IT NEWS

Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book

The number of scams, threats, and malware campaigns taking advantage of public concern over the coronavirus is increasing each day. As a result, we’ve been actively monitoring emails within our spam honeypot to flag such threats and make sure our users are protected.

Yesterday, we observed a phishing campaign similar to malspam previously discovered by MalwareHunterTeam, which impersonates the World Health Organization (WHO) and promises the latest on “corona-virus.” Right off the bat, the incorrect use of a hyphen in “coronavirus” in the subject line could tip off users with a critical eye for grammar. However, since WHO are often touted as a trustworthy and authoritative resource, including by our own blog, many will be tempted to open the email.

In this particular campaign, threat actors use a fake e-book as a lure, claiming the “My Health E-book” includes complete research on the global pandemic, as well as guidance on how to protect children and businesses.


The criminals behind this scheme try to trick victims into opening the attachment, contained in a zip file, by offering teaser content within the body of the email, including:

Guidance to protect children and business centre;

This guidance provides critical considerations and practical checklists to keep Kids and business centre safe. It also advises national and local authorities on how to adapt and implement emergency plans for educational facilities.

Critical preparedness, readiness and response actions for COVID-19;

WHO has defined four transmission scenarios for COVID-19. My Health E-book describes the preparedness, readiness and response actions for each transmission scenario.

The email content goes on to tell readers that they can download and access the e-book from Windows computers only.

Instead, as soon as they execute the file inside the MyHealth-Ebook.zip archive, malware will be downloaded onto their computers. As seen in the previous wave of spam, the malicious code is for a downloader called GuLoader.

GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.

While the threat actors are improving on the campaign’s sophistication by building reputable-sounding content within the body of the email, a closer examination reveals small grammatical errors, such as:

You are now receiving this email because your life count as everyone lives count.

This, combined with other minor formatting and grammar mistakes and a mix-and-match selection of fonts, makes this clever phishing scheme, upon closer examination, a dud. Still, many have fallen for far more obvious ploys.

With a huge swath of the population now confined to their homes but working remotely, the risk of infecting a highly-distributed network is increasing. That’s why it’s more important than ever to use a discerning eye when opening work or personal emails, as employee negligence is one of the top indicators of a successful cyberattack or data breach.

Malwarebytes home and business customers were already protected against this malspam campaign and its associated payloads.

Indicators of compromise

GuLoader

de1b53282ea75d2d3ec517da813e70bb56362ffb27e4862379903c38a346384d

FormBook URL

drive.google[.]com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE

The post Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book appeared first on Malwarebytes Labs.

Child identity theft, part 2: How to reclaim your child’s identity

In a world where children as young as a single day old can fall prey to fraud, it is more important than ever to educate parents and other caretakers about the dangers of child identity theft. While the hope is that perceptions can be changed and criminals brought to justice, likely the biggest concern for parents is how to reclaim their child’s identity, should they ever be in such an unfortunate position.

That is, unless the parents or guardians are the ones behind the fraud in the first place. In part 1 of our series on child identity theft, we talked about familiar fraud—fraud committed by someone who personally knows the victim—and how children are increasingly being targeted for this crime. We also touched on the repercussions of familiar fraud in the lives of kids and their families.

In part 2 of our series, we look at turning back the tables and reclaiming your child’s identity, whether it’s been stolen by a stranger or someone who knows them. In addition, we highlight the signs your child’s information might be compromised and how parents or guardians can better protect their data.

Signs of child identity compromise

When it comes to figuring out if a child’s identity has been compromised and is being used, thankfully, there are telltale signs that parents and guardians can look out for. These signs are displayed both in the real world and the digital world. They include:

  • Physical mail arriving at your home that is addressed to your child. These include card applications, banking statements, and credit card or insurance applications for accounts under their name, and they’re the most obvious sign of compromise. Your child may also receive a notice from the IRS either because of unpaid income taxes or having multiple tax returns filed under their SSN.
  • Phone calls received from collection agencies directed to your child.
  • If the landline has a caller ID, your child’s name may appear on it. This indicates that someone has stolen and is misusing their information.
  • A turned-down application for a government benefit for your child. This is because someone with the same SSN as your child may already be benefiting from it.
  • Bank turning down an account application for a child due to the negative credit score associated with the child’s SSN.
  • Important documents of your child suddenly going missing, including their SSN card and birth certificate.
  • In addition, the Identity Theft Resource Center (ITRC) has listed several documents that may suddenly show up—or, in certain cases, not show up—that potentially give away active ID theft activity.

How to reclaim your child’s identity

Reclaiming a stolen identity takes a lot of work. This is true whether the victim is an adult or a child. And the length of time spent undoing the harm to your child’s reputation potentially correlates with how long the fraud has been taking place before it was identified and acted upon.

If you, dear parent or guardian, have seen any of the telltale signs of identity fraud, immediately contact the top credit bureaus to freeze your child’s credit until they are old enough to enter into a contract. Doing so means that these reports will be taken out of circulation.

A credit report for a child is normally non-existent, but if one is found, the parent or guardian should contact an organization that deals with child identity theft, such as the Identity Theft Report. If a parent would only like to take an extra precaution, they can ask the credit reporting agencies (CRAs), which are Experian, Equifax, TransUnion, or other smaller bureaus, to create their child’s credit report and freeze it.

It is equally important for parents and/or guardians to keep the PIN that each of these credit bureaus has assigned to them.

Beyond freezing and receiving credit reports, other important steps for reclaiming your child’s identity include:

  • Contacting any companies where fraudulent accounts in your child’s name were opened. Tell the fraud department about what happened, and ask them to close the account and send a letter confirming your child isn’t liable. If necessary, send a letter explaining your child is a minor who can’t enter into contracts and attach a copy of their birth certificate.
  • For parents in the United States, contacting the Federal Trade Commission (FTC) at IdentityTheft.gov or calling 877-ID-THEFT to report the fraud.

How to protect your child’s identity

In the Experian survey report mentioned in part 1 of our series, more than half of victims (63 percent) wished that their parents had done more to protect them from potential fraud. Interestingly, 61 percent of parents felt the same way.


Awareness of the risks and underlying dangers of child identity theft is something parents should be actively practicing. To avoid opening an opportunity for fraudsters to take advantage of your child’s information, here are some tips:

  • Don’t carry your child’s SSN card. There is no need—keep it safe at home instead.
  • Know when your child’s SSN is really needed when applying for something on their behalf. Schools, for example, don’t ask for a child’s SSN, so there is no need to provide it.
  • When throwing out mail or documents with your personal information or your child’s, shred them before disposing.
  • You may also want to consider getting your child another form of identification, such as a passport or a state identification card.
  • If you receive news of your child’s school getting breached, don’t hesitate to call the school and ask for more information.
  • Inquire about your child’s school directory information policy. Directory information contains a lot of personally identifiable information (PII) about a child, and sometimes such information is shared outside of the school. Parents and/or guardians can either inform the school that they shouldn’t share their child’s information without their express consent, or opt out of having their information shared.
  • Keep all important documents of your child in a safe and secure place.

Early detection is key. Getting acquainted with the red flags and keeping an eye out for them can nip fraud in the bud. Not only that, it makes reclaiming and restoring a child’s identity a little easier—emotionally, mentally, and financially.

Half of Experian respondents with children who have been victimized by fraud have learned the hard way not to share personal information with family. Some have also started actively checking credit scores and enrolling for identity theft protection services.


The things we leave behind

It’s easy for adults to forget that, like them, children have data and information that needs protecting, too. And even if their children are too young to use a computing device, they still have digital footprints. The reason? Mom and Dad or other legal guardians leave them behind. Unfortunately, it is unavoidable.

Mom needs to schedule a doctor’s appointment for the little one’s check-up, so she uses her healthcare app. Proud dad shares short clips of his bundle of joy with Aunt Martha, who lives far away and couldn’t visit the newborn in hospital. And before all of this, Mom and Dad announced the pregnancy to all their social media channels.

Sadly, the very activities that give us joy and make tasks convenient can also leave behind breadcrumbs that identity thieves can sniff out and follow. Rarely do parents or guardians stop to think about how their sharing can impact their child’s digital life.

Take, for example, baby pictures you may have shared on social media. They may contain metadata pointing to the location where they were taken. Or when you made that public announcement about your baby on the way: Did you also reveal their name? Fraudsters can easily glean from this information the baby’s full name and location. If they don’t have the child’s SSN yet, they can easily pair it with another SSN to create a synthetic identity.

This isn’t to say that parents and/or guardians should deprive relatives and friends of your little one’s adorable moments, or avoid entering any of their children’s information online. Just be mindful when doing so. Share privately by making use of your social network’s privacy settings. Also caution or remind your relatives and friends to avoid re-sharing media you post to others without your consent.


We’re all in this together

In this age of data breaches, it is easy for us to focus on the security of our own data. But let us be aware that kids and young adults are becoming more of a target, too. Children, especially, are blank slates—a highly-prized quality for someone with access to their information and with malicious intent. Hackers are after them; yet often, it’s those that are closer to them who cause the greatest harm—sometimes without knowing they are doing it. Worse, more than one person could be fraudulently using an innocent child’s identity.

While parents and guardians are advised to be equally vigilant in protecting the data of their children—biological and adopted ones—as much as their own or anyone else’s, we encourage any other responsible adult in the family to take part. If familiar fraud becomes a family problem, it should be a family affair to thwart it at all costs for the future of the most vulnerable in the household.

The post Child identity theft, part 2: How to reclaim your child’s identity appeared first on Malwarebytes Labs.

APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT

Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns.

Profiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have circulated online for more than a decade. According to reports from ZDNet, many state-sponsored threat actors have already started to distribute coronavirus lures, including:

  • Chinese APTs: Vicious Panda, Mustang Panda
  • North Korean APTs: Kimsuky
  • Russian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet)
  • Other APTs: Sweed (Lokibot)

Recently, the Red Drip team reported that APT36 was using a decoy health advisory document to spread a Remote Administration Tool (RAT).

APT36 is believed to be a Pakistani state-sponsored threat actor mainly targeting the defense, embassies, and the government of India. APT36 performs cyber-espionage operations with the intent of collecting sensitive information from India that supports Pakistani military and diplomatic interests. This group, active since 2016, is also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

APT36 spreads fake coronavirus health advisory

APT36 mainly relies on both spear phishing and watering hole attacks to gain its foothold on victims. The phishing email carries either a malicious macro document or an RTF file exploiting vulnerabilities, such as CVE-2017-0199.

In the coronavirus-themed attack, APT36 used a spear phishing email with a link to a malicious document (Figure 1) masquerading as the government of India (email.gov.in.maildrive[.]email/?att=1579160420).

Figure 1: Phishing document containing malicious macro code

We looked at the previous phishing campaigns related to this APT and can confirm this is a new phishing pattern from this group. The names used for directories and functions are likely Urdu names.

The malicious document has two hidden macros that drop a RAT variant called Crimson RAT. The malicious macro (Figure 2) first creates two directories with the names “Edlacar” and “Uahaiws” and then checks the OS type.

Figure 2: malicious macro

Based on the OS type, the macro picks either a 32-bit or 64-bit version of its RAT payload in zip format that is stored in one of the two textboxes in UserForm1 (Figure 3).

Figure 3: embedded payloads in ZIP format

Then it drops the zip payload into the Uahaiws directory and unzips its content using the “UnAldizip” function, dropping the RAT payload into the Edlacar directory. Finally, it calls the Shell function to execute the payload.
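A triage heuristic for the macro chain described above, added here as an example (not Malwarebytes code). It assumes the VBA source has already been extracted from the document (for instance with oletools' olevba) and scores it for the stages the post describes; the two VBA samples inside are constructed stand-ins that mirror the shape of the chain, not the real macro, and the stage weights are an assumption.

```python
import re

# Stages of the dropper chain described above, each with the VBA tokens that
# commonly implement it and a weight. Weights are an assumption of this example.
STAGES = {
    "autoexec":            (r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", 1),
    "creates_dirs":        (r"\b(MkDir|CreateFolder)\b", 2),
    "checks_os_bitness":   (r"PROCESSOR_ARCHITECTURE|ProgramW6432|#If\s+Win64|\bIs64Bit", 1),
    "payload_in_userform": (r"\bUserForm\w*\.\w*TextBox\w*", 3),
    "extracts_archive":    (r"\bShell\.Application\b|\bCopyHere\b|\b\w*zip\w*", 2),
    "executes_payload":    (r"\bShell\b(?!\.)|\bShellExecute\w*", 3),
}

# Both of these must be present for the "likely dropper" verdict: a payload
# embedded in a form control that is then handed to a process launcher.
CORE_STAGES = {"payload_in_userform", "executes_payload"}


def triage_vba(source: str) -> dict:
    """Score one VBA module: which stages appear, a weighted total and a verdict."""
    found = {}
    for stage, (pattern, _weight) in STAGES.items():
        match = re.search(pattern, source, re.IGNORECASE)  # VBA is case-insensitive
        if match:
            found[stage] = match.group(0)
    score = sum(STAGES[stage][1] for stage in found)
    if CORE_STAGES <= found.keys():
        verdict = "likely dropper"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "no dropper indicators"
    return {"stages": found, "score": score, "verdict": verdict}


# Constructed stand-in mirroring the described flow (directory creation, bitness
# check, payload read from UserForm1 text boxes, unzip helper, Shell). Not the
# real macro: it contains no payload and does nothing when run.
SUSPICIOUS_VBA = """\
Attribute VB_Name = "Module1"
Sub Document_Open()
    MkDir workDir
    If Environ("PROCESSOR_ARCHITECTURE") = "AMD64" Then
        blob = UserForm1.TextBox2.Text
    Else
        blob = UserForm1.TextBox1.Text
    End If
    UnAldizip zipPath, outDir
    Shell outDir & "\\p.exe", vbHide
End Sub
"""

# Constructed benign macro for contrast: it only formats a worksheet.
BENIGN_VBA = """\
Attribute VB_Name = "Module1"
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_VBA), ("benign", BENIGN_VBA)):
        result = triage_vba(src)
        print(f"{name}: {result['verdict']} (score {result['score']}) {result['stages']}")
```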

Crimson RAT

The Crimson RAT has been written in .NET (Figure 4) and its capabilities include:

  • Stealing credentials from the victim’s browser
  • Listing running processes, drives, and directories on the victim’s machine
  • Retrieving files from its C&C server
  • Using custom TCP protocol for its C&C communications
  • Collecting information about antivirus software
  • Capturing screenshots

Figure 4: Crimson RAT

Upon running the payload, Crimson RAT connects to its hardcoded C&C IP addresses and sends collected information about the victim back to the server, including a list of running processes and their IDs, the machine hostname, and its username (Figure 5).

Figure 5: TCP communications

Ongoing use of RATs

APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT.

In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters. They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details.

Protection against RATs

While most general users needn’t worry about nation-state attacks, organizations wanting to protect against this threat should consider using an endpoint protection system or endpoint detection and response with exploit blocking and real-time malware detection.

Shoring up vulnerabilities by keeping all software (including Microsoft Excel and Word) up-to-date shields against exploit attacks. In addition, training employees and users to avoid opening coronavirus resources from unvetted sources can protect against this and other social engineering attacks from threat actors.

Malwarebytes users are protected against this attack. We block the malicious macro execution as well as its payload with our application behavior protection layer and real-time malware detection.


Indicators of Compromise

Decoy URLs

email.gov.in.maildrive[.]email/?att=1579160420
email.gov.in.maildrive[.]email/?att=1581914657

Decoy documents

876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656
20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a

Crimson RAT

0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748

C2s

107.175.64[.]209
64.188.25[.]205

MITRE ATT&CK

https://attack.mitre.org/software/S0115/
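A small matcher that refangs the indicators listed above and checks log lines against them, added as an example and not Malwarebytes code. Only the indicator values come from the post; the proxy, firewall and EDR log lines are constructed, and their formats are assumptions.

```python
import re

# Indicators taken from the list above, in the defanged form the post uses.
DEFANGED_IOCS = {
    "decoy_url": [
        "email.gov.in.maildrive[.]email/?att=1579160420",
        "email.gov.in.maildrive[.]email/?att=1581914657",
    ],
    "decoy_doc_sha256": [
        "876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656",
        "20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a",
    ],
    "crimson_rat_sha256": [
        "0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010",
        "b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748",
    ],
    "c2_ipv4": ["107.175.64[.]209", "64.188.25[.]205"],
}


def refang(value: str) -> str:
    """Undo the usual defanging conventions so values compare against real logs."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


IOCS = {kind: {refang(v) for v in values} for kind, values in DEFANGED_IOCS.items()}

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://(\S+)")


def match_line(line: str) -> list:
    """Return (kind, indicator) pairs for every listed indicator seen in one log line."""
    ips = set(IPV4_RE.findall(line))
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    # The URL indicators on the page carry no scheme, so compare host+path only.
    urls = {m.group(1) for m in URL_RE.finditer(line)}
    seen = ips | hashes | urls
    return [(kind, v) for kind, values in IOCS.items() for v in sorted(values) if v in seen]


# Constructed sample logs (assumed formats): a proxy hit on the decoy URL, an
# outbound session to a listed C2, an EDR file event, and one benign request.
SAMPLE_LOGS = [
    "2020-03-16T10:02:11Z 10.0.0.12 GET http://email.gov.in.maildrive.email/?att=1579160420 200",
    "2020-03-16T10:05:40Z fw01 ACCEPT src=10.0.0.12:50213 dst=107.175.64.209:443 proto=tcp",
    "2020-03-16T10:04:02Z edr host=ws-12 file=C:\\Users\\a\\AppData\\Roaming\\x.exe "
    "sha256=0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010",
    "2020-03-16T10:06:00Z 10.0.0.12 GET https://www.who.int/ 200",
]


def scan(lines: list) -> dict:
    """Map the index of every line with a hit to its hits; clean lines are omitted."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(f"line {i}: {hits}")
```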

The post APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT appeared first on Malwarebytes Labs.

Lock and Code S1Ep2: On the challenges of managed service providers

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to two representatives from an Atlanta-based managed service provider—a manager of engineering services and a data center architect—about the daily challenges of managing thousands of nodes and the future of the industry.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research on:

  • International Women’s Day: Is awareness of stalkerware, monitoring, and spyware apps on the rise?
  • How a Rocket Loader skimmer impersonates the CloudFlare library in a clever scheme
  • Securing the MSP: What are the best practices for vetting cybersecurity vendors?
  • Remote security, aka RemoteSec, and how to achieve on-prem security levels with cloud-based remote teams
  • How the coronavirus has impacted security conferences and events, including which were cancelled, postponed, or switched over to virtual
  • The effects of climate change on cybersecurity

Plus, other cybersecurity news:

  • FBI warning: Hackers are targeting Office 365, G Suite users with business email compromise attacks. (Source: SiliconAngle)
  • How poor IoT security is allowing the 12-year-old Conficker malware to make a comeback. (Source: ZDNet)
  • Recently discovered spear phishing emails are using HIV test results as a scare factor. (Source: ThreatPost)
  • Talkspace threatened to sue a security researcher over a bug report, and forced him to take down a blog post. (Source: TechCrunch)
  • Independent testing found Google’s Play Protect to be poor on malware protection. (Source: Forbes)
  • Researchers found thousands of fingerprint files exposed in an unsecured database. (Source: CNET)
  • Researchers discovered a phishing page informing victims about fake Netflix service disruptions, supposedly due to problems with the victim’s payment method. (Source: Sucuri Blog)

Stay safe, everyone!

The post Lock and Code S1Ep2: On the challenges of managed service providers appeared first on Malwarebytes Labs.

The effects of climate change on cybersecurity

Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however, where security and climate change overlap, interlock, and influence one another. Let’s have a look.

To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing—and security within it—will continue to contribute to global warming.

The big energy consumers

There are a few fields in computing and cybersecurity that guzzle up huge amounts of energy and produce heat as a byproduct:

  • Supercomputers
  • Blockchain mining
  • Data centers
  • The Internet as a whole

Before you dismiss the problem of the supercomputers (because you assume there are only a few of them)—even I was astounded to find out that there are over 500 systems that deliver a petaflop or more on the High Performance Linpack (HPL) benchmark. Most of these supercomputers consume vast amounts of electrical power and produce so much heat that large cooling facilities must be constructed to ensure proper performance. But in recent years, vendors have started to produce supercomputers that are more energy efficient.

In 2019, the mining of Bitcoin alone consumed more energy than the entire nation of Switzerland, roughly a quarter of a percent of the world’s total energy consumption. There are many more blockchains and cryptocurrencies, although Bitcoin is by far the largest energy consumer among them. This is mostly due to their operation on the proof-of-work concept and the high value of Bitcoin.

While cybercrime experienced a huge jolt in cryptomining in 2018, the frenzy has mostly died down as Bitcoin value dipped and plateaued. However, cryptomining continues as both a legitimate and illegitimate activity—especially because miners can switch to other cryptocurrencies when Bitcoin drops off.

An even bigger impact on energy consumption are data centers, which already use over 2 percent of the world’s total energy consumption, and that number is expected to rise fast. The prediction is based on the growing number of content delivery networks (CDN), more Internet of Things (IoT) devices, the growth of the cloud, and other colocation services. So, not only do computer centers consume massive amounts of energy, their use is expected to grow astronomically.

The Internet can’t be completely separated from the data centers that enable it. But despite the overlap, it’s still worth mentioning that the total energy consumption of the Internet as a whole lies at around 10 percent, which is more than the world’s total energy production from renewable sources such as wind and solar.

However, it’s fair to note that the Internet has taken over a lot of tasks that would have cost more energy or created a greater carbon footprint if they had been performed in the “old ways.” Consider, for example, the energy saved by working remote: the energy expended on the Internet and inside one’s home is far less damaging than the carbon monoxide released into the atmosphere by fossil fuels from a daily commute to the office.

Global warming’s trickle down effects

Conversely, global warming and its effects on the climate, environment, and economy do have a direct impact on our everyday lives, and that trickles down to cybersecurity. Some of the projected dangers include:

  • Flooding of certain areas
  • Prolongation of the wildfire season
  • Spread of diseases
  • Economic costs
  • Scarcity of fresh water in certain areas

By 2030, climate change costs are projected to cost the global economy $700 billion annually, according to the Climate Vulnerability Monitor. And The International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050.

Climate change and its implications will act as a destabilizing factor on society. When livelihoods are in danger, this will spark insecurity and drive resource competition. This does not only have implications for physical security, but in modern society, this also has an impact on cybersecurity and its associated threats.

From a big picture, worst-case-scenario perspective, climate change could trigger profound international conflicts, which go hand-in-hand with cyberwar. Beyond nation-state activity, individuals that have no other means of providing for their families could turn to cybercrime, which is often seen as a low-risk activity with a potentially high yield.

But on a smaller scale, we’re already seeing the impacts of climate change on cybersecurity, whether via social engineering scare tactics embraced by threat actors or disruptions to Internet-connected home heating and cooling devices meant to track energy consumption.

Global warming scams

NO, we’re not saying that climate change is a hoax or a scam. But we want to issue a warning related to the subject. As with any newsworthy topic, there are and will be scammers trying to make a profit using the feeling of urgency that gets invoked by matters like climate change.

For example, the Intergovernmental Panel on Climate Change (IPCC) issued a warning against several scams abusing their name.

“IPCC has been made aware of various correspondences, being circulated via e-mail, from Internet Web sites, and via regular mail or facsimile, falsely stating that they are issued by, or in association with, IPCC and/or its officials. These scams, which may seek to obtain money and/or in many cases personal details from the recipients of such correspondence, are fraudulent.”

Natural disaster scams are increasing at the same rate as natural disasters themselves, often claiming to be collecting donations for a particular cause but putting money in the scammers’ own pockets instead. We’ve seen social engineering tricks ranging from phishing emails and malspam to social media misinformation campaigns on hurricanes, tornadoes, fires, and flooding. Expect this sort of gross capitalization on tragedy and fear to continue as the effects of climate change become more dramatic.

Improving efficiency and preparing for changes

The number of datacenters is down, but their size has grown to meet the demand. This is potentially a step in the right direction since it decreases the power needed for overhead, but not as big a step as could be made if operators actually worked on their power efficiency.

Online companies typically run their facilities at maximum capacity around the clock, regardless of the demand. As a result, data centers are wasting 90 percent or more of their power. Smart management could make a substantial difference in energy consumption and costs.

Cryptomining could improve on energy consumption if the most popular currencies were based on proof of stake rather than proof of work. Proof of work rewards the largest number of CPU cycles, and with that the highest energy consumption.

NEO and Hyperledger are next generation blockchain technologies with much lower electricity cost. NEO uses what it calls delegated Byzantine Fault Tolerance (dBFT), which is an optimized proof-of-stake model. Hyperledger Fabric centralizes block creation into a single resource pool and has multiple validators in the participants. It’s an enterprise collaboration engine, using blockchain smart contracts, where validation is much easier than creation, and creation will be centralized on a single, optimized platform.

More effective methods of cooling would help both supercomputers and large data centers. At the moment, we are (ironically) using electricity to power cooling systems to control the heat caused by electricity usage. In fact, cooling gobbles up about 35 percent of the total power in high performance computing with air cooled systems. Hot-water liquid cooling might be a key technology in future green supercomputers as it maximizes cooling efficiency and energy reuse.

Interaction between climate change and cybersecurity

As we have seen, there are opportunities for those in security and computing to slow the progression of climate change. But there are also opportunities for those in cybercrime to take advantage of the destabilization caused by climate change, as some already have through related scams and malware campaigns. As long as we don’t drop security in attempts to counteract global warming, we’ll be able to protect against some of the more advanced threats coming down the pike. But while we still can, let’s rein in our carbon footprint, improve on computing efficiency, and remember our cybersecurity lessons when criminals come calling.

Stay safe, everyone!

The post The effects of climate change on cybersecurity appeared first on Malwarebytes Labs.

RemoteSec: achieving on-prem security levels with cloud-based remote teams

The world of work is changing—by the minute, it feels these days. With the onset of the global coronavirus pandemic, organizations around the world are scrambling to prepare their workforce, and their infrastructure, for a landslide of remote connections. This means that the security perimeter of businesses small and large has transformed practically overnight, requiring IT leaders to rethink the way they’re protecting their organizations. 

Even before the spread of the virus, preparing business security protocols for a mixture of remote and on-premise work had become a foregone conclusion. With increasing globalization and connectedness, remote work is fast supplementing, if not outright replacing, traditional 9-5 office-based hours. Upwork Global predicts that by 2028, up to 78 percent of all departments will have remote workers.

This trend is affecting companies of all sizes. In fact, a study by Owl Labs indicates that smaller companies are twice as likely to hire full-time remote workers, and a State of Telecommuting study found that telecommuting grew by 115 percent over the last decade. 

These numbers clearly show that remote work is here to stay, whether in quick response to dire crises or simply as a slow, societal shift. What companies are now grappling with is how to manage a ballooning remote workforce, and more so, the security challenges that come with that growth. 

In the past, traditional work made it easy to create and enforce on-prem security policies. Simple controls like logical and physical access were handled through a centralized command and control hierarchy. As workforces become increasingly distributed, such security hierarchies are starting to underdeliver. Companies are now faced with novel security challenges posed by the diverse work conditions remote workers operate within. 

The rise of RemoteSec

Remote Security, or RemoteSec, is a set of security tools, policies, and protocols that govern the IT infrastructure supporting remote teams. As most remote workers rely heavily on cloud tools and platforms, RemoteSec addresses security challenges that almost always fall under this category, though other tools, such as virtual private networks (VPNs) play a role, as they are often deployed to establish secure connections to the cloud. 

For any business working with remote teams, understanding the role cloud security plays in securing remote teams is crucial to realizing overall remote security. However, one challenge that remains is how to replicate the success of on-prem security within a cloud environment. 

Before we delve into the details of RemoteSec, it’s crucial to note the difference between RemoteSec and overall cybersecurity policy. While both deal with securing networked resources, RemoteSec focuses mostly on securing remote teams and the cloud resources they use. As such, organizations with cybersecurity policies may need to extend them to cover security issues that emerge when remote workers relying on cloud infrastructure are added to the workforce matrix. 

Crucial RemoteSec considerations

Remote workers—which include freelancers, contractors, or in-house employees working from home, in coworking spaces, or at coffee shops—do their jobs under a diverse set of conditions. These unique and unpredictable conditions form the body of challenges RemoteSec addresses. 

For example, 46 percent of staff members admit to moving files between work and personal computers while working from home. A further 13 percent admit to sending work emails via personal email addresses because they are unable to connect to an office network. 

With these challenges in mind, here are some crucial RemoteSec considerations you should focus on to secure your remote teams. 

Global location of employees

Remote workers that are spread across the globe face different security challenges. As each part of the world has its own IT infrastructure characteristics, it is essential to standardize remote work environments for your entire team. Using VPNs and virtual desktops can help provide a uniform and secure work environment for your remote team, regardless of where in the world they are located. 

Remote data security policies

Data security is a significant challenge when working with remote teams. For example, remote workers may access public, unsecured Wi-Fi hotspots, exposing company data to eavesdroppers or cybercriminals. Also, remote workers may use free data storage tools like Google Drive without realizing that files synced to such tools can be overwritten with encrypted copies if the syncing endpoint is hit by ransomware.

RemoteSec addresses these issues through comprehensive cloud data policies that cover remote data access, public hotspots, USB devices, password management, device management, network compliance, and others. 

IT and network infrastructure

Endpoint security is another area that organizations must address when it comes to RemoteSec. Remote workers tend to use multiple endpoints (devices) to access company resources. However, in many instances, these devices may not be secure or may be connecting through unsecured network channels.

Issuing mobile device management (MDM) policies, using secure VPNs, deploying cloud-based endpoint security on all remote devices, and enforcing secure cloud network protocols can ensure remote workers do not circumvent network or endpoint security measures. 

Remote IT support

Not all remote workers are tech-savvy. As more roles move to remote, non-technical remote workers may face challenges accessing IT support. If a remote worker halfway across the world experiences technical problems, they may turn to non-secure, outside IT support, exposing your company’s confidential resources. Using cloud tools to deliver IT support can help maintain seamless security across your technical and non-technical remote workforce. 

On-prem security tools vs. cloud-based RemoteSec 

Most companies extol the virtues of on-prem security and rightly so. On-prem security is the gold standard of information security. However, that standard falls apart when stood up against today’s hybrid workforce of remote teams and in-house professionals using a diverse range of endpoints—especially when that workforce is quickly ushered back into their homes for safety purposes. Why? Because on-prem security protocols are designed to contain information in an airtight box. 

Cloud and remote teams not only open that box, but they also turn the organization into an open platform with multiple access points and endpoints. So, how can an organization achieve on-prem security levels with remote teams in the cloud? The answer lies in using the right security tools to migrate your organization from an on-prem mindset to one that considers remote security equally. 

Cloud security tools include virtual desktop infrastructure, file system snapshots, remote data and activity monitoring, and remote device encryption and data wipes. Such mechanisms not only safeguard company data, but also give more control over IT resources used by remote workers.

In addition, deploying a single-sign on service with multi-factor authentication can better protect company data stored in the cloud, as well as assist in access management. VPNs, both desktop and mobile, can further provide authentication while also encrypting network traffic and obscuring private details, which may be necessary while connecting in public places.

A massive shift

Cloud services, at once the hero and villain of information security, will prove to be an ace up the sleeve for companies transitioning away from underperforming on-prem security standards. While remote work seems to have caught on—and is sometimes necessary—we are only at the beginning of a massive tectonic shift in how work is done. 

RemoteSec, therefore, is an emerging field in security, one that’s been discussed for years but never quite tested to this degree. As organizations gain more remote workers, the need to put RemoteSec at the forefront of cybersecurity policy will only escalate. Addressing the crucial areas outlined above can help organizations mitigate the emerging risks while embracing a remote workforce. 

The post RemoteSec: achieving on-prem security levels with cloud-based remote teams appeared first on Malwarebytes Labs.

Coronavirus impacts security conferences and events: check your schedule

With coronavirus starting to take hold globally, international travel restrictions are kicking in and more workplaces are advising to work from home whenever possible. When self-isolation is a potential solution, public gatherings are increasingly looking like a terrible idea. Events are becoming a bit of a hotspot for cases, leading to inevitably bizarre scenarios where coronavirus conferences are cancelled due to coronavirus.

Many major security conferences are already reassessing whether going ahead is worth it. Indeed, some cases of coronavirus have already been confirmed at RSA—one of the biggest security events on the planet. Given the number of attendees and the nature of their jobs (government and private security officials), that alone could have repercussions galore.

Some security events have decided to cancel outright, while others are going with the “temporarily postpone and see what happens at a later date” approach. While it’s tempting to suggest “just going virtual” as some are doing, that’s not always easily achieved.

Cancel, postpone, or virtual

Here’s a short rundown of some problems faced by event organisers in the wake of the current pandemic:

1) Putting on an event costs a lot of money. The venue, advertising, food, setup, safety, insurance, transportation to and from the event for organisers—it all adds up. People pay a ton of cash in advance to secure the event location, and not every venue operator is willing to hand $100,000 back if an event organiser phones up and says, “Actually, about that global pandemic…”

2) Lots of smaller conferences rely on sponsors. If sponsors suddenly bail without considering the impact of vanishing, the event could easily go under, and it won’t get a second attempt the following year. In turn, this (combined with the difficulty in recovering venue fees) could force some events into going ahead or facing financial ruin. It’s in everyone’s best interest to work together as much as possible in those situations, and see if there’s a possibility of going virtual.

3) I’ve helped with a few online events in the past—only small ones—and it was difficult. You can’t just throw up a website and yell “job done!” Streaming can be expensive. Locking down the site and figuring out how to only give content to paying virtual attendees isn’t straightforward. Which time zone are you aiming for when the event happens, and do you even need to stream?

It’s all online anyway, so would it be better to simply record everything and lock it behind a portal somewhere? What software will you use? Does your license accommodate your plans? Can you afford an upgrade if it doesn’t? Will the tech go wrong during the event, and what sort of contingency plans are in place if it does? These are just some of the questions waiting in store for intrepid event folks.

Taking stock of the situation

It’s difficult enough running a virtual event from scratch. I can’t imagine the stress of finding out you suddenly have to switch everything to online or shut everything down at short notice.

While it may end up costing less than a physical event, it may well cause more headaches than planning for the real world, where there’s a fairly solid set of event planning criteria/expectations.

With this in mind, and with a growing collection of security events going into lockdown, we thought it’d be good to pass you a few handy lists that explain what’s going on in security conference land for the foreseeable future. 

The current state of play

In a nutshell, the current state of play is “bad.” Wild West Hackin’ Fest is one such example of an event having to cancel and losing a lot of money in doing so to keep people safe from harm. They’ve decided to go virtual, just like Kernelcon who announced their decision today to do the same thing. Good luck to them both.

Meanwhile, the first major roundup of affected events over on ZDNet grew from nine to 22 in just two days. As per the list itself, some notable changes to your potential event schedule:

  • Black Hat Asia and DEF CON China are both postponed
  • Notable BSides events, including Budapest and Vancouver, are postponed, though Charm (Baltimore) is giving the option to go virtual alongside real-world presenting
  • Kaspersky’s incredibly popular Security Analyst Summit is also postponed
  • Infosecurity Belgium, a huge trade event, has been postponed

Those are just some of the big shakeups heading the infosec industry’s way. That list is constantly being updated, as is the comprehensive listing by region over on Infosecurity Conferences.

More disruption is likely

Regardless of which list you use to keep yourself informed, there will absolutely be more events affected in days to come. Your workplace may already have implemented no-travel policies, but even if you’re going it alone, you may wish to give some events a pass this time around.

Of course, that advice isn’t exactly good news for people who make their living from organising these events or even speaking at them. Whatever your involvement in security conferences, it’s going to be a rough old time of it for the foreseeable future. Stay safe and be well.

The post Coronavirus impacts security conferences and events: check your schedule appeared first on Malwarebytes Labs.

Securing the MSP: best practices for vetting cybersecurity vendors

Ironically, to keep costs low for their enterprise and mid-market clients, managed service providers (MSPs) are some of the most reliant on third-party vendors—including those providing security. While this is generally not an indication of dysfunction or vulnerability, the responsible MSP will be looking with a critical eye while vetting cybersecurity vendors to evaluate how they might increase the organization’s attack surface—especially with the uptick in targeted attacks over the last few months.

So how should an MSP—or any organization, for that matter—evaluate cybersecurity vendors not just for budget and effectiveness, but also security posture? And how can MSPs continue to monitor their security partners as product features and organizational needs change over time?

What’s concerning from a Chief Security Officer’s (CSO’s) perspective is the veneer of legitimacy many cybersecurity vendors are capable of producing: Scammy security companies generally have slick, professional websites, convincing sales engineers, legions of onshore support administrators, and almost invariably, one or more executives with ties to a government intelligence agency, whether in the US or abroad.

Given that almost all cybersecurity companies on the market strive to project an image of professionalism, how can a CSO sort out companies that are a value add from those with a less than legitimate business model? And what about the companies that are above board, but just not very good? Let’s take a look.

The ugly cybersecurity vendors

Most harmful to a business in the long run are the cybersecurity vendors who either don’t do much, or have a business model that skirts the edge of the law. The simplest and most cost-effective way of avoiding these companies is conducting a community temperature check.

Bad vendors tend to acquire a collective disapproval in the infosec community long before their business model fails. A quick Twitter or Google search of the vendor name can often reveal detailed accounts by analysts who have used them and can provide candid assessments.

But the gold standard for a temperature check is to ask your own team. Cross-pollination of infosec personnel is at an all time high. As such, your team most likely has a broad range of experience with multiple vendors on a host of platforms.

Your team can provide invaluable data, like added operations costs over the long term, company billing practices, and interoperability with existing systems. They can also tip you off on issues with vaporware, generally defined as giving the appearance of having a product or feature which is in reality much more limited or even non-existent.

Like most vendors of higher quality, the ugly will also have former intelligence agency personnel to give themselves a veneer of authority and competence. A question that rarely gets asked, though, is “Which agency?” Is it an agency with a formal mandate for addressing cyberthreats, with an established university pipeline and well-regarded reputation? Is it an agency whose cyber division was stood up relatively recently, with repurposed employees from other departments?

Further, how relevant is that experience to your business needs? If the majority of your security losses are coming from phishing and malvertising, is having access to analysts experienced in state-sponsored intrusions really relevant?

The bad cybersecurity vendors

Some infosec vendors really do try their best to provide a valuable product to the end user, but still fall awfully short of the mark. The problem here isn’t that they’re not trying to deliver a good product—it’s that they don’t necessarily understand what “good” is to you.

In the public sector, intelligence is often defined as information that is timely, accurate, and relevant. This applies to cyberthreat intelligence derived from security products as well. If you kick out any one of the legs on the threat intelligence tripod, you’re left with a platform too unstable to make any reliable judgement on cyber risk.

An organizational threat delivered to SOC personnel in a timely manner that hasn’t been vetted (i.e. is inaccurate) is not intelligence. Threat data that is timely and accurate, but not adapted to your business vertical (i.e is irrelevant) is also not intelligence.

What these threat alerts amount to tends to be a drag on organizational resources, as in-house security personnel are tasked with vetting ever-increasing quantities of data that don’t address business needs. Don’t those tier-two SOC techs have better things to do than retrace vague, un-targeted analysis?

Bad cyberthreat intel vendors often correctly identify the desired end goal of intelligence, but lack an understanding of appropriate methodology. Again, these companies often out themselves as undesirable with a quick community check.

A poorly-sourced, unreviewed report using inflated claims will quickly reveal itself as such when the infosec community reviews the content. Timely, accurate, and relevant threat data will be shared, retweeted, and commented upon much more frequently than less useful sources. Pausing for a moment to see how other organizations have integrated threat data being offered to you can provide a valuable check against letting a bad vendor slip through the cracks.

Some questions to ask the sales engineer:

  • How will this data be tailored to my organization?
  • How is the data delivered to us, and if it’s a portal, what is your upgrade release schedule?
  • And most importantly: How do you vet your sources?

Note: do not accept “We have to protect our sources and methods.” This is a phrase borrowed from government intelligence, which generally uses it in situations involving threats to human lives. More commonly, it’s used to express sentiments akin to “I’m not going to tell you because I don’t want to, don’t know, or it would embarrass me.”

The good cybersecurity vendors


Here’s the most difficult category and the holy grail for augmenting your security team: a company that delivers well-targeted services to your organization in a manner that is timely, accurate, and relevant. The catch here is that to properly spot the good company, your own organization has to have timely, accurate, and relevant defined down to a T. This brings us to the last and most important aspect of vetting: metrics.

Certain companies can provide an awfully impressive “real-time demonstration” of the product, sometimes offering you a head-to-head with competing products. They might reference the number of threats detected, speed of detections, analysis, or number of endpoints providing data.

There is a barrage of cybersecurity metrics available to benchmark performance, so how do you know which are valuable? The answer is: none of them. The only metric relevant to evaluating security performance is one generated by your own team against a mature risk tolerance posture. Vendor metrics can’t possibly address the various risk tolerances of all their customers and therefore can’t be relevant to how they would perform for you. Once you know your own metrics, evaluating vendors can be a piece of cake. (And it requires far fewer meetings.)

Some questions to ask the relationship manager for a great vendor:

  • How can I share feedback from my security team?
  • When can we revisit my business needs?
  • What improvements do you have planned for next quarter?

To sum up, vetting vendors doesn’t have to be painful—as long as you know your own risk tolerance posture, and have a mature communication channel with your own security team.

The post Securing the MSP: best practices for vetting cybersecurity vendors appeared first on Malwarebytes Labs.

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

Update: The digital certificate issued for http[.]ps has been revoked by GlobalSign.

Fraudsters are known for using social engineering tricks to dupe their victims, often times by impersonating authority figures to instill trust.

In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme.

This latest skimmer is disguised as a JavaScript file that appears to be CloudFlare’s Rocket Loader, a library used to improve page load time. The attackers created an almost authentic replica by registering a specially crafted domain name.

This campaign has been affecting a number of e-commerce sites and shows threat actors will continue to come up with ingenious ways to deceive security analysts and website administrators alike.

Decoy Rocket Loader

On a compromised Magento site, we noticed that attackers had injected a script purporting to be the Rocket Loader library. In fact, we can see two almost identical versions loaded side by side.

rocket loader impersonation

If we look at their source code, we find that the two scripts are quite different. One of them is obfuscated, while the other is recognizable as the legitimate CloudFlare Rocket Loader library.

Rocket Loader and skimmer, side by side

There is a subtle difference in the URI loading each script. The malicious one resolves to the domain http.ps followed by a double slash in the path, so the address reads “http.ps//…” (note the dot, the extra ‘p’ and the ‘//’), which at a glance looks like “https://…”. The threat actors take advantage of the fact that, since Google Chrome version 76, the “https” scheme (and the special-case “www” subdomain) is no longer shown in the address bar.

https certificate view in URL address bar

To reveal the full URL including its scheme in Chrome, double-click inside the address bar. Other browsers, such as Firefox or Edge, show the entire URL by default, which makes the trick more obvious and therefore less effective against a site administrator investigating this library.


Active skimmer campaign

The Palestinian National Internet Naming Authority (PNINA) is the official domain registry for the .ps country code Top-Level-Domain (ccTLD). The decoy domain http.ps was registered on 2020-02-07 via the Key-Systems GmbH registrar.


In mid-February, security researcher Willem de Groot tweeted about how this domain was being used for credit card skimming in an ongoing campaign with the additional “e4[.]ms” domain.

The skimmer code as well as its exfiltration gate (autocapital[.]pw), were described by Denis Sinegubko, a security researcher at GoDaddy/Sucuri.

There are two ways e-commerce sites are being compromised:

  • Skimming code that is injected into a self-hosted JavaScript library (the jQuery library seems to be the most targeted)
  • A script that references an external JavaScript, hosted on a malicious site
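As an added example (not code from the Malwarebytes post or from the skimmer itself), the following Node.js script audits the external script tags in a page the way an administrator investigating the second injection method above might. It resolves each src the way the browser does, compares the contacted host against an allowlist, and flags hostnames whose first label mimics a URL scheme (the “http.ps” trick) as well as paths containing an empty segment (the extra “//”). The sample HTML, the allowlist entries, the page URL and the Rocket Loader path are constructed assumptions for this example.

```javascript
// Added example: audit <script src> tags for decoy-CDN tricks.
// The sample page, allowlist and Rocket Loader path below are constructed
// for the example, not taken from the compromised site.

const ALLOWED_SCRIPT_HOSTS = new Set([
  'ajax.cloudflare.com', // assumed legitimate Rocket Loader host
]);

// Hostname labels that read like a scheme once the browser hides "https://".
const SCHEME_LOOKALIKES = new Set(['http', 'https']);

// Pull every src attribute out of <script ...> tags (simple regex, enough for
// an offline audit of saved HTML).
function extractScriptSrcs(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Resolve one src against the page URL (handles "//host/path" and relative
// paths like the browser does) and return the reasons it looks suspicious.
function auditScript(src, pageUrl) {
  const u = new URL(src, pageUrl);
  const page = new URL(pageUrl);
  const reasons = [];

  if (u.origin !== page.origin && !ALLOWED_SCRIPT_HOSTS.has(u.hostname)) {
    reasons.push('third-party host not on allowlist');
  }
  if (SCHEME_LOOKALIKES.has(u.hostname.split('.')[0])) {
    reasons.push(`hostname "${u.hostname}" mimics a URL scheme`);
  }
  if (u.pathname.includes('//')) {
    reasons.push('empty path segment ("//") used to fake "://"');
  }
  return { src, resolved: u.href, host: u.hostname, reasons };
}

function auditPage(html, pageUrl) {
  return extractScriptSrcs(html).map((s) => auditScript(s, pageUrl));
}

// Constructed sample: legitimate Rocket Loader, the decoy, and a same-origin script.
const SAMPLE_PAGE_URL = 'https://shop.example/checkout';
const SAMPLE_HTML = `
<script src="https://ajax.cloudflare.com/cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js"></script>
<script src="https://http.ps//cdn-cgi/scripts/7089c43e/cloudflare-static/rocket-loader.min.js"></script>
<script src="/js/app.js"></script>
`;

// Only the entries that raised at least one reason.
function suspiciousScripts(html = SAMPLE_HTML, pageUrl = SAMPLE_PAGE_URL) {
  return auditPage(html, pageUrl).filter((r) => r.reasons.length > 0);
}

for (const r of suspiciousScripts()) {
  console.log(`${r.host}: ${r.reasons.join('; ')}`);
}
```

Run it against a saved copy of the storefront’s HTML; the legitimate Cloudflare entry and the same-origin script pass, while the decoy is reported three times over (unknown host, scheme-like label, empty path segment). Checking the resolved hostname rather than eyeballing the src string is the point: the WHATWG URL parser gives you the host the browser will actually contact, regardless of how the address bar renders it.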

The first version of the skimmer used in this campaign is the hex-obfuscated type with data exfiltration via autocapital[.]pw, as seen in the decoy Rocket Loader library. As Denis mentioned in his tweet, this skimmer contains an English and a Portuguese version (urlscan.io archive here).


The other version of the skimmer (hosted on e4[.]ms) uses a different obfuscation scheme with data exfiltration via xxx-club[.]pw (this domain is on the same server as the autocapital[.]pw exfiltration gate).

Similar naming convention as faux Rocket Loader

We recognize this obfuscation pattern as ‘Radix’, from a previous campaign described and tracked by Sucuri since 2016. Given the naming convention used for the domains and skimmers, we believe the same threat actors may be behind this newest wave of attacks.

Patching and proactive security

This kind of attack reinforces the importance of good website security. The majority of compromises happen on sites that have not been updated or that use weak login credentials. These days, other forms of defense include web application firewalls and general hardening of the CMS and its server.

The majority of consumers that shop on a compromised site will have no idea that something went wrong until it’s too late. Even though it is the responsibility of the merchant to ensure their platform is secure, it is obvious that additional precautions need to be taken by visitors themselves.

Malwarebytes users are protected against this credit card skimming attack via our web protection layer in Malwarebytes for consumers and businesses.

We have reached out to the registrar and certificate authority but at the time of writing the malicious decoy domain is still active.

Indicators of compromise

Skimmers and gates

http[.]ps
autocapital[.]pw
xxx-club[.]pw
e4[.]ms
y5[.]ms
83.166.248[.]67
83.166.244[.]189

The post Rocket Loader skimmer impersonates CloudFlare library in clever scheme appeared first on Malwarebytes Labs.

International Women’s Day: awareness of stalkerware, monitoring, and spyware apps on the rise

Nine months ago, Malwarebytes recommitted itself to detecting invasive monitoring apps that can lead to the excessive harm of women—most commonly known as stalkerware. We pledged to raise public awareness, reach out to advocacy groups, and share samples and intelligence with other security vendors.

Now, for International Women’s Day (March 8), we decided to take measure of our efforts, examining the effects of our campaign and outreach, as well as the formation of the Coalition Against Stalkerware, of which we were a founding member. Have we actually made a difference?

As a refresher, or for those that haven’t been following along: Stalkerware and other monitoring apps can allow a user to look through someone else’s text messages, record their phone calls, turn on their phone’s cameras and microphones, rifle through their private files, peer into their search history, and track their GPS location—all without consent.

We know that stalkerware, monitoring apps, and others with spyware-like capabilities present clear potential for privacy violations. Moreover, these apps and Internet of Things (IoT) devices, such as smart thermostats, doorbells, and locks, have been tied to multiple cases of physical stalking, cyberstalking, and domestic violence. In fact, according to the National Domestic Violence Hotline, victims of digital abuse and harassment are two times as likely to be physically abused, two-and-a-half times as likely to be psychologically abused, and five times as likely to be sexually coerced.

While many stalkerware apps market or classify themselves as parental monitoring apps, their technical capabilities are essentially the same—sometimes on par with the level of surveillance perpetrated by nation-state actors. Worse, when put into the hands of domestic abusers, they can totally dismantle a survivor’s life, revealing their location if they’re trying to escape or uncovering their private messages if they’re attempting to discuss a safety plan.

Yet, for all its potential for emotional and physical harm, stalkerware has often been swept under the rug by many in the cybersecurity community. Most antivirus companies do not detect monitoring apps; or if they do, they use weak language indicating the threat is not as severe as malware.

That’s what caused Electronic Frontier Foundation Director of Cybersecurity Eva Galperin to start calling out antivirus companies in April 2019 for better protection. And that’s why we stood up with her—to double down on what we started more than five years ago with our own stalkerware detection efforts.

Let’s take a look at how we’re doing so far. These are the numbers on stalkerware.

Stalkerware public awareness

While we have written about monitoring apps’ potential to be used for domestic abuse since 2014 (and detected those apps in our Malwarebytes for Android program), we first aimed to raise public awareness of stalkerware by publishing more than 10 articles on the topic since June 2019, including how to protect against stalkerware, what domestic abuse survivors should do if they find stalkerware on their phone, and the difficulties of pursuing legal action for stalkerware victims.

In total, our articles have been read nearly 65,000 times. The terms “stalkerware,” “stalkerware app” and “stalkerware Android” have gained a bit of momentum in Google search over the last year, showing signs of life in June 2019, the month we published our first article of the campaign. A small spike in July also coincides with our own coverage, as well as Google Play pulling seven stalkerware apps from its store. The biggest bump in overall awareness was in late October and early November 2019, when National Cyber Security and National Domestic Violence Awareness months coincided with the FTC bringing its first stalkerware case, fining app developers for violations.

Figure: Global interest in the “stalkerware” search term over 12 months, with the number 100 representing the highest interest level.

Figure: The search term “stalkerware app” has been gaining steam since October 2019, seeing its heaviest spike after a concerted effort to raise awareness by the Coalition around the RSA Conference in late February 2020.

Mobile monitor and spyware categories: global detections of stalkerware

Despite the popular “stalkerware” label, Malwarebytes does not use the term to classify app detections within our product, as murky marketing techniques can often make distinguishing between stalkerware, workplace, or parental monitoring apps difficult. Instead, we look at the technical capabilities of the software and detect stalkerware apps as either belonging to the monitor category or spyware.

From March 1, 2019 to March 1, 2020, Malwarebytes detected monitor apps 55,038 times on Malwarebytes for Android user devices. During the same time period the year before, monitor apps were detected 44,116 times. That’s an increase of more than 10,000 detections in a single year. 

We must be clear: The rise in monitor detections does not automatically guarantee a rise in the use of these apps. Because Malwarebytes improved its capabilities to find monitoring apps, our detection volume did increase. We bolstered our data set independently, but also worked with other cybersecurity vendors in the Coalition Against Stalkerware to improve our results.

However, a February 2020 survey by NortonLifeLock on “online creeping” found that 49 percent of respondents admitted to “stalking” their partner or ex online without their knowledge or consent—a number that suggests a general acceptance of online stalking behavior today. Does that mean there are more developers and users of monitoring apps than there were before? We would need to conduct a meta-study and include more data points than our own telemetry to determine that. What we do know is that today, Malwarebytes detects 2,745 variants of monitor apps, an increase of nearly 1,000 from the year before.

Interestingly, from March 1, 2019 to March 1, 2020, Malwarebytes for Android registered 1,378 spyware detections on user devices. In the previous year, however, Malwarebytes detected spyware 2,388 times for users in the same group. In fact, although we now detect 318 variants of spyware apps for Android devices—an increase of almost 40 from the year before—our detections still decreased year over year.

The decrease in spyware detections perhaps points to something different—a decision to shy away from making and utilizing these tools. Whereas stalkerware-type apps have seen little enforcement, either from the government or from individuals and companies, spyware apps have received deeper scrutiny. Just this week, WhatsApp moved forward with its lawsuit against one major spyware developer.

In looking at our data, we also discovered these threats in nearly every part of the world. Malwarebytes detected monitoring APKs in the US, India, Indonesia, the United Kingdom, Brazil, Ireland, France, Russia, Mexico, Italy, Canada, Germany, Bangladesh, Australia, and the United Arab Emirates. The US represented the largest share of detections, but admittedly, it also represents the largest share of our user base.

While our telemetry shows that monitoring apps continue to plague users everywhere, the data does not show the broader relationship between these types of apps and stalking, cyberstalking, and domestic violence.

Monitoring apps and domestic violence

According to Danielle Citron, professor of law at Boston University School of Law, monitoring apps, or what she calls “cyber stalking” apps, have been tied to multiple cases of domestic violence and abuse. As she wrote in her 2015 paper, “Spying Inc.”:

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

Further, according to the NortonLifeLock survey, the use of stalkerware-type apps is just one of several behaviors that Americans engage in to check in on their ex and current romantic partners online.

The Online Creeping Survey, which included responses from more than 2,000 adults in the US, showed that 1 in 10 Americans admitted to using stalkerware-type apps against their ex or current romantic partners. The survey also found that 21 percent of respondents looked through a partner’s device search history without permission, and 9 percent said they created a fake social media profile to check in on an ex or current partner.

Kevin Roundy, technical director for NortonLifeLock, warned about these behaviors.

“Some of the behaviors identified in the NortonLifeLock Online Creeping Survey may seem harmless, but there are serious implications when this becomes a pattern of behavior and escalates, or when stalkerware and creepware apps get in the hands of an abusive ex or partner,” Roundy said.

As Malwarebytes reported last year, some of these behaviors are closely associated with the crimes of stalking and cyberstalking in the United States. Use of monitoring or spyware apps can create conditions in which domestic abusers can follow their partners’ GPS locations and allow them to look at their private conversations through texts and emails. For domestic abuse survivors trying to escape a dangerous situation, stalkerware can place them at an even greater risk.

Unfortunately, much of the behavior related to stalking and cyberstalking disproportionately harms women.

According to a national report of about 13,000 interviews conducted by the Centers for Disease Control and Prevention (CDC), an estimated 15.2 percent of women and an estimated 5.7 percent of men have been stalked in their lifetime.

Similar data from the Bureau of Justice Statistics showed nearly the same discrepancy. In a six-month period, of more than 65,000 Americans interviewed, 2.2 percent of women reported they had been stalked, while 0.8 percent of men reported the same. 

While stalking victims include both men and women, the data from both studies shows that women are stalked roughly 270 percent more often than men.

What else can we do?

The stalkerware problem is tangled and complex. Makers of these types of apps often skirt government enforcement actions—with only two developers receiving federal consequences in the past six years. Users of these apps can vary from individuals who consent to being tracked to domestic abusers who never seek consent.

The ways in which these apps are used can violate both federal and state laws. Yet when the apps are used in conjunction with stalking and cyberstalking, the victims of these crimes often shy away from engaging with law enforcement to find help. Even if victims do work with police, they often have one priority—stopping the harm, not filing prolonged lawsuits against their stalkers or abusers.

Though this threat may appear slippery, there is much that we in the cybersecurity community can do. We can better detect these types of threats and inform users about their dangers. We can train domestic abuse advocates about device security for themselves and for the survivors they support—something Malwarebytes has already done and will continue doing. We can gather a growing coalition of partners to share intelligence and samples to collectively fight.

We can work with law enforcement on improving their own cybersecurity awareness and training, demonstrating the ways in which technology can be and has been abused, or developing a collaborative taxonomy for smart, efficient reporting. Finally, we can partner with domestic violence researchers to better understand what domestic abuse survivors need for digital security and protection—and then implement those changes.

We make the technology. We can make it better protect users everywhere.

The post International Women’s Day: awareness of stalkerware, monitoring, and spyware apps on the rise appeared first on Malwarebytes Labs.