IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

How to troubleshoot hardware problems that look like malware problems

Sometimes it’s hard to figure out what exactly is going wrong with your computer. What do you do if you’ve run all the scans, checked all the files, and everything says the PC is malware free? Here’s a list of common problems that resemble cybersecurity issues, but could be caused by something hardware-related instead.

My computer is overheating

Some types of malware try very hard to go unnoticed, but others can be CPU hogs capable of turning your keyboard into a waffle iron. The encryption routines in ransomware demand a lot of resources, for example. But there are other, far more obvious signs of a ransomware problem, so if you’ve got this far, it’s not that. So perhaps it’s a cryptominer grinding away in your browser or System32 folder. If your antivirus says “no” though, it’s more likely to be one of the problems below:

  • One or more of your fans aren’t working. If you have a PC, you should be able to follow the wire connecting the problem fan to the motherboard / associated socket. Sometimes there are so many wires in there that they can get nudged out of place. This is especially common when removing the panel on the side of the motherboard to clean behind the wires.
  • A software change has affected your fan profile. A fan profile is software that exerts a specific amount of control over your fans. It tells them when to ramp up, and how. Sometimes updates to your fan control program or associated hardware can do odd things to settings. You’ll have to go back in and set them to your liking.
  • Your thermal paste needs a refresh. A layer of thermal paste sits between your heat sink and your processor and conducts the heat—that would otherwise engulf the CPU—into the heat sink. It’s possible your paste needs replacing. This is quite a precise process however, so watch a few tutorial videos before attempting it.
  • Your graphics card is about to die. This is the worst case scenario. If you’re lucky, a good clean may solve the issue, though you should be looking to regularly clean everything inside your PC anyway. Dust build up? Get rid of it sooner rather than later. Contacting your PC / parts supplier at this stage is also a good idea.

My computer keeps restarting / Blue screen of death

Plenty of malware files make PCs restart or trigger the dreaded blue screen of death (BSOD). Plenty of other things do too though. Here are some alternative causes to think about:

  • Loose or faulty RAM sticks. I’ve had machines which restarted, popped a BSOD, or simply stuttered and staggered while on the desktop. Check to make sure all of your RAM sticks are in securely. If one seems a little loose, remove and reinsert it correctly. You can also run diagnostic tests on your sticks if the machine runs long enough for you to do so. If not, the long-winded approach is to remove one stick at a time and see if the problem magically goes away. If it does, there’s a good chance you’ve identified the problem.
  • Peripheral devices left in at shutdown can cause odd issues when you boot up. There’s no real rhyme or reason to this. I’ve seen USB sticks, cameras, phones, and even a digital keyboard cause a PC to not load correctly or act strangely after booting up. I’ve also seen PCs refuse to boot because of a peripheral one minute, and ignore it entirely the next. If in doubt, just take it out.
  • You might have a Windows-specific issue going on under the hood. You should consider sorting out various recovery tools and backup plans now.
  • Your PSU (power supply) may not be working correctly, or on the verge of failure. This is a bit of a tricky one to test, because messing around with PSUs and electricity can be incredibly dangerous. If the thought of paperclip tests or getting out the multimeter fills you with dread, you’re better off asking the company you bought the PC from for help or switching it out for a different PSU.

I can’t see my files / my hard drive is missing

Yes, some malware will happily scrub all of your saved documents. Most won’t. There can be other explanations:

  • Check your wires. I’ve seen PCs where the caddy holding the drive has broken, the hard drive has fallen to the bottom of the case, and a wire has been dislodged. Reattaching the wire and securing the caddy was all that was needed to stop the drive randomly disappearing and reappearing whenever it felt like it.
  • Check your Windows. Some people reported files going missing after upgrading to Windows 10, or (occasionally) other updates. Considering Windows 11 is on the way, it might be worth revisiting what happened.
  • The files might be hiding, or somewhere else. If files aren’t where they’re supposed to be but your hard drive usage suggests everything is still present, never fear. Fire up an app which tells you exactly how much space is being used, and what is using it. A relative of mine had some files go walkabout after a system update, and they were able to find them with a third party tool.
  • Check the drive for signs of corruption or imminent failure. Sometimes hardware just fails. This is a mechanical issue and not something you can hope to prevent. Back everything up as soon as you can, if you aren’t already.

Conclusion

Computers are often surprisingly delicate, and their rugged cases don’t accurately reflect the 24/7 juggling operation taking place down on the motherboard. There are many other hardware problems, but the ones listed above tend to be the first port of call for budding hardware fixers.

If you can deal with both software and hardware issues as they arise, there’ll be no stopping you the next time a relative gives you a call at Christmas with a “small problem…”

The post How to troubleshoot hardware problems that look like malware problems appeared first on Malwarebytes Labs.

Katie Moussouris hacked Clubhouse. Her emails went unanswered for weeks: Lock and Code S02E15

Nearly one year after the exclusive app Clubhouse launched on the iOS store, its popularity skyrocketed. The app, which is now out of beta, lets users drop into spontaneous audio conversations that, once they are over, are over. With COVID lockdown procedures separating many people around the world last year, Clubhouse offered its users immediate, unplanned, conversational magic that maybe they lost in shifting to a work from home environment.

At the time, it was perhaps an app to find a feeling.

And in 2021, Luta Security CEO and founder Katie Moussouris found a crucial vulnerability in it. But when she tried to tell Clubhouse about the flaw—which let her hide her presence inside a listening “room” so she could eavesdrop on conversations—the company failed to listen to her for weeks. Her emails went unanswered, and the vulnerability that she discovered could be exploited with a simple trick. Perhaps most frustratingly of all was that Clubhouse had actually set up what’s called a “bug bounty” program, in which the companies pay independent researchers to come forward with evidence and reporting of vulnerabilities in their products.

With a bug bounty program in effect, why then did Clubhouse delay on fixing its flaw?

“[Clubhouse] is too large, too popular, and too well-funded to be in the denial stage of the five stages of vulnerability response grief,” Moussouris said on the most recent episode of Lock and Code, with host David Ruiz.

Tune in to learn about the vulnerability itself, how Moussouris discovered it, how Clubhouse delayed in moving forward, and whether bug bounty programs are actually the right tool for developing secure software.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Katie Moussouris hacked Clubhouse. Her emails went unanswered for weeks: Lock and Code S02E15 appeared first on Malwarebytes Labs.

Phishing campaign goes old school, dusts off Morse code

In an extensive report about a phishing campaign, the Microsoft 365 Defender Threat Intelligence Team describes a number of encoding techniques that were deployed by the phishers. And one of them was Morse code.

While Morse code may seem like ancient communication technology to some, it does have a few practical uses in the modern world. We just didn’t realize that phishing campaigns were one of them!

Let’s look at the campaign, and then we’ll get into the novel use of an old technology.

The campaign

Microsoft reports that this phishing campaign has been ongoing for at least a year. It’s being referred to as the XLS.HTML phishing campaign, because it uses an HTML file email attachment of that name, although the name and file extension are modified in variations like these:

  • xls.HTML
  • xslx.HTML
  • Xls.html
  • .XLS.html
  • xls.htML
  • xls.HtMl
  • xls.htM
  • xsl_x.h_T_M_L
  • .xls.html
  • ._xslx.hTML
  • ._xsl_x.hTML

The phishers are using variations of XLS in the filename in the hope the receiver will expect an Excel file if they open the attachment. When they open the file, a fake Microsoft Office password dialog box prompts the recipient to re-enter their password, because their access to the Excel document has supposedly timed out. This dialog box is placed on a blurred background that will display parts of the “expected” content.

Figure: Opening the email attachment triggers a fake Microsoft Office password dialog, on a blurred background, prompting users to “re-enter” their password.

The script in the attachment fetches the logo of the target user’s organization and displays their user name, so all the victim has to do is enter the password, which is then sent to the attacker’s phishing kit running in the background.

After trying to log in, the victim will see a fake page with an error message and be prompted to try again.

Figure: While the user’s password is passed on to the attacker, the dialog insists it was incorrect.

It is easy to tell from the information about the target used by the phishers, like the email address and company logo, that these phishing mails are part of a targeted campaign that needed some preparation to reach this step.

And this phishing campaign is another step to gather more data about a victim. In the latest campaigns the phishers fetch the user’s IP address and country data, and send that data to a command and control (C2) server along with the usernames and passwords.

Encoding

The phishing campaign has been seen using different types of encoding, and combinations of encodings. For example, in one of the waves the user mail ID was encoded in Base64. Meanwhile, the links to the JavaScript files were encoded in ASCII before being encoded again, with the rest of the HTML code, in Escape.

Encodings seen in the campaign included:

  • ASCII, a basic character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices.
  • Base64, a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. By using only ASCII characters, base64 strings are generally URL-safe, and allow binary data to be included in URLs.
  • Escape or URL-encoding, originally designed to translate special characters into some different but equivalent form that is no longer dangerous in the target interpreter.
  • Morse code, more about that below.

Note that encoding is different from encryption. Encoding turns data from one format into another, with no expectation of security or secrecy. Encryption transforms data in a way that can only be reversed by somebody with specific knowledge, such as a password or key.

So, if encoding methods won’t hide anything from a security researcher, why bother? Changing the encoding methods around is designed to make it harder for spam filters trained on earlier versions of the campaign to spot the later versions.

Morse code

Morse code is a communication system developed by Samuel Morse, an American inventor, in the late 1830s. The code uses a combination of short and long pulses, which can be represented by dots and dashes that correspond to letters of the alphabet.

Famously, the Morse code for “SOS” is . . . - - - . . ., for example.

The International Morse Code encodes the 26 letters of the English alphabet, so the phishers had to come up with their own encoding for numbers. Morse code also doesn’t include special characters and cannot be used to distinguish between upper and lower case, which makes it harder to use than other types of encoding.

So, technically they didn’t use Morse code but their own encoding system that borrowed its base elements, dashes and dots, to represent characters.

This is how the JavaScript section responsible for the Morse code decoding looked.

Figure: the embedded JavaScript, including the decodeMorse routine that unpacks the Morse-encoded content.

In one wave, links to the JavaScript files were encoded using ASCII, then Morse code. In other cases, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.
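As an added example (not code from the Microsoft report or from the phishing kit itself), here is a small triage helper in JavaScript that peels the layered encodings described in the Encoding and Morse code sections off a constructed sample, reporting which layers it removed. The kit URL, the reading of “ASCII” as decimal character codes, and the ITU digit symbols standing in for the campaign’s own number scheme are assumptions.

```javascript
// International Morse for letters, digits and common punctuation. The article
// notes the campaign used its own digit scheme, which is not shown here, so the
// ITU digits in this table are an assumption.
const MORSE = {
  '.-': 'a', '-...': 'b', '-.-.': 'c', '-..': 'd', '.': 'e', '..-.': 'f',
  '--.': 'g', '....': 'h', '..': 'i', '.---': 'j', '-.-': 'k', '.-..': 'l',
  '--': 'm', '-.': 'n', '---': 'o', '.--.': 'p', '--.-': 'q', '.-.': 'r',
  '...': 's', '-': 't', '..-': 'u', '...-': 'v', '.--': 'w', '-..-': 'x',
  '-.--': 'y', '--..': 'z',
  '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
  '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
  '.-.-.-': '.', '--..--': ',', '---...': ':', '-..-.': '/', '-....-': '-',
  '..--..': '?', '-.-.--': '!', '.--.-.': '@', '..--.-': '_', '-...-': '=',
};
const MORSE_REVERSE = Object.fromEntries(Object.entries(MORSE).map(([k, v]) => [v, k]));

// Morse layer: symbols separated by spaces, words by " / ". Morse carries no
// letter case, so the output is lower-case.
function decodeMorse(s) {
  if (!/^[.\-\s\/]+$/.test(s) || !/[.\-]/.test(s)) return null;
  const out = [];
  for (const word of s.trim().split(/\s*\/\s*/)) {
    for (const sym of word.split(/\s+/).filter(Boolean)) {
      if (!(sym in MORSE)) return null;   // unknown symbol: not this alphabet
      out.push(MORSE[sym]);
    }
    out.push(' ');
  }
  return out.join('').trimEnd();
}

// Inverse of decodeMorse, used only to build the constructed sample below.
function encodeMorse(text) {
  return text.toLowerCase().split(' ').map((word) => [...word].map((ch) => {
    if (!(ch in MORSE_REVERSE)) throw new Error(`no Morse symbol for ${ch}`);
    return MORSE_REVERSE[ch];
  }).join(' ')).join(' / ');
}

// "ASCII" layer (assumed meaning): decimal character codes separated by spaces or commas.
function decodeAsciiCodes(s) {
  if (!/^\s*\d{2,3}(\s*[,\s]\s*\d{2,3})*\s*$/.test(s)) return null;
  const codes = s.trim().split(/[,\s]+/).map(Number);
  return codes.every((c) => c >= 32 && c <= 126) ? String.fromCharCode(...codes) : null;
}

// Escape layer: %XX plus the %uXXXX form produced by the legacy escape().
function decodeEscape(s) {
  if (!/%(u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})/.test(s)) return null;
  try {
    const d = decodeURIComponent(s.replace(/%u([0-9a-fA-F]{4})/g,
      (_, h) => String.fromCharCode(parseInt(h, 16))));
    return d === s ? null : d;
  } catch (e) {
    return null;                          // malformed sequence: not this layer
  }
}

// Base64 layer, accepted only if the result is printable text, so plain words
// are not "decoded" into garbage.
function decodeBase64(s) {
  const t = s.replace(/\s+/g, '');
  if (t.length < 8 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(t)) return null;
  const d = Buffer.from(t, 'base64').toString('latin1');
  return d.length > 0 && /^[\x20-\x7e\r\n\t]*$/.test(d) ? d : null;
}

// Peel layers until none applies. Order matters: a run of decimal codes is also
// valid Base64 alphabet, so the more specific decoders go first.
const DECODERS = [['morse', decodeMorse], ['ascii-codes', decodeAsciiCodes],
                  ['escape', decodeEscape], ['base64', decodeBase64]];
function peelLayers(input, maxLayers = 8) {
  const layers = [];
  let current = input;
  for (let i = 0; i < maxLayers; i++) {
    const hit = DECODERS.map(([name, fn]) => [name, fn(current)]).find(([, out]) => out !== null);
    if (!hit) break;
    layers.push(hit[0]);
    current = hit[1];
  }
  return { layers, plaintext: current };
}

// Constructed samples, not from the campaign (hostname in the reserved .invalid
// TLD): Base64 over Morse, and percent-escape over decimal codes.
const KIT_URL = 'https://kit.example.invalid/x.js';
const SAMPLE_B64_MORSE = Buffer.from(encodeMorse(KIT_URL)).toString('base64');
const SAMPLE_ESC_ASCII = encodeURIComponent([...KIT_URL].map((c) => c.charCodeAt(0)).join(' '));

for (const sample of [SAMPLE_B64_MORSE, SAMPLE_ESC_ASCII]) {
  const { layers, plaintext } = peelLayers(sample);
  console.log(`${layers.join(' -> ')} => ${plaintext}`);
}
```

The layer list is the useful output for a mail filter: the same kit URL arrives under different wrappings, so matching on the peeled plaintext rather than the raw attachment is what survives the campaign’s encoding changes.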

Addendum

During our own research for this article we also came across files that used the pdf.html filename and similar variations on the theme we saw with the xls.html extension. These HTML files produced the same prompt to log in to Outlook because the sign-in had supposedly timed out.

These samples were named using the format: {company}-payroll-{date}-pdf.HtmL

For more information about phishing and how to protect yourself and your company please have a look at our page about phishing. For a full description of the phishing campaign, take a look at the Microsoft blog.

... - .- -.-- / ... .- ..-. . --..-- / . ...- . .-. -.-- --- -. . -.-.--

The post Phishing campaign goes old school, dusts off Morse code appeared first on Malwarebytes Labs.

Cyberbullying 101: A Primer for kids, teens, and parents

At some point in our lives, we have likely either been bullied, stood back and watched others bullying, or participated in the act. Playing the role of offender, offended, and by-stander has become easier, thanks to the Internet and the technologies that make it possible to keep us connected.

In this article, we aim to arm you with the basics. From there you can decide for yourself if you want to further expand your knowledge so you know what to do to help someone—a family, a peer—who might be involved in incidents of cyberbullying.

What is cyberbullying?

Cyberbullying is a term used to describe the act of bullying someone using electronic and digital means. Bullying involves two things: intent and persistence. An offender intentionally says or does something negative to the offended and does so for a period of time. This sets cyberbullying apart from, say, a one-time encounter with someone being mean or rude.

Cyberbullying is often used interchangeably with the terms “online bullying”, “digital bullying”, “online aggression”, or “electronic aggression”.

Note that cyberbullying and physical bullying could happen to an individual at the same time.

Examples of cyberbullying

Cyberbullying can take many forms, can happen anywhere online, and can target anyone, including adults in the workplace. It is probably most commonly associated with kids and teens who send hurtful text messages to their victims, or spread rumors about them on social media. Some bullies share non-consensual images and video recordings of victims doing something in private.

Again, we’d like to stress that what classifies something as bullying isn’t a specific act or platform, but the wilfulness of the bully, and the repeated harm they inflict on their victim.

What are the effects of cyberbullying?

The effects of bullying can manifest in someone physically, emotionally, mentally, and socially. And cyberbullying doesn’t just affect the victim and the offender, it also affects those who stand by and watch as the bullying takes place.

Studies have shown that those involved in bullying—whether they’re the abuser, the abused, or a by-stander—can experience headaches, recurring stomach pains, and difficulty sleeping. They can also have problems concentrating, behavioral issues, and can find it difficult to get along with others. Emotionally and mentally, those who are abused can feel sad, angry, frustrated, scared, and worthless, and can have suicidal thoughts.

The effects of bullying can manifest as depression or a sudden change of attitude, such as not wanting to go to school or avoiding smartphones for example.

Is cyberbullying the same as cyber violence?

Cyber violence appears to be short for “cyber violence against women and girls (VAWG)”. It is a term used to describe violent online behaviors aimed specifically at women and girls. Usually, they are victims of domestic abuse done to them by a former or current partner.

According to UNESCO (United Nations Educational, Scientific and Cultural Organization) [PDF], “Violent online behaviour ranges from online harassment and public shaming to the desire to inflict physical harm including sexual assaults, murders and induced suicides.”

In UNESCO’s eyes, the tragic case of Amanda Todd, the 15-year-old Canadian teen who committed suicide after posting an emotional video on YouTube about the bullying she had suffered at the hands of a pedophile, is a crime rooted in cyber violence.

Is cyberbullying illegal?

All US states have some form of law that covers or addresses bullying behavior. You can learn and explore more about this by visiting Cyberbullying Research Center’s Bullying Laws Across America map.

How do you report cyberbullying?

Reporting an individual or a group for cyberbullying is a way for online harassment to stop.

If you or someone you know is experiencing negative behavior that could escalate to cyberbullying, let a trusted adult know. Take evidence of the online bullying, such as screenshots, and keep them in a secure place. If the platforms where the bullying takes place allow it, block the bully.

You can also reach out to the websites and platforms where the bullying is taking place. The Cyberbullying Research Center has a huge list of contact details that direct you to the right place for reporting bullying on a wide variety of different platforms, including social media sites and games.

If you’re anywhere in the US or Canada, remember that you have the Crisis Text Line where you can reach a Crisis Counselor at any time, 24/7. Simply text HOME to 741-741. This free support can also be reached via WhatsApp at 443-SUPPORT. Additionally, residents in Canada can also contact Kids Help Phone by texting CONNECT to 686-868.

Residents in the UK and Ireland can text SHOUT to 85-258 and HELLO to 50-808, respectively.

The post Cyberbullying 101: A Primer for kids, teens, and parents appeared first on Malwarebytes Labs.

VPN Test: How to check if your VPN is working or not

The primary function of a Virtual Private Network (VPN) is to enhance your online privacy and security. It should do this without slowing your Internet too noticeably. Performing a VPN test or two can help you ensure that it’s up to the mark.

VPN privacy test

Your Internet Service Provider (ISP) assigns a unique IP address to your router, the device that connects the computers, phones, and tablets in your house to the Internet. Every device in your home that connects through that router uses its IP address on the Internet. The IP address is allocated from a pool of addresses your ISP controls, so it can change from time to time, but it probably doesn’t change very often.

IP addresses are necessary for getting your Internet traffic to the right place, and getting the responses back to you, but they have a couple of drawbacks:

  • They are allocated geographically, so they can be used for a form of crude geolocation.
  • Because you have to tell all the websites and services you use what your IP address is, it can be used by advertising and tracking services to track you across the web, either on its own or as part of a fingerprint.

When you use a VPN, you create an impenetrable, encrypted tunnel between your computer and your VPN provider, and then join the Internet from one of your VPN provider’s computers. This protects your privacy in a few different ways.

  • Because your connection joins the Internet from your VPN provider, you use an IP address assigned by your VPN provider, rather than your router’s, on the Internet.
  • The encrypted tunnel between you and your VPN provider stops your ISP, rogue Wi-Fi hotspots or other interlopers snooping on your traffic. In particular it stops them looking at your DNS traffic, which can reveal which websites you’re visiting.

VPN leaks

Part of a VPN’s privacy protection comes from hiding your real IP address, so it’s important to understand that IP addresses can “leak”. You can leak your IP address via DNS if your DNS traffic passes through the encrypted tunnel where your ISP can’t see it, exits your VPN, and then goes back to your ISP’s DNS servers for resolution.

You can also leak your IP address via WebRTC, a real-time communication protocol your web browser uses for things like video calls.

An IP leak is rare on a reputable and secure VPN service because the best VPN companies have workarounds to reduce their likelihood. Please avoid free VPNs. Your privacy is often not their priority.

Checking for basic IP address leaks

  1. Ensure that your VPN is disconnected and visit a search engine like DuckDuckGo. Type “what is my IP address.” Hit enter and then note down your IP address.
  2. Launch your VPN client and connect to a VPN server. Double-check to see that you’re connected and note down the IP address the VPN has given you (if it tells you).
  3. Repeat step one and note down what your IP address is now. If your IP address hasn’t changed from step one, your IP address is not being masked. If it matches the one you picked in step two, your IP address is being masked.

Testing for DNS and WebRTC leaks

Even if your VPN passes the basic IP leak test, you should run tests for DNS and WebRTC leaks. You can test for IP address leaks via DNS on websites like DNSLeakTest or DNSLeak. You can test for IP leaks via WebRTC on websites like browserleaks.com. You may have to disable WebRTC to stop the leak.
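As an added example (not from the article or from any VPN vendor), this JavaScript shows what the WebRTC half of the test above actually checks: the browser’s ICE candidates can carry a public address even with the VPN connected, so each candidate is parsed and any public address other than the one the VPN client reported in step two is flagged. The candidate lines, the VPN exit address and the STUN server are constructed or assumed; the collector runs only in a browser, the parsing and leak logic run anywhere.

```javascript
// "candidate:<foundation> <component> <transport> <priority> <address> <port>
//  typ <type> [raddr <addr> rport <port>] ..." (ICE candidate syntax, RFC 8839).
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]),
           type: m[7], raddr: m[8] || null };
}

// Private, loopback, link-local and CGNAT (100.64/10) ranges reveal nothing
// about your Internet address. Returns null for anything that is not IPv4.
function isPrivateIPv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  const [a, b] = parts.map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return 'mdns';   // browser masked the host IP with an mDNS name
  if (addr.includes(':')) {
    const a = addr.toLowerCase();
    return a === '::1' || a.startsWith('fe80:') || /^f[cd]/.test(a) ? 'private' : 'public';
  }
  const priv = isPrivateIPv4(addr);
  return priv === null ? 'unknown' : (priv ? 'private' : 'public');
}

// Public addresses exposed by the candidates, minus the VPN exit address. A relay
// candidate's own address is the TURN server, so only its raddr (the client as
// seen by that server) is examined.
function findLeaks(candidateLines, vpnExitIp) {
  const leaks = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const toCheck = c.type === 'relay' ? [c.raddr] : [c.address, c.raddr];
    for (const a of toCheck) {
      if (a && classifyAddress(a) === 'public' && a !== vpnExitIp) leaks.add(a);
    }
  }
  return [...leaks].sort();
}

// Browser only: gather candidates the way leak-test sites do. Resolves to [] where
// RTCPeerConnection is missing (for example under Node). The STUN server is an assumption.
function collectCandidates(timeoutMs = 2000) {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve([]);
  return new Promise((resolve) => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
    const finish = () => { pc.close(); resolve(lines); };
    pc.createDataChannel('leak-test');          // ICE gathering only starts once there is media or a channel
    pc.onicecandidate = (ev) => (ev.candidate ? lines.push(ev.candidate.candidate) : finish());
    setTimeout(finish, timeoutMs);
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

// Constructed candidate lines (RFC 5737 test addresses, not a real capture): a
// private host candidate, an mDNS-masked one, a srflx candidate exposing the ISP
// address 203.0.113.7, and a relay candidate repeating it in raddr.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f1c9e2a-7b1d-4c0e-9a33-0f2b6c8d1e44.local 51001 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.7 51000 typ srflx raddr 192.168.1.23 rport 51000',
  'candidate:4 1 udp 41885439 198.51.100.9 60000 typ relay raddr 203.0.113.7 rport 51000',
];
const VPN_EXIT_IP = '198.51.100.200';   // constructed: the address the VPN client reports

collectCandidates().then((live) => {
  const leaks = findLeaks(live.length ? live : SAMPLE_CANDIDATES, VPN_EXIT_IP);
  console.log(leaks.length ? `WebRTC leak: ${leaks.join(', ')}` : 'no WebRTC leak found');
});
```

With the VPN working correctly the only public address in the srflx candidate should be the VPN exit address, and the check reports nothing; an mDNS-masked host candidate is the browser doing its part and is not a leak.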

The post VPN Test: How to check if your VPN is working or not appeared first on Malwarebytes Labs.

Crypto-scams you should be steering clear of in 2021

A fair few cryptocurrency scams have been doing the rounds across 2021. Most of them are similar if not identical to tactics used in previous years with an occasional twist. Here are some of the most visible ones you should be steering clear of.

Recovery code theft

Many Bitcoin wallets make use of something called recovery codes. These are, as the name suggests, codes allowing you to regain access to wallets you’ve locked yourself out of. These are the last roll of the dice for anyone unable to view their funds, and not a situation people would wish to find themselves in. As a result, they’re a fantastic target for scammers wanting to do some wallet plundering.

One of the sneakiest ways to grab a code is to jump into customer support discussions on social media. Scammers set up fake customer support style accounts, then direct potential victims to phishing pages hosted elsewhere. If you lose a recovery code or its equivalent in this manner, it’s almost certainly gone for good. Always ensure the entity you’re talking to is:

  • the official support channel, and
  • not someone else entirely that you’ve inadvertently started talking to.

By doing this, your digital funds should be kept safe from this technique.

Fake Elon Musk cryptocurrency scams

Another social media shenanigan involving cryptocurrency? You bet. This tactic involves stealing verified Twitter accounts, making them resemble Elon Musk, and then spamming bogus Bitcoin offers in replies to viral tweets.

This has been happening for quite some time now, and refuses to go away. It’s not pocket change, either. The FTC estimates at least $2 million has been stolen from cryptocurrency investors. It’s not just happening on Twitter, either. Rogue SpaceX crypto scams were doing the rounds back in June of this year.

If in doubt, remember that Elon is not going to make you rich beyond your wildest dreams with Bitcoin.

Covert container mining

This one is a bit more technical than most, and relies on bad things happening behind the scenes. There’s no direct social engineering aspect, because that’d give the game away.

If you’re a developer working on a project, it’s common to make use of pre-made code libraries. There are all kinds of ways to give your project a leg up, but one of the most popular is Docker. Docker bundles up all the things your project needs (including operating systems, applications, and other people’s projects it depends upon) in a “container”, a self-contained, portable environment. Because why write code if somebody’s already written it for you?

Turns out this area of work wasn’t safe from crypto-antics either. Rogue mining images involved in cloud-based mining attacks were discovered sitting on Docker Hub. The images contained software people might want to include in their Docker project, along with a cryptominer that would churn away in the background, making cryptocoins for somebody else at your expense.

This is a tricky one to avoid, but you can make a start by checking out the list of image names which could indicate bad files ahoy here. 30 malicious images downloaded roughly 20 million times(!) equals an awful lot of potential mining activity taking place.

419 crypto scam

Advance fee fraud scams involve sending dubious chunks of cash to / from a victim’s bank account. The money vanishes without trace, and the victim becomes a money mule, and is left carrying the blame.

We recently saw a mail along these lines. Nothing new there. However, this one asks victims to install a wallet app and transfer funds. This is not something you want to be doing. The scammers want people to get in touch on WhatsApp, where they may well ask for additional personal information. This could easily be used elsewhere in other scams.

Conclusion

There are many more crypto-scams waiting in the wings, but these are the ones we tend to see the most of. Give yourself a head start and learn to spot the signs of attempted compromise out there in the wild. Your digital wallet will thank you for it.

The post Crypto-scams you should be steering clear of in 2021 appeared first on Malwarebytes Labs.

Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes

I doubt if there has ever been a more appropriate nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.

What happened?

In June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as CVE-2021-1675. At first it was classified as an elevation of privilege (EoP) vulnerability, which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.

In a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability, only to find out they had alerted the world to a new 0-day vulnerability by accident. This vulnerability, listed as CVE-2021-34527, was introduced under the name PrintNightmare.

Ominously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.

At the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, Benjamin Delpy showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.

On July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” because it became aware of multiple threat actors exploiting PrintNightmare.

Also in July, CrowdStrike identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.

An end to the nightmare?

In the August 10 Patch Tuesday update, the Print Spooler service was subject to yet more patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.

In an unusual breaking change, one part of the update made admin rights required before using the Windows Point and Print feature.

Just one day later

On August 11, Microsoft released information about CVE-2021-36958, yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who demonstrated the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.

Mitigation

The workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:

  • Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling it may not be enough.
  • For the systems that do need the Print Spooler service to be running make sure they are not exposed to the Internet.

Microsoft says it is investigating the vulnerability and working on (yet another) security update.

Like I said yesterday: To be continued.

The post Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes appeared first on Malwarebytes Labs.

Thief pulls off colossal, $600m crypto-robbery …and gives the money back

The largest crypto-robbery in history is rapidly turning into the most bizarre as well. Let’s start at the beginning…

In an apparent scream for mercy, 21 hours ago the Poly Network Team reached out via Twitter to “hacker(s)” that had managed to transfer roughly $600 million in digital tokens out of its control and into separate cryptocurrency wallets.

It alerted the world to what looks like the biggest crypto-heist in history, dwarfing even the landmark Mt. Gox theft in 2014.

Dear Hacker,

We are the Poly Network team.

We want to establish communication with you and urge you to return the hacked assets.

The amount of money you hacked is the biggest one in the defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole is from tens of thousands of crypto community members, hence the people.

You should talk to us to work out a solution.

Poly Network Team

Poly Network describes itself as a project to “implement interoperability between multiple chains” and says it has already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo, and Huobi ECO Chain. What really matters, though, is that underneath all that it’s a website to which users can connect their cryptocurrency wallets, something that makes both legitimate trading and theft much easier.

Insecure code

As with any exchange-type robbery (and they are many and frequent), there are screams about inside jobs. The Poly Network team says hackers exploited a vulnerability in its system to steal about $267m of Ether currency, $252m of Binance coins, and roughly $85 million in USDC tokens. According to Poly Network, a preliminary investigation found a hacker exploited a “vulnerability between contract calls” (contracts are code stored on blockchains).

Not long after the heist, SlowMist published a post on Medium explaining the vulnerability. Cutting to the chase, the important part of the analysis is this bit: “After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.” In other words, the Poly Network code had a bug that allowed attackers to make themselves the owner of other people’s money.

Freezing accounts

Poly Network has blocklisted the addresses the cryptocurrency was transferred into. It said it is also working with its partners to freeze the hackers’ accounts. This is a step that can make it harder for the thieves to use stolen money. Cryptocurrency payments are pseudonymous but they are not private: Every transaction is traceable, and if everyone agrees not to trade with blocklisted accounts they are essentially frozen.

Making it impossible for the thieves to move the stolen cryptocurrency would certainly make them more amenable to negotiations. After all, what is your full bank account worth if you can never hope to spend the money?

A rough time for cryptocurrencies

Like any technology, cryptocurrencies are neutral, neither intrinsically good nor bad, but they do have a way of attracting bad news. Poorly secured exchanges, exit scams, pump-and-dump scams, inside jobs, and colossal thefts are part of the furniture. Cryptocurrencies are also popular for tax evasion and, of course, an essential part of the recent boom in ransomware.

Recently, we have seen a call to action from governments that want more oversight and control over cryptocurrencies. Their concern isn’t following where the money goes, that’s easy, but linking real identities to the anonymous IDs used in blockchain transactions.

Among those contributing to the mood music that “something must be done” about cryptocurrencies, the US Senate is getting ready to vote on a bipartisan infrastructure package, which would impose more federal regulation on cryptocurrencies; the director of the Dutch economic advisory Centraal Planbureau (CPB) has argued that all cryptocurrencies should be banned; Turkey has banned cryptocurrencies as a legal form of payment; India is considering whether to make the mining and possession of cryptocurrencies illegal; and China has banned initial coin offerings and announced a crackdown on Bitcoin mining and trading.

Listening to the plea?

Poly Network provided the hacker with three addresses and, it seems, the hackers have been busy returning some funds. At the time of writing they had returned less than 1 percent of the money.

You should be able to follow the developments in this thread on Twitter.

Update 11 August, 15:10 UTC. It gets weirder

Elliptic reports that the crypto-robber has now returned $258 million worth of cryptocurrency, suggesting that the crypto-robber may be serious about returning all the stolen money.

Negotiations between Poly Network and the thief started early and appear to be going well. Communicating via metadata on Ether transactions, the thief declared early on (about 12 hours ago) they were “NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS”.

[Image] The hacker sends a message to Poly Network in Ether metadata.

In response, Poly Network offered an undisclosed “security bounty”, and dangled the carrot of notoriety, saying: “We want to offer a security bounty and we hope it will be remembered as the biggest white hat hack in the history.”

Seeming to prefer the role of hero over villain, the thief replied “IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD”.

As if that wasn’t weird enough, in a further bizarre twist, the thief has also declared they are taking donations, should anyone wish to thank them for returning all the money, or finding the bug, or something.

The post Thief pulls off colossal, $600m crypto-robbery …and gives the money back appeared first on Malwarebytes Labs.

If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam

Rogue QR code antics have been back in the news recently. They’re not exactly a mainstay of fakery, but they do tend to enjoy small waves of popularity as events shaped by the real world remind everyone they still exist.

The most notable example where this is concerned is of course the pandemic. With the spread of Covid-19, people and organisations naturally wanted to move away from physical contact. Contactless cards were in, and so too were QR codes. This was fertile ground for scammers to move back into a tactic they may have long since abandoned.

Even outside of scams, the use of QR codes as a safe way to do important things is questionable. The problem with QR codes stems from how easy they are to use. Point your smartphone’s camera at a QR code and your phone will happily read it, convert it to a URL, and then open the URL in your browser. Very trusting.

What’s happening this time?

The Better Business Bureau is warning us to be on the lookout for QR code scams. The latest example it gives is of a student sent a letter about loan consolidation. The letter contained links to an official .gov site, and also included “a barcode and QR code that looked legitimate”. Unfortunately, once the victim contacted the scammers by phone, they were tricked into an eventual loss of just over a thousand dollars. You can see an older example of such a scam tactic here. Whether by QR code and bogus website or plain old unsolicited telephone call, the outcome is typically the same: monthly fees going out of the victim’s bank account until they notice something is wrong.

Tracker tricks

We took a look at some of the recent examples listed in the BBB scam tracker. This is where people essentially crowdsource scams they encounter, adding them into the tracker database.

There was no common pattern between scam types, which ran the gamut from phishing and identity theft to employment fakeouts and bank imposters. With that in mind, here are the ones which caught our eye:

Trading for QR codes

One person claims they lost $5,100 after a stranger reached out on Instagram and convinced them to get into the wild world of forex (Foreign Exchange) trading. The discussion was moved to WhatsApp where a “withdrawal fee” of $4,102 was sent to a supplied QR code. When more requests for cash happened, the victim became suspicious.

A scam of utility

Another scam of note was related to utility services. A victim claims they were told their electricity would be turned off within 20 minutes. The only way to fix this was to pay an unpaid bill by going to a nearby gas station and sending $900 or so via a QR code. The QR code downloaded a Bitcoin app, and at that point they presumably became suspicious and went no further.

Of employment, supplies, and money muling

As you’ve seen, sending potential victims to gas stations to use Bitcoin ATMs is a popular technique. Perhaps the most shocking example we saw was along these same lines. The victim didn’t lose any money, but they did lose an awful lot of time, and experienced what must have been a lot of stress.

Our subject applied for a virtual job at a new organisation, after uploading their resume to a job hunt website. The entire job interview was performed using the secure messaging app Telegram, which is somewhat unusual. They sent their supposed new employers a copy of their driving license and other personal information. The victim was then sent $5,000 to “purchase equipment” for their job, and instructed to send $4,800 to their “software vendor’s” Bitcoin address via a gas station ATM.

It wasn’t long before they were given the cold shoulder by the people asking them to receive and send money. They had almost certainly been used as a money mule: laundering dubious funds by breaking the link between the sender and the recipient, thanks to the gas station ATM.

In most cases, the QR code isn’t some sort of surprise gotcha. Nothing leaps out at the victim and drops malware, or pops something terrible on the desktop. No, the scammers are using them the same way regular folks do—for convenience. They’re simply a means of getting the victim in front of an ATM. From there, they set the ball rolling to part them from their money (or have them act as the conduit for ill-gotten gains).

Avoiding QR scams

If you’re dealing with QR codes in public, on ads or posters, check that they haven’t been tampered with (look for stickers with a new QR code placed over an original).

QR codes in correspondence can be trickier. The trick is to remember that a QR code is easy to create and is no more trustworthy than any other word or web address. When dealing with codes from businesses you’ve dealt with, try to confirm the code is genuine. If the code opens a website asking for login details, confirm that it’s the company’s legitimate address. Asking for logins from QR codes is risky behaviour and should really be avoided whether a real code or not.

And if anyone tries to steer you towards a Bitcoin ATM, move swiftly in the opposite direction.

Follow these rules and you’ll hopefully avoid any code-based pitfalls.

The post If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam appeared first on Malwarebytes Labs.

Twitter says it out loud: Removing anonymity will not stop online abuse

An investigation by Twitter into racist tweets levied against three Black players on the English football team following the national hopefuls’ loss against Italy last month revealed that anonymity played almost no role in whether users posted abusive comments from their accounts.

The analysis, which revealed that 99 percent of the accounts that Twitter suspended were not anonymous, provides the latest evidence that requiring real identities on social media platforms will not lead to any measurable decrease in online abuse.

“While we have always welcomed the opportunity to hear ideas from partners on what will help, including from within the football community, our data suggests that ID verification would have been unlikely to prevent the abuse from happening – as the accounts we suspended themselves were not anonymous,” Twitter UK wrote in a blog post. “Of the permanently suspended accounts from the Tournament, 99% of account owners were identifiable.”

According to Twitter, its own automated tools to find and remove abusive content are working: The company’s internal tech tools found and removed 1,662 harmful tweets during the UEFA Euro 2020 Final and in the 24 hours following the match. By July 14—three days after the final—that number grew to 1,961, though the total included 126 tweets that were removed due to non-automated reporting by “trusted partners,” Twitter said.

The racism directed against England’s players drew immediate attention after the team’s loss in one of the most anticipated football matches in the country’s recent history. As the match closed with a 1 – 1 tie, three of England’s players shot penalty kicks. All three missed.

According to Vice, the three penalty kickers were called racist slurs on Instagram, faced racist comments on Twitter, and received “direct threats to their safety, in far-right and neo-Nazi channels” on Telegram.

The proposed solutions to this type of abuse are as old as the abuse itself. As we discussed on the Lock and Code podcast with Electronic Frontier Foundation Director of Cybersecurity Eva Galperin, commentators often suggest that social media companies require a person to provide their real identity when creating an account and using a platform.

“The premise is that if people used their real names that they would not post this kind of harassing content,” Galperin said. “That if your name was next to every opinion you had, that you would be more careful about the things that you say online.”

But, Galperin said, the premise falls apart when looking at the real world.

“This assumes a level of shame that is simply not there,” Galperin said. “People are willing to be tremendous jerks online. And the more powerful that they are offline, the more likely it is that they will act as bullies online and that they will put their names next to it and feel no shame whatsoever.”

Now, after decades of this dynamic being recognized by online privacy experts, it appears that Twitter has joined the crowd that says that, thankfully, anonymity is not worth destroying.

The post Twitter says it out loud: Removing anonymity will not stop online abuse appeared first on Malwarebytes Labs.