculus VR game Blaston, that version of the future looks less certain than it once did.

VR gaming: The hardware differences

There are two main types of VR headset, one more expensive than the other. The cheaper option is any “empty shell” headset you care to mention. They could be made of plastic or cardboard, and may require self-assembly. There’s no hardware or software component at all; it’s just a pair of fancy goggles with a slot for your mobile. All of the VR activity takes place on your goggle-mounted phone. Unless you have a recent model, you may struggle to run software successfully.

The more expensive option is the dedicated headset. These work with VR-ready PCs, and combine a lot of intricate hardware and software built into the device. There’s frequently additional synchronicity with platform specific software installed on the PC. A final splash of integration may come from gaming platforms such as Steam.

The major players here are Oculus, HTC Vive, and Steam’s new Index headset. Now that we’ve covered the headsets, we’ll briefly dive into potential types of VR advertising.

VR adverts: The lay of the (virtual) land

VR ads are attractive to advertisers because they have the potential to crank the behavioural advertising we’re used to on the web—where advertisers watch what you do, build a profile, and show you personalised ads—up to eleven.

For the cheaper, mobile VR sets, Adobe made waves in 2017 with an ad platform optimised for mobile VR platforms. It also potentially had the ability to pop ads while in a movie theatre, which may or may not be your cup of heavily discounted tea. Nokia were particularly enchanted by mixed reality advertising. Indeed, adding digital elements to real world views has become very popular and mimics many common mobile features used daily. This familiarity probably helps put viewers of mixed reality ads somewhat at ease.

The really big potential for ads lies with the top end hardware though. In 2017, HTC made headway with “Innovative VR ads.” This was a pretty sophisticated setup, similar in look and feel at the sign-up process to other ad platforms, like Google Ads. Sales/payout reports, test/publish facilities, 2D and big screen video ads were just some of its features.

The most interesting part was the eye tracking functionality. Many VR games track eye movement to further aspects of gameplay. Here, it served to let publishers know if gamers or headset users looked at their ads. If nobody looked, no charges from the ad system would be forthcoming.

Deepening the ties between games and adverts

One potential danger from advergaming is that a deep level of ad tracking can impact a game’s level design. For example: developers make use of systems like heatmaps, particularly in multiplayer titles. A heat map shows where players go, and where they avoid. You can see which parts of your map are popular, and which are essentially dead zones. Developers will sometimes revamp maps based on this data.

Where it goes wrong, is if developers become too immersed in ad systems populating their games. Imagine a scenario where developers generate income from ads in their title. They may make money when people look at the ads, for example, the same way ad publishers are only billed if the ad network tracks players looking at the ads.

There’s an incentive for the developers to place the ads in ever more prominent…some may say intrusive…locations. This could harm the overall aesthetic of a title, or make level design bad in favour of jamming adverts everywhere. It also raises an interesting question. Is a game developer making adverts that are gaming the advertising network system? That’s something for the devs, ad publishers, and ad network to figure out.

This was all back in 2017. How did the VR ad landscape evolve?

The changing face of VR ads

By the end of 2018, companies involved in the VR/AR ad space were talking about serving 1 billion ad impressions, and how the “novelty” factor had mostly fallen away. By the end of 2019, there was evidence that some organisations had found success with so-called “immersive” ad campaigns. This was especially the case where technology like 360 degree video was deployed. Even so, there hasn’t really been a buzz with regard to VR/AR ads in gaming spaces. Until now, that is.

Negative buzz is still a form of buzz, right?

A timeline of ad disaster

May, 2021

Back in May, Oculus announced a lot of additions for tools, apps, and videos. It also mentioned the introduction of an ad ecosystem, and tied it to notions of “discoverability” and helping developers. They did also link to an article explaining how to control the ads users see. However, leaving the mention of ads until the very end would annoy some people, on the assumption that a lot of folks don’t read that far. What sort of reader numbers make it to the end of an arguably already niche post?

Not a major thing, but something which immediately leaps out.

June, 2021

This is the point where Oculus explained how ad testing is going to work. Specifically, adding in-headset ads to the popular VR title Blaston. There are ways to make ads properly integrated into a video game title. You wouldn’t have an advert for SPACE WARS 2067 in a World War 2 setting, or an advert for a brand new motorcar on the last billboard in a ruined apocalypse. I mean, you might, but it wouldn’t look very good.

Things like that leap out. By the same token, we can argue that ads seamlessly integrated into games to the point you don’t notice them are incredibly sneaky. You can see more of that fine line here.

I’m not familiar with Blaston myself, but the screenshots look very out of place. The blog talks about making sure the ad content is relevant to the VR user, but nobody seems to consider the relevance of the ad to its environment. Put simply: An ad for “Fast free delivery” of Jasper’s something or other, lit up in bright green against an otherwise grimy, purple landscape fairly screams “I don’t belong here”.

The post also goes into detail about restrictions on ads, which is welcome. For example, they don’t use information processed / stored locally. They don’t use movement data to target ads, unlike some other ad plans where tracking / movement is an important element. Random conversation content is also off the table, they don’t want it.

That’s good, then. However, they also promised “more to come”. Shall we see how this all panned out?

The crushing inevitability of what comes next

You can probably guess where this is going, so without further ado:

The major problem here is that Blaston is a paid-for title. Given Oculus headsets are a premium purchase as it is, gamers would likely feel incredibly annoyed at having ads placed in something they paid various amounts of money for. The game is also available on the Steam platform, where it can be played via Oculus, HTC Vive, or Valve Index. Unless I’ve missed it, there’s no mention of ads being introduced while playing with Vive or Index.

That’s an immediate product disparity liable to fan the flames of anger.

The devs appear to have realised this, and have suggested resuming the ad trial in one of their free titles at a later date. All the same, some damage has potentially been done to the game’s brand. I hadn’t heard of it prior to this, and now all I’ll probably think is “Oh, that game with the advert blowout.”

Game over?

Despite ads in VR games being pushed as “the next big thing” way back in 2017, it’s now 2021. There are a lot of ad impressions for VR/AR generally. Organisations are definitely making money from it.

Games, though? Those are going to be a very tough sell. This is, again, one small test of ad-placements to see how it all fits together…and look what happened! Game developers will be looking at the sudden blast of negative reviews for Blaston, and likely choosing to avoid ad integration for their paid titles at a bare minimum. For whatever financial boost it gives a software house, the solid chorus of condemnation is probably something they’ll want to avoid for a long time to come.

The post Is it game over for VR advergaming? appeared first on Malwarebytes Labs.

Lil’ skimmer, the Magecart impersonator

This blog post was authored by Jérôme Segura

A very common practice among criminals consists of mimicking legitimate infrastructure when registering new domain names. This is very true for Magecart threat actors who love to impersonate Google, jQuery and many other popular brands.

In this post we look at a skimmer recently disclosed by security researchers that has been around for over a year but managed to keep a low profile. In addition to naming several of their domains after Google, the threat actor is also naming their domains after the websites they have compromised.

Often, identifying additional infrastructure on the same network is a relatively simple exercise. In this case it is more complex, because the hosting servers carry a large number of domain names, many of which are also malicious but not related to skimming. Hiding in the noise is another common trait of threat actors.

Keeping it simple

This skimmer was publicly mentioned by Eric Brandel in early June 2021 and, unlike other Magecart JavaScript code, this one is very straightforward. Jordan Herman had also previously spotted this skimmer and referred to it as Lil’ Skim. Based on an urlscan.io crawl, the earliest instance appears to date from at least March 2020, via googie[.]host.

A dense network hiding more skimmer domains

A quick review of the Autonomous System (AS198610 Beget) where those skimmer domains are found shows a significant number of malicious hosts tied to phishing kits, Windows payloads, and Android malware just to name a few. Two IP addresses in particular, 87.236.16[.]107 and 87.236.16[.]10, are host to additional skimmer domains belonging to Lil’ Skim.

Figure 1: VirusTotal Graph showing a number of Google-like domains

For example, tidio[.]fun is a play on tidio.com, a chat application for website owners wishing to interact with customers. We recognize the same Lil’ Skim code here as well:

Figure 2: tidio[.]fun hosts the same Lil’ Skim skimmer

Custom domains by compromised store

We then discovered a number of skimmer domains that were named after compromised stores. This in itself is not a new practice and is often seen with phishing sites. The threat actor simply replaced the top-level domain with .site, .website or .pw to create hosts that load the skimmer code and receive stolen credit card data.

Figure 3: Legitimate website and copycat domain hosting a skimmer

Figure 4: Legitimate website and copycat domain hosting a skimmer

All the domains we found (cf. IOCs) were hosted on 87.236.16[.]107.
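The two naming tricks described above (a brand name misspelled or placed on an odd TLD, and a victim store’s own name with the TLD swapped) can be turned into a simple triage check. The following is an added example and not code from the Malwarebytes post: the brand list, the set of “common” TLDs treated as benign, the reference store domain and the benign sample hosts are constructed assumptions; the suspect hostnames are the post’s own defanged IOCs.

```python
# Added example, not code from the post: flag hostnames that follow the two
# Lil' Skim naming tricks. BRANDS, COMMON_TLDS and the benign hosts are constructed.
BRANDS = {"google", "jquery", "cloudflare", "tidio", "facebook"}
COMMON_TLDS = {"com", "net", "org", "io"}  # a real brand on these is treated as benign

def parse(host):
    """Split a (possibly defanged) hostname into its labels and its TLD."""
    labels = host.lower().replace("[.]", ".").split(".")
    return labels[:-1], labels[-1]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes (googie)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, store_domain):
    """Return why `host` looks like a Lil' Skim domain, or None if it does not."""
    labels, tld = parse(host)
    store_labels, store_tld = parse(store_domain)
    # Trick 1: the store's own name with the TLD swapped (perfecttux.com -> .site)
    if labels[-1] == store_labels[-1] and tld != store_tld:
        return f"copycat of {store_domain} on .{tld}"
    # Trick 2: a well-known brand, exact or one typo away, used as a hostname
    for token in "-".join(labels).split("-"):
        for brand in BRANDS:
            if token.startswith(brand) and tld not in COMMON_TLDS:
                return f"brand '{brand}' on unexpected TLD .{tld}"
            if 0 < edit_distance(token, brand) <= 1:
                return f"look-alike of '{brand}'"
    return None

# Sample input: defanged IOCs from the post plus constructed benign hosts
SAMPLE_HOSTS = [
    "googletagsmanager[.]website", "googie-analitycs[.]site", "cloudfiare[.]site",
    "jquery[.]fun", "facebookmanagers[.]pw", "cdnattn[.]site", "perfecttux[.]site",
    "www.google.com", "cdn.jsdelivr.net", "www.perfecttux.com",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:30} {classify(host, 'perfecttux.com') or 'no match'}")
```

Hosts that come back as None (cdnattn[.]site here) are not cleared, only left for manual review; the check only knows the naming patterns, not the skimmer itself.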

Conclusion

Lil’ Skim is a simple web skimmer that is fairly easy to identify and differs from other Magecart scripts. The threat actor is keen on impersonating internet companies, but also the victim sites it goes after.

We were able to track this actor across the same ASN, where they registered a number of different domains over a period of at least a year. There are likely more pieces of infrastructure to uncover here, but that could be a time-consuming process.

We have notified the stores that have been impacted by this campaign. Additionally, Malwarebytes customers are already protected via our web protection module across our different products including Malwarebytes Browser Guard.

Indicators of Compromise

The following IOCs are linked to urlscan.io crawls whenever possible.

Skimmer IPs

87[.]236[.]16[.]107
87[.]236[.]16[.]10


The post Lil’ skimmer, the Magecart impersonator appeared first on Malwarebytes Labs.

What is the WireGuard VPN protocol?

In layman’s terms, a VPN uses encryption to create a private online connection between a device and a VPN server. With a good VPN service, you can shield your data from curious eyes.

A VPN protocol is the set of rules that shapes how your data travels between your computer, mobile phone, tablet, or any other device, and a VPN server. The type of VPN protocol that you use can affect the speed, stability, ease of use, security, and privacy of your connection.

WireGuard is the newest player in the VPN protocol world and has many advantages over older protocols. Many experts are excited about WireGuard because it trims the fat to be faster and lighter than protocols like OpenVPN. For example, WireGuard has fewer than 4,000 lines of code, while other protocols have hundreds of thousands of lines. However, like any cutting-edge technology, the protocol also has some areas to improve.

WireGuard vs OpenVPN and other protocols

Many popular VPN protocols preceded WireGuard. While some are obsolete, others remain popular today. One of the earlier ones, the Point-to-Point Tunneling Protocol (PPTP), was created in the mid-90s by Microsoft to enhance privacy on the now obsolete dial-up networks.

PPTP’s basic encryption is a bit of a double-edged sword. Although PPTP is fast because of its light security, it’s also vulnerable to breaches. Its successor, Layer 2 Tunnel Protocol (L2TP), is more secure once paired with IPsec (Internet Protocol Security). Unfortunately, L2TP/IPsec is slow and easy to block with network firewalls.

You must also look at Secure Socket Tunneling Protocol (SSTP) to truly compare VPN protocols. Another protocol from Microsoft, SSTP is more secure and more challenging to block than PPTP. Unfortunately, it’s difficult to run on platforms other than Windows and offers limited access to developers.

OpenVPN is popular because it’s a well-rounded protocol: it’s open-source and features AES encryption with 256-bit keys. Experts say that even the most powerful supercomputer today would need millions of years to breach 256-bit encryption.

Despite its many strengths, OpenVPN is far from perfect. The most common complaint about OpenVPN is that it’s slow. It’s not unusual for a video streaming through OpenVPN to turn into a slideshow. Some users also complain about connections dropping on OpenVPN. This is where WireGuard comes in. The protocol is stable, speedier, less complex, and easier to configure than OpenVPN.

How fast is WireGuard?

One study tested 114 VPN servers to see if WireGuard is faster than OpenVPN. Here are the highlights:

  • WireGuard was quickest in nearly 60% of the download tests.
  • WireGuard is almost 15% faster than OpenVPN on UDP.
  • WireGuard is 56% faster than OpenVPN on TCP.

It’s faster than OpenVPN, but is WireGuard safe?

WireGuard isn’t just quick, it’s also very secure. At Malwarebytes, we pair WireGuard with 256-bit AES encryption to safeguard connections.

One thing to note about WireGuard is that by default, the protocol assigns the same IP address every time a user connects. Using the same address each time gives users a predictable ID that’s shared with every service they use, including any advertisers watching on.

To counter this, some VPN service providers modify the VPN protocol so that it assigns a random IP address, which makes it harder for advertisers, websites, and others to track your activity from one session to the next.

A number of popular VPN services have embraced WireGuard to offer customers fast and secure connections. If you’ve heard that VPNs slow down your connection significantly, perhaps you’re looking for a VPN to use while gaming, or you just generally want a fast VPN service, providers that use the new WireGuard protocol are worth looking into.

The post What is the WireGuard VPN protocol? appeared first on Malwarebytes Labs.

Brave takes aim at Google with privacy-first search engine

The privacy-forward web browser Brave launched its new search engine in beta on Wednesday, promising a more private experience that does not track user searches, build user profiles, or require the use of an external, pre-existing search index to deliver results.

Clear from the company’s early marketing, Brave intends to position its search tool as a foil to Google, telling audiences in a promotional video that using its new search tool alongside its browser provides “the first, independent, 100 percent private alternative to Google Search and Chrome.”

How Brave expects to compete against Google—which owns 92 percent of the global search engine market share—is less clear, as “search” today is not just the delivery of information, but also the integration of that information into a company’s product suite, like when a Google search for a restaurant’s location can auto-populate that restaurant’s address into Google Maps, or when a Google search for movie times considers a user’s location.

For Google, its search business is not just an Internet answer box. It is the oil that both fuels and smooths its online convenience machine.

To its credit, Brave is expanding its offering. The company launched both a news reader and a combination VPN and firewall tool last year, and since 2019, it has implemented a novel advertising model that lets users earn money for viewing “privacy-preserving” ads.

From a certain lens, then, Brave’s growing stable of products begins to resemble a response to Google’s massive data collection regime—a suite of tools that do not prioritize making life easier for the user but making life harder for those who invade user privacy. (The company has also pushed back against FLoC, Google’s new online tracking model released just months ago.)

Brave Search features

Brave Search, which was available to a limited number of users before Wednesday’s beta release, promises users a unique set of features that the company claims no other browser provides. Users will enjoy “fully private, anonymous search,” much like DuckDuckGo, which means that users will not have their searches collected, shared, or sold for advertising purposes, and users will not have profiles built on their search activity.

Users will also get the benefit of transparent search result rankings and a search engine that integrates directly into a web browser made by the same company. In fact, by next year, the company plans to make Brave Search the default search engine in its web browser.

Further, according to the company, Brave Search is one of the rare search engines today that is not built on another company’s search index, meaning that its search results are not just scoured and collected by Google and packaged by their engine. Instead, Brave Search is powered by an independent scan of the Internet—an enormous task which was likely made possible by Brave’s earlier purchase in March of Tailcat, a search engine developed by a team previously working for the privacy-focused web browser Cliqz. That Munich-based company once positioned its own product as an alternative to Google’s search, but it shuttered in May 2020 following disruptions due to coronavirus.

Brave Search also provides a surprising amount of information about its independent search index.

For instance, every single Brave Search query provides basic info about whether the engine relied on third parties—often Google and Bing—to complete the delivered search results. When Malwarebytes Labs searched “Malwarebytes,” Brave Search said that “all results” came from Brave alone. Brave Search also provides users with an “independence metric”—offered as a percentage—from a personal and global perspective. These metrics express the same measurement of whether Brave relied on third parties, but the personal metric is derived from someone’s aggregate, personal searches, whereas the global metric is derived “from all searches, across all people who use Brave Search,” the company said.


As to how Brave Search will make money, the company has already hinted at two models: a paid option with no advertisements, and a free option supported by ads. In the Brave Search FAQ, the company wrote that both options could be on the table for users who want to choose.

It is still early days for Brave Search, and competing in the online search market is far from easy. Still, more options for users means more ways that users can take control of how they engage online. Whether enough users will peel away from Google is a different question, because Brave’s big bet isn’t about convenience—it’s about privacy.

The post Brave takes aim at Google with privacy-first search engine appeared first on Malwarebytes Labs.