IT NEWS

Pega Infinity patches authentication vulnerability

Security researchers came across a Pega Infinity vulnerability through participation in Apple’s bug bounty program, after focusing on vendors that supplied technology to Apple. Using Burp Suite—an integrated platform for performing security testing of web applications—the researchers discovered a password reset weakness in Pega Infinity that could allow an attacker to bypass Pega Infinity’s password reset system and, from there, achieve a full compromise.

Pega Infinity and Pegasystems Inc.

Pega Infinity is a popular enterprise software suite that provides customer service and sales automation, an AI-driven customer decision hub, workforce intelligence, and a ‘no-code’ development platform.

Pegasystems Inc. is an American software company based in Cambridge, Massachusetts. Founded in 1983, Pegasystems develops software for customer relationship management (CRM), digital process automation, and business process management (BPM).

Public facing

As with any customer relationship management (CRM) tool, these systems are largely public facing and aren’t necessarily designed to be run internally. Pega’s customers can be found in every sector and at the time of reporting, some of the customers included the FBI, US Air Force, Apple, and American Express. For example, using Pega, the FBI created a public-facing website that acts as an interface for all registered firearms dealers. When an individual attempts to purchase a firearm, an authorized user is able to securely log in and quickly submit a background check request to the FBI.

A patch is available

Pega worked quickly with the researchers to patch the vulnerability, although it needed time for customers running Infinity on-premises to update their installations. This process, one of the researchers said, took over three months. One perk of running this type of software in the cloud was that Pega could push the patch out to its cloud-based customers directly.

CVE-2021-27651

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability was assigned CVE-2021-27651, with the description:

“In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.”

Proof of concept (PoC)

There are several PoCs readily available, including complete videos on YouTube, so users of the Pega Infinity enterprise software platform are being advised to update their installations. The proof of concept demonstrates how an attacker could bypass Pega Infinity’s password reset system. Assailants could then use the reset account to fully compromise the Pega instance, through administrator-only remote code execution.
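The article does not describe the mechanics of the Pega flaw, only that the reset path could be used to bypass local authentication checks. As an added illustration, not code from Pega or the researchers, the following hypothetical in-memory reset flow shows the checks a reset endpoint has to enforce (random single-use token, stored only as a hash, with an expiry and a binding to one specific account) so that the reset path cannot itself become a way to take over an account. The class name, the 15-minute TTL and the toy password hashing are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy for the example: a reset link is valid for 15 minutes


def hash_password(password):
    # Stand-in for the demo only; a real deployment stores a slow, salted KDF output (Argon2, bcrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordResetService:
    """Hypothetical in-memory reset flow. The point is the set of checks in
    complete_reset(): a reset path that skips any of them lets someone change
    a password without ever knowing the old one."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts          # {username: password_hash}
        self.now = now                    # injectable clock so expiry can be tested
        self._pending = {}                # sha256(token) -> (username, expiry_timestamp)

    def request_reset(self, username):
        """Issue a single-use token for an existing account. Only the token's hash is
        kept server-side; the raw token is what would be sent to the verified
        email. Returns None for unknown accounts (the HTTP response should look the
        same either way so the endpoint does not reveal which usernames exist)."""
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._pending[token_hash] = (username, self.now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, username, token, new_password):
        """Apply the new password only if the token is known, unexpired, bound to
        this exact username, and has not been used before."""
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._pending.get(token_hash)
        if entry is None:
            return False                               # unknown or already-consumed token
        bound_user, expiry = entry
        if self.now() > expiry or not hmac.compare_digest(bound_user, username):
            self._pending.pop(token_hash, None)        # expiry or misuse invalidates the token
            return False
        self._pending.pop(token_hash)                  # consume it: single use
        self.accounts[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    svc = PasswordResetService({"alice": hash_password("old-password")})
    token = svc.request_reset("alice")
    print("reset bob with alice's token:", svc.complete_reset("bob", token, "x"))
    token = svc.request_reset("alice")
    print("reset alice with her own token:", svc.complete_reset("alice", token, "new-password"))
    print("replay of the same token:", svc.complete_reset("alice", token, "again"))
```

The username binding is the check that matters most for the class of bug described here: a token issued for one local account must never be accepted for another, and a token that is presented for the wrong account is discarded rather than left valid.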

Version dependent updates

Pega advises their on-premises clients to review the table posted here to determine which hotfix corresponds with their Pegasystems installation. Once they have determined the appropriate hotfix ID, they can submit a hotfix request in the Pega support portal. Pega Cloud environments running the relevant Pega versions are being proactively remediated by Pega.

Stay safe, everyone!

The post Pega Infinity patches authentication vulnerability appeared first on Malwarebytes Labs.

Royal Mail phish deploys evasion tricks to avoid analysis

Royal Mail phish scams are still in circulation, slowly upgrading their capabilities with evasion tools deployed in far more sophisticated malware attacks.

Often, the quality of sites we see varies greatly. Many fake Royal Mail pages are cookie-cutter efforts existing on borrowed time. The operators know their scam is a case of here today, gone tomorrow. These bogus pages are often taken down quickly by hosts. As a result, many exist in an effort-free zone of “graphic design is my passion”.

Sometimes these sites will lift bits and pieces from the official pages they happen to be imitating. This can take the form of stolen image files, and in other cases they’ll simply hotlink the live images or design instead.

But what we haven’t seen while digging into these fake portals is a smattering of what looks to be researcher deterrents. That is until now.

Shutting down the investigation

Malware authors often obscure the inner workings of their code, or prevent files from executing inside a virtual machine. A lot of analysis is done inside VMs, because it’s cheaper and less time consuming than infecting a “real” PC and then rolling everything back. This is why malware frequently looks for clues that it’s sitting inside a virtual environment, and then refuses to do anything.

Similarly, malware portals rely on the right kind of traffic. There’s no point spending a fortune on an exploit kit if potential victims aren’t running the outdated software required. Redirection Gates act like a kind of bouncer, making sure the right name is down on the list. Running an old version of Flash? Come on in. A fully patched system running security software? Sorry, this is an exclusive party.

Another similar check made by malware files when sitting in a virtual testing environment is to look for mouse movements and general desktop activity, or for the absence of any attached PC screens/monitors. If none of that is happening, if no screen displaying the desktop is in evidence, the malware assumes “malware research” and doesn’t come out of its shell.

Finally, we come to phishing pages. Some phishes are aimed at mobile users only, and will check the browser’s user agent string. If it says “Chrome, desktop” the site will send the visitor away. If it says “Chrome, mobile” they’ll be allowed into the heart of the phish. What we have with this Royal Mail fake out is an added layer of sophistication. This is, in effect, the malware portal bouncer on the door, but now they’re yelling about parcel deliveries.

Shall we take a look?

The Royal Mail phish in action

It begins with the usual SMS message claiming that a parcel has been redirected, and reads as follows:

[Image: fake phone text]

Post Office: Your parcel has been redirected to your local post office branch due to an unpaid shipping fee. To reschedule a delivery please visit: [URL removed]

Something to note here is how much closer this is to actual Royal Mail processes. Our last example from March simply made vague references to parcels waiting for delivery. A lot of people would hopefully suspect something was wrong as a result. Here, parcels with no postage are indeed sent to the nearest Post Office to arrange a collection.

For anyone familiar with the more generic SMS blasts from this attack, this may well be the foot in the door the attacker needs.

A virtual phish? No thank you

Remember what we said about sites filtering you in or out of the scam, depending on your setup? That’s what we have here. When you click the link to visit the fake Royal Mail page, there’s a fair bit of code under the hood sniffing around for potential virtual machine use.

The below code tests for WebGL renderer strings which it may associate with (for example) VirtualBox or RDP (Remote Desktop Protocol). It also wants to know if site visitors have a display or not. Remember, not having a screen is a possible sign of automated research tools in virtual machines. This is a tactic pulled right out of malware analysis evasion land.

[Image: code check]

Finally, the site throws a lot of placeholder text into the website’s code. This text seems to cause plenty of errors in Tor browser. Tor is another way for people researching sites to help keep themselves anonymous, so this is a smart move on the phish page creator’s part.

[Image: bacon text]

For those curious, the text performs the placeholder function of Lorem Ipsum text. In this case, it’s actually called Bacon Ipsum. While breaking Tor could be accidental, it seems too good to be true given the other measures on display.

Again, this isn’t a level of phish-based paranoia we’ve seen in fake Royal Mail land. Code which breaks Tor, checking for absent computer screens, sniffing for code which may denote a VM or RDP… this is a whole new level of the bouncer on the door concept.
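The image of the kit’s code is not reproduced here, so as an added example (not the phish page’s own code, and not from Malwarebytes) here is an analyst-side triage script that flags page source carrying the researcher-deterrent patterns the post describes: WebGL renderer sniffing, a screen-presence test, a mobile-only user-agent gate and Bacon Ipsum filler. The two page fragments are constructed for the example; the indicator names and the “two or more indicators” threshold are assumptions.

```python
import re

# Constructed page fragment in the style the post describes (not the real kit's code):
# WebGL renderer sniffing, a zero-size screen test, a mobile-only user-agent gate
# and Bacon Ipsum filler text.
SAMPLE_PHISH_PAGE = r"""
<script>
var gl = document.createElement('canvas').getContext('webgl');
var dbg = gl.getExtension('WEBGL_debug_renderer_info');
var renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
if (/VirtualBox|VMware|llvmpipe|SwiftShader|RDP/i.test(renderer)) location.href = 'https://www.example.com/';
if (window.screen.width === 0 || window.screen.height === 0) location.href = 'https://www.example.com/';
if (!/Mobile|Android|iPhone/.test(navigator.userAgent)) location.href = 'https://www.example.com/';
</script>
<p>Bacon ipsum dolor amet pork belly tenderloin short ribs.</p>
"""

# Constructed benign page: uses WebGL for drawing and reads the screen size, but gates nothing.
SAMPLE_BENIGN_PAGE = r"""
<script>
var gl = document.createElement('canvas').getContext('webgl');
gl.clearColor(0, 0, 0, 1);
console.log(window.screen.width);
</script>
<p>Lorem ipsum dolor sit amet.</p>
"""

# Indicator name -> pattern. Dict order is preserved in the scan result.
INDICATORS = {
    "webgl_renderer_fingerprint": re.compile(r"UNMASKED_RENDERER_WEBGL|WEBGL_debug_renderer_info"),
    "virtualization_strings": re.compile(r"VirtualBox|VMware|llvmpipe|SwiftShader|\bRDP\b", re.I),
    # screen.width / screen.height compared against 0 or 1: "is there a display at all?"
    "screen_presence_check": re.compile(r"screen\.(width|height)\s*(?:===?|<=?)\s*[01]\b"),
    # user-agent test that keys on mobile markers (desktop visitors get turned away)
    "mobile_only_gate": re.compile(r"(Mobile|Android|iPhone)[^;]*userAgent|userAgent[^;]*(Mobile|Android|iPhone)"),
    "bacon_ipsum_filler": re.compile(r"bacon ipsum", re.I),
}


def scan_page(source):
    """Return the names of the evasion indicators present in the page source."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(source)]


def likely_researcher_evasion(source, threshold=2):
    """One indicator on its own (WebGL use, say) is ordinary; two or more together
    are the 'bouncer on the door' pattern. The threshold is an assumed tuning value."""
    return len(scan_page(source)) >= threshold


if __name__ == "__main__":
    for label, page in (("phish", SAMPLE_PHISH_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(label, scan_page(page), likely_researcher_evasion(page))
```

Run it over saved page source from a URL scanner or proxy capture; the indicator list is the useful output, since it tells a researcher which of their tooling (headless browser, VM, Tor) the page is trying to shake off before they spend time on it.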

What does this Royal Mail phish do?

Assuming the bouncer lets someone in, the flow is a fairly standard Royal Mail phish scenario. The scammers ask for name, DOB, address, mobile number, and email address.

[Image: fake website]

After that, the victim is asked to hand over what are essentially full banking details via the information on their debit card. That’s name, card number, expiry date, security code, account number and sort code.

If payment details are fully entered and submitted, the site pops a message to thank the victim for payment. “Your parcel will be sent out soon, and we will notify you when it is out for delivery”.

[Image: fake delivery notification]

At this point, there’s a redirection off to the real Royal Mail website. We’d suggest the only thing left is to call the bank and sort out a replacement card / account block as soon as possible.

Returning a scam to sender

We’ve already looked at how devastating these attacks can be. Attackers are becoming smarter and more selective about who they want to snare in their trap. Making it harder for researchers makes it easier for them, so we all have a vested interest in bypassing these fakes and knowing what to look for. If you or your family members are worried about Smishing, we have just the thing. Fake Royal Mail messages aren’t going away anytime soon, so please keep your guard up and double check those messages. If in doubt, contacting your local depot is likely the best response you can make.

The post Royal Mail phish deploys evasion tricks to avoid analysis appeared first on Malwarebytes Labs.

“Have I been pwnd?”– What is it and what to do when you *are* pwned

Adobe. Yahoo!. The US Department of Energy (DoE). The New York Times.

What these names have in common is that they have all experienced at least one breach in 2013—the year when threat actors started targeting organizations across industries to either steal data for profit or leak them to “teach companies a lesson about cybersecurity.”

Most of the breached data was credential information, such as usernames and passwords, with the former usually being an email address. Some personally identifiable information (PII) and other sensitive organization-centric data was added into the mix as well.

With so many breaches going on that year, plus the observed ramping up of such attacks a few years before it, one may be led to think: How can people keep up with checking whether they’re affected by these breaches or not? Do they even know they have been breached?

This prevalence of data breaches coupled with his analysis on the Adobe attack have led Troy Hunt, an Australian cybersecurity expert, blogger, and speaker, to create Have I Been Pwned (HIBP), a website that allows internet users to check whether their personal data has been compromised or is part of a trove of leaked data following company breaches.

Feeling security fatigue? Listen to Troy Hunt with other cybersecurity experts Chloé Messdaghi and Tanya Janca in this episode of Lock and Code on how to beat it.

Is “Have I Been Pwned?” legit?

Yes, it is.

To date, HIBP has been around for almost a decade, and through the years, it has only proven itself to be an essential tool for everyday internet users, governments, and organizations alike.

Yes, you read that right: governments. HIBP has been assisting governments, such as the UK, Australia, and Romania (to name a few), in monitoring for breaches in government domains. Note that centralized monitoring is done by the cybersecurity arms of these governments, such as the National Cyber Security Centre (NCSC) for the UK, the Australian Cyber Security Centre (ACSC) for Australia, and CERT-RO for Romania. These organizations, of course, cannot query other websites beyond government domains.

“The only access they have is to domains that their people working in those departments could query anyway via the existing free domain search model, we’re just consolidating it all into a unified service,” Hunt wrote in a 2018 blog post about this matter. If you’re interested in reading more about this, there is in-depth detail here.

HIBP is also single-handedly handled and maintained by Hunt himself, not a team. And Hunt is a well-known and very trusted name within the cybersecurity circle. On top of that, he runs the service “with maximum transparency.”

Is “Have I Been Pwned?” safe?

If you’re more of a privacy-centric person who never likes websites snooping on your queries whenever you use their search feature, it is understandable to be concerned about whether HIBP can actually snoop or, worse, record every query you make.

According to HIBP’s FAQ page: “Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.”

Below are other storage-related questions covered on that page:

How is the data stored?
The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on. If you’re interested in the details, it’s all described in Working with 154 million records on Azure Table Storage – the story of Have I Been Pwned.

Does the notification service store email addresses?
Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.

How do I know the site isn’t just harvesting searched email addresses?
You don’t, but it’s not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you’re concerned about the intent or security, don’t use it.

In 2019, Hunt opened up to his readers about Project Svalbard, a name he associated with the future of Have I Been Pwned. In a nutshell, Hunt had planned to hand over the management of HIBP to a “better-resourced and better-funded structure” when he realized that he would burn out one day. The news could have raised alarm bells for those who have trusted the site all these years, as there is always a fear of the service being monetized or of data being misused by whoever acquires HIBP.

At the time, Hunt penned a long and thoughtful post on Project Svalbard, including his 7-point commitments to the future of HIBP, which you can read here. Here’s the tl;dr version of that:

  • Freely available consumer searches should remain freely available.
  • I (Troy Hunt) will remain a part of HIBP.
  • I want to build out much, much more capabilities wise. 
  • I want to reach a much larger audience than I do at present.
  • There’s much more that can be done to change consumer behaviour. 
  • Organisations can benefit much more from HIBP.
  • There should be more disclosure – and more data. 

But in March 2020, something changed. Due to last-minute, unforeseen developments, the sale of HaveIBeenPwned had been stopped. As Hunt wrote:

“Have I Been Pwned is no longer being sold and I will continue running it independently.”

Have you been pwnd? Here’s what to do

While it is important to know if your personal details or credentials have been leaked, it is significantly more important to act on it. What do you do now, knowing that your account has been compromised?

For starters, change your password. Make it longer. It doesn’t have to be a complex string of uppercase and lowercase characters, symbols, and numbers. Length is enough, according to a 2021 NIST guideline. You can formulate your own long password, or you can enlist the help of a password manager.

Lastly, use two-factor authentication (2FA) to add a layer of protection to your account. We strongly suggest using a one-time password (OTP) app, or if you have a physical hardware key, such as a Yubikey, all the better. Take note that some big-name companies like Facebook already have started giving their users the option to use a hardware key. So if you want to do that, check if your online service provider offers it, too, and take advantage of it.
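The “make it longer, drop the composition rules” advice above comes from NIST SP 800-63B, which also says to reject passwords that have appeared in breaches. As an added example (not the article’s code and not HIBP’s own), here is a password evaluator that applies a length floor and then checks the password against a breach corpus using the k-anonymity range lookup that HIBP’s Pwned Passwords service provides: only the first five hex characters of the SHA-1 hash are sent, and the server answers with every matching suffix and its count. The range response below is constructed (the counts are made up); the `live_lookup` function uses the documented `api.pwnedpasswords.com/range/` endpoint but is not needed to run the example, and the minimum length of 8 is an assumed policy value.

```python
import hashlib
import urllib.request

# Constructed range response in the documented 'SUFFIX:COUNT' line format for prefix 5BAA6.
# The middle suffix completes SHA-1("password"); all three counts are made up for the demo.
SAMPLE_RANGE_RESPONSE = (
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)
SAMPLE_RANGES = {"5BAA6": SAMPLE_RANGE_RESPONSE}


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, response_text):
    """Parse a range response and return how often our suffix appears (0 if absent)."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def offline_lookup(prefix):
    """Range lookup against the constructed sample (used by the demo and the tests)."""
    return SAMPLE_RANGES.get(prefix, "")


def live_lookup(prefix):
    """Range lookup against the real Pwned Passwords endpoint (network required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate_password(password, range_lookup=offline_lookup, min_length=8):
    """NIST SP 800-63B style evaluation: a length floor, no composition rules, and
    rejection of anything present in a breach corpus. Returns a list of problems;
    an empty list means the password is acceptable under these rules."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    prefix, suffix = sha1_prefix_suffix(password)
    seen = count_in_range(suffix, range_lookup(prefix))
    if seen:
        problems.append(f"breached:{seen}")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(repr(candidate), "->", evaluate_password(candidate) or "ok")
```

Because the server only ever sees a five-character hash prefix shared by hundreds of other passwords, the check does not reveal which password was tested, which is the same transparency point the HIBP FAQ makes about its email searches.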

Stay safe!

The post “Have I been pwnd?”– What is it and what to do when you *are* pwned appeared first on Malwarebytes Labs.

Bizarro: a banking Trojan full of nasty tricks

Researchers have discovered a new banking Trojan that has been found targeting customers of European and South American banks. They have dubbed the new Trojan Bizarro.

How does Bizarro spread?

The Bizarro malware spreads via Microsoft Installer (MSI) packages. Identified sources so far have been spam emails and attackers may also use social engineering to convince victims to download a smartphone app. Experts have detected infections in Brazil, Argentina, Chile, Germany, Spain, Portugal, France, and Italy. Bizarro uses compromised WordPress, Amazon, and Azure servers to host the MSI packages that victims are tricked into downloading.

What is Bizarro capable of?

Bizarro has quite a few tricks up its sleeve:

  • It can capture login credentials entered on banking sites. To speed up this process it reportedly closes your existing browser windows, so you are forced to log in. Bizarro also creates fake prompts to solicit 2FA codes.
  • Bizarro constantly monitors the clipboard and will replace any Bitcoin address it finds there with its own (hoping of course to capture any transfers that were supposed to be paid into the original address).
  • And last, but not least, it is a full-blown backdoor, which gets fired up as soon as the user visits one of a set of hardcoded banking sites.

The backdoor offers a lot of options to the attacker, including:

  • Gathering data about the infected system and sending it to the C&C server.
  • Searching for and stealing files from the infected computer.
  • Dropping files on the affected system (such as other malware).
  • Remote control of the mouse and keyboard.
  • Keylogging.
  • Creating fake popup windows and messages. The messages are intended to slow down the user’s response time and include progress bars.
  • Emulating banking sites on the fly.

Targets

Like many other banking Trojans of Brazilian origin, Bizarro focuses on European and South American banks. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries.

Besides the obvious victims that get the malware on their system, Bizarro’s operators also use money mules to operationalize their attacks, cash out, or simply to help with transfers. These money mules often have short-lived criminal careers before they end up in jail.

Mitigation and detection

As always the most important advice is to not click on links that come from an uncertain source. Also keep an eye out for unexpected behavior on your system. Especially when it comes to banking, it’s better to look into weird behavior than to just assume it’s Windows acting up. And double check your destination bitcoin addresses before sending them funds. (This is good advice in all circumstances: This isn’t the only malware that uses the clipboard to replace bitcoin addresses, and there are no do-overs with bitcoin!)
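The clipboard swap is detectable precisely because the substituted address has to be a valid one, or the transfer would fail. As an added example (not Bizarro’s code and not from Malwarebytes), here is the check a wallet or a paste hook can apply: decode the pasted string as a legacy Base58Check Bitcoin address, and if it is valid but differs from what the user copied, treat it as a swap rather than a typo. The two addresses used in the demo are the well-known genesis block address and the public “Bitcoin eater” burn address; the function names are assumptions, and Bech32 (`bc1…`) addresses are out of scope for this decoder.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def decode_base58check(address):
    """Return the 21-byte payload (version byte + hash160) of a well-formed legacy
    Bitcoin address, or None if any character or the 4-byte checksum is wrong."""
    value = 0
    for ch in address:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zero_bytes = len(address) - len(address.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def classify_paste(intended, clipboard):
    """Compare the address the user copied with what the clipboard holds at paste time."""
    if clipboard == intended:
        return "ok"
    if decode_base58check(clipboard) is not None:
        return "swapped"    # a different but valid address: the clipboard-hijacker signature
    return "invalid"        # typo or truncated paste; not a swap, but do not send to it either


if __name__ == "__main__":
    # Constructed paste events: (what the user copied, what the clipboard contained on paste).
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    eater = "1BitcoinEaterAddressDontSendf59kuE"
    for copied, pasted in ((genesis, genesis), (genesis, eater), (genesis, genesis[:-1] + "b")):
        print(pasted, "->", classify_paste(copied, pasted))
```

The practical takeaway matches the article’s advice: compare the full pasted address, not just its first and last few characters, because a hijacker can pick a substitute from a pool of pre-generated addresses that resemble the original.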

The downloaded ZIP archive contains the following files:

  • A malicious DLL written in Delphi
  • A legitimate executable that is an AutoHotkey script runner (in some samples AutoIt is used instead of AutoHotkey)
  • A small script that calls an exported function from the malicious DLL

The DLL is detected by Malwarebytes’ machine learning module.

[Image: Trojan Bizarro detected]

Stay safe, everyone!

The post Bizarro: a banking Trojan full of nasty tricks appeared first on Malwarebytes Labs.

4 things you should know about testing AV software with VirusTotal’s free online multiscanner

As COVID-19 soldiers on, small and medium-size businesses now feel as ripe for malware attacks as deep-pocketed multinationals.

SMBs see that, along with remote work, our pandemic has also brought troubling new holes to their security. This means cybercriminals—equal opportunity charlatans that they are—now simply cast wider nets to snare any and all businesses. Large or small. Young or old. Public or private. Profitable or those just barely getting by.

For defense against these new vulnerabilities, nervous teams often purchase an endpoint protection solution. But, research shows, most SMBs are skeptical about the job their product is doing.

In Malwarebytes’ recent SMB Cybersecurity Trust & Confidence Report, 47% of respondents said their endpoint protection wasn’t up to the task of stopping new threats. Remarked a respondent: “Even a combination of solutions can’t catch every threat. Just like a flu shot can’t prevent every strain of the flu.”

According to the report, about 65% of SMBs with 50-99 employees try to make double-sure their endpoint protection is working as advertised by testing it.

And to do so, they often turn to VirusTotal.

If you’re not familiar with VirusTotal, it’s a service owned by Chronicle (part of Google/Alphabet). It offers a free service that lets you upload suspicious files and URLs, which it inspects and checks for viruses using 70+ third-party antivirus products, URL/domain blocklisting services, and other tools. It also offers a range of paid-for Premium Services, but in this article we will focus on its free offering.

Naturally, the price tag for analyzing malware (free) is appealing to SMBs on a limited budget. And the simplicity appeals to teams with limited resources and technical staff.

But is this the best testing solution for SMBs? Let’s explore.

1. VirusTotal isn’t running the same AV software as you

To stay up-to-date against both known and zero-day threats, endpoint protection providers update their products and protection software almost continuously. VirusTotal maintains a collection of over 70 endpoint protection solutions, and there is no guarantee that its version of what you’re running is as up to date as your version. This means they’re sometimes testing an SMB’s suspicious items with outdated AV software.

The service also runs command line versions of the AV software it tests with, rather than the GUI versions. In its own words, that means “…depending on the product, they will not behave exactly the same as the desktop versions.”

Lastly, the free version of VirusTotal performs a static analysis of your file. A more detailed and realistic view of the file is available through its Premium Services, which analyze them running in a sandbox environment.

It’s no surprise then that the free version of VirusTotal does not mirror your environment, which can easily lead to a false negative.

2. Some infections aren’t triggered in VirusTotal

Cybercriminals are getting smarter. They now create malware that senses when it’s in the VirusTotal environment, and therefore it won’t detonate. The virus just lies low until given the green light by VirusTotal. Then, when the unsuspecting SMB releases the “clean” item to their live endpoints, it wakes up and delivers the payload.

These nefarious threat actors are even getting cheeky. They sometimes program their malware to send a rude message to SMBs once the malware has exploded, taunting them for trying to outsmart them.

3. VirusTotal doesn’t want your private data

When uploading a suspicious file to VirusTotal, an SMB may also inadvertently include sensitive information. This is especially true among teams with inexperienced staff who are less familiar with what’s included in the sample.

Exposed info can range from internal data (like payroll records or intellectual property) to external information (such as customer passwords and banking information). This unprotected data can leak out to other VirusTotal customers or cybercriminals.

This is why many SMBs with compliance regulations, or those with advanced safety protocols, prohibit the use of VirusTotal, and it’s why the service’s home page says clearly: “Please do not submit any personal information.”

4. VirusTotal isn’t a testing tool

In many ways, VirusTotal is a victim of its own success. While it’s very useful for testing AV solutions it has always been clear that’s not what it’s for. Its job is to help antivirus vendors, as its FAQ makes plain:

VirusTotal service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors.

The company shows no signs of embracing its widespread misapplication either. Instead, the company’s future centers around building its premium service, VirusTotal Intelligence. It lets subscribers download virus samples from VirusTotal to a team’s own test environment. SMBs can then scan these samples internally using their endpoint protection solution, to see what they catch or miss.

Is VirusTotal the answer?

Bottom line: VirusTotal is a free service staffed with top professionals. But testing the efficacy of your AV solution is not its focus. You’ll have to weigh the pros and cons. VirusTotal is useful for testing, and the price is right (you can’t beat free), but its shortcomings could have a major impact on your business and endpoint protection.

In a follow-up article, we’ll discuss viable options beyond VirusTotal for testing and verifying your endpoint protection.

The post 4 things you should know about testing AV software with VirusTotal’s free online multiscanner appeared first on Malwarebytes Labs.

A week in security (May 10 – 16)

Last week on Malwarebytes Labs, we watched and reported on the Colonial Pipeline ransomware attack as developments of its story unfolded. This attack triggered the White House to refine a planned Executive Order on cybersecurity. We also profiled DarkSide, the ransomware responsible for the Colonial Pipeline attack, and the criminal gang behind it.

Speaking of ransomware, we spoke with Jake Bernstein, a cybersecurity and privacy attorney and our guest in the latest Lock and Code podcast episode, to talk about the legal ramifications ransomware-turned-data-breach victims may face when they have been successfully attacked.

We also highlighted “wormable” Windows vulnerabilities on last week’s Patch Tuesday updates; touched on FragAttack, a term used to describe newly found Wi-Fi vulnerabilities that basically affects all Wi-Fi devices; addressed the question “Why MITRE ATT&CK matters”; warned about Avaddon, a new ransomware campaign; raged about WhatsApp call and message features breaking unless you share data with Facebook; applauded game developers who included cybersecurity as part of the whole gaming experience, and went “ooh!” at a novel way someone can exfiltrate data out of air-gapped networks using iPhones and AirTags.

Our expert threat hunters also noted the increase in iPhone spam attacks and observed Magecart Group 12 continuing to go strong and using a PHP-based skimmer as a new tool.

Lastly, we talked about Wi-Fi and honeypots.

Other cybersecurity news

  • The group behind the Colonial Pipeline attack claimed to be behind the Toshiba attack and data breach. (Source: Kyodo)
  • DarkSide also netted Brenntag, a chemical distribution company, and got paid for it—to the tune of $4.4M USD. (Source: BleepingComputer)
  • Imposter Amazon robocalls are reaching 150 million consumers per month, according to YouMail. (Source: PR Newswire)
  • Threat actors take advantage of routine site maintenance to get people to download malformed copies of MSI Afterburner from a fake website. (Source: MSI News)
  • According to a report from Immersive Labs, 81 percent of software developers have knowingly released applications that are vulnerable. (Source: Immersive Labs)
  • Panda, a new information stealer, could nab account credentials of NordVPN, Telegram, Discord, and Steam users. It also goes after cryptocurrency wallets. (Source: The Coin Radar)
  • A report on TeaBot, a new Android malware targeting European banks, was released. (Source: Cleafy)
  • Users are at risk as they continue to use Windows 7, which has already reached its end of life. (Source: Security Brief)

Stay safe!

The post A week in security (May 10 – 16) appeared first on Malwarebytes Labs.

Gamers level up with rewards for better security

There was a time when stolen gaming accounts were almost treated as a fact of life. Console hacks weren’t taken particularly seriously. Security research in this area was occasionally derided as unimportant or trivial. Gaming accounts had an essence of innate disposability to them, even if this wasn’t the case (how disposable is a gamertag used to access hundreds of dollars’ worth of gaming content?).

These days, gaming security is taken very seriously indeed. The gradual roll-out of Two-factor Authentication (2FA) across both gaming platforms and titles themselves is a wonderful thing, but one worries about buy-in. When sign-up rates for something as common as Google accounts are struggling to hit double figures, it’s definitely a concern.

Customer support: compromised accounts all the way down

There’s also the impact on publisher bottom lines. More stolen accounts means more time tying up customer support lines. If the victims of the stolen accounts have invested lots of money into a title, there’s the possibility of bad press should it get that far. Forgotten passwords will tie up support’s time, for sure. But the moment someone calls through with one single account compromise, the customer service rep has no idea what they’re walking into.

It could be a fairly straightforward phish. Alternatively, someone may have imitated a game developer on a Twitch stream. Did the attacker bypass text-based 2FA by social engineering the mobile provider? Perhaps the victim fell for bogus loot crates via a YouTube video. Fake game developers sending private messages? You bet.

The possibilities are endless, and also potentially endlessly time consuming.

The digital expansion of gaming

Games haven’t been a one-purchase-and-done procedure for a long time. Downloadable content, expansions, and the concept of “Games as a Service” mean content can flow forevermore. This is particularly true in the realm of Massively Multiplayer titles. It’s not uncommon for the most popular games to keep on trucking for a decade or longer. These titles offer a variety of payment options.

Some games are a one-off payment with paid-for expansions down the line. Others might have a free-to-play option, with subscription accounts for more features and content access. A few mix all of these approaches, and there’s really no set standard.

When roleplaying sets the stage for security

MMORPGs are one online realm where security has been a big part of the overall package for years. Developers had the foresight to realise account protection would become increasingly important over time. World of Warcraft developers Blizzard released their first authenticator way back in 2009. People are often surprised when they find out how long WoW has had authentication in place. Yes, this may well be something of an outlier. They’ve also run into occasional issues with people trying to bypass the system.

Even so, this is probably one of the ways mainstream gamers run into this kind of authentication for the very first time. When the biggest organisations in a space use this tech, it hopefully encourages other companies to consider doing the same thing. In 2018, they were offering backpack upgrades for anybody using authentication and their SMS Protect service.

An increasingly valuable treasure chest

What I’m fascinated by is MMORPGs with frequently expensive in-game items bought with real money. Those in-game stores often offer premium items, and it can quickly turn into an expensive hobby. Some items are cosmetic, some give in-game benefits which can occasionally turn into “pay to win” accusations.

However you stack it up, accounts with lots of purchases are incredibly valuable targets. Going back to what I said earlier, the last thing Big Game Company Inc needs is a ton of bad press where they weren’t seen to be helping “premium” gamers. They also don’t want support channels flooded with stolen account calls.

In 2012, Steam encouraged users to enable Steam Guard in return for a badge during a community event. In 2015, they took this one step further and offered sale discounts.

A few months prior to this, MMORPG developers were already gamifying 2FA and offering rewards for enabling it. ArenaNet, developers of Guild Wars 2, were handing out a cool looking dragon for enabling 2FA. Here’s another game from 2015, Wakfu, which seems to have given small stat bonuses for using their 2FA system.

The security problems facing game developers

I’m not sure if 2015 was some sort of specific flashpoint for “everybody start using this, please” but clearly the groundwork was being laid. Due to a lot of videogame reporting being lost to the ages via link rot, I’m also uncertain if games using 2FA years prior to this offered up incentives for using it. I would assume quite a few of the older titles would say the incentive was simply “not losing your account”. Perhaps this is one reason why uptake is low. After all, people are complaining about the hassle of having to use it despite freebies on the Wakfu forums.

With this in mind, what we have is:

  • Users reluctant to use the tech
  • Depending on the game, a potentially very young audience that may not want the hassle of setting up 2FA
  • Accounts in use for long periods of time, with significant years of purchases behind them

This is clearly not ideal. As a result, gamifying the overall approach and offering up perks and items is the way to go.

Some current examples of security bonuses

Black Desert Online

A few months ago, the incredibly popular MMORPG Black Desert Online ran a “security campaign” event. If players set up an OTP (one-time password) process for their logins, they were rewarded with a 7-day value pack. These value packs are incredibly useful for BDO players. They grant significant boosts for loot collection, buffs, inventory, storage, weight limit, marketplace sales, and much more.

If you’re even a semi-serious BDO player, these are prized items and you’ve likely bought quite a few, or grinded out events to get some for free. The alternative is paying for a variety of different Value Packs in the game’s Pearl Store via real money transactions. Although the event is now over, I’d be surprised if it doesn’t get another outing.

Star Wars: The Old Republic

This Bioware / EA juggernaut has been around for a few years and shows no signs of slowing down. It’s essentially free to play, but with various restrictions applied unless you purchase a subscription. It also contains an in-game store which offers up cosmetics, items, large scary animals which you can ride around on, the works.

I’ve played quite a few MMORPGs where large store purchases are involved, yet there often seems to be a lack of additional security to help keep accounts secure in some titles. That’s not the case here, as we’ll see.

The basic rule with premium stores is, everything is pretty expensive. There may be essential items like storage capacity or crafting bags hidden behind paywalls. You might be able to buy a house for cheap, but then you have to spend a lot more money to fill it with items or even unlock different rooms.

Developers really want you to feel that premium, exclusive angle on every purchase you make. As a result, anything given away for free in many games is often not very good. You’ll almost never get any of those premium items for free unless it’s during a special event.

Items are usually purchased with special forms of in-game currency. That is usually bought via a gaming platform for real money. In Star Wars: The Old Republic, this currency is called Cartel Coins. Developers don’t give premium store funds away for free, because that wouldn’t make any sense.

And yet.

One of the big pulls for setting up 2FA with the game’s dedicated authenticator app, is indeed free premium currency. As a bonus for setting up the app, gamers are rewarded with 100 Cartel Coins a month. That’s 1,200 coins every year the app is ticking over, which is certainly enough to buy an item or two a month, or one of the bigger discounted bundles when the player breaks the 1,000 barrier.

I’m not sure if this giveaway approach is something which coincided with the release of the app, or an additional perk which came later. As far as encouraging players to make use of additional security features, I’d give this effort 10/10.

Final Fantasy Online

Square Enix are big on One Time Passwords. They use various options like physical security tokens or software authentication to get the lockdown job done. Their in-game reward is free teleportation. Many MMORPGs charge nominal amounts to fast travel, which adds up very quickly. This is a fantastic way to get buy-in from an MMORPG audience.

Gaming platform account bonuses

It’s not just individual games handing out the freebies. Gaming platforms like the Epic Store are getting in on the act too. In 2018, if you added 2FA to your Epic Games account, you received a free skin.

This may not sound like much but trust me, kids love free gaming skins.

As of 2019, the offer had broadened out considerably. In addition to a skin, players also received armory slots, backpack slots, and a free legendary troll stash Llama because hey, why not.

Interestingly, the 2FA reward program isn’t just limited to platform logins and Fortnite. If you want to keep claiming the endless selection of free titles offered on the Epic Store, you now need 2FA up and running. No additional security? No free games.

This is smart in a realm where Steam arguably still rules the roost in terms of most established PC gaming platform. By carving out chunks of the Epic Store’s most impressive platform offerings and placing them behind good security practices, the pull factor is no doubt strong. There have to be a good chunk of Epic users now sporting much better protected accounts, and that’s a win-win.

Closing thoughts

While some gamers will quibble about the value of giveaways on some titles, ultimately the devs are doing them a favour. When the worst case scenario is “You don’t lose your account to compromise”, that sounds like a pretty good deal to me. Receiving some free goodies to feed back into your gameplay loop is the icing on the cake. An easy win for everybody apart from account thieves is surely the best Game Over screen we can hope for.

The post Gamers level up with rewards for better security appeared first on Malwarebytes Labs.

iPhone calendar spam attacks on the rise

Recently, we have seen an increasing number of reports from iPhone users about their calendars filling up with junk events. These events are most often either pornographic in nature, or claim that the device has been infected or hacked, and in all cases they contain malicious links. This phenomenon is known as “calendar spam.”

Calendar spam became a big problem for Apple’s iCloud calendars back in 2016. At that time, Apple put some protections in place on iCloud to prevent these issues. Whatever they did was working, up until recently. Let’s take a look at how the scammers have changed their tactics.

Fake captcha page example

Users will encounter a scam web page like the following one (though this is just an example). These pages are reached via a number of techniques, including malvertising, compromised WordPress sites, and Search Engine Optimization (SEO) tricks. In this case, the page displays a fake captcha that users are expected to tap in order to prove they’re not a bot.

Fake captcha web page

For this particular page, tapping the “I’m not a robot” box (or, really, anywhere else on the page) results in a prompt attempting to trick the user into subscribing to a calendar.

iOS alert to obtain consent to add the calendar

Normally, this prompt would ask the user if they want to subscribe to a particular calendar by name. In this case, the scammers have given the calendar a name containing whitespace and the “Tap OK to Continue” / “Tap Cancel to Close Browser” message. Clicking Cancel will return you to the page, and if you do this a couple of times, you’ll trigger a redirect. (More on that shortly.)

Clicking OK results in the spam calendar, and all its events, being added to the user’s Calendar app. These events all have alerts that cause notifications to appear in the Notification Center. Tapping a notification will take you into Calendar, which will display the content of the event. In all cases, the content is a scam message trying to get you to open a link.

Details from a spam calendar event, reading "A suspicious program may be using 90% of your memory"

At this time, the links go to a 404 page, but we believe they would have linked out to apps in Apple’s App Store.
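As an added example (not code from the Malwarebytes post), the following Python script parses a subscribed-calendar feed and flags the tell-tale signs described above: a calendar name padded with whitespace so the consent dialog shows only the fake button text, and events that carry both an alert and a link. The .ics feed, the URL and the scare phrases it looks for are constructed for the example.

```python
"""Flag suspicious subscribed-calendar feeds of the kind described above.

Added example, not Malwarebytes code. The sample .ics feed is constructed
for this example; the property names (X-WR-CALNAME, VALARM, SUMMARY,
DESCRIPTION) are standard iCalendar (RFC 5545 plus the common X-WR-CALNAME
extension).
"""
import re
from typing import Dict, List

# Constructed sample feed: the calendar name is padded with whitespace so
# that the consent dialog shows only the "Tap OK" text, and the spam event
# carries an alarm plus a link, which is the pattern the post describes.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//spam//EN
X-WR-CALNAME:                                  Tap OK to Continue / Tap Cancel to Close Browser
BEGIN:VEVENT
UID:1@example.invalid
SUMMARY:A suspicious program may be using 90% of your memory
DESCRIPTION:Remove it now: https://example.invalid/clean
DTSTART:20210601T090000Z
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT0M
END:VALARM
END:VEVENT
BEGIN:VEVENT
UID:2@example.invalid
SUMMARY:Team lunch
DESCRIPTION:Usual place
DTSTART:20210602T120000Z
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://\S+")
SCARE_RE = re.compile(r"\b(virus|hacked|infected|suspicious|memory)\b", re.I)


def parse_ics(text: str) -> Dict:
    """Minimal iCalendar parser: returns the calendar name and its events.

    Handles RFC 5545 line folding (continuation lines start with a space or
    tab). Only the properties this check needs are kept.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith((" ", "\t")) and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    cal = {"name": "", "events": []}
    event = None
    in_alarm = False
    for line in lines:
        key, _, value = line.partition(":")
        key = key.split(";", 1)[0].upper()  # drop parameters such as ;VALUE=DATE
        if key == "BEGIN" and value == "VEVENT":
            event = {"summary": "", "description": "", "alarm": False}
        elif key == "END" and value == "VEVENT":
            cal["events"].append(event)
            event = None
        elif key == "BEGIN" and value == "VALARM":
            in_alarm = True
        elif key == "END" and value == "VALARM":
            in_alarm = False
        elif key == "X-WR-CALNAME":
            cal["name"] = value  # keep leading whitespace: it is the signal
        elif event is not None:
            if in_alarm:
                event["alarm"] = True  # any property inside VALARM marks an alert
            elif key == "SUMMARY":
                event["summary"] = value
            elif key == "DESCRIPTION":
                event["description"] = value
    return cal


def suspicious_findings(cal: Dict) -> List[str]:
    """Return human-readable reasons a subscribed calendar looks like spam."""
    findings = []
    name = cal["name"]
    # Leading whitespace long enough to push the real name out of the dialog.
    if len(name) - len(name.lstrip()) >= 8:
        findings.append("calendar name padded with whitespace")
    if re.search(r"tap (ok|cancel)", name, re.I):
        findings.append("calendar name impersonates a dialog button label")
    for ev in cal["events"]:
        text = ev["summary"] + " " + ev["description"]
        if ev["alarm"] and URL_RE.search(text):
            findings.append(f"event with alert and link: {ev['summary']!r}")
        if SCARE_RE.search(ev["summary"]):
            findings.append(f"scareware wording: {ev['summary']!r}")
    return findings


def is_spam_calendar(text: str) -> bool:
    return bool(suspicious_findings(parse_ics(text)))


if __name__ == "__main__":
    for finding in suspicious_findings(parse_ics(SAMPLE_ICS)):
        print("-", finding)
```

The whitespace threshold and the phrase list are deliberately simple; the point is that the two signals the scam relies on (a padded name and alert-plus-link events) are both visible in the raw feed, which is the same data the Calendar app shows you under the subscribed calendar's information screen.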

Redirects to “security” apps

Whether you do or don’t subscribe to the calendar, the page will go back to the fake captcha. Tapping the captcha a second time, and clicking either OK or Cancel, will result in your browser being redirected to a scam page claiming your iPhone is infected or that hackers are watching you.

A scam web page titled "Hackers are watching you!"
A scam web page titled "WARNING! Your Apple iPhone is severely damaged by 13 viruses!"

These pages will redirect to a variety of App Store apps. Mostly, these are junk VPNs or supposed security apps. They mostly have high ratings, and have been around for 4+ years, but the total number of ratings given is low. This could be an indication that the ratings have been reset periodically.

Worse, many of these apps have high-price, short-duration subscriptions. In most cases, prices are around $8.99 or $9.99 per week.

App Store page for Guard Coil VPN

Removing the subscribed calendar(s)

If you have been impacted, your iPhone has fortunately not actually been hacked or infected (regardless of what the messages claim), and there is a simple solution. You can just delete the subscribed calendars.

First, open your Calendar app, and then tap the Calendars button at the bottom center of the screen, shown below.

iOS Calendar app showing spam events

This will result in seeing a view like the following, showing all the calendars loaded on your iPhone. Note the odd item with a green tick and no title, under the heading “SUBSCRIBED”.

The listing of all calendars shown in the Calendar app

The calendar name appears blank here, but that may not be true in every case. You’ll want to remove all subscribed calendars, except those that you are certain are legitimate. To do this, tap the button showing the letter i in a circle next to the subscribed calendar. (If you have more than one, you’ll have to repeat for each one.)

On the next screen, tap the Delete Calendar button at the bottom of the screen. (On some devices, you may have to scroll down to see it.)

Information about the unwanted calendar, including a Delete Calendar button

How to prevent the issue

First and foremost, if you find yourself seeing a strange message in Safari on your iPhone, don’t believe it, and don’t do what it tells you to do. Don’t click any buttons consenting to whatever the site is asking, such as OK, Allow, Install, etc. If you can close the tab or navigate to another page in the browser, do so. If an alert is preventing that, click Cancel if that’s an option.

If there is an alert preventing you from taking action until you tap a button, and you don’t know what to do, just restart your iPhone.

You can also use the Web Protection feature in Malwarebytes Security for iOS. This should prevent you from visiting malicious pages in Safari. Of course, as with all things, nothing is infallible, so if you find that a malicious site has slipped past, please copy the address of the page from Safari’s address bar and submit it via a support ticket to Malwarebytes support. A screenshot would help as well.

Unfortunately, since users are essentially consenting to this scam via existing Apple-provided mechanisms for obtaining consent, there may not be much that Apple can do to stop this particular wave of calendar spam. However, we’ve notified Apple anyway, and hope it can at a minimum take action against the apps promoted by these scams.

What about other platforms?

Although we’re seeing a lot of this on iOS right now, the scam affects other platforms as well. On macOS, for example, it will attempt to add a calendar, though the process is far less convincing.

macOS alert asking the user to consent to subscribe to a calendar

The same is also true on Windows.

Windows alert asking the user to choose an app to open a webcal link with

You may also be offered a browser extension by some variants of this scam, depending on your browser. (Google Chrome is a common target.)

Regardless of the platform, if you see something odd like this in the browser, do not allow it, and close the page.

The post iPhone calendar spam attacks on the rise appeared first on Malwarebytes Labs.

Using iPhones and AirTags to sneak data out of air-gapped networks

Someone has found an extraordinary way to exfiltrate data by piggybacking data on the backs of unsuspecting iPhones.

Say what?

A researcher has found out that it is possible to upload arbitrary data from non-internet-connected devices by sending Bluetooth Low Energy (BLE) broadcasts to nearby Apple devices that will happily upload the data for you. To demonstrate their point, they released an ESP32 firmware that turns the micro-controller into an (upload only) modem. They also created a macOS application to retrieve, decode and display the uploaded data.

How AirTags are involved

The investigation was triggered by the release of AirTags. AirTags are marketed by Apple as a super-easy way to keep track of your stuff. Basically, you attach an AirTag to your valuables and you can find out where they are using Apple’s Find My app. Unlike a GPS tracker, which requires cell service and can drain batteries quickly, AirTags rely on the popularity of Apple products. The iPhones, iPads, and Macs used by hundreds of millions of people around the world are nodes in a distributed “Find My” network, joined by BLE signals.

Research theory and practice

Building on previous work by TU Darmstadt, the researcher was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the Internet from devices that are not connected to Wi-Fi or mobile internet. The data would be broadcast via BLE and, with luck, picked up by nearby Apple devices on the Find My network. Then, once those devices were connected to the Internet, they could forward the data to Apple’s servers, from where it could be retrieved. In theory, such a technique could be used to avoid the cost and power consumption of mobile Internet access. More interesting from our point of view, it could also be used for exfiltrating data!

Sometimes theoretical ideas like this get shot down by practical issues, like the bandwidth restrictions in the AirTag system, for example. But as it turned out, some security and privacy decisions in the design of the Offline Finding mechanism enabled the goal quite efficiently, and, according to the researcher, make it almost impossible to protect against.

Security through obscurity

The Apple Find My Offline Finding system is designed so that:

  • There are no secrets on the AirTag.
  • There is no access for Apple to the user’s location.
  • Tracking protection against nearby adversaries is achieved by rolling public keys

The consequence of this for the research lies in the fact that Apple does not know which public keys belong to your AirTag, and therefore which location reports were intended for you. This means that any device with an Apple ID can get location reports from any AirTag. The security solely lies in the encryption of those location reports: The location can only be decrypted with the correct private key, which is on the owner’s device.

Device

Since there is no way for Apple to check what kind of device is sending out the signal, for the sending side the researcher chose the ESP32, a very common and low-cost microcontroller. Using firmware based on the TU Darmstadt research, the device broadcasts a hardcoded default message in a loop while listening for new data; once a new message is received, it broadcasts that instead.

Designing a protocol

To make the sender and receiver understand each other took some tinkering. If you are interested in the more technical aspects, I advise you to read the researcher’s post. But the end goal, to set arbitrary bits in the shared key-value store and query them, was reached. Once both the sender and receiver agree on an encoding scheme, it is possible to transfer arbitrary data.

To send properly authenticated retrieval requests the researcher used an Apple Mail plugin, a trick that was also described in the German research.
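To make the key-value-store idea concrete, here is an added example in Python that is not the researcher’s code or Apple’s. It models the upload channel on a single host: the sender derives one “public key” per message bit, passing finder devices upload an opaque report under the SHA-256 hash of each key they heard, and the receiver recovers each bit by asking the server which of the two candidate hashes has reports. The per-bit key derivation, the modem and message IDs, and the report contents are assumptions made for the model; the real firmware uses its own encoding and genuine P-224 keys, and the encrypted location payload is left out.

```python
"""Model of the Offline Finding upload channel described above.

Added example, not the researcher's code or Apple's. It simulates the three
parties on one host: a sender that encodes message bits into the "public
keys" it advertises, finder devices that report each key they heard to a
server that indexes reports only by SHA-256 of the key, and a receiver that
reconstructs the bits by querying for the keys it expects. The key
derivation (hash of modem ID, message ID, bit index and bit value) is an
assumption chosen for the model; the real ESP32 firmware uses its own
scheme and real P-224 keys, and the location payload is omitted.
"""
import hashlib
from typing import Dict, List

KEY_LEN = 28  # bytes of a P-224 public key x-coordinate carried in one advertisement


def bit_key(modem_id: int, msg_id: int, index: int, bit: int) -> bytes:
    """Deterministic 'public key' for one bit (assumed scheme, see docstring)."""
    material = f"{modem_id}:{msg_id}:{index}:{bit}".encode()
    return hashlib.sha256(material).digest()[:KEY_LEN]


def encode_message(modem_id: int, msg_id: int, data: bytes) -> List[bytes]:
    """Sender side: one advertisement key per bit of the message, MSB first."""
    keys = []
    for index in range(len(data) * 8):
        bit = (data[index // 8] >> (7 - index % 8)) & 1
        keys.append(bit_key(modem_id, msg_id, index, bit))
    return keys


class FindMyServer:
    """Stores reports keyed by SHA-256(public key). It never sees the key
    itself and cannot tell which key belongs to whom, which is why any
    account may query any hash."""

    def __init__(self) -> None:
        self.reports: Dict[bytes, List[str]] = {}

    def upload(self, key_hash: bytes, encrypted_location: str) -> None:
        self.reports.setdefault(key_hash, []).append(encrypted_location)

    def fetch(self, key_hashes: List[bytes]) -> Dict[bytes, List[str]]:
        return {h: self.reports[h] for h in key_hashes if h in self.reports}


def finder_device(server: FindMyServer, heard_keys: List[bytes], label: str) -> None:
    """A passing iPhone: hashes each advertised key and uploads an opaque report."""
    for key in heard_keys:
        server.upload(hashlib.sha256(key).digest(), f"enc-report-from-{label}")


def decode_message(server: FindMyServer, modem_id: int, msg_id: int, nbits: int) -> bytes:
    """Receiver side: for each bit ask for both candidate hashes; the one
    with reports is the bit that was broadcast. A bit with reports for
    neither (no finder passed by) or both (collision/replay) is an error."""
    bits = []
    for index in range(nbits):
        h0 = hashlib.sha256(bit_key(modem_id, msg_id, index, 0)).digest()
        h1 = hashlib.sha256(bit_key(modem_id, msg_id, index, 1)).digest()
        found = server.fetch([h0, h1])
        if (h0 in found) == (h1 in found):
            raise ValueError(f"bit {index}: ambiguous or missing reports")
        bits.append(1 if h1 in found else 0)
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def demo() -> bytes:
    server = FindMyServer()
    message = b"Hi"
    keys = encode_message(modem_id=7, msg_id=1, data=message)
    # Two iPhones each hear part of the broadcast loop; together they cover it.
    finder_device(server, keys[:10], "phone-A")
    finder_device(server, keys[5:], "phone-B")
    return decode_message(server, modem_id=7, msg_id=1, nbits=len(message) * 8)


if __name__ == "__main__":
    print(demo())  # b'Hi'
```

Two design points carry over from the model to the real system: the server only ever stores hashes and opaque reports, so it has nothing to authenticate the sender with, and the receiver needs a report for every bit, which is why coverage by passing devices and the server's willingness to answer arbitrary hash queries are the two things that make or break the channel.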

Bridging the air gap

Because devices on the Find My network will cache received broadcasts until they have an Internet connection, this technique can be used to upload data from areas without mobile or Wi-Fi coverage, as long as iPhone owners pass by from time to time. The easiest to imagine use case would be uploading data from remote IoT devices without a broadband modem, SIM card, data plan or Wi-Fi connectivity, but it could also be used in sneakier ways.

In the world of high-security networks, where exotic techniques like blinking server lights and drone cameras are noteworthy ways of bridging air gaps, visitors’ Apple devices might also be a feasible method for exfiltrating data.

Air-gapped systems were considered the holy grail of security a decade ago. An air-gapped network is one that is physically isolated and not connected to any other network. The idea was that the only way data can be transferred into or out of such a network is by physically inserting some sort of removable media, such as a USB stick or removable disk, or by connecting a transient device like a laptop. Since then, a lot of research has gone into methods to exfiltrate data from air-gapped networks. It seems this researcher has found another one.

Mitigation

As mentioned earlier, it would be hard for Apple to defend against this kind of misuse if they wanted to. Apple designed the system on the principle of data economy. They cannot read unencrypted locations and do not know which public keys belong to your AirTag, or even which public key a certain encrypted location report belongs to (as they only receive the public key’s SHA256 hash).

However, the researcher points out that hardening of the system might be possible in the following two areas:

  • Authentication of the BLE advertisement.
  • Rate limiting of the location report retrieval.

Authentication could be used to exclude anything other than an AirTag from sending data to finder devices. Rate limiting could enforce the limit of 16 AirTags per Apple ID and make abusing the system to send large amounts of data a lot harder.

This technique looks more like interesting research than a pressing, real-world problem and it remains to be seen how seriously Apple treats this threat. In the meantime, the company is well aware that data exfiltration isn’t the only nefarious activity that AirTags can be repurposed for.

The post Using iPhones and AirTags to sneak data out of air-gapped networks appeared first on Malwarebytes Labs.

What does WiFi stand for?

We use WiFi to connect to the Internet, but what is it, and what does it stand for? How does it have such a catchy name, and why do we sometimes have a weak Internet connection with a strong WiFi signal and vice versa? Read on to answer these questions and more.

What does WiFi mean?

Many people assume that WiFi is short for “wireless fidelity” because the term “hi-fi” stands for “high fidelity.” Some members of the WiFi Alliance, the wireless industry organization that promotes wireless technologies and owns the trademark, may even have encouraged this misconception.

The reality is that WiFi is a made-up marketing term that doesn’t really stand for anything. The Alliance tasked marketing company Interbrand with creating a palatable term that they could trademark because “Institute of Electrical and Electronics Engineers (IEEE) wireless communication standard 802.11 technology” doesn’t quite roll off the tongue.

How does WiFi work?

In a nutshell, WiFi is a wireless network that allows wireless-capable devices like computers, tablets, smartphones, modems, microwaves, fridges, and routers to connect with each other through radio frequency signals. Any suitably equipped device can connect to a WiFi network, regardless of whether it, or the network it’s connecting to, has an Internet connection.

What is the difference between WiFi and Internet? Can you have WiFi without Internet?

Your computer can communicate with your router through a WiFi signal (or a cable) even if your router isn’t online. That’s why you can have a strong WiFi signal with a weak or nonexistent Internet connection. Similarly, your Internet router can have a healthy Internet connection which feels like it’s slow to you, because of a less than ideal WiFi signal between you and your router.

How did WiFi become an official standard?

Until 1997, the world couldn’t quite agree on a common and compatible WiFi standard. Then, a group of industry experts formed a committee to decide. Think of them like the council from Lord of the Rings but tech-savvy and with less pointy ears.

Not only did the committee agree on a wireless communication standard, but they formed an alliance called the Wireless Ethernet Compatibility Alliance (WECA). In 2002, WECA was rebranded to WiFi Alliance, which features hundreds of renowned member companies today. Pointy ears still aren’t a requirement for joining.

What is a WiFi hotspot?

A WiFi hotspot is any physical location where a device can connect to the Internet through a Wireless Local Area Network (WLAN). Nowadays, you can easily create a WiFi hotspot with a modern smart device. For example, most smartphones can produce a WiFi hotspot, which effectively turns them into an Internet-connected WiFi router. Any wireless-capable device in range can use it to connect to the Internet (using the phone’s connection to the cellular network) in the same way as they would use an Internet router at home.

When is it safe to use WiFi?

A WiFi connection’s safety depends on its security settings and the source of the WiFi connection. In public, using shared WiFi carries risks (more on that below). If you have to use public WiFi hotspots, it’s wise to also use a VPN to keep your activity private while you use that connection. A VPN wraps your network traffic (including web browsing, email, and other things) in an encrypted tunnel to the VPN server, which makes up for any weaknesses in the hotspot’s own encryption.

For home WiFi, here are some tips that can help you improve your network security settings:

  • Update your router’s firmware to the latest version to patch any vulnerabilities.
  • Use a modern router if you can because an old router can be a security risk.
  • Change the default SSID to a different WiFi network name. A hacker can sometimes determine the make and model of your router from the SSID and use the information to exploit known weaknesses and breach your network.
  • Use the latest version of WiFi Protected Access (WPA) your router supports, ideally WPA3, or WPA2 with AES (CCMP) encryption. Avoid Wired Equivalent Privacy (WEP), which is obsolete and can be cracked in minutes.
  • Enable your router’s and operating system’s respective firewalls to raise a network barrier that monitors traffic.
  • Set a long password for your router and your WiFi network. Always change default passwords.
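As an added example (not Malwarebytes code), here is a Python script that turns the checklist above into a check you can run against a scan: it parses the terse output of `nmcli -t -f SSID,SECURITY dev wifi` and flags open networks, WEP, WPA1-only networks and SSIDs that still look like a factory default. The scan data and the default-SSID patterns are constructed assumptions for the example, not a complete list.

```python
"""Triage a Wi-Fi scan for the weaknesses in the checklist above.

Added example, not Malwarebytes code. It parses the terse output of
`nmcli -t -f SSID,SECURITY dev wifi` (one network per line, fields
separated by ':'; nmcli escapes a literal colon in a value as '\\:').
The scan below is constructed for the example, and the default-SSID
patterns are an assumption covering a few common vendor naming styles.
"""
import re
from typing import Dict, List

# Constructed sample, in the layout nmcli's terse mode prints.
SAMPLE_SCAN = """\
NETGEAR47:WPA2
TP-Link_5A3C:WPA2
Cafe Free WiFi:
HomeNet:WPA1 WPA2
OldBox:WEP
Garden:WPA3
CoffeeShop:WPA2 802.1X
"""

# Assumed factory-default naming styles (vendor name plus a few hex digits).
DEFAULT_SSID_RE = re.compile(
    r"^(NETGEAR\d{2}|TP-Link_[0-9A-F]{4}|Linksys\d{5}|ASUS(_[0-9A-F]{2})?|"
    r"dlink(-[0-9A-F]{4})?|ATT[0-9A-Za-z]{6}|xfinitywifi)$",
    re.I,
)


def parse_nmcli(text: str) -> List[Dict[str, str]]:
    """Split terse nmcli lines into SSID and security.

    A blank security field means an open network. The split is on the last
    unescaped colon so SSIDs containing ':' survive.
    """
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"(?<!\\):", line)
        ssid = ":".join(parts[:-1]).replace("\\:", ":")
        security = parts[-1].strip()
        nets.append({"ssid": ssid, "security": security})
    return nets


def assess(net: Dict[str, str]) -> List[str]:
    """Return the problems a network has, empty if none."""
    issues = []
    sec = net["security"].upper().split()
    if not sec:
        issues.append("open network: traffic is unencrypted on the air")
    elif "WEP" in sec:
        issues.append("WEP: broken cipher, crackable in minutes")
    elif "WPA1" in sec and "WPA2" not in sec and "WPA3" not in sec:
        issues.append("WPA1 only: TKIP is deprecated")
    if DEFAULT_SSID_RE.match(net["ssid"]):
        issues.append("SSID reveals router vendor/model (factory default)")
    return issues


def triage(text: str) -> Dict[str, List[str]]:
    """Map each SSID to its list of issues, omitting networks with none."""
    result = {}
    for net in parse_nmcli(text):
        issues = assess(net)
        if issues:
            result[net["ssid"]] = issues
    return result


if __name__ == "__main__":
    for ssid, issues in triage(SAMPLE_SCAN).items():
        print(ssid, "->", "; ".join(issues))
```

On a real machine, pipe the live scan in with `nmcli -t -f SSID,SECURITY dev wifi | python3 wifi_triage.py` after replacing the sample with `sys.stdin.read()`; a mixed “WPA1 WPA2” network is not flagged because clients that support WPA2 will negotiate it, but a network that offers only WPA1, WEP or nothing at all is.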

How can I enhance my WiFi signal?

The strength of your WiFi signal depends on the distance between your router and your device, what’s between them, and other radio interference. Of course, it’s not always possible to keep your device near your router. That’s why it’s a good idea to keep your router in a central location in your home, away from impediments.

You can also purchase a range extender to improve your WiFi signal across your home or buy a more technologically advanced router.

Is it unsafe to use public WiFi connections?

Public WiFi connections are undoubtedly convenient. When you’re on the move, you can connect to the Internet at the airport, shopping mall, café, or restaurant through a public WiFi connection. However, many public networks are unsecured, to make it easy for people to connect. It is also impossible to tell who is operating the hotspot and whether they are benign, malicious or careless.

Because so much traffic funnels through them, WiFi hotspots are an ideal place for committing identity theft, financial fraud, and other cybercrimes. Here are some common public WiFi attacks you should watch out for:

  • Person-in-the-middle attack: Hackers intercept communications on a public WiFi network and modify them to steal sensitive data like credit card numbers, emails, messages, pictures, and videos, or to inject malicious code. This attack is also known as a Man-in-the-Middle or MitM attack.
  • Fraudulent Hotspot: A hacker may create a compromised WiFi network with a plausible name (perhaps the same name as an existing hotspot that’s very popular) to trick users into connecting to the fake network. The hacker can use it to conduct a person-in-the-middle attack, or deploy malicious code like the new AgentTesla variant into the devices connected to the fraudulent hotspot.

How to reduce public WiFi security risks

Although the encryption that is widely used in web browsing and email delivery will help protect you from attacks, it isn’t perfect and isn’t used everywhere. It can be hard to see when it isn’t used, where it’s weak, or where it might be vulnerable to downgrade attacks, particularly in mobile apps, all of which can be exploited by attackers.

You can also use a Virtual Private Network (VPN) to secure your traffic when using public WiFi connections. By wrapping your imperfectly-encrypted traffic in a single encrypted tunnel to the VPN server, a good VPN service keeps your data safe from rogue WiFi hotspots and attempts to intercept your communications on the local network (beyond the VPN server, traffic is still only as protected as the application’s own encryption). You can also read up on VPN protocols to learn about how they secure your connection.

A top VPN service also protects your privacy by cloaking your IP address. Privacy threats can sometimes come from unlikely sources. For example, a Dutch city was recently fined for trailing its citizens with a WiFi tracking system.

Turn WiFi off on your devices when you don’t need it. It’ll make your battery last longer and it stops your device being used as a tracking beacon.

The post What does WiFi stand for? appeared first on Malwarebytes Labs.