IT NEWS

Malwarebytes MDR wins G2 awards for “Best ROI,” “Easiest to Use,” and more

Malwarebytes Managed Detection and Response (MDR) earned a place in 12 of G2’s Fall 2023 reports, winning badges for “Easiest to do Business With,” “Best Est. ROI,” “Easiest to Use,” and “Easiest Admin.”

Purpose-built for resource-constrained teams, Malwarebytes MDR provides IT staff with high-focus alert monitoring and prioritization, with flexible options for remediating threats.

Each quarter, the peer-to-peer review source G2 releases reports highlighting MDR products with the highest customer satisfaction and strongest market presence. Badges are awarded to products that receive the highest overall ratings among certain categories, including the most satisfied customers. 

Let’s take a closer look at what real users said about using Malwarebytes MDR.

Easiest to Use, Easiest Admin


Malwarebytes MDR builds on the award-winning user experience of Malwarebytes Endpoint Detection and Response (EDR), enabling customers to seamlessly communicate with Malwarebytes MDR Analysts for recommendation and guidance.

On the Mid-Market Usability Index for Managed Detection and Response (MDR) in Fall 2023, G2 users rated Malwarebytes MDR several points above the industry average on the “Ease of Use” and “Ease of Admin” sub-scores.

“Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.”

Steve S.

“Malwarebytes MDR enables us to meet the need for 24×7 coverage with professional security experts who work in the industry every day.”

Matthew Verniere, IT Project Manager

Best Est. ROI


Malwarebytes MDR earned a “Best Estimated ROI” badge on the Mid-Market Results Index for Managed Detection and Response (MDR) in Fall 2023. Based on the survey results, customers with Malwarebytes MDR wait half as long as the industry average to go live and see ROI.

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulders and making sure it’s all clear.” 

Dennis Davis, IT Systems Manager

Experience Malwarebytes MDR: Award-winning ROI, user-friendly, and effective threat defense

Malwarebytes MDR provides IT staff with award-winning business protection, offering 24×7 alert monitoring and guidance, active remediation, and threat hunting across endpoints. 

Try Malwarebytes MDR today and join the ranks of those who have already discovered the amazing results, support, and ROI of our exceptional managed service solutions: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Xenomorph hunts cryptocurrency logins on Android

Cryptocurrency owners should take heed of warnings related to Xenomorph malware—Bleeping Computer reports that the most recent version of Xenomorph now targets various cryptocurrency wallets using fake browser update messaging as bait.

Xenomorph is roughly a year old, first springing to prominence after an installation campaign via the Google Play store resulted in more than 50,000 hijacked Android phones. At the time, Xenomorph crept into the official Android store via false pretences.

As with so many mobile scams, pretending to be a system cleaning tool worked like a charm and it bypassed some security measures by grabbing the rogue component only after installation. In other words: Google Play wouldn’t have noticed anything untoward, because at time of initial installation, everything looked normal.

The malware abused permissions to log SMS, intercept notifications, and use overlays to grab login details for up to 56 different banks.

This on its own is already very malicious behaviour. A year later, Xenomorph is back with an impressive sequel in tow. It would be more accurate to say that this is part 5, after several revisions over the past 12 months which have seen Xenomorph be distributed in new ways and include new features, like multi-factor authentication bypass and cookie stealing.

The new attack involves the use of that well-worn tradition, the fake browser update landing page. Bogus “Your Chrome needs updating” pages convince visitors to download and install the new rogue Android file.

At this point, Xenomorph deploys its most favoured tactic: That of the bogus overlay. These overlays mimic various banks and (now) logins for multiple cryptocurrency services like Metamask.

We’ve warned of the dangers of handing over your cryptocurrency secret recovery phrase to random websites and extensions many times. Even folks who are well versed in these kinds of scams may not realise a genuine looking overlay is coming from an entirely unrelated Android installation.

This latest version is said to go after “more than 100 different targets,” using crafted pages to try to swipe the user’s details. It also includes a so-called “mimic” feature, which allows the malware to launch bogus activity from otherwise legitimate services. As Bleeping Computer notes, this technique means the fraudsters don’t need to hide icons from the app launcher, something many security tools would flag as potentially dubious behaviour.

Xenomorph does a lot of this, like simulating user taps at specific screen locations and preventing the system from going to sleep, which is a boon for staying in contact with the Command & Control setup issuing orders.

The researchers who made these discoveries also mention that the infrastructure hosting the rogue files contained additional malware, malware loaders, and Windows information stealers.

There’s a good chance some of these other files may already be in circulation, or could be at some point in the near future. If you receive browser update warnings while looking at websites, don’t hit that download button.

Browsers don’t typically announce the need for an update in the middle of a web page, and especially not while you’re surfing. Update notifications are placed away from the page content, inside the browser’s own user interface, for example to the right of your URL bar. Browsers will also tend to update automatically without you doing anything. If you want to know whether or not an update is needed, clicking into “Help” or “About” will usually get the job done.

Whether on mobile or desktop, we strongly recommend keeping your updates set to automatic. Let the browser do its job and help to keep you secure, and do your bit by ignoring any popups or in-browser messaging with an urgent notification about supposed browser updates.


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Credit card thieves target Booking.com customers

Staff in the hospitality industry are trained to accommodate their guests, and when they have a few years of experience under their belt you can be sure they’ll have received some extraordinary requests.

Clever cybercriminals are taking advantage of exactly that. Researchers at Perception Point recently documented a sophisticated phishing campaign targeting hotels and travel agencies.

The campaign raised alarm because of the clever scheme deployed to trick staff into installing an information stealer. This part of the campaign consists of highly targeted attacks.

The first stage of the attack typically sees the attackers send a query about a booking or make a reservation. The bookings will always have low or no cancellation costs so the attackers can minimize their investment.

Once the attackers receive a response, they’ll come up with a persuasive reason for the hotel staff to print or study something ahead of their arrival. Examples include medical records for a child or an important map they would like to print out for their elderly parents.

To add a touch of legitimacy and to evade detection, they even provide the hotel representative with a password to unlock these so-called “important files.”

Example of an email requesting hotel staff to open a password-protected Google Drive file

Image courtesy of Perception Point

In reality, the document contains malware hosted on a file-sharing platform, such as Google Drive. The file is encrypted and is only decrypted when the victim enters the password. The main executable file often has a misleading icon, such as one that makes it look like a PDF. Once the victim double-clicks on the file, the information stealer (or InfoStealer) is unleashed.

The second step in this attack targets the customers, and was discovered by Akamai researchers.

After the InfoStealer is executed on the original target’s (hotel/travel agent’s) systems, the attacker then begins messaging legitimate customers. The message used in this campaign contains a link to what it says is an additional card verification step. In reality, the link triggers an executable on the victim’s machine which gathers information about the browser and presents the recipient with several security validation questions.

Once the victim passes the tests, they are forwarded to a credit card phishing site masquerading as a Booking.com payment page. 

Tips for hospitality organizations

Besides having adequate up-to-date real-time protection on your systems, there are some general tips that can keep you out of trouble.

  • Always confirm the identity of anyone requesting sensitive information or access to internal systems.
  • Educate your team so they know how to recognize phishing attempts and where to report potential threats.
  • Invest in an email security solution which makes it harder for phishing emails and unknown malware to reach the intended target.
  • Never click on unsolicited links. 
  • Be cautious of messages that create a sense of urgency or threaten negative consequences if you don’t take immediate action.
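Two checks a hotel’s mail gateway or endpoint team could run against the pattern described above, as an added example that is not part of the Malwarebytes article or the Perception Point research: a scoring pass over the inbound message (file-sharing link plus a password handed over in the same mail plus a “print this before we arrive” nudge), and a content-vs-name check that catches an executable dressed up as a document. The sample email, file bytes, host list and thresholds are constructed or assumed here.

```python
"""
Added example (not from the article): defender-side checks for the hospitality
phishing pattern. Sample inputs are constructed; host list and thresholds are
assumptions to adapt to local policy.
"""
import re
from dataclasses import dataclass

# Google Drive is the host the article names; the rest are assumed additions.
FILE_SHARE_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com", "wetransfer.com")
# "the password is Guest2023!" / "passcode: 1234" -- a password supplied in the
# same message as the link is the campaign's tell.
PASSWORD_HINT = re.compile(r"\b(password|passcode|pin)\b\s*(is|:)\s*\S+", re.I)
URGENCY = re.compile(r"\b(before (my|our) arrival|urgent|asap|immediately|please print)\b", re.I)
DOC_EXTS = ("pdf", "doc", "docx", "jpg", "png", "txt")
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}


@dataclass
class EmailCheck:
    share_link: bool
    password_given: bool
    urgency: bool

    @property
    def score(self) -> int:
        return int(self.share_link) + int(self.password_given) + int(self.urgency)

    @property
    def suspicious(self) -> bool:
        # Link + password together is enough to route the mail for review;
        # urgency only raises the score.
        return self.share_link and self.password_given


def _is_share_host(host: str) -> bool:
    host = host.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS)


def check_email(body: str) -> EmailCheck:
    hosts = re.findall(r"https?://([^/\s]+)", body)
    return EmailCheck(
        share_link=any(_is_share_host(h) for h in hosts),
        password_given=bool(PASSWORD_HINT.search(body)),
        urgency=bool(URGENCY.search(body)),
    )


def classify_file(name: str, data: bytes) -> dict:
    """Compare what the bytes are with what the file name suggests.

    'records.pdf.exe' (Windows hides the last extension) and 'map.pdf' whose
    contents start with an MZ header are both flagged as masquerading.
    """
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    doc_hint = any(p in DOC_EXTS for p in parts[1:])
    executable = kind == "pe-executable"
    return {
        "type": kind,
        "extension": ext,
        "double_extension": len(parts) > 2 and ext in ("exe", "scr", "com", "bat"),
        "masquerading": executable and doc_hint,
    }


# Constructed sample message modelled on the lure the article describes.
CONSTRUCTED_EMAIL = """Hello, I booked a double room for Oct 3. My daughter has a medical
condition; could you please print her medical records before our arrival?
Files: https://drive.google.com/file/d/PLACEHOLDER/view  The password is Guest2023!"""
CONSTRUCTED_BENIGN = "Looking forward to our stay. Is parking available on site?"
CONSTRUCTED_PE = b"MZ\x90\x00" + b"\x00" * 60      # constructed PE header stub
CONSTRUCTED_PDF = b"%PDF-1.7\n%constructed sample\n"

if __name__ == "__main__":
    print(check_email(CONSTRUCTED_EMAIL))
    print(classify_file("medical_records.pdf.exe", CONSTRUCTED_PE))
```

The email check deliberately does not try to prove an email is malicious; it routes the combination the campaign relies on (a link to a hosted file and the key to open it in the same message) to a human before anyone double-clicks. The file check is what an endpoint or sandbox step should do to the downloaded payload, since a PDF icon on an executable is invisible to an extension-only rule.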

Tips for consumers

These phishing schemes are exceptionally well thought out and tailored so victims are more likely to click. Still, there are some red flags that can help you prevent falling victim.

  • Double check unexpected communications which ask for additional payments or payment details. There is no harm in asking for clarification or confirmation.
  • Inspect links before you click on them to see whether they lead to where you expect.
  • Do not send information that the booked accommodation should already have or shouldn’t need at all.
  • Be suspicious of urgent or threatening messages asking for immediate action.

Identity theft victims

If you suspect you are a victim of credit card identity theft, the FTC recommends you contact your bank or credit card company to cancel your card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.

To find out if you are a victim:

  • Review your transactions regularly to make sure no one has misused your card, and consider credit monitoring.
  • If you find fraudulent charges, call your bank’s fraud department to alert them.
  • Check your own credit report at annualcreditreport.com.
  • Consider freezing your credit report. This stops new creditors and potential thieves from accessing your credit report.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Child health data stolen in registry breach

Canadian healthcare organization Better Outcomes Registry & Network (BORN) has disclosed a data breach affecting client data.

BORN—an Ontario perinatal and child registry that collects, interprets, shares, and protects critical data about pregnancy, birth, and childhood—says it was attacked on May 31, 2023.

A subsequent investigation has shown that during the breach, unauthorized copies of files containing personal health information were taken from BORN’s systems. The personal health information that was copied was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023.

BORN says that the data breach happened as a result of a vulnerability in some software it uses for file transfers, Progress MOVEit. This vulnerability was exploited by a ransomware gang known as Cl0p, before Progress was even aware a vulnerability existed.

Sadly, BORN isn’t the only organization that has had children’s data stolen as a result of that vulnerability. The National Student Clearinghouse (NSC) has reported that nearly 900 colleges and schools across the US also fell victim to the Cl0p ransomware gang as a result of using MOVEit to transfer files.

As we have mentioned before, identity theft is a serious problem, especially when it affects children. Identity thieves love preying on minors, simply because it usually takes longer before the theft is noticed.

Countermeasures

BORN states that there are no additional steps you need to take. Its incident summary says:

“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes. We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”

However, you have every right to be anxious that your child might start receiving credit offers in the mail, or that unexpected activity might appear on their email, phone or bank accounts.

So, if you become aware of anything suspicious, or even just for peace of mind, you can request a security freeze for your child at each of the three national credit bureaus (Experian, TransUnion and Equifax).

When you request a security freeze, the bureau creates a credit report for your child and then locks it down, so that any lender who attempts to process an application that uses your child’s credentials will be denied access to their credit history. This prevents any loans or credit cards being issued in the child’s name. When the child becomes an adult you’ll have to lift the freeze by contacting each credit bureau individually.

Read our tips on how to protect your identity, or, if you believe you are already the victim of an identity crime, contact the Identity Theft Resource Center. You can speak to an advisor toll-free by phone (888.400.5530) or live-chat on the company website idtheftcenter.org.



Webinar: Bridging digital transformation & cybersecurity

Digital transformation may be revolutionizing businesses and the way we operate, but it also presents a notable challenge: How can organizations stay secure amidst the ceaseless tide of change? Our latest Byte Into Security webinar has the answers.

Meet the Experts

  • Marcin Kleczynski, CEO of Malwarebytes, teams up with
  • Chris Brock, Drummond’s Chief Information Officer. Chris shares how his 15-person IT team balanced dramatic organizational changes with maintaining a robust security posture.

On-the-Ground Insights

In the webinar, Chris details:

  • The specific challenges digital transformation posed to his IT team and the broader organization.
  • How Drummond prioritized resources for maximum efficiency and impact.
  • The role of Managed Detection and Response (MDR) in fortifying security, while saving IT time, resources, and budget.

What to Expect

  • Forward-thinking security strategy: Learn about tools and tactics that transition businesses from reactive security measures to proactive protection amidst digital shifts.
  • Tailored training: Security awareness training best practices for businesses of all sizes.
  • Leveraging MDR: Real examples showcasing how MDR was instrumental in Drummond’s digital evolution, helping to close security holes across multiple categories.
  • True IT downtime: How IT professionals can take well deserved vacations without interruption.

If you’re seeking to understand how digital transformation, security, worker productivity and business growth evolve in tandem, this webinar is your roadmap.

Watch on-demand now

What does a car need to know about your sex life? Lock and Code S04E20

This week on the Lock and Code podcast…

When you think of the modern tools that most invade your privacy, what do you picture?

There are the obvious answers, like social media platforms including Facebook and Instagram. There’s email and “everything” platforms like Google that can track your locations, your contacts, and, of course, your search history. There’s even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile.

But here’s a surprise answer with just as much validity: Cars. 

A team of researchers at Mozilla, “Privacy Not Included,” which has reviewed the privacy and data collection policies of various product categories for several years now, recently turned their attention to modern-day vehicles, and what they found shocked them. Cars are, to put it shortly, a privacy nightmare.

According to the team’s research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consent to the collection of their data by simply being in the vehicle. Volkswagen says it collects data like a person’s age and gender and whether they’re using their seatbelt, and it can use that information for targeted marketing purposes.

But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: 

“We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race. And of course, as you said.. one of the most surprising ones for a lot of people who read our research is the sexual activity data.”

Today on the Lock and Code podcast with host David Ruiz, we speak with MacDonald and Jen Caltrider, Privacy Not Included team lead, about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

We also explore the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising. With so many data pipelines being threaded together, Caltrider says the auto manufacturers can even make “inferences” about you.  

“What really creeps me out [is] they go on to say that they can take all the information they collect about you from the cars, the apps, the connected services, and everything they can gather about you from these third party sources,” Caltrider said, “and they can combine it into these things they call ‘inferences’ about you about things like your intelligence, your abilities, your predispositions, your characteristics.” 

Caltrider continued:

“And that’s where it gets really creepy because I just imagine a car company knowing so much about me that they’ve determined how smart I am.”

Tune in today for the full conversation. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

TikTok flooded with fake celebrity nude photo Temu referrals

Sites and apps frequently gamify their products and experiences to grow their user base. It’s a relatively easy way to have their customers become more involved thanks to whatever incentives may be on offer. A game here, a rewards program there, and everyone is happy.

Well, almost everyone. If scammers insert themselves into the process then it may not all be plain sailing. Unfortunately, Bleeping Computer is reporting a wave of dubious Temu referral scams pretending to offer up salacious leaks of private celebrity photos.

These scams are being posted to video platform TikTok, where high visibility and the desire for good deals run the risk of making these fake ads go viral.

Temu, in operation since 2022, is known for offering a wide selection of goods at cheap prices. The site makes use of a rewards system, where users can generate referral numbers and send them to friends and family. The referral links are frequently shared in places like Facebook groups, which offer a combination of discounts. Mobile games tied to the referral process can often increase the discounts still further. This feedback loop of gaming and rewards is quite the successful combination in most instances.

So far, so good. Where this goes horribly wrong is a nasty wave of spam cluttering TikTok with the promise of fake celebrity nudes taking up space on the social network. Using the tagline “If you search it up, be prepared” along with common hashtags like “#anime, #manga, #art”, a variety of photos of celebrities are overlaid with text saying things like “I thought she was innocent”. It’s all very sleazy, tricking the viewer to install the Temu app and enter the referral number to see the supposedly leaked images.

But these images don’t exist, it’s just the main bait for the scam. As we’ve seen in the past, leaked photographs and celebrity deepfakes are a potent mix and guaranteed to drive clicks, traffic, or installations. Bleeping Computer cites Jenna Ortega, Brooke Monk, Hailie Deegan, and Olivia Rodrigo as just some of the celebrities used for this scam campaign.

The only good thing we can really say here is that the links don’t lead to phishing or malware. So far, it’s “just” scammers racking up store credit. However this is still a big problem for many reasons, not least of which for Temu which is faced with the possibility of people gaming its system.

Bogus celebrity nude promos posted to TikTok aren’t good for the platform or the users, and both services will have to try and take these fraudsters to task. Meanwhile, users can also do their bit and report any such videos they spot on their feeds. Nobody is posting genuinely leaked imagery to TikTok, and most definitely not for the purposes of store credit.

The promise of fake stolen imagery is one of the oldest tactics in the book, and yet remains a very effective resource in the scammer’s toolkit. Whether you hear about such a thing by email or social media, our advice is to steer clear. Apart from it being incredibly distasteful and quite possibly illegal depending on where you reside, you run a major risk of falling victim to a more serious form of scam.

Is a quick clickthrough for store credit or some other reward really worth putting your system at risk? We’d suggest that the answer is most definitely a resounding no.



Ransomware group claims it’s “compromised all of Sony systems”

Newcomer ransomware group RansomedVC claims to have successfully compromised the computer systems of entertainment giant Sony. As ransomware gangs do, it made the announcement on its dark web website, where it sells data that it’s stolen from victims’ computer networks.

RansomedVC announces it's compromised Sony

The announcement says Sony’s data is for sale:

Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan

We have successfully compromissed [sic] all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE

Sony has yet to comment on the matter, and it’s important to understand that we only have one side of the story—and the side we have comes from a group of criminals. The claims of Sony’s compromise may yet prove false or, perhaps more likely, exaggerated.

If RansomedVC is to be believed though, Sony has not caved into the group’s demands for a ransom, so good for Sony, bravo. Sometimes businesses feel they have to pay their extortionists, and we aren’t going to judge anyone for making that choice. However, we’re definitely happy to applaud loudly when they don’t pay.

If Sony has been breached then its customers will be understandably concerned to safeguard their data. With information so thin on the ground it’s too early to offer specific advice, but we suggest you read our guide to what you need to know if you’re involved in a data breach.

Should it confirm the breach, Sony will join a fairly lengthy list of games and entertainment companies that have had data stolen or ransomed. Games companies are prime targets for theft and extortion because of the high value and high profile of their intellectual property.

Notable victims have included Capcom and Ubisoft in 2020, and CD PROJEKT RED, makers of Cyberpunk 2077 and Witcher 3, in 2021, the same year that FIFA 21 source code was stolen from Electronic Arts. In 2022 Bandai Namco was attacked by ransomware, and Rockstar Games suffered a serious breach at the hands of the short-lived Lapsus$ gang.

RansomedVC is a new ransomware group, first tracked by Malwarebytes in August 2023 after it published the details of nine victims on its dark web site. The only departure it makes from the usual cut ‘n’ paste criminality of ransomware groups is that it threatens to report victims for General Data Protection Regulation (GDPR) violations. It describes itself as a “digital tax for peace”, but of course it isn’t. We’ve heard this a million times before, and it’s always just a cash grab.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A week in security (September 18 – September 24)

Last week on Malwarebytes Labs:

Stay safe!


T-Mobile spills billing information to other customers

Some T-Mobile customers logged into their accounts on Wednesday to find another customer’s billing and account information showing on their online dashboards.

T-Mobile denied there was an attack, but confirmed there had been a data leak. It said a “temporary system glitch” had misplaced some subscriber account information, causing it to appear on other subscribers’ profile pages.

“There was no cyberattack or breach at T-Mobile. This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.”

Given the great number and the nature of the complaints on social media, one might suspect that T-Mobile is underplaying or underestimating the situation. Some users said they could access the information of several other subscribers and that they had complained about the issue before.

Multiple users who reported the issue online said they were seeing the same alternate account as others. These T-Mobile app users discovered that their Bill tab was displaying someone else’s account information, which allowed them to view and access the bill pages and profile settings of other customers.

To worsen the problem, some users started changing the information they saw, believing they were correcting errors in their own details. Many payments were made on these accounts as well. This was likely also done by users unaware of the fact they were accessing someone else’s account.

The exposed information included customers’ names, phone numbers, addresses, account balances, and the expiration dates and last four digits of credit cards.

Victims should monitor their credit reports and be on alert for scammers using leaked information to trick them into giving up additional information, like bank account credentials.

Credit card companies have sophisticated fraud detection and alert systems. One way to be alerted to possible fraudulent activity on your account is to opt in to text message, call or email alerts. When you discover a fraudulent charge, call your credit card issuer right away to report the unauthorized charge. In most cases, if you report suspected fraud right away, you will not be liable for any unwanted charge, no matter the amount.

We will keep you posted here if more information about the issue becomes available. So, stay tuned!

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Don’t become a victim of identity fraud. Keep your identity, finances, and devices safe by using Cyrus.