IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Beware card skimmers this Black Friday

The UK’s top cybercops are urging owners of small online shops to “protect their customers and profits” by guarding against card skimmers in the frenetic shopping period that starts with Black Friday, which lands on November 26 this year.

The warning comes from the National Cyber Security Centre (NCSC), part of GCHQ (the UK’s equivalent of the NSA), which says it identified 4,151 compromised online shops up to the end of September.

Card skimmers, also known as web skimmers, are pieces of malicious code injected into legitimate websites so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes.

The longer that cybercriminals can keep their card skimmers on a website before its customers or owners notice, the more money they will make, so they take care to be as unobtrusive as possible. Unsurprisingly, Malwarebytes’ own research has shown that card skimming activity tends to ramp up on the busiest shopping days, when the most money changes hands. And some of the biggest shopping days of the year are nearly upon us, starting with Black Friday, the biggest of them all.

For the uninitiated, Black Friday is the annual celebration of peak capitalism that commemorates the symbolic moment that retailers go “into the black” for the year and start to make a profit. If you’re wondering why shoppers would be so keen to celebrate the mechanics of retail accountancy, it’s because shops mark the occasion (the Friday that follows Thanksgiving in the US) with extravagant sales, offers, and deals.

The NCSC is rightly concerned that with record amounts of money expected to slosh about on the Internet in the next few days, cybercriminals will be hard at work, spoiling everyone’s fun.

Yes, you

It is worth noting that the NCSC’s announcement uses the word “small” no fewer than four times—“small online shops”; “small business sites”; “small online retailers”; “small and medium-sized online retailers”—in a short announcement that also mentions “SMEs” twice, and says it is written for “small & medium sized organisations”.

On the off-chance the point still hasn’t landed, let me spell it out for you: The NCSC would like you to know that no online business is small enough to ignore the threat of card skimmers.

I will add a personal note to that too. If you assume you are too small to be attacked by a card skimmer and your customers later find out their card details were stolen while on your site, they will expect you to have cared a great deal more. At least that’s how I felt when it happened to me.

Not just Magento

Although its guidance is aimed at all e-commerce retailers, the NCSC makes specific mention of sites built on the Magento platform, which it says has been particularly popular with cybercriminals lately:

The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform.

However, your takeaway after reading that should not be “Magento” so much as “known vulnerability”. Cybercriminals do not care that you’re running Magento, they only care that you are running a system they can exploit because it contains a known vulnerability, and any system with a known vulnerability will do, thanks. It so happens that Magento has been a prime target recently, but every decent e-commerce system has known vulnerabilities. Not using Magento is no protection whatsoever.

What really matters is whether or not e-commerce sites are patched promptly when fixes for vulnerabilities are made available. Which is why the NCSC’s headline guidance is “Retailers are urged to ensure that Magento—and any other software they use—is up to date”.

Keeping website software up to date will certainly take you a very long way indeed in terms of protecting against card skimmers, but there is more to it than that.

For the “more to it than that”, the NCSC points readers to the British Retail Consortium’s Cyber Resilience Toolkit for Retail, and to its own website, which is full of useful cybersecurity advice, although neither resource is specifically about card skimming.

I would like to humbly suggest that readers should also consult our own guidance on how to defend your website against card skimmers. Our easy-to-digest advice is aimed at preventing card skimming specifically and explains how card skimming gangs find victims; why everyone is a potential target; how to avoid a website breach; how to protect your customers from a card skimmer if you are breached; and how to detect card skimmers as quickly as possible.
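One of the detection approaches the advice above alludes to is to notice when the scripts served on a checkout page change. The following is an added example, not code from the original post or from Malwarebytes: it parses a page’s `<script>` tags, hashes every inline script and records every external script source, and compares the result against a baseline captured when the page was known to be clean. The two HTML snippets, the script paths and the `cdn.example.invalid` host are all constructed for the illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample: a checkout page as it was when last reviewed.
CLEAN_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script>
  window.shopConfig = {currency: "GBP"};
</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample: the same page with an extra external script and an
# extra inline script (a harmless placeholder stands in for the injected code).
TAMPERED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</head>",
    '<script src="https://cdn.example.invalid/loader.js"></script>\n'
    "<script>/* constructed placeholder for an injected inline script */</script>\n"
    "</head>",
)


class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def _collect(html):
    collector = _ScriptCollector()
    collector.feed(html)
    return collector


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(clean_html):
    """Record the known-good external sources and inline script hashes."""
    c = _collect(clean_html)
    return {
        "external": set(c.external),
        "inline": {_sha256_hex(body) for body in c.inline},
    }


def audit_page(html, baseline):
    """Return (finding_kind, detail) pairs for anything not in the baseline."""
    c = _collect(html)
    findings = []
    for src in c.external:
        if src not in baseline["external"]:
            findings.append(("unknown-external-script", src))
    for body in c.inline:
        digest = _sha256_hex(body)
        if digest not in baseline["inline"]:
            findings.append(("unknown-inline-script", digest[:12]))
    return findings


BASELINE = build_baseline(CLEAN_CHECKOUT)

if __name__ == "__main__":
    print("clean page:", audit_page(CLEAN_CHECKOUT, BASELINE))
    print("tampered page:", audit_page(TAMPERED_CHECKOUT, BASELINE))
```

Run against a live site, the baseline would be refreshed on every legitimate deployment and the audit scheduled frequently, because the whole point of a skimmer is to stay unnoticed for as long as possible; an unknown script on a payment page is worth a human look even if it turns out to be benign.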

The post Beware card skimmers this Black Friday appeared first on Malwarebytes Labs.

Password usage analysis of brute force attacks on honeypot servers

As Microsoft’s Head of Deception, Ross Bevington is responsible for setting up and maintaining honeypots that look like legitimate systems and servers.

Honeypot systems are designed to pose as an attractive target for attackers. Sometimes they are left vulnerable to create a controllable and safe environment to study ongoing attacks. This provides researchers with data on how attackers operate and enables them to study different threats.

In Bevington’s words:

“I develop and lecture on these technologies with emphasis on the human behind the keyboard and how to integrate Deception into general security posture.”

Now, Bevington has released information gathered from Microsoft honeypots of over 25 million brute force attacks against SSH.

SSH and RDP

Secure Shell (SSH) is a protocol most commonly used for Linux server access, but it is available on servers running any operating system. Remote Desktop Protocol (RDP) is used almost exclusively for accessing Windows virtual machines and physical Windows servers. Based on data provided by Bevington, taken from more than 14 billion brute-force attack attempts against Microsoft’s network of honeypot servers up to September this year, attacks on RDP servers have risen by 325%.

RDP is one of the most popular targets because it is a front door to your computer that can be opened from the Internet by anyone with the right password. And because of the ongoing pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened.

The data

What the research data analysis looked at were the credentials that were attempted during more than 25 million brute force attacks against the Microsoft honeypot systems, which roughly represents a period of 30 days.

Some highlights of these results:

  • 77% of the passwords were between 1 and 7 characters long
  • Only 6% of the passwords were longer than 10 characters
  • 39% of the passwords contained at least one number
  • None of the attempted passwords contained a space
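As an added illustration of how figures like the ones above are produced (this is not Microsoft’s or Malwarebytes’ code, and the password list is a small constructed sample rather than honeypot data), the following computes the same four measures over a list of attempted passwords, plus a length histogram and the most frequently retried entries:

```python
from collections import Counter

# Constructed sample of credentials seen in brute-force attempts (not real
# honeypot data); the duplicates are deliberate, since attackers retry favourites.
SAMPLE_ATTEMPTS = [
    "123456", "admin", "password", "root", "qwerty123", "P@ssw0rd",
    "letmein", "12345678", "administrator", "welcome2021", "123456", "admin",
]


def _pct(part, whole):
    """Percentage rounded to one decimal place; 0.0 for an empty sample."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def analyze_attempts(attempts):
    """Summarise attempted passwords in the same terms as the post's highlights."""
    total = len(attempts)
    short = sum(1 for p in attempts if 1 <= len(p) <= 7)
    long_ = sum(1 for p in attempts if len(p) > 10)
    with_digit = sum(1 for p in attempts if any(ch.isdigit() for ch in p))
    with_space = sum(1 for p in attempts if " " in p)
    return {
        "total": total,
        "pct_len_1_to_7": _pct(short, total),
        "pct_len_over_10": _pct(long_, total),
        "pct_with_digit": _pct(with_digit, total),
        "pct_with_space": _pct(with_space, total),
        "length_histogram": dict(sorted(Counter(len(p) for p in attempts).items())),
        "most_common": Counter(attempts).most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyze_attempts(SAMPLE_ATTEMPTS).items():
        print(f"{key}: {value}")
```

Feeding it the credentials logged by your own honeypot or by a failed-login log tells you what attackers are guessing against you specifically, which is the useful input for deciding what a password policy should forbid.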

Passwords

The data above can help you determine whether a password is more secure than another. But, there are some caveats. Passwords need to be long and complex because it’s their length, complexity and uniqueness that determines how difficult they are to crack.

However, you can have the longest password in the world, but if it has been leaked in a breach there is a chance that an attacker will add it to their dictionary. This is the reason we tell you not to re-use your passwords. It’s inconvenient to lose one in a breach, but if that means having to change your password on multiple sites and services, it’s a major inconvenience.

In an older study by Microsoft, it was determined that users should spend less effort on password management issues for don’t-care and lower consequence accounts, allowing more effort on higher consequence accounts. Unless you are using a password manager doing the work for you, of course. Your efforts to come up with a strong password are wasted at sites that store passwords in plaintext or reversibly encrypted.

Sites that require a minimum length and/or impose other complexity standards have always been a major annoyance. Not only does every site use a different standard, some of which are now obsolete, but they also encourage users to come up with simple passwords that just barely meet the standard. Am I right, MyDogsName1 and P@$$w0rd?

One of the recommendations of the earlier Microsoft study was that organizations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.

The fact that none of the attempts contained a space looks favorable for insights that recommend using three random words separated by spaces. Easy to remember, type in (especially on smaller devices) and harder to guess.

Passwordless future

Not too long ago, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services. We talked that over with a world expert on passwords, Per Thorsheim, and while we will welcome the passwordless future, there are some concerns when it comes to account recovery and what may happen when people lose access to their choice of authenticator.

How to protect your organization from brute force attacks

The ground rules of protecting against remote online attacks are basically:

  • Limit the number of open ports
  • Restrict the access to those that need it
  • Enhance security of the port and the protocol

There are applications that can help you accomplish these basic tasks if you feel the built-in tools are too hard to configure.
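“Restrict the access” and “enhance security of the port and the protocol” are hard to judge without seeing what actually hits the port. As an added example (not code from the original post), the following reads sshd log lines, keeps only failed password attempts, and flags any source address that produces a threshold number of failures inside a sliding time window, the same logic a tool such as a login-rate limiter applies before blocking an address. The log lines, host name, addresses and the assumed year are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not from a real server).
SAMPLE_AUTH_LOG = """\
Nov 22 10:15:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 22 10:15:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Nov 22 10:15:04 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Nov 22 10:15:06 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51242 ssh2
Nov 22 10:15:08 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Nov 22 10:15:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51246 ssh2
Nov 22 10:16:30 web1 sshd[2211]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov 22 10:16:45 web1 sshd[2213]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Nov 22 10:40:00 web1 sshd[2215]: Failed password for alice from 198.51.100.7 port 40010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m["ip"], m["user"]


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failures within one window} for IPs at/above threshold."""
    times = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        times[ip].append(ts)
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted times
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_AUTH_LOG))
```

In the sample, one address produces six failures in eight seconds and is flagged, while a legitimate user who mistypes a password twice, 24 minutes apart, is not. Pairing this with key-only authentication and a firewall rule that admits only known source ranges covers all three of the ground rules above.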

Restricting access is the point of this post: a password alone is not always enough, and when you do rely on passwords, choose them wisely.

Stay safe, everyone!

The post Password usage analysis of brute force attacks on honeypot servers appeared first on Malwarebytes Labs.

What is facial recognition?

Facebook recently announced it would give up on its facial recognition system. Facebook, or Meta, was using software to automatically identify people in images posted to its social network. Since facial recognition has become an increasingly toxic concept in many circles and Facebook was having enough to deal with as it is, it shut the “feature” down. But that doesn’t mean that the technology no longer exists, or even that it isn’t used anymore.

Let’s establish first what we consider facial recognition to be.

By definition: A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces, typically employed to identify and/or authenticate users.

In layman’s terms, facial recognition is technology to recognize a human face.

How does facial recognition work?

There are different systems and algorithms that can perform facial recognition, but at the basic level they all function the same—they use biometrics to map facial features from a photograph or video. The image is captured and reduced to a set of numbers that describes the face that needs to be identified. The software analyses the shape of the face by taking certain measurements that, all put together, provide a unique characteristic for the face. The shape of the face is reduced to a mathematical formula, and the numerical code of that formula is called a “faceprint.” Such a faceprint can be quickly compared to those stored in a database in order to identify the person.

You can compare this to a person leafing through an enormous book of portraits to find a suspect. Only much faster because now it’s a computer comparing sets of numbers.
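To make the “comparing sets of numbers” step concrete, here is an added example that is not from the original post. It stands in toy feature vectors for faceprints (a real system produces far longer vectors from a trained model), scores a probe against stored prints with cosine similarity, and shows the two ways the article describes such systems being used: a 1:1 check like a phone unlock, and a 1:N search against a database. The vectors, names and threshold are constructed assumptions.

```python
import math

# Constructed toy "faceprints": short feature vectors standing in for the
# measurements a real system derives from an image (not a real model's output).
ENROLLED = {
    "alice": [1.0, 0.0, 0.0, 0.0],
    "bob":   [0.0, 1.0, 0.0, 0.0],
    "carol": [0.0, 0.0, 1.0, 0.0],
}


def cosine_similarity(a, b):
    """1.0 for identical direction, 0.0 for unrelated vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def verify(probe, enrolled_print, threshold=0.9):
    """1:1 check (phone unlock): does this face match the one enrolled?"""
    return cosine_similarity(probe, enrolled_print) >= threshold


def identify(probe, database, threshold=0.9):
    """1:N search (watch-list, passport gate): who, if anyone, is this?

    Returns (name, score) for the best match at or above the threshold,
    or None when nobody in the database is close enough.
    """
    best_name, best_score = None, -1.0
    for name, faceprint in database.items():
        score = cosine_similarity(probe, faceprint)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return best_name, round(best_score, 3)
    return None


if __name__ == "__main__":
    probe = [0.9, 0.1, 0.0, 0.0]  # constructed: a slightly noisy capture of "alice"
    print("identify:", identify(probe, ENROLLED))
    print("verify as bob:", verify(probe, ENROLLED["bob"]))
```

The threshold is where the privacy and security trade-offs live: lower it and the system “finds” more people, including people it should not; raise it and it rejects legitimate users. Either way, identification only works if the person is in the database in the first place, which is the point made below about where the pictures come from.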

How is facial recognition used?

The most well-known example of facial recognition is the one that can be used to unlock your phone or similar. In those cases, your face is compared to the ones that are authorized to use the phone.

Another convenient method of facial recognition can be found in some major airports around the world. An increasing number of travelers hold a biometric passport, which allows them to skip the long lines and walk through an automated ePassport control to reach their gate faster. This type of facial recognition not only reduces waiting times but also allows airports to improve security.

A lot less consensual is the fact that in some countries mobile and/or CCTV facial recognition is used to identify any person, by immediately comparing an image against one or more face recognition databases. In total, there are well over 100 countries today that are either using or have approved the use of facial recognition technology for surveillance purposes. This has brought up a lot of questions about our privacy.

What is bad about facial recognition?

As we can see from the above, facial recognition is not always bad, and it can be used to improve our personal and public security. It becomes a privacy issue when the consent of the person in the database is missing. People, especially in large cities, have become used to being monitored for much of the time they spend outside. But when facial recognition adds the extra layer of tracking, or the possibility to do so, it becomes worrying.

China, for example, is already a place deeply wedded to multiple tracking/surveillance systems. According to estimates, there are well over 400 million CCTV cameras in the country, and the authorities do not shy away from using facial recognition for public shaming to crack down on jaywalkers and other minor traffic offenders.

It’s because of the privacy implications that some tech giants have backed away from the technology, or halted their development. Many groups like American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) have made objections against facial recognition technology as it is considered a breach of privacy to use biometrics to track and identify individuals without their consent. Many feel that there is already more than enough technology out there that keeps track of our behavior, preferences, and movement.

Can I use facial recognition to find someone?

For an individual to identify another individual would require access to a large database or an enormous amount of luck. As we explained, the faceprints are compared with those in a database. And that database has to contain a pretty large subset of the population you are looking in.

But there are other ways to identify an individual if he is nowhere to be found in the database. A picture can be compared to one that is openly posted on social media. Some organizations have built quite the databases just from harvesting pictures from social media. And you might be amazed about what a reverse image search could bring up. In essence, your chance of success finding a person based on a picture depends on how sophisticated your search algorithm is and how many pictures of your subject can be found on the Internet.

The other way around, if you do not want to be found, make sure that you don’t post your pictures everywhere, and when you do, make sure they are not publicly accessible. And stay out of the databases.

If you are interested in the subject of facial recognition, you may also want to listen to S1Ep6 of the Malwarebytes podcast Lock and Code, where we talk with Chris Boyd about “Recognizing facial recognition’s flaws”.

The post What is facial recognition? appeared first on Malwarebytes Labs.

Windows Installer vulnerability becomes actively exploited zero-day

Sometimes the way in which malicious code gets into the hands of cybercriminals is frustrating for those in the industry, and incomprehensible to those on the outside.

A quick summary of the events in the history of this exploit:

  • A researcher found a flaw in Windows Installer that would allow an attacker to delete targeted files on an affected system with elevated privileges.
  • Microsoft patched the vulnerability in November’s Patch Tuesday update.
  • The researcher found a way to circumvent the patch and this time decided not to engage in responsible disclosure because he got frustrated with Microsoft’s bug bounty program.
  • The researcher’s PoC is being tested in the wild and cybercriminals could be preparing the first real attacks exploiting this vulnerability.

Let’s have a look at what is going on and how it came to this.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question was listed as CVE-2021-41379 and is a local Windows Installer Elevation of Privilege (EoP) vulnerability. If successfully exploited, the bypass could give attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.

By exploiting this zero-day, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.

The patch

Microsoft patched the vulnerability in the November Patch Tuesday updates. But according to the researcher, the bug was not fixed correctly. He discovered a new variant during the analysis of the CVE-2021-41379 patch.

With the new variant, an attacker will be able to run programs with a higher privilege than they are entitled to. To be clear, an attacker using the new variant must already have access and the ability to run code on a target victim’s machine, but now they can run the code with SYSTEM privileges thanks to the exploit.

The frustration

The researcher appears to have been so disappointed in Microsoft after he responsibly disclosed the vulnerability by means of the Trend Micro zero-day initiative, that he decided to skip that path altogether when he found the new method to bypass the patch. The researcher published a new version of the proof of concept (PoC) exploit, which is even more powerful than the original exploit.

Apparently the main reason for his frustration was the reward level.

“Microsoft’s rewards have been very bad since April 2020; the community wouldn’t make these kinds of decisions if Microsoft took its rewards seriously.”

In the wild

Several security vendors have noticed malware samples in the wild that are attempting to take advantage of this vulnerability. A quick search on VirusTotal showed dozens of different files that tried to do this. This may be some threat actors testing the exploit code to turn it into something they can use in their attacks, along with some researchers trying out different ways to use and stop the exploit. It is worrying nonetheless to see once again how quickly attackers are able to weaponize publicly available exploit code.

Mitigation

The researcher recommends users wait for Microsoft to release a security patch, due to the complexity of this vulnerability, although he doesn’t seem confident that Microsoft will get it right this time.

“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again.”

Microsoft says it is working on it. In the meantime, Malwarebytes Premium and business users are protected, because our programs detect the files using this vulnerability as Exploit.Agent.

[Image: Malwarebytes detects and stops the exploit]

Stay safe, everyone!

The post Windows Installer vulnerability becomes actively exploited zero-day appeared first on Malwarebytes Labs.

“Free Steam games” videos promise much, deliver malware

Gamers are a hot target for scammers, especially in the run up to Christmas. Major games are released throughout the last few months of any year, and the FOMO (fear of missing out) is strong. Especially if said titles offer pre-order exclusive bonuses, or deals and discounts for a few weeks after the game launches.

There’s a lot of big titles hitting digital storefronts at the moment. In the last few weeks alone we’ve seen the release of:

  • Skyrim Anniversary Edition
  • Forza Horizon 5
  • Jurassic World Evolution 2
  • Halo Infinite (portions of it, with more to come)
  • Myth of Empires
  • Battlefield 2042

Add other upcoming titles and older ones updated for the festive season into the mix, and it’s fertile ground for people up to no good.

Bogus YouTube videos promise much, deliver little

We’ve seen a lot of activity on YouTube in the last 24 hours in relation to dubious videos. They ride on the coat tails of common searches for “free” versions of popular titles like Skyrim, CSGO, PUBG, Cyberpunk, and more. Other videos focus on Call of Duty, GTAV, Fallout 4, and DayZ.

[Image: bogus download]

In all cases, “free Steam keys” are the name of the fake out game. No matter which of the many accounts post up these videos, they all typically link to the same download hosting site.

[Image: fake Steam game videos]

When free games lead to Malware

The file offered up for download is SteamKeyGeneration.rar, weighing in at 4.19MB. YouTube pages containing the link offer the following instructions:

“Download the ExLoader, open the RAR file, open the EXE file”

The .RAR is password protected, with the password being supplied in the YouTube description. Once the executable runs on the target system, it’s infected by the owner’s own hand.

We detect the file as Trojan.Malpack. This is a generic name given to files which have been packed suspiciously. The actual payload can be anything at all, but this form of packing files is not typically used for legitimate purposes. We’ve seen similar attacks like this previously. In 2018, Fortnite gamers were targeted by scammers pushing Trojan.Malpack files as Fortnite freebies. If the files were downloaded and run on the target system, the reward for doing so was data theft.

Part of a bigger campaign, or a standalone?

YouTube has definitely had some trouble along these lines recently. Researchers at Cluster25 spotted similar activity, targeting a multitude of interests including how-to guides, cryptocurrency, VPN software, and more. In those cases, activity seems to be primarily geared towards two infection paths.

Videos with bit(dot)ly links send victims to download sites such as Mega. Unshortened links redirect to taplink(dot)cc to push Racoon Stealer. Target machines are scanned for card details, passwords, cryptocurrency wallets and other forms of data. This is all harvested and sent on to the attacker.

Despite the final destination links being different from those mentioned, there are similarities, such as the password requirement and the overall scam setup. Of course, this isn’t a particularly new or novel tactic for YouTube attacks. Including a link to an off-site compressed file on free file hosting, and disabling comments so nobody can point out they’ve had things stolen, is video portal shenanigans 101.

You also tend to see one major campaign hit and enjoy success, and then lots of smaller would-be scammers jump on the bandwagon and before long everybody is doing it.

Tips to avoid scams

Whether this is part of the same campaign, a spin-off, or is simply inspired by it, you should avoid any promise of free games deploying these techniques on YouTube. The warning signs are:

  1. Too good to be true claims of Steam (or another platform) being “hacked”, with free games being the end result.
  2. Brand new accounts with no other content than these videos. Much older accounts which have been dormant until now, or display a sudden shift in content produced. Were they making videos of their cats until last week and now they’re all about hacked Skyrim downloads? Beware.
  3. Comments disabled. Anybody linking to off-site files and turning off the comments may not have your best interests at heart.

Getting your hands on a cool new game at a discount is always good news, but sometimes the hidden cost is just too high.

The post “Free Steam games” videos promise much, deliver malware appeared first on Malwarebytes Labs.

Please don’t buy this! 3 gift card scams to watch out for this Black Friday

With the holiday season around the corner, and Black Friday at the end of the week, we thought it was a good time to look at the dangers that come with gift cards.

Gift cards can be an easy win in cases where you don’t know the receiver well enough to decide on a fitting gift, or when their wishes are out of your price range. But there are a few things to consider before you hand over your cash.

1. Fake gift cards

You will almost always need to pay full value for legitimate gift cards, so gift cards being offered for significantly less than their face value should be treated with extreme caution. Of course, it could be that they are from people who have no use for the gift cards they received, but it’s hard to tell who is and who isn’t genuine. If you see websites offering all kinds of discounts on gift cards, you can be assured that these will turn out to be fakes or to have been acquired illegally, in which case you could be acting as a fence.

2. Gift card generators

One step up on the “scale of scammery” from fake gift cards are gift card generators. There are quite a few websites that claim to provide gift card generators that you can use to generate the code for all kinds of gift cards. Some of the major brand names that are used include Amazon, Roblox, Google, Xbox, PS5.

If you download a gift card generator and you are lucky, it will inform you just before you try it that it does not generate valid gift card codes, but only random codes for “educational purposes.” That is, after you have filled out endless surveys, and maybe even after giving up some of your personal information.

In the worst case scenario, you will end up downloading a piece of malware to your system. In one case, researchers found a file titled “Amazon Gift Tool.exe” that was being marketed on a publicly available file repository site as a free Amazon gift card generator. In reality, the malware watched a user’s clipboard to find text that matches the normal length of a certain type of cryptocurrency wallet address. If other criteria were met, to ensure that the victim was involved in a Bitcoin Cash transfer, the malware replaced the string on the clipboard with the attacker’s Bitcoin Cash wallet address. The attacker was hoping that the victim wouldn’t notice the overwritten crypto wallet address when pasting it during the crypto transaction, and that the transfer would go to that of the cybercriminal instead of the intended recipient.

It always helps to keep in mind that if something sounds too good to be true, it is probably not true at all. This definitely applies to a tool that would allow you to create gift cards for free. That’s pretty much like having a money press in your basement.

3. Scammers like your gift cards

There is one group of people that does have a taste for gift cards, and that is scammers. Whether they claim to be with the IRS, Microsoft, or your service provider, if someone asks you to pay for something by putting money on a gift card, like a Google Play or iTunes card, you can safely assume that they’re trying to scam you. No real business or government agency will ever insist you pay them with a gift card.

We have seen live examples of business email compromise (BEC) attempts that ask for gift cards, like the one below:

[Image: gift card scam email, pretending to be from the CEO and telling an employee to buy $2000 worth of iTunes gift cards]

Business Email Compromise (BEC) is a catch all term for a spoofed email pretending to come from an authority figure, with the intent to use social engineering to reach an outcome, usually financial gain, by convincing you to do something that you normally wouldn’t.

Not forgetting those gift cards that go unspent…

According to a July 2021 survey by Bankrate, more than half of US adults (51%) currently have unused gift cards, vouchers, or store credits totaling roughly $15 billion in outstanding value. Additionally, 49% of US adults have lost gift card/voucher/store credit value at some point because they let at least one of these expire (29%), they lost at least one (27%), or they failed to use at least one before the business closed permanently (21%).

Basically what it boils down to, is you are paying full value for something that only gets used roughly half of the time.

Conclusion

As one of my friends in the US used to say:

“The best gift cards have a number and a president on them.”

Even though it may seem impersonal to give money as a present, the chance that the receiver will get something that they need or like is so much bigger than with a gift card. Should you still want to buy a gift card, make sure to get it from a reliable source and check that the receiver will make good use of it.

Stay safe, everyone!

The post Please don’t buy this! 3 gift card scams to watch out for this Black Friday appeared first on Malwarebytes Labs.

Millions of GoDaddy customer data compromised in breach

Domain name registrar giant and hosting provider GoDaddy yesterday disclosed to the Securities and Exchange Commission (SEC) that it had suffered a security breach.

In the notice, it explained it had been compromised via an “unauthorized third-party access to our Managed WordPress hosting environment.” The unknown culprit behind the attack stole data on up to 1.2 million active and inactive customers, including email addresses, original WordPress admin passwords, Secure File Transfer Protocol (sFTP) and database credentials, and SSL private keys.


The company said it has taken measures to secure accounts and the environment, such as resetting passwords and blocking the unauthorised third-party from accessing its system, and said it will be issuing new certificates for specific customers.

GoDaddy first detected suspicious activity in its Managed WordPress hosting environment on Wednesday last week. According to initial investigations, the intruder used a compromised password to access legacy code in GoDaddy’s environment to steal data. Investigations are ongoing.

“We are sincerely sorry for this incident and the concern it causes for our customers,” wrote Demetrius Comes, GoDaddy’s Chief Information Security Officer (CISO), “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

According to researchers from Defiant Inc, developers of Wordfence—a plugin for securing WordPress sites—GoDaddy has been handling sFTP in a way that doesn’t follow standard practices: “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”
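The practical difference between the two storage patterns Wordfence describes is worth seeing side by side. The following is an added example, not GoDaddy’s or Wordfence’s code: one function stores a credential in a reversible form (base64 stands in for any reversible scheme, including “encryption” whose key sits next to the data), and another stores a salted PBKDF2-HMAC-SHA256 hash and verifies against it in constant time. The iteration count is an assumption; use whatever current guidance recommends for your deployment.

```python
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed value; follow current guidance for your setup


def store_reversible(password):
    """The weak pattern: reversible 'encoding'. A dump of this column is a
    dump of every customer's password, no cracking required."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_reversible(record):
    """Demonstrates the weakness: anyone holding the record gets the secret back."""
    return base64.b64decode(record).decode("utf-8")


def store_hashed(password):
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iterations$salt$digest'.
    A dump yields only a per-user salt and a digest, so each password must be
    guessed separately at the full cost of the iteration count."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    secret = "correct horse battery"  # constructed sample credential
    weak = store_reversible(secret)
    strong = store_hashed(secret)
    print("reversible record recovers:", recover_reversible(weak))
    print("hashed record verifies:", verify_hashed(secret, strong))
    print("wrong password verifies:", verify_hashed("wrong", strong))
```

The other option Wordfence mentions, public-key authentication for sFTP, removes the stored secret entirely: the server keeps only public keys, which are useless to an attacker who dumps them.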

GoDaddy customer? Here’s what to do

If you use GoDaddy’s hosting service and are unsure if your account might be one of those affected, do not leave this to chance. Act now before someone takes the opportunity to take over your account.

GoDaddy has provided a good list of steps to take to lock down an account that might be potentially compromised:

Stay safe!

The post Millions of GoDaddy customer data compromised in breach appeared first on Malwarebytes Labs.

Windows 10 chills out, gives sysadmins a break

A few short weeks ago, Microsoft launched the very latest version of its desktop operating system (OS), Windows 11. In security terms, Windows 11 is very much Windows 10 with knobs on. Or what Spinal Tap’s Nigel Tufnel might describe as Windows 10 turned up to 11.

Unlike Tufnel’s description of his infamous “one louder” amps though, the Redmond software giant’s approach to security shows signs of intelligence at work. And its reassuringly sensible, evolutionary approach indicates that Microsoft thinks it is on the right track.

Its aim for Windows 11 is much the same as it was for Windows 10: To make changes that take entire classes of vulnerabilities off the table for attackers. In broad terms, its approach is to use virtualization to create safe, protected environments for sensitive operations, and to build trust from the ground up, on top of trustworthy hardware specs.

In fact, a lot of what makes Windows 11 better for security than Windows 10 is that Microsoft is simply making things that are optional in Windows 10 mandatory (or at least a default) in Windows 11.

So, unlike some of the previous transitions between major versions of Windows, there is a very obvious continuity between the two most recent versions, and a sense that Windows 11 is just the latest version of Windows 10.

And it seems that continuity is now flowing upstream as well as down.

Last week Microsoft used its announcement about the availability of the Windows 10 November 2021 Update to reveal that Windows 10 is ditching its twice-yearly release schedule and moving to the calmer annual release cycle of its sibling:

“We will transition to a new Windows 10 release cadence to align with the Windows 11 cadence, targeting annual feature update releases … The next Windows 10 feature update is slated for the second half of 2022.”

This is not a security announcement per se—sysadmins will still have to digest enormous patch furballs on the second Tuesday of every month when the LCU (Latest Cumulative Update) is released—but we reckon it is good for security.

I asked Malwarebytes’ Windows expert Alex Smith, the brains behind our recent, detailed assessment of whether or not Windows 11 is any good for security (spoiler alert: yes, it is) for his thoughts.

Smith’s take: This switch can only help security.

It will be a welcome change by most, especially software developers, IT admins, technicians, help desks, Microsoft itself, and end users. Having to plan for and support a new Windows OS build every six months was a chore and led to lots of late adoption or deferment, which could impact security.

Smith says the new release schedule should give everyone a little more breathing space to prepare, adopt, and react to Windows releases, which could lead to:

  • Higher adoption rates of the latest builds.
  • Reduced build fragmentation in the ecosystem.
  • More time for Microsoft to stabilize its updates before releasing them.
  • Fewer “headaches” for software developers, IT admins, support staff, and users.

Of course it is just breathing space, and there is no guarantee it will be used productively. Most businesses are more than capable of over-committing security and IT staff, and the window of opportunity will close quickly, but there is a window.

Perhaps it will provide an opportunity for some organizations to run the rule over Windows 11.

Alongside revealing its changes to the Windows 10 release schedule, Microsoft also announced it was increasing the pace of the Windows 11 rollout, “making the Windows 11 upgrade more broadly available to eligible Windows 10 devices”. This is also good news. Microsoft can only achieve its lofty aim of making classes of vulnerability obsolete when Windows 11 is predominant, but the operating system’s beefed-up security comes at the cost of eye-watering hardware demands, which seem likely to chill the pace of adoption.

Anything that gives them a bit of warming sunshine is to be welcomed.

The post Windows 10 chills out, gives sysadmins a break appeared first on Malwarebytes Labs.

Security researchers play peek-a-boo with Conti ransomware server

It’s not been a great time for ransomware authors recently. Well, some ransomware authors at any rate. While many are making huge amounts of money from their device-locking antics, it’s not a profession without risk. Every so often something can and does go wrong, and ransomware groups get into all manner of trouble. Sometimes they aim too high and generate a huge amount of heat. At that point, the solution is to go into hiding or claim to be leaving the business forever.

Elsewhere, it can be a case of accidentally leaking the decryption key, or making it so that third parties can figure it out.

Sometimes, an incident is just a disaster from start to finish.

Setting the scene

Conti ransomware is perhaps most well known for its use in the HSE healthcare attacks back in May. More than 80,000 endpoints were shut down and the health service had to revert to the pen and paper approach. Providers in the US and New Zealand were also affected.

Conti is created and distributed by “Wizard Spider”, a group which also created the well-known Ryuk ransomware. Conti, offered to affiliates as Ransomware as a Service, ran wild in the first quarter of 2021. RDP brute forcing, phishing, and hardware / software vulnerabilities are the chosen methods for Conti compromise.

Where it gets interesting is that Conti directs victims to Dark Web “support portals” where they talk through the steps to unlocking impacted devices. This is where the current Conti issues have arisen.

A lack of support

Security firm Prodaft discovered a vulnerability in the servers Conti uses for recovery. Essentially, the place they tell victims to go. They discovered the real IP address of the hidden service and were able to monitor network traffic for connections to the server. This is particularly ironic considering the slightly confusing stance on free keys, which still come with a ransom attached. There was also a flurry of news recently when word dropped that they were selling access to victims.

All in all, having access to a support portal swiped is probably not high on the Conti gang’s list of “cool things to have happen”.

Down for the count?

Once word broke that a security firm accessed the server for more than a month, the people behind the ransomware scrambled to fix things. What this meant in practice, is a support portal missing in action, and no way for victims to pay.

In total, the Conti infrastructure here was mostly offline for something like two days. This sounds great in practice. However, it’s worth noting that while the ransomware edifice has temporarily toppled, individuals and organisations affected couldn’t communicate with the attackers. If they decided to pay, they wouldn’t be able to. If they wanted to appeal to their better nature, it’s not a possibility.

To add to this sense of uncertainty, the victims would have no way of knowing if the people responsible for their locked files would even come back. They could have simply cut their losses.

Not a great time to be compromised by ransomware, and that’s taking into account that there’s never a great time to be compromised by ransomware.

An increasingly creaky comeback?

Conti has now, of course, returned with a combative air of defiance:

This isn’t the first thing to go wrong for them recently, however. In August, an ex-pentester for Conti decided to spill several gallons worth of beans on Conti activities. This individual, unhappy with the money they were making, dumped files allegedly handed to affiliates on a forum. Rival factions go to war with one another all the time, but it’s still somewhat unusual to see insider documents posted quite like this.

Still, despite the wheels coming off, it doesn’t seem to stop ransomware groups for long. There’s simply too much money at stake and (probable) decent odds against getting caught by law enforcement. In the game of ransomware whack-a-mole, the mole is most definitely king.

The post Security researchers play peek-a-boo with Conti ransomware server appeared first on Malwarebytes Labs.

How to defend your website against card skimmers

Black Friday and the holiday season are approaching, and shoppers are forecast to spend record amounts again this year. Retail websites big and small can expect a lot of interest from shoppers looking for deals, and a lot of interest from cybercriminals looking to cash in on those shoppers, by stealing their credit card details with stealthy card skimmers.

Card skimmers, or web skimmers, are pieces of malicious software that criminals piggyback on to legitimate websites, so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes. Attackers have even been seen adding entire checkout pages to sites that don’t take payments. Skimmers can steal card details in real time, as they are typed, even before the victim clicks “submit” on the payment form.

Skimmers allow criminal hackers to silently rob every customer that makes a purchase on an infected website, until they are discovered and removed. Malwarebytes products detect card skimmers, and our Threat Intelligence team tracks and investigates them. We know that card skimming activity tends to increase in line with busy shopping days, and shop owners need to be extra-vigilant heading into the holiday season.

A payment form created by a card skimmer and a real payment form side by side. Can you spot the fake? The answer is at the end of the article*.

In this article we will explain the basic steps you should take to secure your website against card skimmers. Getting these basics right will also protect your website against a range of other cyberthreats too.

But before we look at how to secure your site, let’s look at why you should, even if you’re only running a small mom-and-pop shop.

Why you aren’t too small to get hacked

If you think your website is too small to be of interest to cybercriminals, think again. They don’t care how small your site is. Really. In fact, they don’t care about you at all and may never even look at your website.

Cybercriminals don’t break into websites one by one, using their best guess to figure out your password like they do in the movies. They use computer programs to scan the Internet for vulnerable websites. There are millions of vulnerable websites out there, and scanning the entire Internet to find them is fast, cheap, and easy.

When they find a site they can break into, they inject a card skimmer, automatically.

Their objective is to break into thousands of websites at a time and the process is automated and can run continuously. It effectively costs criminals nothing to break into even the smallest website, so every website—no matter how small—is an attractive target.

Websites without a payment form can still be targeted, or monetised in other ways, so even if your site doesn’t sell anything, it is still at risk.

Securing your website

With an Internet full of potential targets to choose from, you don’t have to do much to make your website less attractive to attackers. As the old saying goes, you don’t have to outrun the bear that’s chasing you, you just have to outrun the other people running away from the bear!

So, how do you move a little faster than the others?

Step 0, keep your computer secure

The first step in keeping your website secure is to make sure that your computer, and the computers belonging to anyone else who administers the site, are secure. If your computer has malware on it, it doesn’t matter how secure your website is, because criminals can just steal your password or log in to your website from your computer, pretending to be you.

Keep your software up to date with security fixes, and install a modern antivirus solution, a password manager, and a security plugin for your browser, like BrowserGuard.

Set strong passwords. Never share them, never reuse them

One of the easiest ways to break into a website is to guess an administrator password for the software that runs the website—its Content Management System (CMS). If an attacker can do that, they can do anything they like to the website, including adding a card skimmer and dismantling any defences you have.

Just as they don’t search for websites manually, attackers don’t guess passwords manually either. They have computer programs for that too. And once their scanner finds your website, another computer program will happily plug away 24/7, trying to guess your password. They will move on eventually, but they may have made thousands of attempts before they do.

The good news is that you can seriously sharpen up your password game by avoiding a few bad habits:

  • Bad passwords. Cybercrooks don’t guess passwords randomly, they use lists of popular passwords. The ten thousand most common passwords are full of easy-to-type sequences like 123456, 1111, and qwertyuiop, or they are made from names and common words like monkey, michael or trustno1. If your password is on that list, or looks like the passwords on that list, your website is in trouble.
  • Shared passwords. If you share a password with somebody you have no idea if they are storing it securely, or who they might be sharing it with. The only way to ensure passwords stay secret is to never share them. Give everyone their own account, with their own password, and tell them not to share.
  • Passwords you’ve used elsewhere. Alongside common passwords, criminals also use lists of usernames and passwords exposed in data breaches (this is called credential stuffing). Chances are you’ve lost at least one password in a data breach. If you never use the same password twice, you can’t be caught by credential stuffing.
  • Everyone’s an admin. It’s often convenient to give everyone who works on a site an administrator account, so their work isn’t interrupted by being denied access to something. But every separate administrator login gives criminals another potential way in. Save administrator-level access for the people that need it, and aim for the smallest number of administrators you can get away with.

You can get to grips with most of these bad habits by adding two-factor authentication (2FA) to your site. 2FA forces users to provide another piece of information with their password when they log in, such as a one-time code from an app. Any decent website CMS will have a 2FA option built in, or 2FA plugins that are easy to find and install.

If your company uses a Virtual Private Network (VPN) to provide secure, remote access to company systems, you could limit access to your website login screen to company VPN users too.

Keep website software up to date, every day

Another easy way to break into a website is by exploiting a software vulnerability in the web server, CMS, or plugins your website uses. A vulnerability is a coding flaw that lets attackers do things they aren’t supposed to be able to do, such as adding files to your website, or accessing its back end without logging in. When software vendors find vulnerabilities in their software they provide a security patch that fixes the problem.

Your website is only secure against that problem when you apply the patch.

Criminals often reverse engineer patches to find out what vulnerabilities they fix, and then attempt to use those vulnerabilities to break into websites that haven’t been patched yet. They can do this extremely quickly.

In 2014, Drupal, a very popular CMS, released an update for a serious security flaw. Criminals reverse engineered the update and were using it to take over websites within hours. Later, the Drupal security team made the extraordinary announcement that if you hadn’t updated your website within seven hours of the patch being released then you should “consider it likely your site was already compromised”.

Make sure you know whose job it is to keep the website patched. This may be something that the people who built and maintain your website will do for you, or a job you need to do yourself. Whatever you do, don’t just assume that somebody else must be doing it.

If you use WordPress, it should update itself automatically with security fixes. You can check this by logging in and going to Dashboard > Updates. Note however, that WordPress will not update most plugins automatically. Vulnerabilities in plugins are common, and probably the biggest threat to your website, so if nothing else, you will need to make a point of logging in regularly to check for and apply plugin updates.

The same is true for other CMSes: You should log in regularly to see if there are updates that need to be applied. We suggest you also go to your CMS vendor’s website (and any plugin vendor’s sites too) and see if they have a mailing list where they announce patches. Sign yourself up so you are alerted if anything urgent needs your attention.

Finally, this advice applies to every website under your control. It is quite common for companies to run a number of websites on the same server. These could be different websites for different purposes, or test and staging versions of your principal site. If any one of those websites is compromised, it gives attackers a potential route to cross-contaminate all the other sites on the server. Test and staging sites are often neglected, and often exposed to the Internet accidentally, making them a particularly soft underbelly.

Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is an appliance or Cloud-based service that filters the data that’s sent to your website, weeding out things that look malicious, such as XSS or SQLi attacks. They can also prevent unauthorized data (like credit card details from a server-side skimmer) from leaving your website if it is compromised.

WAFs use a rulebook to recognize malicious or unauthorized inputs and outputs, which means they can often provide protection far sooner than patching. All a WAF vendor needs to know to create a new rule is what input the attackers are using to compromise websites. To create a patch, a vendor needs to know what input the attackers are using, but also how that input affects their software, and how to fix it without breaking anything.

WAFs add complexity to your environment and may require regular updates, but they provide a useful extra layer of defence for your website. You should never use a WAF as an alternative to patching, but using one could save you if you miss a patch, are too slow to apply one, or if attackers are using a zero-day technique that your CMS or plugin vendor hasn’t patched yet.

Protecting users from rogue dependencies

Web pages are typically made up of multiple separate elements, such as scripts, images, “like” buttons, sharing widgets, and so on, drawn from multiple different places. In fact it is not uncommon for individual pages to have tens or even hundreds of such dependencies, and for them to be drawn from many different domains: Analytics and advertising code from Google perhaps, a Tweet button from Twitter, images pulled from a Content Delivery Network (CDN), and so on.

The different elements are only assembled into a single page at the last minute when it’s viewed in a web browser, and that process is repeated in each user’s machine, each time the page is viewed.

Each dependency is a potential backdoor into your web pages. If an attacker can compromise a site hosting one of your dependencies, they can use it to inject a card skimmer into your page when it is assembled by a web browser, without ever compromising your website. You can’t control the passwords or patching on the sites you depend on, so instead you must take steps to protect your users from compromised dependencies.

Subresource integrity

Subresource integrity is a form of tamper protection for scripts and stylesheets. If an attacker compromises a third-party script your website relies on, they can use it to inject a card skimmer into your pages.

In June 2019, Malwarebytes Threat Intelligence discovered exactly this kind of attack on the official Washington Wizards page of the NBA.com website. Attackers had managed to alter a script the site used that was hosted on an Amazon S3 storage website.

Subresource integrity protects against this kind of attack by using fingerprints (cryptographic hashes) to verify that elements loaded by <script> or <link> tags haven’t been altered.

For example, let’s say your website uses version 3.6 of the popular jQuery JavaScript library. Without Subresource Integrity, the script tag for it would look like this:

<script src="https://code.jquery.com/jquery-3.6.0.js"></script>

With Subresource Integrity, the script tag looks like this:

<script src="https://code.jquery.com/jquery-3.6.0.js" integrity="sha256-H+K7U5CnXl1h5ywQfKtSj8PCmoN9aaq30gDh27Xc0jk=" crossorigin="anonymous"></script>

When a browser assembles your page it will download the jQuery code and create its own cryptographic fingerprint from it, and match it against the fingerprint in the tag. If the fingerprints don’t match, the browser will assume the jQuery code has been compromised and won’t run it.
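As an added example (not code from the article or from jQuery), the following Python shows how the integrity value is produced and how the browser-side comparison works; the script bytes and the URL are constructed stand-ins.

```python
import base64
import hashlib
import re

# Constructed stand-in for the bytes a browser would download from a
# third-party script URL (not the real jQuery source).
SCRIPT_BODY = b"/* constructed third-party script */\nwindow.lib = {version: '3.6.0'};\n"

# Browsers only honour these three algorithms; anything else is ignored.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")
_TOKEN_RE = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the value for an integrity attribute: <algo>-<base64 digest>."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> tag pinned to the given body, in the form the article shows."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Check downloaded bytes against an integrity attribute the way a browser does:
    several hashes may be listed, only the strongest algorithm present counts, and
    the body passes if it matches any hash of that strength. One deliberate
    difference: an attribute with no usable hash is reported as a failure here,
    whereas a browser would load the resource unchecked."""
    parsed = [m.groups() for m in map(_TOKEN_RE.fullmatch, integrity.split()) if m]
    if not parsed:
        return False
    strongest = max((algo for algo, _ in parsed), key=SRI_ALGORITHMS.index)
    expected = {digest for algo, digest in parsed if algo == strongest}
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in expected


if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.js", SCRIPT_BODY))
    pinned = sri_hash(SCRIPT_BODY)
    print("untouched body passes:", verify_integrity(SCRIPT_BODY, pinned))
    print("modified body passes:", verify_integrity(SCRIPT_BODY + b"/*x*/", pinned))
```

Fetching the real jquery-3.6.0.js and passing its bytes to verify_integrity with the sha256 value from the tag above reproduces the browser's check.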

Content Security Policy

Sometimes, instead of changing an existing dependency, attackers can find enough leverage to add a new dependency to your site, from a website they control.

Content Security Policy (CSP) is a simple addition to your website that can protect against this form of attack. It works by sending web browsers a list of the domain names your website trusts, and what it trusts them to do.

For example, let’s say your website is example.com, and your website includes Google Analytics code, which is loaded from the analytics.google.com domain. Your CSP header would say you trust your own site to provide all forms of content, and it trusts Google Analytics to provide scripts, and nothing else. The actual instruction looks like this:

Content-Security-Policy: default-src 'self'; script-src 'self' analytics.google.com

If a cybercriminal sneaks a card skimming script on to your site that’s loaded from example.xyz, web browsers will refuse to run the card skimmer. So, even though your website has been compromised, it will not affect your users.

CSP isn’t perfect. In a serious hack, an attacker might gain enough access to your site to remove the CSP instructions altogether, but in many situations they won’t.

You can see if your website already has a CSP header (and other useful security headers too) by checking it on securityheaders.com.
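As an added example (not code from the article), this small Python evaluator applies a policy to a script URL the way a browser would, using the example.com and analytics.google.com policy from the article. It also shows why 'self' has to be repeated in script-src: a script-src directive replaces default-src for scripts rather than extending it.

```python
from urllib.parse import urlparse

# Two policies: one where script-src names only analytics.google.com, and one
# where 'self' is repeated in script-src so first-party scripts still run.
ANALYTICS_ONLY_POLICY = "default-src 'self'; script-src analytics.google.com"
SELF_AND_ANALYTICS_POLICY = "default-src 'self'; script-src 'self' analytics.google.com"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a policy into {directive: [source expressions]}; first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _port(parsed):
    return parsed.port or _DEFAULT_PORTS.get(parsed.scheme)


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression ('self', https:, *.cdn.example, host) permit url?
    Path matching is left out; keyword sources other than 'self' and 'none'
    (nonces, hashes, 'unsafe-inline') never whitelist a URL."""
    target, page = urlparse(url), urlparse(page_origin)
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.hostname, _port(target)) == \
               (page.scheme, page.hostname, _port(page))
    if expr.startswith("'"):
        return False
    if expr.endswith(":") and "/" not in expr:          # scheme source, e.g. https:
        return target.scheme == expr[:-1]
    if "://" in expr:                                     # host source with a scheme
        scheme, rest = expr.split("://", 1)
        if target.scheme != scheme:
            return False
    else:                                                 # page's scheme, or https
        rest = expr
        if target.scheme not in (page.scheme, "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and str(_port(target)) != port:
        return False
    target_host = target.hostname or ""
    if host.startswith("*."):                             # any subdomain, not the apex
        return target_host.endswith(host[1:])
    return host == target_host


def script_allowed(header: str, script_url: str, page_origin: str) -> bool:
    """Would a browser enforcing this header run a script fetched from script_url?"""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True   # no directive governs scripts, so nothing is blocked
    return any(source_allows(s, script_url, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://example.com"
    for url in ("https://example.com/app.js", "https://analytics.google.com/ga.js",
                "https://example.xyz/skimmer.js"):
        print(url, "analytics-only:", script_allowed(ANALYTICS_ONLY_POLICY, url, page),
              "self+analytics:", script_allowed(SELF_AND_ANALYTICS_POLICY, url, page))
```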

Pulling it all together

Securing your site and its dependencies against attack is vitally important, but sometimes you don’t realise you’re vulnerable until it’s too late, or your Subresource Integrity and CSP silently block a rogue dependency and you never learn about it.

In both cases you want something that tells you as soon as the problem starts. So the last step in securing your site is to use a third-party integrity monitoring service that sees your site from your users’ point of view. These services can find card skimmers that slip through the net and, most importantly, tell you that there’s something you need to fix.

Automated integrity checking services are like users that work on your behalf, periodically visiting important web pages, like your checkout, pulling in all the dependencies in real time, looking for anything that shouldn’t be there, and alerting you if they find anything.
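As an added example (not code from the article or from any monitoring vendor), here is the kind of check such a service runs, in Python: it takes a snapshot of the checkout page as a browser would receive it and flags references to domains outside a baseline, third-party scripts with no integrity attribute, forms that post off-site, and inline scripts the baseline did not have. The page, the trusted-domain list and the snapshot are all constructed.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed baseline for the checkout page: domains it is known to load from
# and how many inline <script> blocks it normally carries.
TRUSTED_DOMAINS = {"shop.example", "code.jquery.com", "analytics.google.com"}
BASELINE_INLINE_SCRIPTS = 0

# Constructed snapshot of the checkout page as a user's browser would receive it.
# The extra script, the off-site form action and the inline script stand in for
# the kinds of change a skimmer leaves behind; none of this is real skimmer code.
CHECKOUT_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.js"
        integrity="sha256-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.google.com/ga.js"></script>
<script src="https://cdn.example.xyz/jquery.min.js"></script>
<link rel="stylesheet" href="/static/checkout.css">
</head><body>
<form id="payment" action="https://pay.example.xyz/collect" method="post">
  <input name="card"></form>
<script>/* constructed inline script not present in the baseline */</script>
</body></html>"""

_TAG_RE = re.compile(r"<(script|link|iframe|form)\b([^>]*)>", re.I)
_ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def audit_page(html, page_url, trusted, baseline_inline):
    """Return (tag, reference, reason) findings a shop owner should look at."""
    findings = []
    page_host = urlparse(page_url).hostname
    inline = 0
    for m in _TAG_RE.finditer(html):
        tag = m.group(1).lower()
        attrs = {k.lower(): v for k, v in _ATTR_RE.findall(m.group(2))}
        if tag == "script" and "src" not in attrs:
            inline += 1
            continue
        ref = attrs.get("src") or attrs.get("href") or attrs.get("action")
        if not ref:
            continue
        # Relative references resolve to the page's own host.
        host = urlparse(urljoin(page_url, ref)).hostname or page_host
        if host not in trusted:
            findings.append((tag, ref, f"untrusted domain {host}"))
        if tag == "script" and host != page_host and "integrity" not in attrs:
            findings.append((tag, ref, "third-party script without integrity attribute"))
        if tag == "form" and host != page_host:
            findings.append((tag, ref, "form posts to another domain"))
    if inline > baseline_inline:
        findings.append(("script", "(inline)",
                         f"{inline - baseline_inline} inline script(s) not in baseline"))
    return findings


if __name__ == "__main__":
    for tag, ref, reason in audit_page(CHECKOUT_HTML, "https://shop.example/checkout",
                                       TRUSTED_DOMAINS, BASELINE_INLINE_SCRIPTS):
        print(f"[{tag}] {ref}: {reason}")
```

Run periodically against the live checkout page and alert on any non-empty result; the baseline only needs updating when you deliberately add a dependency.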

Although we have gone into a lot of depth in this article, keeping websites secure is mostly a matter of setting up a few services, and then doing some simple things, over and over again. By making these things a habit, you will strengthen your site enormously against card skimmers and other attacks, and keep your users safe through the holiday season and beyond.

* The fake checkout is on the left.

The post How to defend your website against card skimmers appeared first on Malwarebytes Labs.