IT NEWS

5G slicing vulnerability could be used in DoS attacks

The IT security researchers at AdaptiveMobile have called out what looks like an important vulnerability in the architecture of 5G network slicing and virtualized network functions. They warn that, had this fundamental vulnerability in the design of the 5G standards gone undiscovered, the risks would have been significant.

What is 5G?

5G is the 5th generation mobile network. It is the fifth new global wireless standard after (you’ll never guess) 1G, 2G, 3G, and 4G. 5G enables a new kind of network that is designed to connect virtually everyone and everything together, including machines, objects, and devices. 5G is based on OFDM (Orthogonal frequency-division multiplexing), a method of modulating a digital signal across several different channels to reduce interference.

What is 5G network slicing?

5G network slicing is a network architecture that enables the multiplexing of virtualized and independent logical networks on the same physical network. Basically, the actual 5G network is compartmentalized into multiple virtual networks that function independently.

This allows the infrastructure providers to divide their network up into several independent ones for separate mobile network operators. A mobile operator can create specific virtual networks that cater to different clients and use cases.

The vulnerability

Network functions are services available within a network, and in 5G they can be dedicated to a single slice, or shared between multiple slices. AdaptiveMobile Security looked at 5G networks that contain both shared and dedicated network functions.

What it learned was that when a network has network functions that support several slices, there is a lack of mapping between application-layer and transport-layer identities, which allows rogue slices to do more than they are allowed. The separate networks were not as separate as they should be.

The fundamental vulnerability has the potential to allow data access and denial of service attacks between different network slices on a mobile operator’s network.

5G networks are complex, and so are the attacks. AdaptiveMobile sets out a few examples in its report, but the easiest to explain is an example of a Denial of Service (DoS) attack.

Imagine a network carved into two slices that can both have access to the same shared network function (“the shared service”). We’ll call the slices “Victim” and “Aggressor”, just to make it really obvious! In our example, the Aggressor network slice is under the control of a rogue operator who wants to run a DoS attack against the Victim network slice.

In simple terms, the Aggressor slice sends a message to the shared service, claiming that it is the Victim slice, and that it’s overloaded and does not want to receive any communication from the shared service, thereby denying that service to Victim.

The attack works because, although the shared service checks (correctly) that the Aggressor slice is permitted to speak to it, it does not have to check that the messages the Aggressor slice sends actually relate to that slice and not to a different one.

Or, as the report puts it:

Currently, there is no requirement in the 3GPP specifications to validate if the slice identity in the 3GPP-Sbi-Oci header matches the slice identity in the token for the service API usage.
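The missing check in that sentence is small enough to show in code. The following is an added example, not code from AdaptiveMobile's report or from any 3GPP specification: it models a network function shared by two slices, keeps overload state per slice, and compares the slice identity named in a (simplified, constructed) overload-control header against the slice identity the caller's access token was issued for. The header syntax, the token claim name `snssai` and the slice identifier values are placeholders, not the 3GPP wire format.

```python
"""Slice-binding check for a shared 5G network function.

Added example, not code from AdaptiveMobile's report or from any 3GPP
specification. The OCI header syntax and the token claim names below are
simplified placeholders, not the real 3GPP formats.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed slice identifiers written as "SST-SD"; not real operator values.
VICTIM_SLICE = "1-000001"
AGGRESSOR_SLICE = "1-000002"


@dataclass(frozen=True)
class AccessToken:
    """Claims taken from a caller's OAuth 2.0 token after its signature was
    verified. `snssai` is a placeholder claim name for the slice the token
    authorizes; the real 3GPP claim name differs."""
    consumer_nf: str
    snssai: str


def parse_oci(header: str) -> Optional[Dict[str, str]]:
    """Parse a simplified 'Name=value;Name=value' OCI header into a dict.
    Returns None for malformed input or when the slice field is missing."""
    fields: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name.strip() or not value.strip():
            return None
        fields[name.strip()] = value.strip()
    return fields if "S-NSSAI" in fields else None


@dataclass
class SharedService:
    """A network function serving several slices. Overload state is kept per
    slice, so an accepted 'stop sending to me' report silences exactly one slice."""
    overloaded: Dict[str, bool] = field(default_factory=dict)

    def apply_overload_info(self, token: AccessToken, header: str,
                            bind_to_token: bool = True) -> str:
        """Process an OCI header sent by an already-authorized consumer.

        bind_to_token=False reproduces the behaviour the article describes:
        the caller is authenticated, but the slice named in the header is
        taken at face value. bind_to_token=True adds the missing check.
        Returns a short result string rather than raising, so callers can log it.
        """
        fields = parse_oci(header)
        if fields is None:
            return "rejected:malformed"
        claimed_slice = fields["S-NSSAI"]
        if bind_to_token and claimed_slice != token.snssai:
            # Application-layer identity (header) disagrees with the identity
            # bound at authorization time (token): drop the report and log it.
            return "rejected:slice-mismatch"
        self.overloaded[claimed_slice] = True
        return "applied"

    def is_overloaded(self, snssai: str) -> bool:
        return self.overloaded.get(snssai, False)


if __name__ == "__main__":
    aggressor = AccessToken("nf-in-aggressor-slice", AGGRESSOR_SLICE)
    # Constructed header: the caller names the Victim slice, not its own.
    spoofed = f"S-NSSAI={VICTIM_SLICE};Overload-Reduction-Metric=100"
    unchecked = SharedService()
    print("no binding  :", unchecked.apply_overload_info(aggressor, spoofed, bind_to_token=False),
          "| victim overloaded?", unchecked.is_overloaded(VICTIM_SLICE))
    checked = SharedService()
    print("with binding:", checked.apply_overload_info(aggressor, spoofed),
          "| victim overloaded?", checked.is_overloaded(VICTIM_SLICE))
```

The point of the per-slice state and the mismatch result is that a defender can both stop the cross-slice effect and see it: a `slice-mismatch` rejection from an otherwise valid, authorized consumer is exactly the event worth alerting on.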

How can this be abused?

According to AdaptiveMobile, an attacker could gain access to data and launch denial of service attacks across multiple slices if they have access to the 5G Service Based Architecture.

  • Exposure of the operator and their customers to the loss of sensitive location data.
  • Denial of service against another network function on the same network.
  • Access to a network function, and related information, of another vertical customer.

Is there any real danger?

To pull off a successful attack you would have to get accepted as a mobile operator and get assigned a “slice” of the 5G network, which would set you back a significant amount, probably a lot more than you could ever hope to gain by successfully exploiting the flaw. The only real and current danger would be if two competitors on the same network decided to spy on one another. Given the limited number of network operators and the cost involved in becoming one, the danger to customers seems non-existent.

But, once a flaw has been found, there is a good chance more will follow, and it is better to expose these flaws than to discard them just because they are harmless now. Because, as the head of 5G Security Research at AdaptiveMobile Security, Dr. Silke Holtmanns, put it:

“Having brought this to the industry’s attention through the appropriate forums and processes, we are glad to be working with the operator and standards communities to highlight this issue and promote best practice going forward.”

In short, it’s good to be aware of existing vulnerabilities, but we have seen much more effective DoS attacks against 5G.

The post 5G slicing vulnerability could be used in DoS attacks appeared first on Malwarebytes Labs.

The one reason your iPhone needs a VPN

For years, Apple has marketed its iPhone as the more secure, more private option when compared to other smartphones, which do not, by default, include an end-to-end encrypted messaging app, warn users repeatedly about app location requests, or provide a privacy-forward Single Sign-On feature.

But, while Apple has taken several commendable steps toward protecting users, the company’s reach only goes so far, which means that it alone cannot stop threat actors from snooping on users’ unencrypted web traffic, poorly configured apps from leaking user data to rogue WiFi networks, or mobile phone carriers from selling user data to make money.

For those problems, iPhone users would greatly benefit from using a Virtual Private Network (VPN). A VPN creates an encrypted “tunnel” between your phone and somebody you trust, such as the company you work for, or your VPN provider. Your phone traffic is routed through the tunnel, where it’s protected from surveillance, before joining the internet.

Using a VPN on an iPhone can bolster the overall privacy and security that users have come to expect from the Cupertino-based phone maker, which has literally gone to court to fight back against efforts to downgrade its mobile operating system’s security.

If there’s one reason users need to use a VPN with their iPhones, it’s this: A VPN can protect where Apple cannot. Below is a list of reasons why you need a VPN on your Apple iPhone:

VPNs encrypt your iPhone’s web activity

The Internet is a complex place, with countless servers hosting trillions of web pages, visited by billions of machines every day. When you use the Internet, there are some safeguards in place for protecting your online activity, but those safeguards are incomplete and they aren’t the work of Apple. Expecting Apple to protect all of your Internet traffic is like expecting Ford to make safer highways.

Because of this, when you use an iPhone to browse online, you could still be vulnerable to threat actors snooping on your Internet traffic when you use a public WiFi network, like when working at a café, staying at a hotel, or waiting for a flight at the airport.

Using a VPN on your phone can protect you against those attacks, in exactly the same way it would if you were browsing the web on your laptop or desktop machine. You get the same security and the same privacy boosts, no matter the device. This is crucial because, as users begin to spend more time navigating the Internet on their phones, they are spending more time connecting to it from untrusted environments, over somebody else’s WiFi.

The good news for Internet users is that there is a long-standing effort to encrypt the entirety of the web. But although great strides have been made in the last decade, it’s important to remember that the Internet today is not yet reliably private or secure. Whilst lots of web pages are served over HTTPS (the secure form of HTTP), many are not, and most DNS lookups—which reveal the names of the websites you’re visiting—are vulnerable to snooping.

The better news is that, until the entirety of the web is encrypted, a VPN will fill in the gaps and provide much of the security online that Apple can’t control. Remember, the iPhone’s security can only go so far.

VPNs encrypt your iPhone’s app traffic

Encrypting your iPhone’s web activity while browsing online is good, but realistically, many of your iPhone apps are connecting to the Internet on a near round-the-clock basis, crunching data in the Cloud, and refreshing in the background to check for notifications and updates. Just because these connections aren’t happening through a browser doesn’t mean that threat actors are any less interested in them.

In fact, the vulnerabilities of many poorly configured apps are likely too many to count. Time after time, studies of different types of apps have shown too many are either missing the encryption necessary to protect you, or that it exists in a weak, flawed or broken state. And, most alarmingly, there is no way for users to tell the good apps from the bad ones without specialist knowledge and equipment.

Just like the web, there is only so much that Apple can do to protect you from apps that communicate insecurely. But, again, a VPN can help plug the gaps in your apps’ encryption by wrapping it all in a protective tunnel.

VPNs stop your carrier from monetizing your data

Protecting your Internet activity from eavesdropping doesn’t just defang threat actors, it also prevents your mobile service carrier from making an extra buck at the expense of your privacy. At least in the United States, mobile service carriers like Verizon, AT&T, and T-Mobile can look at your Internet activity—including what you look at, what apps you’ve downloaded, and how you interact with certain services—and then bundle that activity into profiles that they can then sell for advertising purposes.

If this sounds wrong to you, you’re not alone. And if you think that mobile carriers wouldn’t abuse your data, think again. Last year, the US Federal Communications Commission announced a collective $200 million in fines against Verizon, AT&T, Sprint, and T-Mobile for those companies’ sale of user location data without users’ consent.

A VPN on iPhone will hide a great deal of your Internet activity from your mobile carrier, in the exact same way that it hides your online activity from your Internet Service Provider. Your carrier is on the outside of the VPN’s tunnel and can’t look inside it. Take a stand for your privacy and reclaim your Internet activity for yourself.

By now, it should be clear that using a VPN with an iPhone isn’t futile, or redundant, or useless. In fact, it’s a great way to bolster your security and your privacy.

The post The one reason your iPhone needs a VPN appeared first on Malwarebytes Labs.

Steam users: Don’t fall for the “I accidentally reported you” scam

Suppose that, out of the blue, a Steam user tells you they’ve accidentally reported you for something you didn’t do, like making an illegal purchase, and that your Steam account is going to be suspended.

They ask you to message a Steam admin, whose profile they kindly provide, to help you sort out this dilemma.

What do you do?


There are some scams on Steam which have stood the test of time. Their tactics and target have remained generally consistent for years. Phishing campaigns aimed at harvesting as many user credentials as possible, for example, are a dime a dozen. And let’s not forget the many ways a fraudster can dupe Counter-Strike: Global Offensive (CS:GO) players.

Like Steam phishing campaigns, this particular Steam scam—referred to loosely as the “I accidentally reported you” or “I accidentally reported your account” scam—has been coming and going since initial reports of it emerged in late 2018. To date, it has no other target apart from Steam users. And, based on its latest iteration, it targets Steam users with a Discord account.

For those who aren’t aware of this scam and its variants, below is a breakdown of how the scam works. On the other hand, if you’re quite acquainted with it, dear Reader, then feel free to skip to the next section.

The Steam scam playthrough

The hello

The fraudsters behind the “I accidentally reported you” scam usually approach their targets under the pretext that they need something, or they have something to say. Anything to suggest that it’s something important and that they should be heard out.

They may already be a Steam “friend”, from a couple of days or years ago, someone in the same Steam group as you, or a user who wants you to add them to your friends list.

These scammers are straightforward but polite, usually greeting you first before asking if you’re busy so as not to intrude. They are even convincingly apologetic. (Image via Reddit user /u/Moritz_M05.)

I’m so sorry but I accidentally reported your account to the steam admin for scamming me and duping items instead of someone who impersonated your profile and that impersonator is a scammer who scammed me 🙁

There is no word-for-word script that scammers stick to, but the gist is this: someone posing as you scammed them, but they reported you instead of the impostor.

Note that other variants of this scam will claim that they have reported you for “doing illegal purchases”—another reason to cause a degree of alarm but flawed, nonetheless.

The help

(Via /u/Moritz_M05)

I’m worried about your account now bro because the steam admin already ban his account

(Via /u/Moritz_M05)

if my report on your account gets process you will get ban too just like the scammers account 🙁

At this point, the scammer drives home the point that your account will get banned next, unless something is done. The scammer then insinuates that help is on the way: a “Steam admin” who will cancel the report and remove the target’s account from the ban pile. However, the target must first confirm to this admin that the report against them was a mistake.

ok so here is the profile of the steam admin if he accept just file a ticket to him that you are not involved in the report

The sharing of a legitimate profile—or what appears to be legitimate—that is connected to Steam or its developer, Valve, is one of the tactics scammers employ to make their claims look more truthful.

If you raise the possibility that this Steam admin might not accept your friend request, the scammer suggests that you contact them via Discord.

(Via /u/Moritz_M05)

can you add him on discord? so that if he cannot notice your req on steam maybe he will notice it on discord.

anyway I need to show you something

Oh no, what now?

this is a reply about my report on your account

The scammer shows a purported response from “Jill”, the Steam admin of this case, containing explicit instructions to contact the party who was mistakenly blocked and have them contact her as well through Discord. She even left her Discord user name. (Via /u/Moritz_M05)

It’s another reinforcement tactic, to erase any doubts you may still have. Frankly, it’s overkill at this point.

The hogwash

Convinced of what you must do and who you need to contact, you get in touch with the Steam admin. Of course, this admin is fake and likely either the scammer or an accomplice.

Note that the tone of the conversation changes here. The scammer’s concerned and helpful front is gone once you start chatting with the fake admin:

Hello there, Please state the reason why did you add me?

After you briefly explain the situation, the fake admin asks for a screenshot of the chat that transpired between you and the scammer.

I received the report according to our coordinator’s review about illegal activity for Illegal Purchased but you don’t have to worry here if you’re not really involved in the said issue. I will remove the banned report issue in your account. All you need to do is to prove that your account is in good condition and it was a false accusation so that Valve Report Assistance Team will cancel the Banned report charge on your account

The proof they ask for is a screenshot of your purchase history. They will also ask you to log out of your Steam account on your computer and/or mobile so they can “start the scanning of your account status”. Of course, there is no scan. The fake admin asks this as a lead-in to asking for more information—for starters, the email address tied to your Steam account.

An email address is needed when a Steam user finds themselves locked out of their account and they forgot their account name or password.

The fake admin asks you to get the verification code sent by Steam to your email address. If you happen to have Steam Guard enabled, the fake admin will ask for the code as well.

Never give anybody your Steam Guard password.

In some cases, the fake admin will ask you to send them the reported duplicate item to check if it was, indeed, a duplicate via the Steam trading function. This is framed as “borrowing” the item, but you won’t be getting it back.

If you comply with the fake Steam admin you can lose your accounts, your game items, and even money.

Targets who question any of the tasks the fake admin asks them to do are met with the pressure to respond quickly because they’re “running out of time”, they are presented with a fake certificate, or they are threatened with having their accounts deleted.

Fake Steam admin not giving you any choice but to comply, or else. (Via /u/GatoTristeY)
I know, right? (Image taken from a hijacked Steam profile)
“Shall I proceed your account to deletion?” (Via /u/freshfred69)

Although several Steam users will not reach this part of the scam, many aren’t so lucky. Some, despite knowing that something is off, aren’t 100 percent sure if they’re dealing with a scammer or not.

True social engineers, or just desperate?

What we believed to be the first variant of this scam in 2018 was simple and solely focused on misusing the Steam trading function. This scam is now highly evolved and, one can say, has branched out into other nefarious acts, such as hijacking accounts, rare item theft, and other ways scammers can milk victims of their (or their parents’) hard-earned money.

Like most scams, the “I accidentally reported you” scam relies heavily on social engineering tactics that aim at gaps in a Steam user’s familiarity with how things work within the platform’s ecosystem.

Scammers want to appear believable, so it’s no surprise they use already hijacked accounts that have a good standing on Steam when reaching out to targets. The same can be said about Discord accounts under their control.

Scammers refurbish accounts to make it look like a Valve employee by customizing its URL and providing more background info. If this doesn’t scream “I’m a Valve employee!”, then I don’t know what does. (Via /u/CoffeeMapachi)

The scammers behind this scheme also come prepared. Not only do they have the materials—screenshots and a guide script—they need to counter frequent questions raised about their credibility, they are also not afraid to play on Steam users’ fears, even at the risk of losing the credibility they already built up with their target.

Familiarize and exercise

Steam has always put the onus of not getting scammed onto the shoulders of its users. If you did get scammed, Steam Support will assist to the best of their abilities, including getting your hijacked account back. But beyond this (retrieving a stolen rare item, or refunding money if your account has been used to purchase Steam gift cards, for example), they likely won’t be able to help.

That said, it’s crucial for Steam users to realize that they may have blind spots and may not be as well acquainted with some aspects of the platform as they think. Filling in these blind spots can help you spot scams.

Know that:

  • There is no such thing as a “Steam admin”, a “false report”, or a “Certificate of Eligibility”.
  • There are Valve employees with Steam profiles. And they proudly display a legitimate badge to prove this. They are top-tier moderators (mods) who have full administrator privilege in Steam.
  • Real Valve employees belong to two invite-only groups, which are Valve and Steam.
  • There are Steam Community Moderators. Like Valve employees, current and retired moderators have their own badges, too. Community moderators can ban users, among other things.
  • Real Steam Community Moderators, both active and inactive, belong to the invite-only group, STEAM Community Moderators (SUFMods).
  • There is a page where you can look up all Steam Community Moderators.
  • Scammers link back to legitimate profiles of Valve employees or Steam moderators to hook targets into reaching out through Discord. These Discord accounts are not manned by Valve employees but by scammers.
  • There is no such thing as an illegal item, so there is no need for anyone to review an item.
  • If an item does need inspection, Valve employees would not require you to hand them over. They will just look it up in their database.
  • Duplicate items (or dupes) exist, but they are not illegal. Duplication was done years ago by Steam Support to restore scammed or stolen items for hijacked victims. Steam Support doesn’t do this anymore.
  • If you have handed over an item to someone claiming to be a “Steam admin”, consider it gone forever. The current policy is that Steam Support does not restore items that have left an account, including scammed ones.
  • If there is a problem with your account, or you have an impending ban, Steam will let you know either via email, a Support ticket, or account alerts. Here is an example [link to account-alert-sample] (taken from Steam on Reddit).
  • A Steam moderator will never contact you via chat or a third-party app like Discord for any reason.
  • A Steam moderator will never mediate between you and another user.

Secure your Steam account by using a strong password, taking full advantage of Steam Guard—Steam’s two-factor authentication method—and be aware of the latest scams that are targeting you as a Steam user. Keep the above points in mind, and stay safe!

The post Steam users: Don’t fall for the “I accidentally reported you” scam appeared first on Malwarebytes Labs.

Why you need to trust your VPN: Lock and Code S02E05

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we speak to Malwarebytes senior security researcher JP Taggart about the importance of trusting your VPN.

You’ve likely heard the benefits of using a VPN: You can watch TV shows restricted to certain countries, you can encrypt your web traffic on public WiFi networks, and, importantly, you can obscure your Internet activity from your Internet Service Provider, which may use that activity for advertising.

But obscuring your Internet activity—including the websites you visit, the searches you make, the files you download—doesn’t mean that a VPN magically disappears those things. It just means that the VPN itself gets to see that information instead.

Tune in to hear about what your VPN can see, why it is important for that information to be secured, and how you can safely transfer your trust to a VPN, on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on the Apple iTunes store, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Hades ransomware has been linked to the Evil Corp cybercrime gang who uses it to evade sanctions. (Source: BleepingComputer)
  • Researchers discover two dozen Chrome extensions that are being used to serve up unwanted ads, steal data, and divert users to malicious sites. (Source: DarkReading)
  • An advisory for two high-severity flaws has been issued by the OpenSSL project. (Source: SecureBlink)
  • A $50m ransomware demand made against PC manufacturer Acer by the REvil/Sodinokibi cyber crime syndicate sets a new record. (Source: ComputerWeekly)

Stay safe!

The post Why you need to trust your VPN: Lock and Code S02E05 appeared first on Malwarebytes Labs.

Don’t post it! Six social media safety sins to say goodbye to

If you or anyone you know is committing the below social media sins, it’s time to change that habit of an online lifetime. Even the most innocuous of things can cause trouble down the line, because everyone’s threat model is different. Unfortunately, people tend to realise what their threat model is when it’s already too late.

With this handy list, you’ll hopefully avoid the most common mistakes which are served up to social media with a dash of eternal regret.

Don’t post: credit card information

Yes, people do this. Someone is issued a new credit card. Perhaps it’s their first and they’re really excited. They want to tell the world…and they do it by posting up un-redacted shots of the front and back of the card. If they’re really unlucky, they’ve left bits and pieces of personal information on the same profile or elsewhere. I’m not sure why, but these posts often stay online long after hundreds of people have replied with “Delete this!”

It’s a mystery we may never get to the bottom of.

Don’t post: medical information

This is quite a timely one. Various forms of medical data are very popular on social media right now, especially due to the pandemic. Got a nice health and wellbeing story? Off it goes into Twitter or Facebook. This can bring problems, however. Back in 2017 we looked at the trend of posting X-rays to social media. Even where people thought they’d redacted everything, some details still slipped through the net.

Wind forward to 2021, and we have people posting vaccination selfies. Those are fine. However, close-ups of the sheets / slips detailing patient info in relation to their vaccine are not. There are plenty of folks posting these images from all over the world, which is to be expected. We beg you to ask yourself if you really need to post it and, if you do, please redact most if not all the information on these cards. You really don’t need it online.

Don’t post: visas and passport photos

Many immigration advice firms post to social media whenever they manage to obtain visas for their clients. That’s great! Well done. What’s not so great? Posting images of the client’s passport to social media, usually along with the visa, or other entry document.

Occasionally they’ll redact some of the data…but not all of the time. And even when name / address / D.O.B. is obscured, other elements are left visible. That could be their biometric residence permit number, or something else specific to their identity in their new country of residence. Given these are Government-issued documents, it’s best not to post any of it online at all. There are often steep fees for replacement documents, and I’m not sure if it’s any better if they need replacing due to negligence as opposed to loss.

Let’s say “It’s probably worse” and resolve to never do it again.

If you’re a customer of organisations helping arrange visas and you know they have social media accounts? Feel free to keep an eye on their feeds, especially if you see they already do this. You’ll probably find yourself posted online at some point, and even with redactions applied this feels like a very uncomfortable practice.

Don’t post: personal information in customer service chats

Interacting with customer service reps on Twitter is something people do 24/7. It’s often one of the fastest ways to resolve an issue, but trouble beckons when people post the inner workings of their problem. Something wrong with an order? Missing screws for your DIY table? Milk expired 3 weeks ago?

Okay, but you don’t need to post everything to go with it. Order numbers tied to public accounts, screenshots of your order summary complete with home address listed, telephone numbers, we’ve seen them all down the years.

Is your delivery driver disputing that someone was in when they rang the doorbell? It happens, but you don’t need to post up a shot of the GPS indicator from their website showing exactly where you live.

All of this information is usable to some degree by people up to no good. It could be phishing, it could be doxxing, it might be stalking. Bottom line: start from a position of total redaction and only show what you absolutely need to.

If you’re taking the conversation to direct messages? Don’t post anything sensitive in there either, and that includes things like passwords.

Don’t post: vacations in real-time

Given it’s an age since anyone likely went on holiday, it’s worth dusting off one more golden oldie. If and when we’re all able to go on vacation, remember to control your travel experience ruthlessly.

We strongly suggest you post about your trip after you get back home. It may be appealing to get everything online as it takes place, but “I’m hundreds of miles away from my empty home” seems a bit dangerous to us.

This is especially the case if any of your profiles make use of geolocation, or you happily tag your home address in any geolocation service. You may as well hire someone to fly a plane over your house with a big banner that says “We’re empty for 14 days, come on in”. This isn’t a very catchy marketing slogan, but people up for a bit of burglary will love it.

Don’t post: the TMI selfie

This probably isn’t what you’re expecting it to be. However.

Something we regularly see on social media is the TMI selfie. This is an entirely boring and normal photo, with one major exception lurking. That pic of your nice new sofa in the front room? There’s a letter on the shelf with your bank statement on it. The Instagram-worthy snap of your meal? You can see a reflection of confidential work information on your laptop in the mirror. Finally received that delivery you’ve been waiting on and Tweeted it out? You left the label with your address on the box.

We let our guard down in places we trust. This often proves disastrous for people who prefer to remain a little bit anonymous on social media. The TMI selfie is usually brought to light by helpful followers of whoever happens to post it. Interestingly, unlike the credit card snaps, these usually get deleted swiftly. That’s definitely a good thing.

Keeping it safe on social

These are the social media sins which frequently have a negative impact on people’s lives when they least expect it. By avoiding them, you’re encouraging solid security and safety practices in all aspects of your life both offline and on. If you can think of others, we’d love for you to add some of your own in the comments.

The post Don’t post it! Six social media safety sins to say goodbye to appeared first on Malwarebytes Labs.

Slack hurries to fix direct message flaw that allowed harassment

The enormous work messaging platform Slack quickly reversed course yesterday, promising to revise a brand-new direct message feature that could have been misused for harassment.

Added to the company’s “Slack Connect” product—which lets enterprise users share messages with contract workers and third-party partners outside their company—the new “direct message” feature allowed paying Slack users to message anyone outside of their company or organization, so long as they had another person’s email address. The messages came attached to an invite, but as many tech news outlets and concerned online users noted, there was no way for recipients to block the invites, or to block the content of the messages that came attached to the invites.

As Twitter product employee Menotti Minutillo said on Twitter, the implementation of Slack Connect DMs meant that malicious users could send repeated DM invites with harassing language, and that Slack would also email the DM’s recipient with the invite, including the harassing language. DM recipients would also have trouble blocking those emails as they came from a generic email address, too, Minutillo said.

Further, according to TechCrunch, the Slack Connect DM feature is opt-in at the organizational level, meaning that individual employees could not, alone, override their company’s decision, should it choose to enable the feature.

Less than 24 hours after Slack Connect DM’s full release, Slack realigned. According to Slack Vice President of Communications and Policy Jonathan Prince, the company will disable the capability to customize messages that are attached to Slack Connect DM invites.

Prince’s full statement is as follows:  

 “After rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. We are taking immediate steps to prevent this kind of abuse, beginning today with the removal of the ability to customize a message when a user invites someone to Slack Connect DMs. Slack Connect’s security features and robust administrative controls are a core part of its value both for individual users and their organizations. We made a mistake in this initial roll-out that is inconsistent with our goals for the product and the typical experience of Slack Connect usage. As always, we are grateful to everyone who spoke up, and we are committed to fixing this issue.”

Slack’s quick work to fix the problem is appreciated, but it is curious that the company did not catch the problem before the full rollout. The company has already faced complaints about the limited features in the free version of its platform, which allows users to visibly show harassing language without even having to actually write and send messages. This is because Slack automatically sends notifications when new users join a thread, so if those new users stylize their username to be an insult, then the users in that thread will receive a notification that includes that language.

Further, the problem of harassment on messaging platforms is far from new. On the Lock and Code podcast, when we spoke with Electronic Frontier Foundation’s Director of Cybersecurity Eva Galperin, Galperin warned about this very issue.

“Primarily, the onus for making safe platforms, is on the makers of the platforms,” Galperin said. “And so, if there are people who are listening to this podcast, who are developing software or who are developing platforms or services for commercial use, I encourage them to think about how their tool will be used for harassment.”

Galperin provided specific guidance for any platform with messaging capabilities. She said that those platforms should make it possible for users to not use their real names, and for users to block other users or to mute certain keywords. This setup, Galperin said, is beneficial for both the user and the company.

“If you give the power to the users, then they can decide what is harassment and what is abuse, and it really takes the onus off the platform to be judge, jury, and executioner for every communication that somebody has online.”

Unfortunately, Slack users could not block users—and in fact the company has pushed back against such a feature for years—or mute keywords, and users would have trouble filtering out emails from Slack’s generic email addresses that included the DM invites and the accompanying messages.

These may sound like high-level discussions that are difficult to forecast, but there is actually a far simpler way to look at the problem. To borrow the words of Twitter user @geekgalgroks, a developer and accessibility advocate:

“Seriously with every new messaging system and feature ask yourself if people can send unsolicited dick pics and if those receiving them can block the sender.

Because it will happen.”

The post Slack hurries to fix direct message flaw that allowed harassment appeared first on Malwarebytes Labs.

Perkiler malware turns to SMB brute force to spread

Researchers at Guardicore have identified a new infection vector being used by the Perkiler malware where internet-facing Windows machines are breached through SMB password brute force.

Perkiler is a complex Windows malware with rootkit components that is dropped by the Purple Fox exploit kit (EK) and was spread by phishing campaigns.

What is SMB?

Server Message Block (SMB), aka Common Internet File System (CIFS), is the network protocol that enables file exchanges between Microsoft Windows computers. You will find it wherever Windows computers are sharing printers, files, and sometimes remote control. By default, SMB is configured to use ports 139 and 445.

SMB vulnerability history

SMB has a history of being used by malware (coupled with a history of being enabled by mistake and exposed to the Internet by accident). The most famous example of SMB-exploiting malware is WannaCry. This worm-like outbreak spread via an operation that hunted down vulnerable public facing SMB ports and then used the EternalBlue exploit to get on the network, chained with the DoublePulsar exploit to establish persistence, and allow for the installation of the WannaCry ransomware.

What are brute force attacks?

A brute-force password attack is a relentless attempt to guess the username and password of one or more systems. As it sounds, a brute-force attack relies on force rather than cunning or skill: It is the digital equivalent of throwing everything and the kitchen sink at something. Some attacks will try endless combinations of usernames and passwords until finding a combination that works, others will try a small number of usernames and passwords on as many systems as possible.

Brute force attacks are usually automated, so they don’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system-specific property, an attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and wait to get notified when one of the systems has swallowed the hook.

Not a new infection method

The fact that the researchers found the Perkiler malware attacking Windows machines through SMB password brute force came as something of a surprise. Not because of the SMB brute force per se. SMB has always been brute forced, but why would you bother when you have:

  • EternalBlue that allows you to own every single unpatched SMB server without going through the brute force routine.
  • A few million RDP ports you can brute force with a potentially bigger gain. Remote desktop is exactly what the name implies, an option to remotely control a computer system. Which is much more interesting to an attacker than just being able to drop a file on an SMB server.

The answer to this question remains a mystery for now. Maybe they are planning ahead for when the number of vulnerable RDP servers dries up.

Using compromised machines

Perkiler uses a large network of compromised servers to host its dropper and the payloads. Most of these are compromised Windows servers running Microsoft IIS version 7.5 and Microsoft FTP, which are known to have multiple vulnerabilities of varying severity.

The rootkit

Once a machine is infected with the new variant of Perkiler, it reboots to load the rootkit that’s hidden inside the encrypted payload. The purpose of this rootkit is to hide various registry keys and values, files, etc. Ironically enough, the hidden rootkit was developed by a security researcher to conduct various malware analysis tasks and to keep the research tasks hidden from the malware.

Infected machines

Once the machine is restarted, the malware will be executed as well. After its execution, the malware will start its propagation process: the malware will generate IP ranges and start scanning them on port 445. When a machine responds to the SMB probe on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords, or by trying to establish a null session.

One interesting detail is that the malware will install an IPv6 interface on the infected machine to allow the malware to port scan IPv6 addresses as well as to maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets.
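As an added defender-side example (not Guardicore’s or Malwarebytes’ code), the logic below flags the two SMB authentication behaviours described above, password brute force and null sessions, over constructed Windows logon events in a simplified pipe-separated format; the event IDs, logon type and NTSTATUS codes are real, the records themselves are made up.

```python
"""Flag SMB password brute force and null sessions in Windows logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, loosely shaped like Windows Security events 4625
# (failed logon) and 4624 (successful logon), pipe-separated:
# time | event id | account | logon type | source IP | status.
# Logon type 3 is a network logon, which is what SMB authentication on
# port 445 produces. 0xC000006A (bad password) and 0xC0000064 (unknown
# user) are real NTSTATUS codes carried in 4625 events; the rest is made up.
SAMPLE_EVENTS = """\
2021-03-24T10:00:01|4625|administrator|3|198.51.100.7|0xC000006A
2021-03-24T10:00:02|4625|admin|3|198.51.100.7|0xC0000064
2021-03-24T10:00:02|4625|administrator|3|198.51.100.7|0xC000006A
2021-03-24T10:00:03|4625|guest|3|198.51.100.7|0xC000006A
2021-03-24T10:00:04|4625|administrator|3|198.51.100.7|0xC000006A
2021-03-24T10:00:05|4625|backup|3|198.51.100.7|0xC0000064
2021-03-24T10:00:09|4624|administrator|3|198.51.100.7|-
2021-03-24T10:00:10|4624|ANONYMOUS LOGON|3|203.0.113.9|-
2021-03-24T10:05:00|4625|jsmith|2|-|0xC000006A
2021-03-24T11:30:00|4625|jsmith|3|192.0.2.44|0xC000006A
"""


def parse_events(text):
    """Turn the pipe-separated records into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, logon_type, src, status = (f.strip() for f in line.split("|"))
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "account": account, "logon_type": int(logon_type),
                       "src": src, "status": status})
    return events


def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed network logons inside any
    `window`, mapped to the sorted set of account names they tried."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3 and e["src"] != "-":
            failures[e["src"]].append(e)
    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        recent = deque()  # sliding window of failures from this source
        for e in evs:
            recent.append(e)
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                hits[src] = sorted({x["account"] for x in evs})
                break
    return hits


def detect_null_sessions(events):
    """Sources that obtained an anonymous network logon, i.e. a null session."""
    return sorted({e["src"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 3
                   and e["account"].upper() == "ANONYMOUS LOGON"})


def detect_success_after_bruteforce(events, hits):
    """Brute-forcing sources that then logged on for real: a guess worked."""
    return {e["src"]: e["account"] for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["src"] in hits and e["account"].upper() != "ANONYMOUS LOGON"}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    hits = detect_smb_bruteforce(evs)
    print("brute force:", hits)
    print("null sessions:", detect_null_sessions(evs))
    print("compromised:", detect_success_after_bruteforce(evs, hits))
```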

Mitigation

In theory, brute force password attacks conducted over the Internet can be defeated by even moderately strong passwords (six characters should be enough). However, even the threat of big-game ransomware using RDP brute force attacks hasn’t been enough to get people using stronger passwords. And if the prospect of facing a $50 million ransom isn’t enough motivation, it’s hard to see anything else working.

Luckily there are other, easier ways to blunt brute force attacks. The best defence of all is to remove the SMB (or RDP, or anything else) service from the Internet entirely, if possible, or to put it behind a VPN protected by two-factor authentication if it isn’t possible.

The post Perkiler malware turns to SMB brute force to spread appeared first on Malwarebytes Labs.

Software renewal scammers unmasked

We’ve been tracking a fraudulent scheme involving renewal notifications for several months now. It came to our attention because the Malwarebytes brand as well as other popular names were being used to send fake invoices via email.

The concept is simple but effective. You receive an invoice for a product you may or may not have used in the past, for an unusually high amount. Feeling upset or annoyed, you call the phone number provided to dispute the charge and ask for your money back.

That was your first mistake. The second is letting strangers access your computer remotely for them to uninstall the product in order to avoid the charge. Before you know it your computer is locked and displaying random popups.

In this blog, we follow the trail from victim to scammer and identify one group running this shady business practice.

Fake renewal notifications

We’ve received a number of similar reports from people that have been scammed or simply wanted to alert us. It starts from an email using branding from a number of security companies, although in this blog we will focus on those that impersonate Malwarebytes.

The email includes an invoice renewal for the product stating that it has already been processed via credit card. The amount usually is in the $300 to $500 range, which is a lot more than what we normally charge.


The scammers are hoping victims will call them to dispute the automatic renewal. In the heat of the moment, most people would not think to check their bank or credit card statement instead.

This scheme is essentially a lead generation mechanism, just like what we see with fake browser alerts (browlocks). It just happens to use a different delivery vector (email) and is perhaps just as, if not more effective.

Remote access and sales pitch

Victims are instructed to visit a website to give the ‘technician’ access to their computer. The reason given is that the service needs to be uninstalled first before a refund can be granted.

In this instance, the scammers asked us to visit zfix[.]tech, a website linking to a number of remote access programs. They asked us to download TeamViewer and share the ID and password so they could connect.


They also quietly downloaded and installed another program (SupRemo) to maintain unattended access. This means that even if you shut down TeamViewer, the scammers can still connect to your computer whenever they feel like it.


The next part of the scheme is interesting because it shows how the fraudsters are able to extort money from their victims. Since the renewal email is fake they have to find a way to trick you into paying them even if you refuse to.


The scammers take to their favorite tool, notepad, to start typing away about the risks of not renewing the service. They particularly insist on the fact that the computer may not work anymore if they proceed.

Locking up the machine

Scammers have been known to lock victims’ machines on numerous occasions. They typically use the SysKey Windows utility to set a password that only they know.

In this case, they used a different technique. Working behind the scenes, they downloaded a VBS script onto the machine which they placed into the Startup folder.


The Startup folder location is a loading point that can be abused easily because it can trigger code to run when the system loads Windows. Unsurprisingly, before parting ways, the scammers asked us to restart the machine to complete the uninstallation process.


After a restart, we see an alert dialog about the Windows license being out of date. This message keeps on showing despite clicking the OK button and also starts to open a number of browser windows to mimic some kind of malware infection.


At this point, you might be tempted to call the number for help but this would end in paying hundreds of dollars to fraudsters. There is a way to restore your computer safely which we cover in the next section.

Disabling the locking script

The first thing to do is disconnect your machine from the Internet. If it is connected to the modem with a cable, unplug it; otherwise simply turn off the modem or your WiFi access point.

Then proceed to disable the script:

  • Ctrl+Alt+Delete
  • Select Task Manager
  • Select Microsoft Windows Based Script Host
  • Click ‘End task’

Then delete the script:

  • Click ‘More details’ (if needed) in Task Manager
  • Choose ‘Run new task’
  • Type explorer in the box

Your Desktop will be visible again, allowing you to browse to:

C:\Users\[your username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

From there, delete the WIN LICENSE.vbs file.
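As an added check (example code, not from the original post), the script below audits the per-user Startup folder named above for files Windows would run as a script at logon, such as the WIN LICENSE.vbs dropped here; it also flags double extensions, which the post does not discuss. The folder path is built from the APPDATA variable, and the directory used in testing is constructed.

```python
"""Audit the per-user Startup folder for files that run as code at logon."""
import os
from pathlib import Path

# File types that Windows runs directly from the Startup folder at logon,
# through Windows Script Host (wscript.exe), cmd.exe, PowerShell or mshta.
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".bat", ".cmd", ".ps1", ".hta"}
# Shortcuts and the folder's own metadata file are the expected contents.
EXPECTED_SUFFIXES = {".lnk", ".ini", ".url"}


def default_startup_folder():
    """Per-user Startup folder, built from %APPDATA% (the path quoted above).
    Falls back to the conventional location when the variable is unset."""
    appdata = os.environ.get("APPDATA") or str(Path.home() / "AppData" / "Roaming")
    return Path(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def scan_startup_folder(folder):
    """List files in `folder` that would execute as code at logon.

    Returns a list of {"name", "size", "reason"} dicts. Shortcuts and
    desktop.ini are skipped; script-host files are reported, as is any
    other unexpected file type sitting in the folder."""
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        suffixes = [s.lower() for s in entry.suffixes]
        suffix = suffixes[-1] if suffixes else ""
        if suffix in EXPECTED_SUFFIXES:
            continue
        if suffix in SCRIPT_SUFFIXES:
            reason = f"script file ({suffix}) executed by the script host at logon"
            if len(suffixes) > 1:
                # e.g. report.pdf.js: the visible ".pdf" hides the real type
                reason += "; double extension hides the real type"
        else:
            reason = f"unexpected file type ({suffix or 'none'}) in Startup"
        findings.append({"name": entry.name, "size": entry.stat().st_size,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    folder = default_startup_folder()
    if folder.is_dir():
        for finding in scan_startup_folder(folder):
            print(f"{finding['name']} ({finding['size']} bytes): {finding['reason']}")
    else:
        print(f"Startup folder not found: {folder}")
```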

Identifying the scammers

We don’t always get too many details from scammers that could help us to identify who they are, but sometimes with luck, skill and tools like HYAS Insight we can shed light on adversary infrastructure. Here the scammers left a few trails with the VBS script but more importantly the first website we visited to download remote access software.

We were able to identify the registrant behind the zfix[.]tech domain as being Aman Deep Singh Sethi using the aman.techsquadonline@gmail[.]com email address. Pivoting on the associated phone number [+9]19810996265 we uncovered a larger piece of their scamming infrastructure as well as an associate named Swinder Singh.

Both individuals are registered as directors of a company in New Delhi called Lucro Soft pvt located at 14/28, F/F SUBHASH NAGAR NEW DELHI West Delhi DL 110027.


Although this company was incorporated in 2018, the scammers have been active since at least 2015 and used several different domain names and identities. We are blocking this infrastructure and reporting it for takedown as well. If you would like more information about this group, please get in touch with us.


An active scheme

This particular scheme has been very active for the past few months and it is difficult to estimate how many people fell victim to it.

Tech support scams have been around for many years and continue to be a huge problem, in part because of the lack of action on the ground in the places where they are known to operate.

However, there is also a strong community out there that is pursuing scammers and giving back to victims. The likes of Jim Browning who made headlines for his hacking into the CCTV of a call centre are doing a tireless job. For this investigation, we used a Virtual Machine that was made by @NeeP that mimics a normal user desktop.

If you are a Malwarebytes customer and have any questions about your renewal, please visit our official page here.

Indicators of Compromise

Emails:

aman.techsquadonline@gmail[.]com
aman.bigrock1@gmail[.]com
aman.bigrock2@gmail[.]com
aman.bigrock3@gmail[.]com

The post Software renewal scammers unmasked appeared first on Malwarebytes Labs.

The human impact of a Royal Mail phishing scam

Last week, we looked at a Royal Mail themed scam which has very quickly become the weapon of choice for phishers. It’s pretty much everywhere at this point. Even one of my relatives with a semi-mystical ability to never experience a scam ever, received a fake SMS at the weekend.

The problem with common attacks is we grow complacent, or assume it isn’t really a big deal. Sadly, they’re always going to be a problem for someone. It doesn’t matter how tech-savvy you are, nothing is bulletproof. Anybody, including myself, can be caught out by a momentary lapse in concentration.

People who lose out to internet fakery often feel guilty, or assume that they messed up somehow. Nobody wants to be laughed at via internet shenanigans. I’d like to think most folks are sympathetic when people are brave enough to speak out.

“Surely people don’t fall for these things” is a well worn refrain. Sadly they do, and one such person spelt out the awful cost last Sunday. They had indeed received a bogus Royal Mail text, and entered their payment details into the phishing page. How bad could things get?

We’re about to find out.

Things have gotten: very bad

The victim was asked for a bogus £2.99 postage fee last Friday, having not seen the scam warnings circulating online. Below is an example of the scam that Malwarebytes Labs received:

The text of the Royal Mail scam

Royal Mail: Your package Has A £2.99 shipping Fee, to pay this now please visit www[dot]royalmail-shippingupdate[dot]com. Your package will be returned if fee is unpaid

In our last post about it, we pointed out that these scams work because with so much online ordering going on during this cardboard-laden pandemic, people aren’t 100% sure what’s due to arrive. And that means speculative messages about fake parcels have a good chance of success.

A similar thing happened here. If the target wasn’t due a birthday, the scam may not have worked on them. But the message will have gone to lots of people, and one of them, perhaps many, will have been expecting a delivery. As it was, they were expecting “a couple of packages” and so “thought nothing else of it”.

This is absolutely the key moment where the battle was already lost.

The scam asks recipients to pay a £2.99 GBP fee, but of course the scammers are after much more. To pay the fee, the victim has to enter their personal details, and credit card details.

Scammers get to work

The victim’s bank accounts were compromised very quickly, and the phishers wasted no time at all in going for gold. A day or so after they paid the bogus fee, the bank contacted the victim to let them know what had gone wrong. As it turns out, quite a lot:

  • Multiple direct debits (recurring billing) for mobile phone companies and technology stores
  • Transactions of £300 for the Argos store
  • Debit cards for banking cancelled, with new ones issued as replacements
  • Brand new sort code / account numbers for her bank account, as those had been given to the phishers too

This is really bad news for the victim, and a massive inconvenience. Don’t forget the pandemic impact here, either. At a time when the ideal option is cashless / card payments only, this person now has no cards and no easy way to withdraw money either.

If this had been where it ended, that would be bad enough. However, things were sadly about to get worse.

Phished by phone

The bank phoned the victim asking them to transfer their money into their “replacement” account. I’m sure you can already see where this is going wrong. No bank is going to cold call a scam victim, and also ask them to start transferring money. Why can’t the bank do it?

The answer, unfortunately, is that the bank can do it. This cold caller was a scammer armed with details gathered from the scam page a day or so prior. The follow up strike gave the individual, who was already reeling from rapidly losing lots of money, no time to regain some balance or get their game face on. If this call had come a week or so after the initial phish, the next few paragraphs would possibly look quite different.

From bad to worse

Good news: the victim asked the person on the call to verify their bank credentials. Bad news: they forgot the phisher already had access to everything in their account. As a result, they listed account balances and other information to keep everything nice and convincing.

Two smaller transactions were sent to the “new” account, at which point the victim realised they were being scammed all over again. Every penny they had to their name was gone.

Having the wool pulled over your eyes once is bad enough. To then hand over cash to the scammers by telephone is the icing on a very bitter cake. So-called safe account scams are quite the pain, and this is what caught them out the second time around.

A simple phish, a massive problem

There is no real happy ending to this tale currently, outside some reassurance the victim will probably get most or all of their money back. Consider that this person’s nightmare scenario began with a simple, believable, SMS message claiming a package was being held.

A few keystrokes, some brief personal information entered on a phishing site with Royal Mail branding, and they’ve been plunged into a situation which could take weeks or more to resolve. All that stress, in the middle of the never-ending pandemic. It’s an awful story, and a chilling insight into how much is at stake every single time a throwaway phish lands in your mailbox or SMS tray.

We wish Emmeline all the best in recovering her money and commend her for her courage in coming forward and showing the true cost of these scams.

The post The human impact of a Royal Mail phishing scam appeared first on Malwarebytes Labs.

When contractors attack: two years in jail for vengeful IT admin

An IT contractor working for an IT consultancy company took it upon himself to perform an act of revenge against the firm he worked at, after they complained about his performance. The charge he faced was breaking into the network of a company in Carlsbad, California. And it got him two years in prison.

What happened?

Deepanshu Kher was helping a client to transition to a Microsoft Office 365 environment. But apparently the client company was so displeased with Kher’s performance that they complained about it to the consultancy company that despatched him. As a consequence, Kher got laid off and went back to India.

Some two months later, once he was outside of the US, Kher decided to infiltrate the California firm’s servers and deleted over 80% of employee Microsoft Office 365 accounts.

The aftermath

As employees were suddenly unable to access emails, contacts, calendars, stored documents, as well as Microsoft’s Virtual Teams remote management platform, they were unable to do their jobs. It took the company two days to get back in full swing. But all kinds of IT-related issues persisted for three more months after the cyberattack.

The arrest

The company informed the FBI about the incident and it wasn’t all that hard to figure out who the culprit was. Unaware of the outstanding warrant for his arrest, Kher was arrested while flying from India to the US. US District Court Judge Marilyn Huff charged Kher with intentional damage to a protected computer, a crime which can lead to up to 10 years in prison and a $250,000 fine.

Insider threat

The CERT Definition of an insider threat is:

 “Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

Kher did have credentialed access to the network and the Office 365 environment as part of his job, and he certainly acted in a way that negatively affected the company. So we see this as an insider threat, even though he was no longer working for the victim.

Controlling insider incidents

While cybersecurity education and awareness are initiatives that every organization must invest in, there are times when these are simply not enough. Such initiatives may decrease the likelihood of accidental insider incidents, but not for negligence-based incidents, professional insiders, or other sophisticated attack campaigns. Organizations must implement controls and use software to minimize insider threat incidents.

The controls

Controls keep an organization’s system, network, and assets safe. They also minimize the risk of insider threats. Below are some controls organizations may want to consider adopting:

  • Block harmful activity. This includes preventing access to particular websites, or stopping employees from downloading and installing certain programs.
  • “Allow list” applications so that everything is blocked until and unless it is specifically allowed. This includes the file types of email attachments employees can open.
  • Use the principle of least privilege and give employee accounts the access they need, and nothing more.
  • Apply the same principle to data access, so data is only available to people whose job requires it—organizations should focus on this, too, when it comes to their telework or remote workers.
  • Put flags on old credentials. Former employees may attempt to use the credentials they used when they were still employed.
  • Create an employee termination process.

The last two points in particular could have helped prevent this incident. Both the consultancy company and the victim could have acted on this, or taken steps when they realised that Kher was unhappy about being laid off. But when two entities are both supposed to do something, each often expects the other to do it, with the end result that neither does.
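As an added example (not from the original post), the two controls singled out above can be turned into a check: given an offboarding register with each account’s last authorised day and a stream of sign-in events, flag any use of a credential after its owner’s access should have ended, and list offboarded accounts that were never disabled. Account names, dates and the event format are constructed.

```python
"""Flag use of old credentials and unfinished offboarding from sign-in logs."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed offboarding register: account -> last day its access was authorised.
OFFBOARDED = {
    "contractor01": date(2018, 6, 15),
    "jdoe": date(2018, 7, 1),
}

# Constructed sign-in log, pipe-separated: time | account | outcome | source IP.
SIGNINS = """\
2018-06-14T09:12:00|contractor01|success|10.0.0.5
2018-06-30T17:00:00|jdoe|success|10.0.0.9
2018-07-02T08:00:00|jdoe|failure|10.0.0.9
2018-08-10T02:03:00|contractor01|success|203.0.113.77
2018-08-10T02:05:00|contractor01|success|203.0.113.77
2018-08-11T10:00:00|asmith|success|10.0.0.12
"""


def parse_signins(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, outcome, src = (f.strip() for f in line.split("|"))
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "outcome": outcome, "src": src})
    return events


def stale_credential_use(signins, offboarded, grace=timedelta(0)):
    """Sign-ins by an offboarded account after its end date (plus `grace`),
    grouped by account. Failed attempts count too: a former user trying an
    old password is exactly the signal this control is meant to raise."""
    flagged = defaultdict(list)
    for e in signins:
        end = offboarded.get(e["account"])
        if end is None:
            continue  # not a former user; nothing to compare against
        cutoff = datetime.combine(end, datetime.max.time()) + grace
        if e["time"] > cutoff:
            flagged[e["account"]].append(e)
    return dict(flagged)


def termination_gaps(offboarded, enabled_accounts, today):
    """Offboarded accounts still enabled after their end date: the termination
    process was never completed, so the credential is waiting to be reused."""
    return sorted(a for a, end in offboarded.items()
                  if a in enabled_accounts and today > end)


if __name__ == "__main__":
    events = parse_signins(SIGNINS)
    for account, uses in stale_credential_use(events, OFFBOARDED).items():
        for e in uses:
            print(f"{e['time']} {account} {e['outcome']} from {e['src']} "
                  f"(access ended {OFFBOARDED[account]})")
    # Constructed directory state: contractor01 was never disabled.
    print("never disabled:", termination_gaps(OFFBOARDED, {"contractor01", "asmith"},
                                              date(2018, 8, 11)))
```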

Worst case scenario

This was not a worst-case scenario. The contractor had access to one specific, albeit vital, part of the organization. I’m sure you can imagine someone in your organization who could do a lot more harm than that if they wanted to. Remember that when you part ways in the future. If they no longer work for you, they should not have access to your network.

Stay safe, everyone!

The post When contractors attack: two years in jail for vengeful IT admin appeared first on Malwarebytes Labs.