IT NEWS

Google’s Bard conversations turn up in search results

Google is coming under scrutiny after people discovered transcripts of conversations with its AI chatbot Bard are being indexed in Google search results.

Bard is Google’s answer to ChatGPT, and allows users to hold conversations with an AI. Services like these have attracted a lot of attention because, with a bit of tweaking and practice, they can genuinely speed up tasks. However, many are worried about the security and privacy implications of using services like Bard and ChatGPT.

As an illustration of why people might be worried: after an update to Bard, users found that Google Search had begun to index shared Bard conversation links and show them in its results pages.

Tweet by the user who found the indexed conversations:

“Haha, Google started to index shared conversation URLs of Bard. Don’t share any personal info with Bard in conversation; it will get indexed and maybe someone will arrive on that conversation from search and see your info. Also, Bard’s conversation URLs are ranking as snippets for some queries as well.”

As it turns out, this only happens if the user chooses to share a conversation by generating a share link. That means that if you share your Bard conversation with a co-worker or relative by sending them the link, Google’s crawler can pick up that link and index the conversation. And once it is indexed it shows up in search results, spilling information you never meant to make public.

If you are curious and want a peek at the sort of conversations that have been indexed, type 'site:bard.google.com/share' into the Google Search bar and hit enter. At the time of writing I got 464 results, some of which really don’t look as if they were intended to be public knowledge.

Examples of indexed conversations that might have been private:

Google says that the indexing was not intended and that it is working on a fix:

“Bard allows people to share chats, if they choose. We also don’t intend for these shared chats to be indexed by Google Search. We’re working on blocking them from being indexed now.”

If you find damaging content of your own in the search results, you can file a removal request with Google.



Malwarebytes Admin update: New Detection screens to manage threats!

We released version 1.2 of the Malwarebytes Admin app for iOS and Android last week, adding new Detection features that make it easier to see and manage threats.

Designed as a companion to the Nebula console, Malwarebytes Admin allows administrators to quickly review, investigate, and resolve security issues in just a few taps. The latest version of the app features major new additions such as a Detections Screen, a Detections details screen, and dashboard filters.

With this update, customers get a detailed look at malicious activity in their environment so they can quickly spot and take action on infected endpoints. Let’s take a look at the new additions!

Dashboard View

In the dashboard view, scroll down to see the widget for latest Detections by category. 


Detections Screen

The Detections Screen allows Nebula administrators to see all of the detections in their environment. For each item in the detections list, admins can see:

  • Threat Name
  • Action Taken
  • Category (Malware, PUP, etc.)
  • Endpoint Name


Administrators are also able to filter detections by Endpoint Name, Threat Name, Action Taken, Category, and more. Date filters such as Today, Yesterday and Last 7 days are also available.

Detections Individual Screen

The Detections Individual Screen opens when a Nebula administrator taps a detection, and shows further details for that detection. Endpoint actions are also available from this screen.


Detections on Individual Endpoint Screen

Admins are able to navigate from the individual endpoint screen to a list of detections for that endpoint. The same filters from the Detections screen apply here.


Try Malwarebytes Admin today

No more having to make a beeline out of the bathtub to resolve critical alerts. Receive instant notifications on your phone and quickly review, investigate, and resolve issues in just a few taps—now with new Detection features to further streamline threat management.

Download the app for iOS or Android today and experience the convenience of having the power of Nebula right in your pocket.

Malwarebytes MDR wins G2 awards for “Best ROI,” “Easiest to Use,” and more

Malwarebytes Managed Detection and Response (MDR) earned a place in 12 of G2’s Fall 2023 reports, winning badges for “Easiest to do Business With,” “Best Est. ROI,” “Easiest to Use,” and “Easiest Admin.”

Purpose-built for resource-constrained teams, Malwarebytes MDR provides IT staff with high-focus alert monitoring and prioritization, with flexible options for remediating threats.

Each quarter, the peer-to-peer review source G2 releases reports highlighting MDR products with the highest customer satisfaction and strongest market presence. Badges are awarded to products that receive the highest overall ratings among certain categories, including the most satisfied customers. 

Let’s take a closer look at what real users said about using Malwarebytes MDR.

Easiest to Use, Easiest Admin


Malwarebytes MDR builds on the award-winning user experience of Malwarebytes Endpoint Detection and Response (EDR), enabling customers to seamlessly communicate with Malwarebytes MDR Analysts for recommendation and guidance.

On the Mid-Market Usability Index for Managed Detection and Response (MDR) for Fall 2023, G2 users rated Malwarebytes MDR several points above the industry average on the “Ease of Use” and “Ease of Admin” sub-scores.

“Malwarebytes MDR is simple to deploy and manage. They increase our security posture, meet cyber security insurance requirements, and make a great partner to augment my small IT team.”

Steve S.

“Malwarebytes MDR enables us to meet the need for 24×7 coverage with professional security experts who work in the industry every day.”

Matthew Verniere, IT Project Manager

Best Est. ROI


Malwarebytes MDR earned a “Best Estimated ROI” badge on the Mid-Market Results Index for Managed Detection and Response (MDR) in Fall 2023. Based on the survey results, customers with Malwarebytes MDR wait half as long as the industry average to go live and see ROI.

“Cyber threats are 24/7, and my team needs to sleep. The MDR team watching our network around-the-clock gives us a chance to sleep without worry. With Malwarebytes MDR backing us up, I also finally got to step away and take a two-week vacation. I’m just glad to know that we have a security team watching over our shoulders and making sure it’s all clear.” 

Dennis Davis, IT Systems Manager

Experience Malwarebytes MDR: Award-winning ROI, user-friendly, and effective threat defense

Malwarebytes MDR provides IT staff with award-winning business protection, offering 24×7 alert monitoring and guidance, active remediation, and threat hunting across endpoints. 

Try Malwarebytes MDR today and join the ranks of those who have already discovered the amazing results, support, and ROI of our exceptional managed service solutions: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Xenomorph hunts cryptocurrency logins on Android

Cryptocurrency owners should take heed of warnings related to Xenomorph malware—Bleeping Computer reports that the most recent version of Xenomorph now targets various cryptocurrency wallets using fake browser update messaging as bait.

Xenomorph is roughly a year old, first springing to prominence after an installation campaign via the Google Play store resulted in more than 50,000 hijacked Android phones. At the time, Xenomorph crept into the official Android store under false pretences.

As with so many mobile scams, pretending to be a system cleaning tool worked like a charm, and it bypassed some security measures by fetching the rogue component only after installation. In other words, Google Play wouldn’t have noticed anything untoward, because at the time of initial installation everything looked normal.

The malware abused permissions to log SMS, intercept notifications, and use overlays to grab login details for up to 56 different banks.

This on its own is already very malicious behaviour. A year later, Xenomorph is back with an impressive sequel in tow. It would be more accurate to say that this is part five: several revisions over the past 12 months have seen Xenomorph distributed in new ways and gain new features, like multi-factor authentication bypass and cookie stealing.

The new attack involves the use of that well-worn tradition, the fake browser update landing page. Bogus “Your Chrome needs updating” pages convince visitors to download and install the new rogue Android file.

At this point, Xenomorph deploys its most favoured tactic: the bogus overlay. These overlays mimic various banks and (now) the logins of multiple cryptocurrency services like MetaMask.

We’ve warned of the dangers of handing over your cryptocurrency secret recovery phrase to random websites and extensions many times. Even folks who are well versed in these kinds of scams may not realise a genuine looking overlay is coming from an entirely unrelated Android installation.

This latest version is said to target “more than 100 different targets” making use of crafted pages to try and swipe the user’s details. It also includes a so-called “mimic” feature which allows the malware to launch bogus activity from otherwise legitimate services. As Bleeping Computer notes, this technique means the fraudsters don’t need to hide icons from the app launcher which many security tools would note as potentially dubious behaviour.

Xenomorph has more tricks in this vein, like simulating user taps at specific screen locations and preventing the device from going to sleep, which helps it stay in contact with the command and control (C2) server issuing orders.

The researchers who made these discoveries also mention that the infrastructure hosting the rogue files contained additional malware, malware loaders, and Windows information stealers.

There’s a good chance some of these other files may already be in circulation, or could be at some point in the near future. If you receive browser update warnings while looking at websites, don’t hit that download button.

Browsers don’t typically announce the need for an update in the middle of a web page, and especially not while you are browsing. Update notifications sit in the browser’s own user interface, away from the page content, for example to the right of the address bar. Browsers also tend to update automatically without you doing anything. If you want to know whether an update is needed, clicking into “Help” or “About” will usually get the job done.

Whether on mobile or desktop, we strongly recommend keeping your updates set to automatic. Let the browser do its job and help to keep you secure, and do your bit by ignoring any popups or in-browser messaging with an urgent notification about supposed browser updates.


We don’t just report on Android security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Pegasus spyware and how it exploited a WebP vulnerability

Recent events have demonstrated very clearly just how persistent and widespread the Pegasus spyware is. For those who have missed the subtle clues, we have tried to construct a clear picture. We attempted to follow the timeline of events, but have made some adjustments to keep the flow of the story alive.

On September 12, 2023 we published two blogs urging our readers to urgently patch two Apple issues which were added to the catalog of known exploited vulnerabilities by the Cybersecurity & Infrastructure Security Agency (CISA), and to apply an update for Chrome that included one critical security fix for an actively exploited vulnerability.

The vulnerabilities were discovered as zero-days by Citizen Lab while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. The exploit chain based on these vulnerabilities could compromise devices without any interaction from the victim and was reportedly used by NSO Group to deliver its infamous Pegasus spyware.

Both of the vulnerabilities, CVE-2023-41064 and CVE-2023-4863, stem from the same heap buffer overflow in libwebp, the code library used to encode and decode images in the WebP format. The library is embedded in many other programs, such as web browsers, to add WebP support.

Security expert Ben Hawkes figured out that the vulnerability was in the “lossless compression” support for WebP, sometimes known as VP8L. A lossless image format stores and restores pixels with 100% accuracy, and WebP’s lossless mode relies on an entropy coding technique called Huffman coding.

As the vulnerability descriptions say, both issues are buffer overflows. A buffer overflow is a type of software vulnerability in which a program writes more data into a region of memory than was allocated for it, so the excess spills into an adjacent memory region.

The vulnerable versions of libwebp size their allocation using pre-calculated buffer sizes from a fixed lookup table, and then construct the Huffman tables directly into that allocation. Those pre-calculated sizes assume well-formed input. A specially crafted image file could trick libwebp into building tables larger than the allocation, so the data overflowed into other memory locations.
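To make that pattern concrete, here is a simplified illustration written for this article; it is not libwebp’s code and does not reproduce its real table layout. It builds a flat Huffman lookup table from a list of code lengths into a buffer whose size is a precomputed constant that is only correct when the lengths form a complete prefix code, shows where the unchecked builder runs past that buffer when the lengths are over-subscribed (the crafted-input case), and shows the check that rejects such input before the first write. ROOT_BITS, TABLE_ENTRIES, NO_SYMBOL, the function names and the single-level table are assumptions made for brevity; libwebp’s tables are two-level and far larger.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustration of the vulnerable pattern; not libwebp code. ROOT_BITS,
 * TABLE_ENTRIES and the single-level table are assumptions made for brevity. */
#define ROOT_BITS     4u
#define TABLE_ENTRIES (1u << ROOT_BITS)   /* precomputed size, valid only for a complete prefix code */
#define NO_SYMBOL     0xFFu

/* Entries the given code lengths actually demand. A symbol with code length L
 * occupies 2^(ROOT_BITS - L) slots of a table indexed by the next ROOT_BITS
 * input bits. For a complete code (Kraft sum == 1) the total is exactly
 * TABLE_ENTRIES; over-subscribed lengths (Kraft sum > 1) demand more. */
size_t required_entries(const uint8_t *lens, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] >= 1 && lens[i] <= ROOT_BITS)
            total += (size_t)1 << (ROOT_BITS - lens[i]);
    }
    return total;
}

/* Vulnerable shape: `table` was allocated with the precomputed TABLE_ENTRIES,
 * but the number of slots written is driven by the untrusted code lengths.
 * Canonical order (shorter codes first, then by symbol) makes the slots
 * contiguous, so the writes simply run off the end when the lengths are
 * over-subscribed: a heap overflow if `table` came from malloc. */
size_t build_table_unchecked(const uint8_t *lens, size_t n, uint8_t *table) {
    size_t pos = 0;
    memset(table, NO_SYMBOL, TABLE_ENTRIES);
    for (uint8_t len = 1; len <= ROOT_BITS; len++) {
        for (size_t sym = 0; sym < n; sym++) {
            if (lens[sym] != len) continue;
            size_t span = (size_t)1 << (ROOT_BITS - len);
            memset(table + pos, (int)sym, span);   /* no check that pos + span <= TABLE_ENTRIES */
            pos += span;
        }
    }
    return pos;
}

/* Hardened shape: validate the lengths against the size the allocation was
 * made for before the first write. Incomplete codes (Kraft sum < 1) are
 * accepted here and leave NO_SYMBOL slots, which a decoder must treat as an error. */
bool build_table_checked(const uint8_t *lens, size_t n, uint8_t *table, size_t cap) {
    if (cap < TABLE_ENTRIES) return false;
    if (required_entries(lens, n) > TABLE_ENTRIES) return false;
    build_table_unchecked(lens, n, table);
    return true;
}

/* Decode one symbol from the next ROOT_BITS bits of input (MSB-first). */
uint8_t lookup(const uint8_t *table, unsigned next_bits) {
    return table[next_bits & (TABLE_ENTRIES - 1u)];
}

/* Runs the scenarios a reviewer would try: a complete code, an over-subscribed
 * one (the crafted-input case) and an incomplete one. Returns true if all behave. */
bool self_check(void) {
    uint8_t table[TABLE_ENTRIES];
    const uint8_t complete[]        = {1, 2, 3, 3};  /* Kraft: 1/2 + 1/4 + 1/8 + 1/8 = 1 */
    const uint8_t over_subscribed[] = {1, 1, 1};     /* Kraft: 3/2 > 1, demands 24 slots */
    const uint8_t incomplete[]      = {1, 2};        /* Kraft: 3/4 < 1, fills 12 slots */

    if (!build_table_checked(complete, 4, table, sizeof table)) return false;
    /* canonical codes: sym0 = 0, sym1 = 10, sym2 = 110, sym3 = 111 */
    if (lookup(table, 0x0) != 0 || lookup(table, 0x7) != 0) return false;
    if (lookup(table, 0x8) != 1 || lookup(table, 0xB) != 1) return false;
    if (lookup(table, 0xC) != 2 || lookup(table, 0xE) != 3) return false;

    if (required_entries(over_subscribed, 3) != 24) return false;
    if (build_table_checked(over_subscribed, 3, table, sizeof table)) return false;

    if (!build_table_checked(incomplete, 2, table, sizeof table)) return false;
    if (lookup(table, 0xC) != NO_SYMBOL) return false;
    return true;
}

int main(void) { return self_check() ? 0 : 1; }
```

The point to take away is the shape, not the numbers: the allocation size is decided from a constant table during header parsing, while the write count is decided later from attacker-controlled code lengths, and nothing ties the two together. Fuzzers rarely produce over-subscribed length sets that also pass the rest of the parser, which is consistent with the bug surviving extensive fuzzing.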

Even a seasoned security expert like Ben Hawkes, who figured out where the problem was, had a hard time finding a way to exploit this issue. Imagine how much harder it must have been when there was no clue that a vulnerability even existed. It helps that libwebp is an open source library, so anyone interested can review the code. Ben explained that even extensive fuzzing had never revealed the problem.

Someone, or a group of people, must have taken it upon themselves to really dive into the code. Ben wrote:

“In practice, I suspect this bug was discovered through manual code review. In reviewing the code, you would see the huffman_tables allocation being made during header parsing of a VP8L file, so naturally you would look to see how it’s used. You would then try to rationalize the lack of bounds checks on the huffman_tables allocation, and if you’re persistent enough, you would progressively go deeper and deeper into the problem before realizing that the code was subtly broken. I suspect that most code auditors aren’t that persistent though — this Huffman code stuff is mind bending — so I’m impressed.”

Then again, seeing the amount of money that one could cash in for a fully functional exploit chain, there should be more than enough people willing to put in the work and shove their conscience aside.

Tweet offering $20 million for fully functional infection chains for iOS and Android: “$20 million for top-tier full-chain mobile exploits”

And although Google and Apple have issued updates to patch this vulnerability, libwebp is used in many other applications. And it may take a while before the Android update trickles down to every make and model. Regular readers may know that when there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users due to a patch gap. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android and the patches need to be tested before they can be rolled out on those versions.

NSO Group, which markets the Pegasus spyware, has shown it is interested in acquiring such exploits. As we wrote years ago, Pegasus has been around for a long time and we should not ignore its existence.

Our own David Ruiz wrote:

“Pegasus is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human right abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.”

Pegasus is not new. The company behind it launched in 2010, and it reportedly gained its first overseas customer just one year later. For years, Citizen Lab has been tracking the spread of Pegasus, searching for government clients and tracking down mobile devices that were hacked by the spyware. Back in 2016, the group’s investigations helped spur macOS updates to fix severe vulnerabilities that could have been exploited by Pegasus. In 2018, Citizen Lab also identified 45 countries that were potentially relying on Pegasus to conduct surveillance.

After learning about the findings from The Pegasus Project, former NSA defense contractor and surveillance whistleblower Edward Snowden warned that spyware is not a small problem. It is, he said, everywhere.

“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products. They’re not providing any kind of protection, any kind of prophylactic.”

Snowden said.

“They don’t make vaccines. The only thing they sell is the virus.”


We don’t just report on Android and iOS security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today. And keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Credit card thieves target Booking.com customers

Staff in the hospitality industry are trained to accommodate their guests, and when they have a few years of experience under their belt you can be sure they’ll have received some extraordinary requests.

That accommodating instinct is something clever cybercriminals are taking advantage of. Researchers at Perception Point recently documented a sophisticated phishing campaign targeting hotels and travel agencies.

The campaign raised alarm because of the clever scheme deployed to trick staff into installing an information stealer. This part of the campaign consists of highly targeted attacks.

The first stage of the attack typically sees the attackers send a query about a booking or make a reservation. The bookings will always have low or no cancellation costs so the attackers can minimize their investment.

Once the attackers receive a response, they’ll come up with a persuasive reason for the hotel staff to print or study something ahead of their arrival. Examples include medical records for a child or an important map they would like to print out for their elderly parents.

To add a touch of legitimacy and to evade detection, they even provide the hotel representative with a password to unlock these so-called “important files.”

Example of an email asking hotel staff to open a password-protected Google Drive file:

Image courtesy of Perception Point

In reality, the document contains malware hosted on a file sharing platform, such as Google Drive. The file is encrypted but is decrypted when the victim enters the password. The main executable file often has a misleading icon, such as one that makes it look like a pdf. Once the victim double-clicks on the file, the information stealer (or InfoStealer) is then unleashed.

The second step in this attack targets the customers, and was discovered by Akamai researchers.

After the InfoStealer runs on the original target’s (hotel or travel agent’s) systems, the attacker begins messaging that business’s legitimate customers. The message used in this campaign contains a link to what it claims is an additional card verification step. In reality, the link triggers an executable on the victim’s machine which gathers information about the browser and presents the recipient with several security validation questions.

Once the victim passes the tests, they are forwarded to a credit card phishing site masquerading as a Booking.com payment page. 

Tips for hospitality organizations

Besides having adequate up-to-date real-time protection on your systems, there are some general tips that can keep you out of trouble.

  • Always confirm the identity of anyone requesting sensitive information or access to internal systems.
  • Educate your team so they know how to recognize phishing attempts and where to report potential threats.
  • Invest in an email security solution which makes it harder for phishing emails and unknown malware to reach the intended target.
  • Never click on unsolicited links. 
  • Be cautious of messages that create a sense of urgency or threaten negative consequences if you don’t take immediate action.

Tips for consumers

These phishing schemes are exceptionally well thought out and tailored so victims are more likely to click. Still, there are some red flags that can help you prevent falling victim.

  • Double check unexpected communications which ask for additional payments or payment details. There is no harm in asking for clarification or confirmation.
  • Inspect links before you click on them to see whether they lead to where you expect.
  • Do not send information that the booked accommodation should already have or shouldn’t need at all.
  • Be suspicious of urgent or threatening messages asking for immediate action.

Identity theft victims

If you suspect you are a victim of credit card identity theft, the FTC recommends you contact your bank or credit card company to cancel your card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.

To find out if you are a victim:

  • Review your transactions regularly to make sure no one has misused your card, and consider credit monitoring.
  • If you find fraudulent charges, call your bank’s fraud department to alert them.
  • Check your own credit report at annualcreditreport.com.
  • Consider freezing your credit report. This stops new creditors and potential thieves from accessing your credit report.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Child health data stolen in registry breach

Canadian healthcare organization Better Outcomes Registry & Network (BORN) has disclosed a data breach affecting client data.

BORN—an Ontario perinatal and child registry that collects, interprets, shares, and protects critical data about pregnancy, birth, and childhood—says it was attacked on May 31, 2023.

A subsequent investigation has shown that during the breach, unauthorized copies of files containing personal health information were taken from BORN’s systems. The personal health information that was copied was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023.

BORN says that the data breach happened as a result of a vulnerability in some software it uses for file transfers, Progress MOVEit. This vulnerability was exploited by a ransomware gang known as Cl0p, before Progress was even aware a vulnerability existed.

Sadly, it’s not just BORN that has had children’s data stolen as a result of that vulnerability. The National Student Clearinghouse (NSC) has also reported that nearly 900 colleges and schools across the US also fell victim to the Cl0p ransomware gang, as a result of using MOVEit to transfer files.

As we have mentioned before, identity theft is a serious problem, especially when it affects children. Identity thieves love preying on minors, simply because it usually takes longer before the theft is noticed.

Countermeasures

BORN states that there are no additional steps you need to take. Its incident summary says:

“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes. We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”

However, you have every right to become anxious that your child might start receiving credit offers in the mail or unexpected activity on their email, phone or bank accounts.

So, if you become aware of anything suspicious, or even just for peace of mind, you can request a security freeze for your child at each of the three national credit bureaus (Experian, TransUnion and Equifax).

When you request a security freeze, the bureau creates a credit report for your child and then locks it down, so that any lender who attempts to process an application that uses your child’s credentials will be denied access to their credit history. This prevents any loans or credit cards being issued in the child’s name. When the child becomes an adult you’ll have to lift the freeze by contacting each credit bureau individually.

Read our tips on how to protect your identity, or, if you believe you are already the victim of an identity crime, contact the Identity Theft Resource Center. You can speak to an advisor toll-free by phone (888.400.5530) or via live chat on its website, idtheftcenter.org.



Webinar: Bridging digital transformation & cybersecurity

Digital transformation may be revolutionizing businesses and the way we operate, but it also presents a notable challenge: How can organizations stay secure amidst the ceaseless tide of change? Our latest Byte Into Security webinar has the answers.

Meet the Experts

  • Marcin Kleczynski, CEO of Malwarebytes, teams up with
  • Chris Brock, Drummond’s Chief Information Officer. Chris shares how his 15-person IT team balanced dramatic organizational changes with maintaining a robust security posture.

On-the-Ground Insights

In the webinar, Chris details:

  • The specific challenges digital transformation posed to his IT team and the broader organization.
  • How Drummond prioritized resources for maximum efficiency and impact.
  • The role of Managed Detection and Response (MDR) in fortifying security, while saving IT time, resources, and budget.

What to Expect

  • Forward-thinking security strategy: Learn about tools and tactics that transition businesses from reactive security measures to proactive protection amidst digital shifts.
  • Tailored training: Security awareness training best practices for businesses of all sizes.
  • Leveraging MDR: Real examples showcasing how MDR was instrumental in Drummond’s digital evolution, helping to close security holes across multiple categories.
  • True IT downtime: How IT professionals can take well deserved vacations without interruption.

If you’re seeking to understand how digital transformation, security, worker productivity and business growth evolve in tandem, this webinar is your roadmap.

Watch on-demand now

What does a car need to know about your sex life? Lock and Code S04E20

This week on the Lock and Code podcast…

When you think of the modern tools that most invade your privacy, what do you picture?

There’s the obvious answers, like social media platforms including Facebook and Instagram. There’s email and “everything” platforms like Google that can track your locations, your contacts, and, of course, your search history. There’s even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. 

But here’s a surprise answer with just as much validity: Cars. 

A team of researchers at Mozilla, which has reviewed the privacy and data collection policies of various product categories for several years under the name “Privacy Not Included,” recently turned their attention to modern-day vehicles, and what they found shocked them. Cars are, to put it shortly, a privacy nightmare.

According to the team’s research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consent to the collection of their data by simply being in the vehicle. Volkswagen says it collects data like a person’s age and gender and whether they’re using their seatbelt, and it can use that information for targeted marketing purposes.

But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: 

“We were pretty surprised by the data points that the car companies say they can collect… including social security number, information about your religion, your marital status, genetic information, disability status… immigration status, race. And of course, as you said… one of the most surprising ones for a lot of people who read our research is the sexual activity data.”

Today on the Lock and Code podcast with host David Ruiz, we speak with MacDonald and Jen Caltrider, Privacy Not Included team lead, about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

We also explore the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising. With so many data pipelines being threaded together, Caltrider says the auto manufacturers can even make “inferences” about you.  

“What really creeps me out [is] they go on to say that they can take all the information they collect about you from the cars, the apps, the connected services, and everything they can gather about you from these third party sources,” Caltrider said, “and they can combine it into these things they call ‘inferences’ about you about things like your intelligence, your abilities, your predispositions, your characteristics.” 

Caltrider continued:

“And that’s where it gets really creepy because I just imagine a car company knowing so much about me that they’ve determined how smart I am.”

Tune in today for the full conversation. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

TikTok flooded with fake celebrity nude photo Temu referrals

Sites and apps frequently gamify their products and experiences to grow their user base. It’s a relatively easy way to have their customers become more involved thanks to whatever incentives may be on offer. A game here, a rewards program there, and everyone is happy.

Well, almost everyone. If scammers insert themselves into the process then it may not all be plain sailing. Unfortunately, Bleeping Computer is reporting a wave of dubious Temu referral scams pretending to offer up salacious leaks of private celebrity photos.

These scams are being posted to video platform TikTok, where high visibility and the desire for good deals runs the risk of making these fake ads go viral.

Temu, in operation since 2022, is known for offering a wide selection of goods at cheap prices. The site makes use of a rewards system, where users can generate referral numbers and send them to friends and family. These referral links are frequently shared in places like Facebook groups, and using them unlocks a combination of discounts. Mobile games tied to the referral process can often increase the discounts still further. This feedback loop of gaming and rewards is quite the successful combination in most instances.

So far, so good. Where this goes horribly wrong is a nasty wave of spam cluttering TikTok with the promise of fake celebrity nudes. Using the tagline “If you search it up, be prepared” along with common hashtags like “#anime, #manga, #art”, a variety of photos of celebrities are overlaid with text saying things like “I thought she was innocent”. It’s all very sleazy, tricking the viewer into installing the Temu app and entering the referral number to see the supposedly leaked images.

But these images don’t exist; they are just the bait for the scam. As we’ve seen in the past, leaked photographs and celebrity deepfakes are a potent mix and guaranteed to drive clicks, traffic, or installations. Bleeping Computer cites Jenna Ortega, Brooke Monk, Hailie Deegan, and Olivia Rodrigo as just some of the celebrities used for this scam campaign.

The only good thing we can really say here is that the links don’t lead to phishing or malware. So far, it’s “just” scammers racking up store credit. However, this is still a big problem for many reasons, not least for Temu, which is faced with the possibility of people gaming its system.

Bogus celebrity nude promos posted to TikTok aren’t good for the platform or the users, and both services will have to try and take these fraudsters to task. Meanwhile, users can also do their bit and report any such videos they spot on their feeds. Nobody is posting genuinely leaked imagery to TikTok, and most definitely not for the purposes of store credit.

The promise of fake stolen imagery is one of the oldest tactics in the book, and yet remains a very effective resource in the scammer’s toolkit. Whether you hear about such a thing by email or social media, our advice is to steer clear. Apart from it being incredibly distasteful and quite possibly illegal depending on where you reside, you run a major risk of falling victim to a more serious form of scam.

Is a quick clickthrough for store credit or some other reward really worth putting your system at risk? We’d suggest that the answer is most definitely a resounding no.

