IT News

Brave Search, Brave Software’s privacy search engine, just turned one. To celebrate, the company says it is moving the search engine out of its beta phase to become the default search engine for all Brave browser users.

Goodbye, Google? Not entirely.

In May 2015, Mozilla alumni Brendan Eich and Brian Bondy launched Brave Software. Its first product was the Brave Browser, a privacy-friendly, Chromium-based internet browser that automatically blocks ads and site trackers. In March 2021, the company launched Brave Search so it could use its own index to generate search results.

In a recent announcement, the company said its search engine had passed 2.5 billion queries since its release a year earlier. That was a staggering increase in a year, from 8.1 million search queries to 411.7M by May 2022. However, as impressive as that is, Brave Search (and the other privacy search engine, DuckDuckGo) are still lightyears away from challenging Google’s hegemony. While Google enjoys a 92% market share, Brave has yet to break out of the search engine ranking’s miniscule “other” category.

Besides a loyal following, one reason for Brave Search’s fast growth is likely that it (mostly) avoids using third-party search indexes, such as Google and Bing. According to Brave’s blog, 92 percent of queries users receive are directly from Brave’s search index. The company admitted, however, that they will be pulling search results from other providers—Google in particular—if their index doesn’t have enough data of its own.

Search engines that depend too much, or exclusively, on Big Tech are subject to their censorship, biases, and editorial decisions. The Web needs multiple search providers—without choice there’s no freedom.

Brave’s blog

Brave Search is currently ad-free, but the company has plans to work on an ad-supported version of Search. This will involve Brave Ads, Brave’s adtech platform. Users who click these ads are rewarded 70 percent of the ad revenue.

While Brave is quick to claim that its query algorithms are unbiased, The Verge pointed out that all algorithms have inherent biases. But Goggles, a new feature, may help to mitigate this.

Going gaga over Goggles

Brave also announced a new Brave Search results curation feature called “Goggles,” which interested users can start testing out right now. The company has already prepared some demos to try.

“Goggles will enable anyone, or any community of people, to create sets of rules and filters to constrain the searchable space and / or alter the ordering of search results,” the browser company explains. “Essentially, Goggles will act as a re-ranking option on top of the Brave Search index.”

The search team released a white paper on Goggles, detailing its features and showcasing how these work using examples. In a nutshell, Brave is giving its users access to information filtered by their own explicit biases. This means that users’ preferences take precedence over Brave’s preferences.

Brave presented benefits for both the average user and content creator:

“The benefit for the users is that they would be empowered to explore multiple realities in a straight-forward way. The point is to offer people the freedom to choose their own biases while being conscious of them.”

“The benefit for the content creators is that they have multiple options to expose their content, by increasing their potential audience, which will reduce the need to optimize for the single set of biases implicitly encoded in the search engine’s ranking.”

The only downside to Goggles, so far, is that it’s not as easy to use as you might think. You can’t simply enter keywords or personalize preset filters. There is some coding involved, which might put off users without coding experience.

In addition to Goggles, Brave also released Discussions in April. This is a way to augment Brave Search results with actual conversations pulled from popular sites, all related to the search query.

The post Brave Search wants to replace Google’s biased search results with yours appeared first on Malwarebytes Labs.

Microsoft has posted a reminder that Exchange Server 2013 reaches End of Support (EoS) on April 11, 2023.  That’s a little more than 9 months from now. A useful and timely reminder, since we all realize that it takes some time to migrate to a different system.

Every Windows product has a lifecycle. The lifecycle begins when a product is released and ends when it’s no longer supported. Knowing key dates in this lifecycle helps you make informed decisions about when to update, upgrade, or make other changes to your software.

Exchange Server

Microsoft Exchange Server is a groupware solution platform that provides many organizations with a mail server and calendaring server. It runs exclusively on Windows Server operating systems.

A few weeks ago Microsoft announced that the 2021 subscription model version of Exchange Server was not going to happen. So there may have been some questions whether the EoS for Exchange Server 2013 would go forward as planned. Now we know the answer: Yes.

Since the next on-premise version is not expected until the second half of 2025, your upgrade options are Exchange Server 2016 and Exchange Server 2019. Unless you want to migrate to the Exchange Online version.

End of Support

EoS (also called End-of-Life, or EoL) describes the final stage of a product’s lifecycle. Once a product reaches EoS, developers stop creating updates and patches for the product.

For Exchange Server 2013 this means that Microsoft will no longer provide:

• Technical support for problems that may occur.
• Fixes for usability or stability bugs.
• Time zone updates.
• Security fixes.

EoS makes the most basic security hygiene practice, “patch now”, impossible, and vulnerabilities discovered after EoS remain an open wound forever.

Immediate threats

Microsoft has chosen to further develop Exchange Server 2019, rather than come out with a completely new version. It mentioned the fact that state sponsored threat actors, like Hafnium, are targeting on-premises Exchange servers as one of the reasons for the cancellation of Exchange Server 2021.

The number and severity of active threats that target Exchange Server is worrying enough. And this will only get worse when one of the versions is no longer eligible for bug and security fixes.

The most prominent threats for Exchange Servers from last year were:

• ProxyLogon that was used to infect thousands of servers before Microsoft released patches. targets on-premise Exchange servers.
• ProxyOracle is a bit less numerous since threat actors have to trick users into clicking on a malicious link to steal the user’s password.
• ProxyToken allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users.
• ProxyShell another on-premise Exchange Server vulnerability on unpatched servers with Internet access.

By now, all of the above have had patches created for them. Unfortunately that doesn’t mean that all vulnerable Exchange Servers have installed the relevant updates. But new vulnerabilities will be found. And vulnerabilities that work on a server software that no longer receives patches will be critical.

Transition

If you don’t want to get stuck with an unpatchable Exchange Server version, it is time to start planning, find the necessary budget, maybe think through what you are going to use next, and when is the best time for the transition.

Stay safe, everyone!

The post You only have nine months to ditch Exchange Server 2013 appeared first on Malwarebytes Labs.

Today, many Americans will head out to the water—not to swim, but to catch a catfish in time for National Catfish Day.

But when we talk about catfishing in cybersecurity, we mean something different. Here, catfishing refers to someone who assumes someone else’s identity online in order to harass, troll, or scam someone.

But there are ways to protect yourself:

1. Be suspicious

Catfishes and romance scammers prowl social media sites and dating apps.

Usually, scammers will message potential targets privately first, through DMs. And when the target bites, they immediately ask them to switch to a more private chat option, such as email or text.

If you suspect you are being catfished, ask them questions that only someone with their background would know. If they’re hesitant, slow to answer, or try to avoid your questions, then be wary.

2. Don’t fall too quickly for a pretty face

Scammers know that people are likely to respond positively if they’re using an image of someone who looks good. But you can use that pretty picture for your own benefit. Do a reverse-image search to check if the face matches the name, or if anyone has mentioned scams alongside that image.

Take note, though, that scammers can entirely steal the identity of someone and use it. They can also use create a deepfake image, which wouldn’t be caught in reverse-image searches.

3. Take it slow

If a love interest ticks all your boxes, remind yourself to slow down. Scammers will want to get you moving, so they can go on to target someone else.

And, since scammers talk to multiple targets, they can make big mistakes, such as forgetting your or their name. Taking it slow may not seem to be the most exciting thing you’d do, but it gives you a chance to build up a bigger picture of the person you are talking to.

4. Talk to someone you trust

An outsider perspective is invaluable if you’re about to fall head first for a scammer.

Let’s face it, sometimes we see the red flags but choose to ignore them. A second or third opinion from someone you trust might be the jolt you need before it’s too late.

5. Never send them anything

Scammers are quick about everything regarding love, revealing too much about “their personal life,” professing their love, or asking something from you. That could be money, cryptocurrency, personal information, banking details, or gift card numbers.

Occasionally, they might ask you to move money on their behalf. Never do this, even if it sounds like they are desperate for your help.

Finally

If you suspect someone is a scammer, immediately stop contact and report them to the site where you first met, whether that was on social media or a dating app. If you have mistakenly sent someone money, file a report to your bank ASAP. And don’t hesitate to report your experience to your local law enforcement and FBI office.

Stay safe!

The post 5 ways to avoid being catfished appeared first on Malwarebytes Labs.

Microsoft’s PowerShell is a useful, flexible tool that is as popular with criminals as it is with admins. Cybercrooks like it becasue PowerShell is powerful, available almost everywhere, and doesn’t look out of place running on a company network.

In most places it isn’t practical to block PowerShell completely, which raises the question: How do you stop the bad stuff without disrupting the good stuff?

Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell that attempts to answer that question.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) hope that “these recommendations will help defenders detect and prevent abuse by threat actors, while enabling legitimate use by administrators and defenders.”

PowerShell

Although it’s closely associated with the world of Windows administration, PowerShell is a cross-platform (Windows, Linux, and macOS) automation and configuration tool which, by design, is optimized for dealing with structured data. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core.

It allows system administrators and power users to perform administrative tasks via a command line—an area where Windows previously lagged behind its Unix-like rivals with their proliferation of *sh shells.

Threat actors are equally fond of it because it allows them to “live off the land”, and for the options it provides to create fileless malware or to gain persistence on a compromised system.

Reduce abuse

The CIS discusses some security features available in PowerShell which can reduce abuse by threat actors.

Remote connections

Remote connections can be used for powerful remote management capabilities, so Windows Firewall rules on endpoints should be configured appropriately to control permitted connections. Access to endpoints with PowerShell remoting requires the requesting user account to have administrative privileges at the destination by default. The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.

Multiple authentication methods in PowerShell permit use on non-Windows devices. PowerShell 7 permits remote connections over Secure Shell (SSH) in addition to supporting Windows Remote Management (WinRM) connections. This allows for public key authentication and makes remote management through PowerShell of machines more convenient and secure.

AMSI integration

The Antimalware Scan Interface (AMSI) feature, first available on Windows 10, is integrated into different Windows components. It supports scanning of in-memory and dynamic file contents using an anti-malware product registered with Windows and exposes an interface for applications to scan potentially malicious content. This feature requires AMSI-aware anti-malware products (such as Malwarebytes). Basically, AMSI works by analyzing scripts before the execution, so the anti-malware product can determine if the script is malicious or not.

Constrained Language Mode

Configuring AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host will cause PowerShell to operate in Constrained Language Mode (CLM), restricting PowerShell operations unless allowed by administrator-defined policies.

PowerShell methods to detect abuse

Logging of PowerShell activities can record when cyber threats use PowerShell, and continuous monitoring of PowerShell logs can detect and alert on potential abuses. Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default. The authors recommend enabling the capabilities where feasible.

Before you start

If you plan on following the advice in the CIS, there are a few things you may want to consider first.

• Execution Policies do not restrict execution of all PowerShell content.
• AMSI bypasses are found and remediated in a constant whack-a-mole game, and most anti-malware products have different ways of accomplishing the same, or better, results. Therefor you will find that most AMSI-aware anti-malware products do not rely on AMSI alone.
• If you are a customer of a Managed Service Provider (MSP) you may need to contact them before taking any of the actions listed above, since doing so may hinder them in their remote management.
• Windows Remote Management/Remote Shell (WinRM/WinRS) connection limitations can become an obstacle in organizations with numerous administrators performing remote management, or that have multiple monitoring solutions connecting to the environment. By default, Microsoft Server limits the number of concurrent users connected to the WinRM/WinRS session to five and the number of shells per user to five. This can, and has often been modified by using an elevated command prompt.

Disabling PowerShell, if you do not need it, is a lot easier and safer than applying policies to make it safer to use. But looking at the options to make it more secure is certainly a good idea if you do need it.

Stay safe, everyone!

The post Cybersecurity agencies: You don’t have to delete PowerShell to secure it appeared first on Malwarebytes Labs.

Europol has coordinated a joint operation to arrest members of a cybercrime gang and effectively dismantle their campaigns that netted million in Euros. This operation also led the Belgian Police (Police Fédérale/Federale Politie) and the Dutch Police (Politie) to nine arrests, 24 house searches, and the seizure of firearms, ammunition, jewelry, electronic devices, cash, and cryptocurrency.

The group was involved in fraud, money laundering, phishing, and scams.

According to a Europol press release, the group’s modus operandi started with an email, text message, or private message containing a link to a phishing page.

Once recipients opened the link, they would be directed to a bogus bank website. Here, they were encouraged to enter their banking credentials. Money mules then used these credentials to cash out millions in Euros from victim accounts.

On top of fraud, the group was also involved in drug and possible firearms trafficking.

“Europol facilitated the information exchange, the operational coordination and provided analytical support for investigation,” reads the press release, revealing law enforcement involvement in the arrest operation. “During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, forensics and technical expertise.”

The takedown of this phishing operation came months after Europol shut down the FluBot Android operation and the seizure of RaidForums, a hacking forum.

The post Police seize and dismantle massive phishing operation appeared first on Malwarebytes Labs.

Billboards and digital real world advertising has raised many questions of privacy and anonymity in recent years. Until now, the primary concern has been (mostly) legal, yet potentially objectionable geolocation and user profiling. Bluetooth beacons work in tandem with geofenced billboards to send you offers. Stores follow your movements and tailor products accordingly, occasionally with very bad results. It’s such a common practice that you even see digital advertising used to track appearing in video games.

Attacks we’ve seen in the real world typically involve QR code stickers and take two main forms:

• Letters or emails/chat app conversations which direct victims to Bitcoin ATMs. These attacks can often tie into money mule schemes.
• Real world alteration/tampering of genuine QR codes. This can involve bogus QR code stickers placed over locations you’d expect to see a real code. Parking meters and car parks generally are prime targets for this type of scam.

We can now add rogue billboards to the list.

Beware of the party crashers

NFT NYC describes itself as “the leading annual non-fungible token event”. The 2022 meet-up is the fourth such event to take place. With NFTs hitting boiling point in the media, it’s natural to think scammers would turn their sights on the plundering of incredibly fungible apes and other items of a digital nature.

If you’re up to no good, and you know digital finance is filled with insecure coin-laden wallets and expensive jpegs, this is absolutely something you’re going to take an interest in.

Sure enough:

The screenshot is from a Discord channel, which says:

BE ALERT IF YOU ARE AT NFT NYC

Reports of scam billboards in NYC with QR codes leading to Wallet Drainer sites.

This is probably a good time to explain what a wallet drainer site is.

Of wallets and draining

Sadly, it seems nobody grabbed a photo of what these scam billboards look like. However, a “wallet drainer” is just another way of saying “phishing website”. There are three ways the majority of cryptocurrency phishes take place:

1. Airdrop phishing. This can involve entering your wallet’s recovery phrase onto a fake website (don’t do this), or connecting your wallet directly to the phishing portal (don’t do this either).
2. Bogus giveaways. These claim you’ll double your money, and often say they are endorsed by celebrities or Elon Musk.
3. Rogue adverts. These bogus advertisements could lead you to either of the above, or even some completely unrelated technique.

People have confirmed in the replies to the original tweet that the theft here depended on victims scanning the code, and then clicking through to the phishing page. The phishing component depended on them manually entering their details into the fake website. It is not the case that simply visiting it would immediately drain funds or cause apes to go walkabout.

Rogue cryptocurrency billboards: A growing trend?

I’m wondering if this is the official cementing of rogue billboards as a digital finance scam technique. You may be surprised to learn this isn’t the first time someone has tried this.

Back in May, cryptocurrency exchange Binance warned of a rash of bogus billboards popping up in Turkey. Scam artists “plastered fake Binance billboards throughout the country”, many of which included a phone number answered by criminals behind the scheme.

The tactic used here was to convince unwary investors to hand over their seed/recovery phrases. Others were asked to register new accounts. Cryptocurrency scams involving new accounts tend to have funds deposited over time. Eventually the scammers have the victim transfer the funds to sites run exclusively by them. No matter which tactic is used, someone pulled in by the billboard has a strong chance of losing out.

This is clearly a technique which is working for phishers no matter the location. If you’re at an event or simply out and about and spot a cryptocurrency billboard, play it safe. Does the billboard mention a digital finance organisation? Check with the organisation if the URL is genuine. If you’re asked for seed/recovery phrases, don’t hand them over. Does the billboard make claims of doubling whatever you deposit? This is almost certainly a scam, especially if tied to a promotion from Elon Musk or TESLA.

Stay safe out there!

The post Rogue cryptocurrency billboards go phishing for wallets appeared first on Malwarebytes Labs.

Members of the Cybersecurity Advisory Committee of CISA (Cybersecurity and Infrastructure Security Agency) have proposed an emergency cybersecurity call line for small and medium-sized businesses (SMBs). Should the proposition be approved, SMBs would be able to call 311 in the event of a cybersecurity incident.

CISA’s cyberhygiene subcommittee head, George Stathakopoulos, originally floated the idea that CISA should “launch a 311 national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses.” The communications subcommittee also floated a similar idea.

CISA and other cybersecurity experts have pushed for more robust incident response reporting. In March, President Joe Biden signed the Strengthening American Cybersecurity Act, a cyber incident reporting bill requiring critical infrastructure operators to report a breach to CISA within 72 hours, and 24 hours if they made a ransomware payment.

CISA Executive Assistant Director for Cybersecurity Eric Goldstein bemoaned how damaging it is for CISA to have little data over ransomware attacks in the US. Speaking to attendees in RSA, Goldstein was quoted saying:

“A tiny fraction of ransomware infections are reported to the government and the problem is getting worse because we don’t even know what that actual number is. We have no idea the actual denominator of ransomware instructions that are occurring across the country on any given day.”

The post Dial 311 for… cybersecurity emergencies? appeared first on Malwarebytes Labs.

The dark web leak site used by the notorious Conti ransomware gang has disappeared, along with the chat function it used to negotiate ransoms with victims. For as long as this infrastructure is down the group is unable to operate and a significent threat is removed from the pantheon of ransomware threats.

Ransomware gangs like Conti use the threat of leaking stolen data on their dark web sites to extort enormous ransoms from their victims, making the sites a vital cog in the ransomware machine.

While the cause of the site’s disappearance isn’t known for sure, and criminal dark web sites are notoriously flaky, there is good reason to suspect that Conti has gone permanently.

However, while anything that stops Conti from terrorising businesses, schools, and hospitals is welcome, the disappearance of its leak site is unlikely to make potential ransomware victims any safer, sadly.

As we explained in our May ransomware review, recent research by Advintel suggests that Conti has spent the last few months executing a bizarre plan to fake its own death. If that is what’s happened, then the gang’s members have simply dispersed to other ransomware “brands” that are either operated by the Conti gang or affiliated to it.

Conti—as bad as they come

The gang behind Conti ransomware (called WizardSpider, although rarely referred to by that name) is believed to be based in Russia, and first appeared in 2020. The FBI recently called it “the costliest strain of ransomware ever documented,” and the US Department of State is offering a reward of up to $10 million for “information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.”

Conti has been used in a number of high profile attacks, including a devastating assault on Ireland’s Health Service executive on May 14, 2021. The attack disrupted healthcare in Ireland for months and the recovery effort could end up costing the country more than $100 million.

The real cost of the attack was measured in human suffering though. Speaking to Malwarebytes Labs, a doctor in one of the affected hospitals described how a 21st-century healthcare system deprived of it’s computers is brought to its knees. The attack caused enormous unnecessary suffering for both patients and healthcare professionals, and triggered hundreds of thousands of appointments to be cancelled.

The doctor’s brutal assessment of the Conti gang? “I think they lost their humanity.”

Faking its own death

According to Advintel, the Conti gang sealed its fate in February when it published a message in support of Russia’s invasion of Ukraine, declaring its “full support of Russian government.” By aligning itself to the Russian state it had made itself the subject of sanctions. Victims were not prepared to run the risk that their ransom payments might be treated as sanctions violations and Conti’s income dried up.

Ransomware gangs often react to trouble by going dark, or with ham-fisted attempts to pretend they’ve retired. These retirements are often quickly followed by the sudden appearance of a brand new ransomware gang that is obviously just the old gang working under a new name.

Advintel’s research suggested that Conti was aware of this pattern and determined to try something different. Instead of disappearing and then popping up a week later under a new name, the group created and operated new brands—Advintel names KaraKurt, BlackByte, and BlackBasta as examples—before retiring the Conti name, to make the transition less obvious. In addition to creating these new brands, it also dispersed parts of its workforce into existing gangs it had a relationship with, such as Hive and ALPHV.

To complete the deception, it maintained a skeleton crew that carried out extremely noisy, headline-grabbing attacks on Cost Rica, and continued to operate the leak site until the last moment.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The site had been inactive for 28 days before it disappeared, with the last new leak appearing on May 25. As our May ransomware report revealed, despite the noise it generated from its attacks on Costa Rica, Conti’s activity was significantly depressed in May, while the activity of gangs with alleged links to Conti increased, driven largely by the rise of BlackBasta.

The post Conti ransomware group’s pulse stops, but did it fake its own death? appeared first on Malwarebytes Labs.

MEGA, the cloud storage provider and file hosting service, is very proud of its end-to-end encryption. It says it couldn’t decrypt your stored files, even if it wanted to.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key. MEGA does not have access to your password or your data. Using a strong and unique password will ensure that your data is protected from being hacked and gives you total confidence that your information will remain just that – yours.”

But there’s a problem. A Swiss team of researchers has just proved those claims wrong.

And that’s not all. The research went one step further, finding that an attacker could insert malicious files into the storage, passing all authenticity checks of the client.

Cryptography flaws

Researchers at the Department of Computer Science of the ETH Zurich in Zurich, Switzerland reviewed the security of MEGA and found significant issues in how it uses cryptography.

These findings could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.

Key hierarchy

The MEGA client derives an authentication key and an encryption key from the password. The authentication key identifies users to MEGA. The encryption key encrypts a randomly generated master key, which in turn encrypts other key material of the user. Every account has a set of asymmetric keys: An RSA key pair for sharing data, a Curve25519 key pair for exchanging chat keys for MEGA’s chat functionality, and an Ed25519 key pair for signing the other keys. Furthermore, the client generates a new key for every file or folder (collectively referred to as nodes) uploaded by the user.

Long story short, all the keys are derived in one way or another from the password. And all the keys get stored on MEGA’s servers to support access from multiple devices.

Ciphertext

Ciphertext is encrypted text transformed from plaintext using an encryption algorithm. The researchers built two attacks based on the lack of integrity protection of ciphertexts containing keys, and two further attacks to breach the integrity of file ciphertexts and allow a malicious service provider to insert chosen files into a user’s cloud storage.

Attacks

Due to the flawed integrity protection, a malicious service provider can recover a user’s private RSA share key (used to share file and folder keys) over 512 login attempts. The number is 512 because of the RSA-CRT implementation used by MEGA clients to build an oracle that leaks one bit of information per login attempt about a factor of the RSA modulus.

As a result the malicious service provider can recover any plaintext encrypted with AES-ECB under a user’s master key. This includes all node keys used for encrypting files and folders. As a consequence, the confidentiality of all user data protected by these keys, such as files and chat messages, is lost.

Based on the first two attacks, a malicious service provider can construct an encrypted file. The user cannot demonstrate that they didn’t upload the forged data because the files and keys are indistinguishable from genuinely uploaded ones. It needs no further explanation that introducing a malicious file in such an attack could further compromise not only the user’s system, but also for those the user has shared their files or folders with.

MEGA’s response

MEGA acknowledged the issue on March 24, 2022, and released patches on June 21, 2022, awarding the researchers a bug bounty. But MEGA’s fix differs greatly from what the researchers proposed, patching only for the first attack alone since the other attacks rely on the first one.

Since that does not fix the key reuse issue, lack of integrity checks, and other systemic problems the researchers identified, this remains a source of concern for them.

As a regular MEGA user there is no reason to worry about these flaws, especially if you haven’t logged in more than 512 times. An attacker would need to have control over MEGA’s API servers or TLS connections without being noticed to perform any of these attacks.

Anyone interested in more technical details, can read the researcher’s paper.

The post MEGA claims it can’t decrypt your files. But someone’s managed to… appeared first on Malwarebytes Labs.

A phishing campaign is using voicemail notification messages to go after victims’ Office 365 credentials.

According to researchers at ZScaler, the campaign uses spoofed emails with an HTML attachment that contains encoded javascript.

The email claims that you have a new voicemail and that you can listen to the message by clicking on the attachment. To add credibility, the name of the attachment starts with a music note character like f.e. ♫ to make it look like a sound clip. In reality, it is an HTML file with obfuscated javascript embedded.

The javascript uses the windows.location.replace method to redirect the target to a specially crafted phishing page. The access to the page is behind a reCAPTCHA, probably to keep out the bots, particularly any automated URL analysis tools.

Spoofed email

Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by attackers. Obviously pretending to be someone else can have its advantages especially if that someone else holds a position of power or trust with regards to the receiver.

In this campaign the threat actors use a name in the “From” field of the email aligned with the targeted organization’s name. An internal mail is more likely to be trusted by the receiver. Analysis of the email headers shows that the attacker leveraged email servers located in Japan.

Targets

The final credential phishing page attempts to steal the Office 365 credentials of the users by presenting them with a fake login screen. The redirection URL includes the target’s email address in base64 encoded, likely so the attackers will be able to match the victim and their login credentials.

The researchers found the campaign targeting organizations in the US military, security software developers and providers, healthcare and pharmaceutical, and supply-chain organizations in manufacturing and shipping.

How to avoid being phished

• Do not open unverified email attachments. If someone you know sends you an attachment you’re not expecting, check it is really them via another contact method.
• Do not enter your credentials before checking the actual URL of the site.
• If you use a password manager that autofills your login details, it will not enter your credentials on a phishing site because it will have a different URL. This is a really handy giveaway that something is up.
• Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t foolproof though, as some phishing sites will also try to steal your 2FA codes.

Stay safe, everyone!

The post Watch out for the email that says “You have a new voicemail!” appeared first on Malwarebytes Labs.