IT NEWS

Update now, there’s a Chrome zero-day in the wild

Google has announced an important update for Chrome to help fend off a zero-day. The update fixes several issues, and readers are advised to ensure they’re using the latest version of the browser.

Mitigation

If you’re using Chrome on Mac, Windows, or Linux, you need to update as soon as you possibly can. If you’re using a standard Chrome setup then updates should be applied automatically. However, this won’t happen if you never close your browser, or if the update is blocked by something like a fault in an installed extension.

It’s always good to check, especially when something bad is floating around potentially helping to compromise devices. One easy way to do this is to navigate to chrome://settings/help or to click Settings > About Chrome.

Chrome will show you the version you’re on and whether an update is available. Once you’ve downloaded the update, relaunch the browser and everything should be good to go. If everything has worked as it should, you should now be running the latest version. At the time of writing the most recent update being offered is 112.0.5615.138.

Chrome update

This will fix eight vulnerabilities, although the update is currently only available for Mac and Windows. The Linux version is still being worked on.

Vulnerability

The exploit page for CVE-2023-2136 has few details available, as is the usual pattern followed by Google when something like this happens. Details are generally held back to give people time to patch, without offering any clues to cybercriminals about how they might exploit the vulnerability. So far, the only information we have is:

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

An integer overflow is a programming error that allows an attacker to manipulate a number the program uses in a way that might be harmful. If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overload a buffer with more data than it’s expecting, which creates a route for the attacker to manipulate the program.

Skia is a graphics library (a set of reusable code) used by Google Chrome. In this case the error allows an attacker to escape the shackles of Chrome’s “sandbox”, a security feature that should prevent malicious code from affecting the system that Chrome is running on.
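To make the overflow-to-buffer-overflow chain described above concrete, here is an added C example written for this article; it is not Skia’s or Chromium’s code and says nothing about the specific CVE-2023-2136 bug. It assumes a hypothetical image decoder that sizes its pixel buffer as width × height × 4 in 32-bit arithmetic, and shows the wrapping computation next to a checked version that rejects dimensions whose true size does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decoder (constructed for this example, not Skia code):
 * a pixel buffer is sized as width * height * BYTES_PER_PIXEL. */
#define BYTES_PER_PIXEL 4u

/* Vulnerable pattern: the product is computed in 32-bit arithmetic, so
 * large dimensions wrap modulo 2^32 and yield a small, wrong size.
 * Code that later walks the image row by row still trusts width and
 * height, so its writes run past the end of the too-small allocation. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened pattern: test each multiplication before performing it and
 * return 0 (failure) when the true size does not fit in uint32_t.
 * This is the portable division-based check; __builtin_mul_overflow is
 * the GCC/Clang shorthand for the same test. */
int checked_buffer_size(uint32_t width, uint32_t height, uint32_t *out)
{
    uint32_t pixels;
    if (height != 0 && width > UINT32_MAX / height)
        return 0;                       /* width * height would wrap */
    pixels = width * height;
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)
        return 0;                       /* pixels * 4 would wrap */
    *out = pixels * BYTES_PER_PIXEL;
    return 1;
}

/* The number of bytes a row-writing loop would really touch, computed
 * in 64 bits so it cannot wrap and can be compared with the allocation. */
uint64_t bytes_required(uint32_t width, uint32_t height)
{
    return (uint64_t)width * (uint64_t)height * BYTES_PER_PIXEL;
}

/* 1 if a buffer of 'size' bytes can hold the whole image, else 0. */
int buffer_fits_image(uint32_t width, uint32_t height, uint32_t size)
{
    return bytes_required(width, height) <= size;
}

int main(void)
{
    /* Constructed header values: 65537 x 65536 pixels. The true size is
     * 65537 * 65536 * 4 = 17,180,131,328 bytes, but 65537 * 65536 =
     * 2^32 + 65536 wraps to 65536, so the unchecked size is only
     * 65536 * 4 = 262,144 bytes: a 256 KiB buffer for a 16 GiB image. */
    uint32_t w = 65537u, h = 65536u, size;

    uint32_t bad = unchecked_buffer_size(w, h);
    printf("unchecked size: %u bytes (really needs %llu)\n",
           bad, (unsigned long long)bytes_required(w, h));
    printf("buffer fits image? %s\n",
           buffer_fits_image(w, h, bad) ? "yes" : "no");

    if (!checked_buffer_size(w, h, &size))
        printf("checked: rejected oversized image\n");

    if (checked_buffer_size(640u, 480u, &size))
        printf("checked: 640x480 needs %u bytes\n", size);
    return 0;
}
```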


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Would-be hitman busted after being fooled by parody website

A member of the Air National Guard is facing federal charges after applying for a job online as an assassin. According to a Justice Department press release, Josiah Ernesto Garcia from Hermitage, Tennessee, was arrested by an undercover federal agent at a park on April 12, 2023.

The FBI affidavit says Garcia was looking for a good-paying job to support his family. He reportedly told the undercover agent:

“Im [sic] looking for a job, that pays well, related to my military experience (Shooting and Killing the marked target) so I can support my kid on the way. What can I say, I enjoy doing what I do, so if I can find a job that is similar to it, (such as this one) put me in coach!”

He is alleged to have started looking for “contract mercenary jobs” in mid-February, eventually coming across RentAHitman.com, a website for a cybersecurity startup that later turned into a parody site, after receiving inquiries about murder-for-hire services. The site contains false testimonials, a form where people can request hit services, and a career inquiry page for anyone wanting to apply as a hired killer.

Completely missing numerous red flags, Garcia reportedly applied to become a hitman. He then made several follow-up messages to the site’s administrator, and provided his identification documents and a resume that indicated he had been in the Air National Guard since 2021, where he reportedly earned the nickname “Reaper” for his excellent marksmanship.

The FBI eventually intervened and set up a sting to capture Garcia. An undercover agent posing as a recruiter offered Garcia a hit on an individual for $5,000. They met at a park, and the agent handed Garcia information about a fictitious target that included photographs, fake personal details, and a down payment of $2,500.

“Defendant met with an FBI undercover agent and participated in detailed discussions expressing his interest in torturing and killing people for money,” the affidavit says. “After being offered many opportunities to withdraw from the employment offer, [D]efendant accepted payment to kill a person.”

After receiving the packet and the money, Garcia asked the agent if he needed to provide a photo of the dead body. He was swiftly arrested and charged with “the use of interstate facilities in the commission of murder-for-hire.” Subsequently, the FBI searched Garcia’s home and recovered his AR-15 rifle.

After waiving his Miranda rights, Garcia reportedly told investigators “he had second thoughts about the hitman job and changed his mind,” after getting a job offer from Vanderbilt University Medical Center. The affidavit says that “Garcia stated that he was meeting the UCE [undercover employee] to tell him he had changed his mind and did not want to do this kind of work. Garcia stated that he was going to call the UCE when he got to his car and leave the money on the curb for the UCE to pick up.”

According to the charge, Garcia faces up to 10 years in prison if convicted.



US Facebook users can now claim Cambridge Analytica settlement cash

US-based Facebook users can now claim a piece of the enormous settlement payment by Meta, Facebook’s parent company, over the Cambridge Analytica scandal. This news follows Meta agreeing to pay $725 million in December 2022 to settle the longstanding class action lawsuit filed by Lauren Price in 2018.

Price accused the company of unlawful business practices concerning its use and distribution of users’ personal data. Price was a Facebook user for eight years before the scandal happened. Her lawsuit asked for $500 million.

As part of the settlement, US Facebook users—those still active and those who have already deleted their accounts—will be compensated financially. CNN points potentially affected and eligible users to this claim form.

It takes only a few minutes to complete. Although the form asks for personal information, it clarifies that what users provide “will be processed only for purposes of effectuating the settlement.”


Because of the amounts of money involved, and the personal information required to make a claim, readers are advised to be careful of imposter claim forms and websites asking for their details.

Furthermore, claimants are advised to whitelist the email address, confirmation@facebookuserprivacysettlement.com, to ensure they receive future correspondence from the settlement administrator should they need to get in touch.

As to how much each claimant might get, it depends on the number of submitted valid claims and how long claimants were Facebook users.

“We pursued a settlement as it’s in the best interest of our community and shareholders,” said Dina Luce, Meta spokesperson, in a statement following the settlement agreement in December. “Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program. We look forward to continuing to build services people love and trust with privacy at the forefront.”



Fancy Bear known to be exploiting vulnerability in Cisco routers

In a joint advisory, the UK National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released information about APT28’s exploitation of Cisco routers in 2021.

Now please don’t stop reading because you think this is old news. If you think 2021 is long ago, maybe you will be surprised to learn that the vulnerability used in these attacks was actually discovered in 2017.

Cisco published workarounds and updates for this vulnerability in June of 2017. Nevertheless, the advisory says that the mentioned tactics, techniques, and procedures (TTPs) may still be being used against vulnerable Cisco devices.

APT28 (also known as Sofacy and Fancy Bear) is the name for an advanced group of cybercriminals of Russian origin which is commonly believed to be part of the Russian Staff Main Intelligence Directorate (GRU). Previous activities include cyberattacks against the German parliament in 2015, and an attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK.

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a standardized framework and a common language for monitoring and managing devices in a network. SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be abused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network. In 2021, APT28 used infrastructure to masquerade SNMP access into Cisco routers worldwide.

This was possible because the SNMP subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to reload. These vulnerabilities affect all releases of Cisco IOS and IOS XE Software prior to the first fixed release, and they affect all versions of SNMP (versions 1, 2c, and 3). An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

Enter Jaguar Tooth, the name of the malware that APT28 used to obtain further device information and to enable unauthenticated access via a backdoor. The actor obtained this device information by executing a number of commands via the malware and sending the output out over Trivial File Transfer Protocol (TFTP). The information includes discovery of other devices on the network.

Discovery and countermeasures

Should you be worried about this threat? That depends on your threat model. If there is a reason for state actors to be interested in you in some way, then the answer is yes. This is the type of threat that the UK’s Minister and Secretary of State for National Investment Security, Mr Dowden, is referring to when he talks about groups that are ideologically motivated, rather than financially motivated.

If you suspect your router has been compromised, you can follow Cisco’s advice for verifying the Cisco IOS image. If that does not take away your suspicion, you should:

  • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
  • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.

To prevent falling victim to this specific threat there are some steps you should take:

  • Patch devices as advised by Cisco
  • Do not use SNMP if you are not required to configure or manage devices remotely. If you do need it, use a limiting allow list for SNMP messages to prevent unauthorized users from accessing your router.
  • Review your password policy and adapt it where necessary.
  • Use logging tools to record commands executed on your network devices.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

FTC tackles tech support scams by chasing payment processor firms

A multinational payment processing company and two of its executives are facing a potential $650k fine as a result of allegedly processing credit card payments for tech support scammers. While this fine isn’t exactly massive in comparison to some of the privacy breaches and other incidents seen down the years, the original fine the company was handed was an eye-watering $49.5m. The fine was reduced alongside an agreement to court orders which involve close monitoring of “high-risk clients”.

From the FTC release:

The Federal Trade Commission has acted to stop Nexway, a multinational payment processing company, along with its CEO and chief strategy officer, from serving as a facilitator for the tech support scammers through credit card laundering.

The FTC’s complaint against Nexway (and several of its subsidiaries and an associated company known as Asknet), its CEO Victor Iezuitov, and its chief strategy officer Casey Potenzone charges that the defendants were at the center of several offshore tech support scams, processing tens of millions of dollars in charges and giving the scammers access to the US credit card network.

A big part of the complaint is in relation to the so-called “premium tech support” customers using the Nexway system for credit card payment processing. The FTC alleges that a Nexway leadership meeting indicated that it was “strongly dependent” on its premium tech support clients, which represented 25% of Nexway’s revenue.

Additionally, the complaints related to the individual tech support scammers were in great supply. So much so that chargebacks (a way for people to dispute charges they feel to be wrong, like realising they’ve been hit by a tech support scam) and cancellations were in no short supply. From the complaint, in relation to one support scam outfit using Nexway for payment processing:

…on February 10, 2017, the Senior Key Account Manager at Nexway sent Potenzone an email titled “Nexway/TechLiveConnect: Chargeback & Cancellation rates”. The February 10, 2017 email included a table showing Tech Live Connect had (1) chargeback rates of 2.2% in November 2016, 2.6% in December 2016, and 1.5% in January 2017; and (2) cancelation rates of 23.2% in November 2016, 27% in December 2016, and 21.8% in January 2017.

Credit card companies keep a sharp lookout for signs of repeated dubious transactions happening via fraud monitoring programs. From the complaint:

Nexway had such high chargebacks that Visa placed the company in its Chargeback Monitoring Program in December 2017.

Something was clearly amiss here, and complaints from consumers about pop-ups, screens locking up while a siren plays, and bogus virus warnings, made to the Better Business Bureau and elsewhere, lead us to where we are today.

Tech support scams have been around forever, and often ride on the coattails of established brands to sell their wares. This kind of scammer has imitated everything from Microsoft to genuine security firms down the years. If you’re an organisation unfortunate enough to be imitated, you can also expect to field support calls from understandably annoyed people who think that you’ve ripped them off, as opposed to the genuine culprits.

Tips for avoiding tech support scams

There’s a huge amount to cover with this style of attack, but here’s a few of the basics to get you up to speed:

  • Beware the lock up. If your browser or mobile device “locks up”, as in you’re no longer able to navigate away from a virus warning, you’re on a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible (for example, by pressing CTRL+ALT+DEL on a Windows PC) or restart your device if this doesn’t work.
  • Screenlocker issues. These are typically fake Windows Blue Screen of Death error pages, except they come with the tech support scammer’s phone number included. You may need one of our removal self-help guides to resolve this.
  • Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders. 
  • Did you already pay? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC, or contact your local law enforcement agency depending on your region.

For a very detailed breakdown of tech support scams, how they operate, and more suggestions to keep yourself safe from harm, please check out our dedicated tech support scams page.



QBot changes tactic, remains a menace to business networks

QBot, an infostealer-turned-dropper that aids criminal gangs in their malicious campaigns, is now being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF), according to recent discoveries by malware hunter Proxylife (@pr0xylife) and the Cryptolaemus group (@Cryptolaemus1).

The last time QBot (aka QakBot) had its modus operandi changed was in November. Campaign operators adopted tactics from Magniber’s playbook to successfully exploit a Mark of the Web (MotW) zero-day flaw to run a JavaScript (JS) that executed QBot.

The latest QBot phishing campaign is illustrated simply in the diagram below:

The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

The attack starts with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment. BleepingComputer has noted that these phishing emails use a variety of languages. This means the language barrier is absent in such an attack, so any business from any part of the world could be affected.

A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)

Once someone in the email chain opens the attached PDF, they see a message saying, “This document contains protected files, to display them, click on the ‘open’ button.” Clicking the button downloads a ZIP file containing the WSF script.


The heavily obfuscated script contains a mix of JS and VBScript code that, when run, launches a PowerShell command that downloads the QBot DLL from a list of hardcoded URLs. The script tries each URL in turn until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into wermgr.exe, a legitimate Windows Error Manager program, to run quietly in the background.

Because QBot is said to be used by operators of ransomware-as-a-service (RaaS) offerings, its presence in company systems could be disastrous. Therefore, any organization must take its QBot-infected systems offline as soon as possible and thoroughly scan and review network logs for unusual behavior.

The DFIR Report in February 2022 showed QBot collecting data from a compromised system 30 minutes after infecting it. Within an hour, QBot can be spread to adjacent systems.

Malwarebytes detects the malicious DLL (QBot).




What your peers said: G2 comparison of top Endpoint Security vendors

Navigating the world of endpoint security is challenging, with numerous vendors stoking FUD and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Spring 2023 Grid Reports, Malwarebytes earned the title of ‘Leader’ in 24 categories, including the #1 spot in Endpoint Protection, the Best ROI for EDR, and #1 for EDR implementation in the mid-market segment.

Let’s take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

#1 Endpoint Protection: Highest Rated for Results, Relationship, and More

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including “Ease of setup,” “Ease of admin,” “Quality of support”, and more.


Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “Best Results” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

“Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”

Chris S.

“Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”

Robert S.

“I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”

Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “Best Relationship” badge by having the highest combination of “Likely to Recommend,” “Ease of business,” and “Quality of Support” ratings. Here’s what some of our customers had to say:

“The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”

Gary P.

“Highly recommended, and their support team is the best you can ask for!”

Rifaat K.

Best ROI for EDR: Rapid Return on Investment

Our EDR solution delivers an impressive return on investment by quickly enhancing your organization’s security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the best estimated ROI (payback period in months) on the Enterprise Grid® Report for Endpoint Detection & Response (EDR) at just 14 months, compared to Crowdstrike at 22 months.

“The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”

Ron M.

“It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”

Tyson B.

Most Implementable EDR: Seamless Setup and User-Friendly Experience

On the Mid-Market Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

  • Malwarebytes EDR has an Implementation Score of 89%, which is higher than the industry average of 82%.
  • Ease of Setup: Malwarebytes EDR scores 95% in ease of setup, compared to the industry average of 90%.
  • Average User Adoption: Malwarebytes EDR has an average user adoption rate of 91%, surpassing the industry average of 85%.
  • Time to Go Live (Months): The average time it takes for Malwarebytes EDR to become fully operational is just 0.49 months, over 2X shorter than the industry average of 1.41 months.

“If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”

Mauro B.

“Very easy to install and deploy, setup, and configure – for instance – a 5 machine setup would take roughly ~10 mins from start to finish.”

Verified User

“Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings.”

Doug C.


Two options to easily begin deployment with your endpoint users in Nebula

Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

Upgrade to Enterprise-Grade Protection


Malware authors join forces and target organisations with Domino Backdoor

There’s a new ransomware gang in town, stitched together from members of well known threat creators to push a new kind of malware focused on punishing unwary organisations. The malware family, called “Domino”, is the brainchild of FIN7 and ex-Conti ransomware members.

Domino has been seen in attacks since at least February 2023 according to researchers at IBM Security Intelligence. Domino is being used to further the spread of backdoors like Cobalt Strike and information stealers such as Project nemesis.

This specific group has previously been seen making use of a malware loader called “Dave Loader”, serving up a variety of well known files like IcedID (a modular banking trojan) and the infamous Emotet. The latter, another banking trojan which branched out into delivering additional malware files, was most recently seen in an IRS themed spam campaign. As the IBM researchers note, both of these are often used as a starting point for ransomware attacks.

Recently, the Dave Loader attacks have been observed including what has now come to be known as Domino files, and the Domino Backdoor in particular. Along with gathering “basic system information”, it receives an encrypted payload once the initial system data has been sent to the command and control center.

The file placed on the target PC was found to be similar enough to the original Domino Backdoor that it’s been named the Domino Loader. This Loader drops a payload called Nemesis Project, a .NET infostealer.

This “project” stealer has been around for a couple of years now, and tries to grab data from numerous browsers and applications including gaming platforms, VPNs, and cryptocurrency wallets. The researchers note that the stealer in question was originally advertised on forums with a sale price of $1,300 and in terms of data theft, the author of the file has this to say:

  • Collection of data from Chromium browsers (passwords, cookies, bookmarks, history)
  • Collection of data from Gecko browsers (cookies, passwords, history)
  • Grabbing links from the desktop
  • Collection of system information in HTML format
  • Telegram sessions
  • Collection of Discord tokens

It can also be set to block startup inside of a virtual machine (often used to test malware files), lock the startup if found to be running in a CIS country, and self-delete after sending the stolen data. Alongside all of this, Nemesis comes with a control panel, operated online, where the data can be accessed. All in all, it’s not something you’d want lurking on your network.

Bleeping Computer highlights that many ransomware groups and malware authors often work together, as it’s frequently an easier way to get a head start on compromising a network. The constant mashing up of files and intrusion tactics makes it harder for organisations to get to grips with the latest wave of attacks and also keeps security researchers on their toes. This current campaign is, sadly, no different.



Introducing the Malwarebytes Admin app: Endpoint security at your fingertips

If you’re on the beach sipping piña coladas, the last thing you probably want to do is rush to your desktop and address a critical security issue.

And yet, this is the reality for many IT security professionals today. Regardless of the time or current location, security pros are expected to drop everything at a moment’s notice and swoop in to save the day.

But being tethered to a desktop workstation can blur the boundaries between work and personal life. This inflexibility not only leads to additional stress and pressure on IT professionals, but also can delay response times as they scramble back to their workstation to put out fires. Even just taking a break is hard without the fear of leaving the system unattended.

Enter the Malwarebytes Admin app.

Designed as a companion to the Nebula console, the mobile app now allows administrators to manage alerts and perform essential tasks right from their iOS devices. No more being tied to a computer: you can now handle incidents and execute administrative functions wherever you are.

So sit back, relax, and enjoy an uninterrupted piña colada as we delve into the key features of the Malwarebytes Admin app.

Getting started: Setting up the Malwarebytes Admin app


  1. Download the Malwarebytes Admin app from the App Store. It is available for free for all Nebula users.
  2. Log in with your Nebula console credentials. The app is accessible to users with admin or read-only privileges on the Nebula console.

NOTE: Malwarebytes Admin is an enterprise solution intended for IT admins. Malwarebytes Admin will not operate on your device without the required license for Nebula.

Navigating the app: Dashboard and features


Once logged in, the first screen you will see is the Dashboard.

Here, you can quickly assess the protection status of all endpoints, view detections by type, and view your license usage.

Managing endpoints: Endpoint list and actions


The Endpoint List displays all the endpoints you are managing.

The badges let you know which endpoints need immediate attention. The list can be filtered by status, OS, OS version, group, or policy, and you can search for specific endpoint names.

Selecting the “Actions” button lets you take various actions on the chosen endpoints, such as scanning, isolating, updating agents, checking for updates, and remediating endpoints.

Viewing endpoint information

Tapping on a specific endpoint allows you to view its general information, such as host, location, operating system, and network interfaces.

Adding users


With the Malwarebytes Admin app, you can add new users to the console by sending email invitations. You can assign roles (Super Admin, Admin, Read-only), add users to existing groups, delete users, resend invites, and edit user roles or group membership.

Future developments

While the Malwarebytes Admin app currently offers a wide range of features, there are some functionalities reserved for future updates. For example, while the app is only available for iOS right now, an Android app will be coming out soon. Additional features include detailed information on detections, push notifications on alerts, and more.

A game changer for IT security professionals

There’s no question that being tied to a desktop while managing threats can exacerbate the stress IT security professionals experience daily. That’s why we released the Malwarebytes Admin app, a game-changer for endpoint security management.

No more having to make a beeline out of the bathtub to resolve critical alerts. Receive instant notifications on your phone and quickly review, investigate, and resolve issues in just a few taps.

Download the app today and experience the convenience of having the power of Nebula right in your pocket!


Instagram scam promises money in exchange for your image

We’re seeing a number of complaints on Reddit and elsewhere regarding a scam which flares up every so often. It’s called the “Muse scam”, and targets users of Instagram.

Let’s hear from one of the Reddit posters impacted:

An artist approached me on Instagram asking if they could use one of my photos for their up and coming project at a legitimate art museum. The profile looked good too. Actual photos of the person messaging me and photos of their work in a well laid out time line as well. I told them they could use my photo but they had insisted I needed to be paid in order to show the museum the proof of my consent. And that my payments were through the museum as well. I was a bit uncomfortable but they assured me everything was safe and even showed me screenshots of other people doing this as well. I thought “what could go wrong?”

What could go wrong, indeed.

Then a third party started messaging me after I had given the artist my phone number and full name. The messages were coming from an email. They quickly pressured me into doing a mobile check deposit and that everything was legit. It all happened so fast. I didn’t even have time to fully think it through but I guess that is exactly what they want. I did the deposit.

“Luckily” for this person, the payment amount in this example ($100 for art supplies) is not typical for this scam, and significantly lower than usual. The most common approach involves the scammer sending you a check, often in the region of $2,500. This is supposed to be your “payment”. From this, you’re supposed to take something in the region of $500 and forward this money on to the artist for the cost of materials. From another recent Reddit example:

Someone said that they’ll want some muse for an art thing, and so she sent me a check of $2500 to pay me $500 with the remaining $2000 sent to her. Is this a scam?

It is indeed. At this point, if you pay up then you’re $500 down from your own money. You also have a check pending against your account. After a few weeks, with the scammer long gone, the check will eventually bounce and the full amount of the check will be clawed back from your own finances.

Some of the scammers also include attachments with their messages. Some recipients were convinced they’d received some sort of malware and have, in extreme cases, formatted their device just to be on the safe side.

She sent me an email with an image of a cheque, I stupidly opened the image and 5 seconds later my email closed the image and sent it to my junk folder. I checked Windows virus protection and it said threat detected, I tried resolving the threat but the button wasn’t doing anything, so I promptly shut down my computer and unplugged my router.

This scam is all a spin on the much older fake check scam, covered in detail by the FTC. Some of the variations include:

  • Personal assistant scam. Fraudsters make you think a personal assistant job is for the taking, then send you a check to buy gift cards for your “boss”. They get the card codes, you’re left with the remnant of a fake check.
  • Car wraps. Fraudsters offer to cover your car with ads, for a price. Sadly, that price is “You’ve been ripped off”.
  • Overpayments. If you sell items online, people will occasionally send you too much as if by accident. If they do this by check, beware: it may well be a scam.

Avoiding the fake muse scam

  • Beware of uncommon art practices. It’s tough out there for an artist. Nobody is going to randomly approach you with the promise of free money and work for the cost of materials alone.
  • Avoid checks. The moment someone offers to send you money by check and have you forward some of that cash somewhere else, it’s high alert time. If you see people warning about this type of attack online, they usually reference somewhere in the region of $2,000 to $2,500 as the scammer sweet spot. While the actual amount referenced could be anything, this does serve as a useful first-glance indicator.
  • Fix the damage. Call whichever wire transfer company was used to send the money and lodge a complaint. It’s very unlikely, but you may be able to get the money back, so it’s worth asking. Do the same for money orders. Contact your bank and let them know what’s happened.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
