IT News


Yandex sysadmin caught selling access to email accounts

Yandex, a European multinational technology firm best known for being the most-used search engine in Russia, has revealed it had a security breach, leading to the compromise of almost 5,000 Yandex email accounts.

The company says it spotted the breach after a routine check by its security team. They found that one of their system administrators with access to customer accounts was allowing third-parties to see some of these accounts “for personal gain”. Yandex made it clear in its official press release that no payment details were compromised.

With so much attention paid to eye-catching external threats like ransomware and BEC, it’s easy to forget that one of the biggest threats organisations face isn’t trying to force its way into their network; it was invited in.

Insider threats

Current and former employees, contractors, business partners, suppliers, third-party vendors, and service providers are all potential insiders. And they don’t have to be technologically savvy to pull off an “inside job”.

In fact, some insiders aren’t even intentionally malicious. The most common cause of incidents is employee negligence: the misuse of access privileges or a general inattention to keeping sensitive information private and secure can cause employers a lot of headaches. This can be further compounded by a lack of effective cybersecurity and privacy training programs or an utter absence of an intentional culture of security.

Negligent and careless employees (or what others call “accidental insider threats”), more often than not, have zero intention to hurt their organizations; malicious employees, on the other hand, knowingly act against their employers for personal gain.

According to the 2020 Cost of Insider Threats: Global Report from the Ponemon Institute, the costliest insider threat is credential theft, which costs an average of nearly $875,000 USD to remediate. Not only that, incidents of credential theft have tripled in the last 5 years. With a booming demand for employees who are willing to share company secrets with criminals, it wouldn’t be a stretch to expect that cases like this will pop up more frequently. They pay well, after all.

“Employees are always a prime target for adversaries, whether it is targeting them to leverage their machine or identity or recruiting them actively on a closed source forum,” said Brandon Hoffman, chief information security officer at Netenrich, an IT service management company, in an interview with Threatpost. “There have been several cases where we have seen a disgruntled employee posting messages on the dark web aiming to make a contact where they can ‘cash out’ their leverage as an employee.”

Organizational breaches have become a mainstay in news outlets, with many of them about outside parties forcing themselves inside private networks either by force (hacking) or social engineering (phishing). With the current pandemic and everyone working remotely, spotting insider threats has become more challenging than ever. This should make businesses more vigilant and determined in curbing insider threats before they happen. For those who don’t know where to start, here’s a good place: look at the zero trust model, and see how you can adapt it within your organization.

The post Yandex sysadmin caught selling access to email accounts appeared first on Malwarebytes Labs.

Clubhouse under scrutiny for sending data to Chinese servers

The audio-chat app Clubhouse is the latest rage in the social media landscape. What makes it so popular, and, now that it’s part of the social media landscape, can we trust it?

The Clubhouse app

Clubhouse was launched about a year ago and was initially only used by Silicon Valley’s rich and famous. It is different from other social media in that it focuses on the spoken word. Clubhouse members can enter virtual rooms to listen in or participate in live conversations. The conversations can only be joined when they are live and the people having the conversation determine who is allowed to listen and who can talk.

The Clubhouse app is freely available for download to every iPhone user, and an Android version is in the pipeline, but participation is kept exclusive by making it invitation only.

Every new user only gets a few (initially only two) invitations to give away. The developers claim it was done this way to allow for a controlled growth, so as not to overload the server infrastructure. Whether by design or coincidence, this also seems to work as a clever marketing scheme. Deep down, we all want to be part of the club of cool kids.

As a member you can select the subjects you are interested in and apply to be allowed in on conversations about those subjects. The conversations are not saved by the app, so the idea is that you “had to be there” to know what they talked about. But in the digital world thinking that some information is gone for good is very often an illusion. What’s to stop someone from recording a conversation they’re in?

Chinese servers

Recently Clubhouse went viral among Chinese-speaking audiences. But as soon as the Chinese government became aware of political discussions on the app, it was abruptly blocked by the country’s online censors, on Monday February 8, 2021. This line of events made some researchers wonder how private the conversations really were.

An investigation by the Stanford Internet Observatory found that some of the back-end infrastructure for the Clubhouse app was provided by Agora. Agora is a Shanghai-based start-up, with US headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon, which was exactly what Clubhouse needed to roll out its app.

The Stanford Internet Observatory

In their blog post “Clubhouse in China: Is the data safe?”, the Stanford Internet Observatory (SIO) team unravels the ties between Clubhouse and Agora and speculates not about why the Chinese government banned the app, but rather about why it took them so long.

According to the article “SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio … It is also likely possible to connect Clubhouse IDs with user profiles.”

In a series of tweets one of the team members, Alex Stamos, adds:

“We found Chinese servers being used even for conversations that only involved Americans.”

He goes on to say that neither Agora nor another Chinese supplier, EnjoyVC, is listed as a data sub-processor in the Clubhouse privacy policy.

Alex Stamos is adjunct professor at Stanford University’s Center for International Security and Cooperation. He is also the former chief security officer at Facebook, so he does know a thing or two about social media.

Clubhouse statement

Clubhouse’s reaction to the analysis done by the Stanford Internet Observatory was:

“Clubhouse is deeply committed to data protection and user privacy.

We designed the service to be a place where people around the world can come together to talk, listen and learn from each other. Given China’s track record on data privacy, we made the difficult decision when we launched Clubhouse on the App Store to make it available in every country around the world, with the exception of China. Some people in China found a workaround to download the app, which meant that—until the app was blocked by China earlier this week—the conversations they were a part of could be transmitted via Chinese servers.

With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection. For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client. Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes.

We welcome collaboration with the security and privacy community as we continue to grow. We also have a bug bounty program that we operate in collaboration with HackerOne, and welcome any security disclosures to be sent directly to security@joinclubhouse.com.”

Countered by Alex Stamos with:

“We found that the use of Shanghai-based Agora is fundamental to the function of the app and building logical and technical controls between the US and PRC infrastructure will be extremely complicated.”

Meaning that not only is the Chinese infrastructure essential for Clubhouse at this point, but it will also prove to be hard to keep the US traffic away from it.

So, is it safe?

As TikTok discovered last year, popularity comes with scrutiny. The Stanford Internet Observatory report is interesting, but it isn’t proof of malice. It should help Clubhouse improve its privacy and security though, and Clubhouse will be under no illusion that people are watching it closely on both sides of the Great Firewall.

Our advice is to treat Clubhouse the same way you treat every other social media app. Once you release information on social media it is out of your control, and you should treat it as if it’s freely available. It is up to each user to decide how much information they are willing to share about themselves. It is not always easy to balance the scales between privacy and social interaction. But it is better to be aware of the risks and not invest your trust in a social media app just because it is cool to be a part of, or just because they claim to value data protection and user privacy.

Stay safe, everyone!

The post Clubhouse under scrutiny for sending data to Chinese servers appeared first on Malwarebytes Labs.

Extortion, precision malware, and ruthless scams. Read the State of Malware 2021 report

Last year, threat actors took advantage of the COVID-19 public health crisis in a way previously considered unimaginable, not only preying on uncertainty and fear during the initial months of the global pandemic, but retooling attack methods, reneging on promises, strengthening malware, and extorting victims to the tune of $100 million—and that was without the threat of ransomware encryption.

In short, in 2020, cyberthreats evolved.

Today, we are showing readers just what that evolution looked like, in our State of Malware 2021 report. This report provides our most comprehensive analysis of last year’s malware trends, with breakdowns by malware category, malware type, operating system, region, industry, and more.

Here are key takeaways of what we learned in 2020:

  • Malware detections on Windows business computers decreased by 24% overall, but detections for HackTools and Spyware on Windows increased dramatically—by 147% and 24%, respectively
  • Among the top five threats for both businesses and consumers were the Microsoft Office software cracker KMS, the banking malware Dridex, and BitCoinMiners; business detections for KMS and Dridex rose by 2,251% and 973%, respectively
  • Detections for the most notorious business threats Emotet and Trickbot fell this year by 89% and 68% respectively, although the operators behind these threats still pulled off several big attacks in 2020
  • A new ransomware called Egregor came onto the scene in late 2020, deployed in attacks against Ubisoft, K-Mart, Crytek, and Barnes & Noble
  • Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%
  • Malware accounted for just 1.5% of all Mac detections in 2020—the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware
  • ThiefQuest tricked many researchers into believing it was the first example of ransomware on macOS since 2017, but the malware was hiding its real activity of massive data exfiltration. It accounted for more than 20,000 detections in 2020
  • On Android, HiddenAds—which aggressively pushes ads to users—racked up 704,418 detections, an increase of nearly 149%
  • We twice uncovered pre-installed malware on phones provided by Assurance Wireless through the US government-funded Lifeline Assistance program
  • Stalkerware-type app detections—which include detections for Monitor apps and Spyware apps on Android—surged in conjunction with shelter-in-place orders that governments began implementing in February and March: Monitor app detections rose from January to December by 565%; Spyware app detections rose across the same time period by 1,055%
  • The agriculture industry suffered through a 607% increase in malware detections, while detections in the food and beverage industry increased by 67%
  • More traditional targets, such as manufacturing, healthcare and medical, and automotive all experienced drops in detections by varying degrees—education fell 17%, healthcare dropped 22%, and the automotive industry decreased by 18%

As you can see from these findings, 2020 proved to be a tumultuous year.

When COVID-19 cases first began spiking in several countries, cybercriminals preyed upon people’s fears mercilessly, with an avalanche of coronavirus phishing emails and scams.

Around the world, governments tried to stop their hospitals from being overwhelmed by ordering lockdowns, stay-in-place orders, and school closures. By April 2020, half the world’s population had been asked or ordered to stay at home. As entire businesses switched to remote working, IT teams found themselves trying to fit months-long projects into days, with security an unfortunate but understandable casualty.

Faced with a new landscape, cybercriminals ditched some old tactics and placed a new emphasis on gathering intelligence. And as people adapted to their “new normal,” scammers exploited their isolation with a resurgence in tech support scams. New adversaries crawled out of the woodwork, too. April’s global shutdown was accompanied by a staggering rise in the use of stalkerware, a short-hand term for the type of mobile monitoring and spyware apps that are sometimes deployed by abusive partners.

The pandemic also created new challenges to online privacy. As countries turned to digital contact tracing to contain outbreaks, a stark dichotomy emerged: It is possible for people to have personal privacy or effective contact tracing, but probably not both. Around the world, the progress of privacy-preserving legislation slowed to a crawl.

And what began as a global health crisis soon became a global economic crisis too, with almost no business left unscathed. The fate of different industry sectors was mirrored in the number of cyberattacks they suffered. As the manufacturing and automotive sectors contracted, attackers simply turned their faces to agriculture and other essential industries instead. Ransomware gangs reneged on early promises to stay away from hospitals and hit new lows instead, attacking hospitals and medical facilities in organized campaigns.

Through it all, there is one form of business that seems to have thrived in 2020 though—the creation and operation of malicious software. The pace of innovation picked up in 2020 as many entirely new malware families emerged. Ransomware gangs continued to learn from each other too, with successful tactics spreading quickly between them. Perhaps the most important new tactic that emerged was “double extortion,” which saw cybercriminal groups extorting more money with threats to leak sensitive data than from decrypting compromised computers.

If 2020 taught us anything, it’s that cybercrime stops for nothing. There are no targets, and no opportunities for exploitation, that are beyond the pale.

Thankfully, the year had another lesson for us too: That there are heroes everywhere. The healthcare professionals, teachers and other essential workers rightly deserve the loudest acclaim, but heroes emerged in all areas of life. So, we want to offer an enormous thank you to the unsung army of sysadmins and security professionals who moved mountains in 2020 to keep millions of people safe online as the world around them was turned on its head.

To get the full story, read the State of Malware 2021 report.

The post Extortion, precision malware, and ruthless scams. Read the State of Malware 2021 report appeared first on Malwarebytes Labs.

Egregor ransomware hit by arrests

In a collaboration between French and Ukrainian law enforcement, arrests have been made that might put a dent in one of the world’s most sophisticated ransomware operations.

As reported first by France Inter, law enforcement made the arrests after French authorities traced ransom payments to individuals located in Ukraine. While the arrests have not been formally tied to Egregor, the statements and circumstances surrounding them have led to a lot of speculation. Let’s start with the basic background information.

What is Egregor ransomware?

Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates. A great number of Egregor affiliates were formerly tied to the Maze ransomware. Many believe Egregor is a follow-up to Maze, because of:

  • The similarity of their business models—both used the data exfiltration and extortion method that was introduced at a large scale by Maze.
  • The transfer of affiliates from Maze to Egregor before the Maze group announced its retirement.
  • The timing of the Maze retirement and the explosive growth of Egregor led security experts to believe that at least some of Maze’s team members created Egregor in cooperation with Egregor’s predecessor Sekhmet. Egregor is considered a variant of Ransom.Sekhmet based on similarities in encryption, obfuscation, API-calls, and its ransom note.

Tracing ransom payments

Some people still believe that Bitcoin payments are completely anonymous and untraceable. This is not true.

The Bitcoin blockchain is an open and transparent ledger. Every payment is publicly visible to anyone and it’s easy to see how coins move from one address to another. Users are pseudonymous, meaning that their activity is visible, but their identity isn’t. Unmasking the flow of money is a matter of tying a real identity to one or more of the Bitcoin addresses in the chain. Successful cybercriminals know this and use mixers or tumblers to hide their tracks.

Usually, the most precarious moment for criminals is when their illegally obtained virtual currency is exchanged for a fiat currency, often referred to as a cash-out point.

Were the arrested people key players?

In the original report the arrested people were mentioned as individuals that provided logistical and financial support. In another report they were said to be people whose job was to hack into corporate networks and deploy the ransomware. But that last bit is usually what the affiliate does, which would suggest they weren’t members of the Egregor crew.

However, some parts of the Egregor infrastructure have been offline for a few days, which may indicate the people arrested played a more important role in the organization. The offline parts are mainly their extortion site, where they published exfiltrated data, and the command and control (C2) infrastructure. For now, it remains unclear what the lasting damage might be.

Arrests follow Egregor attacks in France

France Inter said French authorities got involved in the investigation after several major French companies were hit by Egregor last year, such as game studio Ubisoft and logistics firm Gefco. As a result, an investigation was started last year, and French police, together with European counterparts, were able to track down Egregor members and infrastructure to Ukraine.

This does not mean however that Egregor focused on French victims. The group is active worldwide and has achieved estimated earnings between $40 million and $50 million according to a Chainalysis report. This is since their arrival on the scene in September of last year and makes them one of the five most active and best earning ransomware groups.

The arrests come hot on the heels of the recent, dramatic takedown of Emotet and the surprise retirement of the Fonix ransomware group.

Let’s hope that Egregor is on the way to joining them.

Stay safe, everyone!

The post Egregor ransomware hit by arrests appeared first on Malwarebytes Labs.

RDP, the ransomware problem that won’t go away

The year 2020 will certainly be remembered as one of the most difficult and tragic years humankind has faced in modern times. The global pandemic changed the way we live and work in ways unimaginable, perhaps forever.

It also altered the cybersecurity landscape dramatically. The FBI reported a 300 percent increase in cybercrime in the first quarter of that year, and the rate and cost of ransomware attacks escalated at an unprecedented rate. Almost thirty attacks were reported in December 2020 alone, including the infamous $34 million demand levied against electronics giant Foxconn.

One of the primary reasons these attacks are growing rapidly is the shift from secure office locations to less secure remote work environments. Prior to the global pandemic, less than 4 percent of the population worked from home. The genie is out of the bottle now though, and there’s no going back. It’s no surprise, then, that a recent Gallup poll found that 82 percent of business leaders plan to maintain a larger work-from-home (WFH) posture well after the pandemic.

While many organizations can benefit from a wider selection of job candidates and reduced maintenance and facility costs, for security professionals, work-from-home environments expand the attack surface they have to protect, and increase the risks for phishing, malware, and ransomware.

The target for today’s organized and sophisticated cybercriminals, like the ones operating Maze or Ryuk, isn’t a single computer, but an organization’s entire network. A majority of all ransomware attacks gain access to a victim’s network through a “backdoor” approach that exploits weaknesses in Remote Desktop Protocol (RDP) software, or the way it is deployed.

The threat of RDP brute forcing has been widely reported, and brute force protection for RDP has been a “must have” for several years, and yet these attacks continue to succeed. The truth is that simply telling people to harden RDP isn’t working fast enough. Brute force protection needs to be more than just another item in an overworked system administrator’s ever-growing task list. Instead, we need to see RDP brute forcing for what it is: an endpoint detection and response (EDR) problem, and handle it there.

Less well publicized are the vulnerabilities that continue to turn up in popular RDP software. In 2020, security researchers found twenty-five vulnerabilities in some of the most popular RDP clients used by businesses. These include:

  • FreeRDP, which is the most popular open-source RDP client on GitHub
  • Microsoft’s built-in RDP client, with the executable file mstsc.exe
  • rdesktop, another open-source RDP client and the default RDP client in Kali distributions of Linux

Many security professionals may not be aware of “reverse RDP” vulnerabilities, which affect the machine the user is connecting from rather than the remote host they connect to. The grunt work of inventory taking and patching remains as vital as ever.

The post RDP, the ransomware problem that won’t go away appeared first on Malwarebytes Labs.

Gang arrested for SIM-swapping celebrities, stealing $100 million

The UK’s National Crime Agency (NCA)—working alongside the US Secret Service, Homeland Security, the FBI, Europol, and the District Attorney’s Office of Santa Clara, California—spearheaded the arrest of eight British citizens in the UK and Scotland, aged between 18 and 26, for a string of SIM swapping attacks that occurred in 2020. These attacks targeted thousands of people and netted some high-profile victims such as online influencers, sports stars, and musicians.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but perhaps the most common involves a social engineering attack on the victim’s carrier.

Claiming to be the number’s owner, attackers call the carrier and persuade them to transfer it to their own SIM card. Because these attacks don’t scale up easily, they are typically used in a targeted way. Before an attack like this is carried out, it is expected that an attacker has already done extensive research about their target, to the point of eliminating any doubt from third-parties.

After an attacker has successfully hijacked their victim’s mobile number, they can use it to send and receive calls and messages (and the victim can’t). For that reason, SIM swapping can be used to circumvent two-factor authentication (2FA) that requires a manually-entered code, sent by SMS message. The consequences can be particularly bad if the victim has an online cryptocurrency account protected by SMS 2FA codes sent to their phone.

According to Europol, the gang used the SIM swaps to “steal money, cryptocurrencies and personal information, including contacts synced with online accounts”. It said that the gang got away with more than $100M USD worth of cryptocurrency.

“SIM swapping requires significant organization by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome,” says Paul Creffield, Head of Operations in the NCA’s national Cyber Crime Unit, in a statement, “In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution.”

The gang also took over the social media accounts of their high-profile targets “to post content and send messages masquerading as the victim.”

As 2FA has become more widely used, SIM swapping stories have become a mainstay of computer security news. Jack Dorsey, CEO of Twitter, had his Twitter account hijacked in 2019, and in 2020 a Florida teen gained access to Twitter’s backend systems and took over the accounts of Bill Gates, Elon Musk, Barack Obama, and Kanye West.

While SMS-based 2FA is better than no 2FA protection at all, there are a number of more secure forms available now. Where users have a choice, we encourage them to use hardware keys or FIDO2 devices, or app-based 2FA instead.

The post Gang arrested for SIM-swapping celebrities, stealing $100 million appeared first on Malwarebytes Labs.

Talking Emotet’s takedown with Adam Kujawa: Lock and Code S02E01

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Adam Kujawa, security evangelist and director of Malwarebytes Labs, about Emotet, the former public enemy No. 1 in the cybercrime world.

What began in 2014 as a simple banking Trojan evolved into one of the most sophisticated malware types in the world, able to insert itself into ongoing email threads between coworkers, recognize and evade virtual environments, and serve as a first step into infecting a corporate network, only to deliver separate malware at a later date. It was bad, bad news.

But on January 27, Emotet got knocked out.

Tune in to hear about Emotet’s past, its evolution, its eventual takedown through an international law enforcement effort, and what the upcoming malware power vacuum means for malware development, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Eight Britons arrested over hacking phones of US celebrities (Source: Sky News)
  • Scammers are selling fake COVID19 vaccination cards for $20 (Source: InfoSecurity Magazine)
  • 223 vulnerabilities identified that were used in recent ransomware attacks (Source: SC Magazine)
  • Malicious extension abuses Chrome sync to steal users’ data (Source: BleepingComputer)
  • Junior leaders need to move past the discourse surrounding digital media (Source: Modern War Institute)

Stay safe, everyone!

The post Talking Emotet’s takedown with Adam Kujawa: Lock and Code S02E01 appeared first on Malwarebytes Labs.

Who is to blame for the malicious Barcode Scanner that got on the Google Play store?

In our last blog, Barcode Scanner app on Google Play infects 10 million users with one update, we wrote about a barcode scanner found on the Google Play store that was infected with Android/Trojan.HiddenAds.AdQR. All initial signs led us to believe that LavaBird LTD was the developer of this malware, but since then, a representative from LavaBird reached out to us. They claimed that they were not responsible for uploading malicious versions of Barcode Scanner, package name com.qrcodescanner.barcodescanner, but that an account named “The space team” was.

Upfront, we must also say that though we attempted to reach “The space team” when writing this story, we received no response.

Here, we will show the evidence of the case presented by LavaBird.

LavaBird pleading its case

Below we have the original message from LavaBird from February 10, 2020. We have provided minor editing to conceal and remove sensitive information:

“Good day.

We have read the article and are outraged no less than you. We were the intermediary between the seller and the buyer in this situation.

And the application was transferred to the account “The space team”

Herewith the following account details:

[Screenshot attached by LavaBird: Barcode transfer]

Here is their official email (as listed in Google Play) – digitalapp@yahoo.com

We have written them a letter so they should remove their Google Play account.

Also, we reported that account and app to Google.

Lavabird LTD develops and sells applications, and sometimes we buy and sell applications.

We have a lot of useful apps on our account, which have always complied with all Google Policies – https://play.google.com/store/apps/developer?id=LAVABIRD+LTD

The update that we published from our account was made by the buyer to verify the key and password from the application.

The buyer was given access to the Google Play console of this application and he updated it himself. A week after that, we transferred the application to the buyer’s Google Play account – it was the 7th of December.

We attached a screenshot; from our developer computer the app is visible – probably because he still has the Barcode app on his device. The app is probably unpublished, since for people who do not have the app installed, you can see only “We’re sorry, the requested URL was not found on this server.”

[Screenshot attached by LavaBird: The Space Team]

We are very sorry that the application has become a virus, for us it is not only a blow to our reputation.

We hope users will remove the app with a virus from their phones.

We ask you to change the name of the developer to the real “The space team” and attach actual screenshots if needed.

Regards LAVABIRD LTD”

Transferring of ownership

Let’s start with LavaBird’s claim of transferring ownership to The space team on December 7th, 2020. To verify LavaBird’s claims, we searched our own cache of the Google Play webpage for Barcode Scanner with The space team as owner. Although we’ve included screenshots from the Italian version of the site, here is evidence of The space team’s ownership of Barcode Scanner on the date of transfer, December 7, 2020:

Although this may be true, it raises another question. Why did we find evidence of LavaBird being the owner during our last blog, prior to the transfer date? The screenshot from our last blog is from December 4, 2020:

[Screenshot: cached Google Play listing from December 4, 2020]

Was the malware code really added on December 7, or did it exist before? Had we accused the wrong developer? Further investigation was needed. We turned to third-party app stores that grab APKs from Google Play on the day they are uploaded there. Keep in mind that these stores do not scan APKs for malware the way Google Play does; we assume they trust Google Play to have done that job in advance. So if an app on Google Play is later revealed to be malware, third-party app stores do not remove the APKs from their sites. In other words, use third-party app stores at your own risk. (But for the purpose of grabbing old versions of apps, malware versions and all, they are great.)

The following shows our findings from analyzing multiple versions of Barcode Scanner, package name com.qrcodescanner.barcodescanner, from third-party app stores. The first version containing malware is Barcode Scanner v1.67. Its timestamp is November 28, 2020, before the transfer. Grabbing yet another cached Google Play webpage, we confirmed that v1.67 belonged to LavaBird LTD at that time:

[Screenshot: cached Google Play page, November 27, 2020, showing LavaBird LTD as owner of Barcode Scanner v1.67]

Furthermore, analyzing Barcode Scanner v1.68, the one in our last blog’s screenshot, we confirmed that it contains malware as well. Hence our accusation holds: LavaBird was indeed the owner during the time of infection. We then analyzed the previous version of Barcode Scanner, v1.62, from August 11, 2020. Lo and behold, this version is clean. This is how we can conclude that the infection started with Barcode Scanner v1.67.

Clarifications from LavaBird

With many unanswered questions, it was time to reach out to LavaBird. I would like to state upfront that LavaBird was quick to respond to all inquiries and proved very helpful during this process.

The transfer to LavaBird

LavaBird stated originally, “We were the intermediary between the seller and the buyer in this situation.” Not being the original developer, LavaBird was transferred ownership of Barcode Scanner on November 23, 2020.

[Screenshot: LavaBird’s purchase of Barcode Scanner, November 23, 2020]

It is important to note that we were unable to find any cached Google Play webpages identifying the previous owner, but third-party app store data verifies that earlier app versions did exist.

Transferring of keys

The big question for LavaBird is this: if “The space team” is the bad actor here, why does the first version of Barcode Scanner that contains malware, v1.67, list LavaBird as its owner?

LavaBird explains: 

“To verify the authenticity of the app signing key and password, we gave them (The space team) the option to update the app. As soon as they were convinced of the correctness of the keys, the transaction took place on December 7, the application was transferred to their account.”

The quoted “app signing key” needs some explaining. App signing is set up when a developer first publishes an app on Google Play: either the developer generates a keypair of their own, or, with Play App Signing, Google holds the app signing key and the developer signs uploads with a separate upload key. Either way there is a private key and a matching certificate carrying the public key.

Every APK is signed with the private key, and the certificate is embedded in the APK itself. When a developer uploads a newer version, it must be signed with the same key, because Android only installs an update over an already installed app if the update’s signing certificate matches the one the installed version carries. This is what stops somebody else from publishing a malicious “update” of your app under a different key. For this reason, handing over the app’s signing key (or, under Play App Signing, transferring the app and its key within Google Play) is a legitimate part of transferring ownership. Therefore, the request by “The space team” to verify that the key works by uploading an update to Google Play seems plausible.
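One way an analyst can check the key continuity described above, as an added example that is not part of the Malwarebytes post, is to compare the signing certificates carried in each APK version. The script below is stdlib-only Python: it reads the v1 (JAR) signature file under META-INF/, walks the PKCS#7 structure with a minimal DER reader and hashes each embedded certificate, which yields the same SHA-256 fingerprint that `apksigner verify --print-certs` prints. The certificates and APKs it runs against are constructed inside the block (they are not the real Barcode Scanner builds), and the v2/v3 signature block, which apps targeting Android 7+ may use instead of a v1 signature, is not parsed.

```python
"""Compare the signing certificates of two APKs via their v1 (JAR) signature.

Added example, not from the Malwarebytes post. Stdlib only: the PKCS#7
SignedData in META-INF/*.RSA is walked with a minimal DER reader, and the
SHA-256 of each embedded DER certificate is the fingerprint that
`apksigner verify --print-certs` prints. The v2/v3 APK Signing Block is not read.
"""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_children(buf):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, end = read_tlv(buf, pos)
        yield tag, value, buf[pos:end]
        pos = end

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def pkcs7_cert_fingerprints(blob):
    """SHA-256 fingerprints of the certificates carried in a PKCS#7 SignedData."""
    tag, content_info, _ = read_tlv(blob)
    children = list(iter_children(content_info))
    if tag != 0x30 or not children or children[0][:2] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, explicit0, _ = children[1]              # [0] EXPLICIT SignedData
    _, signed_data, _ = read_tlv(explicit0)    # SEQUENCE SignedData
    fps = set()
    for tag, value, _ in iter_children(signed_data):
        if tag == 0xA0:                        # [0] IMPLICIT certificates
            fps.update(fingerprint(raw) for _, _, raw in iter_children(value))
    return fps

def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every signing certificate in the APK's v1 signature files."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps |= pkcs7_cert_fingerprints(zf.read(name))
    return fps

def same_signer(apk_a, apk_b):
    """True when both APKs share a signing certificate, i.e. Android would accept b as an update of a."""
    return bool(apk_signer_fingerprints(apk_a) & apk_signer_fingerprints(apk_b))

# ---- constructed sample data: fake certificates and minimal APK-shaped zips ----
def der(tag, body):
    """Minimal DER TLV encoder, used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(subject):
    """Stand-in for an X.509 certificate; any DER SEQUENCE hashes the same way."""
    return der(0x30, der(0x02, b"\x01") + der(0x13, subject.encode()))

def build_pkcs7(cert_der):
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                 + der(0xA0, cert_der) + der(0x31, b""))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))

def build_apk(cert_der, version_name):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", f"<manifest versionName='{version_name}'/>")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", build_pkcs7(cert_der))
    return buf.getvalue()

CERT_ORIGINAL = fake_cert("CN=original developer (constructed)")
CERT_STRANGER = fake_cert("CN=someone else (constructed)")
APK_V162 = build_apk(CERT_ORIGINAL, "1.62")   # clean version
APK_V167 = build_apk(CERT_ORIGINAL, "1.67")   # first malicious version, same key
APK_FORGED = build_apk(CERT_STRANGER, "1.67")  # re-signed by another key: not installable as an update

if __name__ == "__main__":
    print("v1.62 -> v1.67 same signer:", same_signer(APK_V162, APK_V167))
    print("v1.62 -> forged same signer:", same_signer(APK_V162, APK_FORGED))
```

The point of the comparison is that an unchanged fingerprint between the last clean build and the first malicious one shows the update came through the legitimate key, exactly the situation the seller describes; a changed fingerprint would mean devices never accepted it as an update at all.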

Updating the analytics

LavaBird went to on to explain:

“We also agreed to update the app with their analytics (according to them it was just analytics) for half of the sum, before transferring the application.

Our agreement included the conditions that they would check the operation of the application with their analytics, as you can see there were 2 updates. One on November 27 and another on December 4. All updates were made by them. We were in the process of selling the application, so we tested the application only manually.”

Now we know the second reason for the updates: “The space team” wanted to modify the analytics code. Most Android apps carry some analytics code that gathers simple data points, so nothing unusual there. Looking at the code of the Barcode Scanner versions myself, there certainly is modification to the analytics code. However, this same time period is when the malicious code was added.

Keep in mind that allowing a developer to modify code, even analytics, before transferring is not common practice. When asked why they did not check the code themselves before allowing the update they replied:

“Usually we do not check the code, because the application will go to another publisher and if he makes mistakes, then it will be a minus for him and not for us.”

LavaBird continued, stating, “We are very sorry that this did not arouse suspicion, again, we thought that the application would be on their account soon and it would not affect us … We were very wrong.”

I also went on to ask if there was any research done on “The space team” to verify trust in them. LavaBird responded that “Unfortunately, we did not have such practice, but this lesson will remain with us for life.” LavaBird apparently found The space team as a buyer through word of mouth.

Thereafter, both updates containing malicious code on November 28 and December 4 are shown with LavaBird LTD being the owner:

It is not until December 7, the date of the transfer, that the owner shows as “The space team.”

Breaking down the timeline

For simplicity, here is a breakdown of the timeline:

  • August 11, 2020: Barcode Scanner v1.62 is uploaded to Google Play and is a clean version from owners prior to LavaBird LTD
  • November 23, 2020: LavaBird purchases a clean version of Barcode Scanner
  • November 25, 2020: LavaBird enters agreements with “The space team”
    • “The space team” claims they need to, according to LavaBird, “verify the authenticity of the app signing key and password” and “update the app with their analytics” which led to updates on Google Play
  • November 27, 2020: Barcode Scanner v1.67 is uploaded to Google Play with malicious code added with LavaBird shown as owner
    • LavaBird claims this was done by “The space team” prior to purchase, according to their agreement
  • December 4, 2020: Barcode Scanner v1.68 is uploaded to Google Play still containing malicious code
  • December 7, 2020: LavaBird transfers ownership of Barcode Scanner to “The space team”
  • December 7, 2020: Barcode Scanner v1.69 is uploaded to Google Play with “The space team” as the owner and still contains malicious code

Here is the timeline after the transfer to “The space team”:

  • December 21, 2020: Malwarebytes forum patrons first report an instance of infected Barcode Scanner
  • December 23, 2020: Barcode Scanner v1.71 obfuscates malicious code to evade detection
  • December 24, 2020: Malwarebytes for Android adds detection, originally as Android/Adware.AdQR.FBG
  • December 31, 2020: Barcode Scanner v1.73 further obfuscates malicious code to evade detection
  • December 31, 2020: Barcode Scanner v1.75 further obfuscates malicious code to evade detection
  • January 5, 2021: Barcode Scanner v1.75 is the last known malware-infected version released on Google Play
    • Somewhere thereafter Google Play must have removed the app from the store
  • February 1, 2021: Malwarebytes for Android detection updated with increased severity to Android/Trojan.HiddenAds.AdQR, which detects all versions
  • February 5, 2021: We publish “Barcode Scanner app on Google Play infects 10 million users with one update” with a screenshot of a Google Play webpage showing LavaBird as owner of the infected Barcode Scanner
  • February 10, 2021: We receive the original message from LavaBird

More information about the The space team

Alright, so who is “The space team”? The only evidence of them on Google Play is from the Barcode Scanner mentioned and an app called Alarm Clock – Loud and Accurate Alarm, package name com.alarm.clock.wake.up. This app was only on Google Play briefly in December 2020, and is a legitimate, clean app. No other apps appear to exist under the developer’s name.  Because there is only evidence of “The space team” existing from December 2020 to January 2021, we can only assume that the developer account was created in December 2020.

When asking LavaBird of any additional information about “The space team,” they said they “do not have any other information.”

“Also,” LavaBird added, “I think that this is not a company and they can easily create account.” 

In effect, this confirmed my assumptions of them creating an account at the time of transfer. For the purpose of being fair, we did attempt to reach out to “The space team” to comment on the allegations set forth by LavaBird.  They did not respond.

Here is the only information on the “The space team” that we have:

Publisher:
The space team

Email:
digitalapp@yahoo.com

Address:
Ukraine, Krivoy Rog, Kalinina 35

Final Thoughts

From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited its install base. In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if only a fraction of those installs updated the app, that is a lot of infections. And by being able to modify the app’s code before the purchase and transfer were complete, they could test whether their malware went undetected by Google Play while it was still on another company’s account.

There is an important lesson here. To all app sellers: be wary of who you sell to. If at all possible, verify their credibility. Furthermore, be skeptical of unreasonable requests such as modifying code, even analytics, before transfer.

Ultimately, I believe LavaBird’s claims. Unfortunately, LavaBird came into our crosshairs after we fired off a blog about this malicious Barcode Scanner. As the evidence shows, we were right in doing so. Regardless, now knowing the full story, we apologize that it led to this. We write this in hopes of clearing LavaBird’s name.

The post Who is to blame for the malicious Barcode Scanner that got on the Google Play store? appeared first on Malwarebytes Labs.

Nude photo theft offers lessons in selfie security

Two former college graduates are in a lot of trouble after breaking into other students’ accounts and stealing sensitive personal data. They’re facing some serious charges with restitution payments of $35,430, potential jail time, and the threat of very big fines thrown into the mix.

What happened?

A man from New York has pleaded guilty to one count of aggravated identity theft, and one count of computer intrusion causing damage. Working with another former graduate, he accessed the school email accounts of dozens of college students and stole private nude photographs. Many of the images were then shared.

The maximum term of imprisonment for one count of computer intrusion causing damage is 10 years, and a fine of $250,000. The maximum term and fine for one count of aggravated identity theft is 2 years and $250,000.

As we said, big trouble and bigger fines.

How did they do it?

The prosecution documents [PDF] make for some eye-opening reading. The defendant targeted accounts belonging to both random students and students he’d known personally. He requested that other people break into the accounts and accessed a number himself without permission. With those, he broke into social media profiles / web storage and stole nude images and movies, and traded them with others.

To gain access to the email accounts, he appears to have reset account passwords by correctly guessing password reset questions. He also used lists of compromised passwords to break into one account, and discussed social engineering tricks related to Snapchat. This involved sending texts from fake numbers to potential victims claiming to have accidentally signed up with their number. They then offered to “fix” it for the potential victim by asking for the “code to reset the password”.

The more you read, the worse it gets. For example, collages featuring students in private, intimate situations were placed next to images of them at graduation time and then distributed. This is clearly going to have a severe impact on those involved, especially as graduation photos would likely contain identifiable information. A college robe or identifiable badge / name / anything else would tie individuals to images in no uncertain terms.

This Register article also mentions falsification of “good character” documents in relation to the second person involved, and they seem to be in quite the pickle generally.

Anything is a target

Talking about security threats and people’s threat models is a tricky business. When a big story like a nation-state attack hits the news, people worry they’re in the firing line. The reality is that incredibly expensive and complicated compromises target very specific people for a reason: a tailor-made targeted attack quickly becomes a waste of money if it is randomly spammed out to a cast of millions. A well-known finance journalist faces different threats and challenges than a primary school teacher, and that teacher faces different issues from someone running digital payments in a store. Not every threat is out to get everyone, in other words.

The flipside is that when people don’t stagger into a blitzkrieg of high-level corporate espionage, complacency can set in. People can assume “my data is nothing special, I won’t be targeted”. As we can see here, that’s not the case. You just end up with threats more attuned to your personal situation and lifestyle.

The story above is a really nasty, insidious and sustained attack on people where the defendant knows some of them personally. Such familiarity may have helped the perpetrator in their social engineering efforts, and it may also have made guessing passwords and security questions easier.

Defending yourself

Nothing is 100% foolproof, but basic measures work wonders when it comes to keeping email accounts secure. The first thing to keep in mind is that every password you use should be unique. At least one of the victims in this case was undone because they protected their email using a password they’d used elsewhere. The easiest way to do this is by letting a password manager do it for you.

If your mail service has two-factor authentication (2FA) available, enable it. If you have the choice of 2FA codes sent by text or generated by an authenticator app, use the app. Scammers can use SIM swap fraud to compromise accounts protected by SMS codes. Apps also have the advantage of working offline, so it won’t matter if you have no mobile signal.

Some other tips for keeping data safe

With enough time and effort a determined attacker can potentially bypass any security. The idea is to present them with enough obstacles that their time is better spent elsewhere. If enough of us do the same thing, hopefully they’ll abandon all plans of compromise and do something more productive.

Until then, remember that awful people are happy to do terrible things with your most personal data. While a few of them run into the full force of the law, a more sizeable portion likely never feel any consequences whatsoever. Whatever you’re doing with your files, we wish both them and your good self many compromise-free years to come.

The post Nude photo theft offers lessons in selfie security appeared first on Malwarebytes Labs.

Malvertising campaign on PornHub and other top adult brands exposes users to tech support scams

Threat actors involved in tech support scams have been running a browser locker campaign from November 2020 until February 2021 on the world’s largest adult platforms including PornHub.

The group behind this campaign has been active for much longer, and we believe it is tied to schemes we have identified previously, making it one of the most prolific tech support scam operations to date.

In late January, we heard several complaints of fake Microsoft alerts and started to investigate them. We discovered a number of decoy dating sites used by fraudulent advertisers on TrafficJunky, the advertising company for brands such as PornHub, RedTube and YouPorn owned by MindGeek.

The scammers created those fake identities to redirect traffic away from the adult platforms onto pages showing bogus alerts claiming users were infected with pornographic spyware. This well-known scheme attempts to scare victims into calling so-called technicians for assistance but in fact defrauds them for hundreds of dollars.

We reported our findings to MindGeek and continue to track and share new incidents as they arise. We believe this threat actor will keep on tricking new victims until fully exposed and individuals apprehended by law enforcement.

Redirection chain

We were able to capture the malvertising redirection chain several times and the flow is almost identical. We know from our telemetry that the malicious advertiser is targeting victims from the U.S. and the U.K.

  • User clicks to play a video
  • A new browser window opens
  • A request is sent to the TrafficJunky ad platform
  • An ad is served and makes a request to a decoy dating site
  • A redirect immediately loads the browser locker
[Figure: the malvertising redirection chain]

This sequence of events can be summarized in the traffic capture below:

[Figure: traffic capture of the redirection chain]

A key part of this malvertising chain is the use of many different fake dating portals that are hiding the redirection mechanism for the browser locker.

Beginnings

This browser locker campaign started well before showing up on PornHub[.]com and went undetected for a long time, perhaps due to a clever typosquatting trick. In fact, we were fooled ourselves for a while before seeing what is obvious in hindsight.

On May 21 2020, the threat actor registered the domain name sassysenssations[.]com, which contains a deliberate typo (a doubled ‘s’) to mimic sassysensations[.]com, which belongs to a legitimate business.

The real domain was registered in 2014 and we even found a billboard advertisement for it tweeted out on April 26 2019, long before the scammers had registered their copycat domain.

[Screenshot: April 26, 2019 tweet of a billboard advertisement for the real sassysensations.com]

What was clever is that the threat actor didn’t seem to set up an actual site for that fake domain, but instead redirected all traffic to the real one if the visitor did not match the parameters from their malvertising campaign.

However, the malvertising chain shows that they leveraged that domain to perform conditional redirects, such as the one seen below:

(1) pornhub[.]com/_xa/ads?zone_id=[removed]
  (2) ads.trafficjunky[.]net/click?url=https%3A%2F%2Fsassysenssations[.]com%
    (3) sassysenssations[.]com/track.php?CampaignID=[removed]&Sitename=Pornhub
     (4) errorhelpline24x7msofficialsoftwareerrorcodex12[.]monster
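The doubled-letter trick described above can be caught mechanically. The following is an added example, not code from the Malwarebytes post: it scores an advertiser’s domain against an allow-list of legitimate brand domains by edit distance on the second-level label, and it also enumerates the doubled-letter variants of a brand domain that are worth monitoring or pre-registering. The brand list and candidate hosts are constructed from the chain quoted above; the distance threshold is an assumption.

```python
"""Spot near-miss typosquats of a legitimate brand domain in an ad chain.

Added example, not from the Malwarebytes post. BRANDS and CHAIN_HOSTS are
constructed from the chain quoted above; the distance threshold is an assumption.
"""

def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_part(host):
    """Drop scheme, path and a leading 'www.'; keep the bare host, lowercased."""
    host = host.split("//")[-1].split("/")[0].lower()
    return host[4:] if host.startswith("www.") else host

def second_level_label(host):
    """Everything before the TLD, e.g. 'sassysenssations' or 'ads.trafficjunky'."""
    return registrable_part(host).rsplit(".", 1)[0]

def typosquat_of(candidate, brands, max_distance=2):
    """Return the brand domain `candidate` imitates, or None if it is the brand
    itself or not within `max_distance` edits of any brand label."""
    cand = registrable_part(candidate)
    best = None
    for brand in brands:
        b = registrable_part(brand)
        if cand == b:
            return None
        d = levenshtein(second_level_label(cand), second_level_label(b))
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, b)
    return best[1] if best else None

def doubled_letter_variants(domain):
    """Every variant of `domain` with one letter doubled, for proactive
    monitoring (the exact trick used against sassysensations.com)."""
    label, tld = registrable_part(domain).rsplit(".", 1)
    return {f"{label[:i]}{c}{label[i:]}.{tld}" for i, c in enumerate(label)}

BRANDS = ["sassysensations.com"]  # constructed allow-list of legitimate advertiser sites
CHAIN_HOSTS = [  # hosts from the redirect chain quoted above
    "ads.trafficjunky.net",
    "sassysenssations.com",
    "errorhelpline24x7msofficialsoftwareerrorcodex12.monster",
]

if __name__ == "__main__":
    for h in CHAIN_HOSTS:
        print(f"{h} -> typosquat of {typosquat_of(h, BRANDS)}")
    print(sorted(doubled_letter_variants("sassysensations.com")))
```

Edit distance alone is noisy on short labels, which is why the check runs against a curated brand list rather than the whole web; the variant generator is the cheaper direction for a brand owner, who knows exactly which names to watch for in certificate transparency logs and ad-platform submissions.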

Later on, it appears the threat actor started diversifying their scheme by creating a number of fake dating sites to use as redirects in addition to using the sassysenssations identity.

Fake dating sites

The malicious advertiser is using a model that has been tried before and consists of setting up fake identities in order to gain access to the ad platform. In this instance, we cataloged dating and romance sites. However, the majority of them did not look authentic or functional and even still had the ‘Lorem ipsum’ text filler.

[Screenshot: profiles of the decoy dating sites]

If you were to visit one of those sites directly, you may not see anything else of interest, at least nothing malicious in nature. However, the fraudulent advertiser can easily redirect traffic selectively, based on factors such as IP geolocation, the referer header and other artifacts.

In all, we detected close to 100 decoy domain names set up as “advertising landing pages” used to redirect victims to browser locker scams. Even though the templates are half finished, the threat actor is spending time creating a large inventory they can cycle through in their redirects towards browser lockers.

Browser locker

The browser locker is using a common theme of a fake Microsoft Windows Defender scanner. There is some browser profiling to serve the right template based on whether the user is on Windows or Mac.

[Screenshots: Windows and Mac variants of the fake Windows Defender browser locker]

While browsing one of the many decoy sites, we found the HTML source code in an exposed directory showing a few additional variations of the browser locker:

[Screenshot: exposed directory listing with the browser locker HTML source]

Fake advertising infrastructure

Because this is a long running campaign, the infrastructure is fairly large but tends to reuse the same naming convention for domains. The graph below only shows the domains created to abuse the TrafficJunky ad platform. It does not include domains used for the browlock itself.

[Figure: graph of the decoy domains created to abuse the TrafficJunky ad platform]

There was a domain (recipesonline365[.]com) whose naming convention differed from the other dating sites. In fact it is the only one with a non-adult theme.

(1) youporn[.]com/_xa/ads?zone_id=[removed]
  (2) ads.trafficjunky[.]net/deep_click?adtype=pop&url=https%3A%2F%2Frecipesonline365[.]com
    (3) recipesonline365[.]com/?aclid=[removed]
      (4) oopi3.azurewebsites[.]net/Winhelpxcode161616winHelpSecurity0nlineCH007
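As an added example (not Malwarebytes’ detection logic), the script below reconstructs chains like the two quoted above from captured requests by following Location and Referer, and flags any chain of the shape ad-platform click, then decoy host, then a landing page that scores as a browser locker on lexical cues (support and error vocabulary, throwaway TLDs, very long labels, letter-digit runs). The capture is constructed from the two chains in the text with identifiers replaced by REDACTED; the keyword and TLD lists and the scoring threshold are assumptions.

```python
"""Reconstruct malvertising redirect chains from captured requests and flag
the ones that end on a browser-locker-looking page.

Added example, not from the Malwarebytes post. CAPTURE is constructed from the
two chains quoted in the text (identifiers replaced by REDACTED); the keyword
and TLD lists and the threshold are the author's assumptions.
"""
import re
from urllib.parse import urlsplit

AD_CLICK_PATHS = ("/click", "/deep_click")
AD_PLATFORMS = {"ads.trafficjunky.net"}
BROWLOCK_WORDS = ("error", "help", "security", "support", "alert", "warning",
                  "virus", "microsoft", "windows", "winhelp", "code")
ABUSED_TLDS = {"monster", "xyz", "top", "club", "site", "online", "icu"}

def is_ad_click(url):
    """True for the ad platform's click/pop redirect endpoints."""
    p = urlsplit(url)
    return p.hostname in AD_PLATFORMS and p.path.startswith(AD_CLICK_PATHS)

def browlock_score(url):
    """Crude lexical score for a landing page; 3 or more is suspicious."""
    p = urlsplit(url)
    host, path = (p.hostname or "").lower(), p.path.lower()
    text = host + path
    score = min(3, sum(w in text for w in BROWLOCK_WORDS))
    if host.rsplit(".", 1)[-1] in ABUSED_TLDS:
        score += 2
    if max(len(label) for label in host.split(".")) > 25 or len(path) > 25:
        score += 1
    if re.search(r"[a-z]\d{2,}[a-z]", text):   # 24x7, 161616, ...
        score += 1
    return score

def reconstruct_chains(records):
    """Turn a flat request list into chains by following Location and Referer."""
    by_url = {r["url"]: r for r in records}
    children = {}
    for r in records:
        if r.get("location") in by_url:
            children.setdefault(r["url"], []).append(r["location"])
        parent = r.get("referer")
        if parent in by_url and r["url"] not in children.get(parent, []):
            children.setdefault(parent, []).append(r["url"])
    has_parent = {c for cs in children.values() for c in cs}
    chains = []
    for r in records:
        if r["url"] in has_parent:
            continue                      # not a chain root
        chain = [r["url"]]
        while children.get(chain[-1]):
            chain.append(children[chain[-1]][0])
        chains.append(chain)
    return chains

def flag_chain(chain, threshold=3):
    """Finding for a chain of the form ad click -> decoy host -> browlock, else None."""
    clicks = [i for i, u in enumerate(chain) if is_ad_click(u)]
    if not clicks or len(chain) < clicks[0] + 3:
        return None
    decoy, landing = chain[clicks[0] + 1], chain[-1]
    score = browlock_score(landing)
    if score < threshold:
        return None
    return {"publisher": urlsplit(chain[0]).hostname, "decoy": urlsplit(decoy).hostname,
            "landing": urlsplit(landing).hostname, "score": score}

# Constructed capture modelled on the two chains quoted in the post.
CAPTURE = [
    {"url": "https://pornhub.com/_xa/ads?zone_id=REDACTED"},
    {"url": "https://ads.trafficjunky.net/click?url=https%3A%2F%2Fsassysenssations.com%2F",
     "referer": "https://pornhub.com/_xa/ads?zone_id=REDACTED",
     "location": "https://sassysenssations.com/track.php?CampaignID=REDACTED&Sitename=Pornhub"},
    {"url": "https://sassysenssations.com/track.php?CampaignID=REDACTED&Sitename=Pornhub",
     "location": "https://errorhelpline24x7msofficialsoftwareerrorcodex12.monster/"},
    {"url": "https://errorhelpline24x7msofficialsoftwareerrorcodex12.monster/"},
    {"url": "https://youporn.com/_xa/ads?zone_id=REDACTED"},
    {"url": "https://ads.trafficjunky.net/deep_click?adtype=pop&url=https%3A%2F%2Frecipesonline365.com",
     "referer": "https://youporn.com/_xa/ads?zone_id=REDACTED",
     "location": "https://recipesonline365.com/?aclid=REDACTED"},
    {"url": "https://recipesonline365.com/?aclid=REDACTED",
     "location": "https://oopi3.azurewebsites.net/Winhelpxcode161616winHelpSecurity0nlineCH007"},
    {"url": "https://oopi3.azurewebsites.net/Winhelpxcode161616winHelpSecurity0nlineCH007"},
]

def findings(records=CAPTURE):
    """All flagged chains in the capture."""
    return [f for f in (flag_chain(c) for c in reconstruct_chains(records)) if f]

if __name__ == "__main__":
    for f in findings():
        print(f)
```

The decoy host is the useful output for the ad platform, since that is the advertiser identity to suspend; the landing host churns far faster. Lexical scoring is deliberately crude and catches the naming habits of this actor rather than browser lockers in general, which is why a production detector pairs it with behavioural signals such as the page’s fullscreen and history manipulation.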

Back in June 2019, we had identified an ad campaign targeting recipe keywords. The threat actor was using decoy recipe and food sites to lure victims via web searches. Those sites performed the same redirect mechanism as the decoy dating sites, and most of the time led to a browlock hosted on Azure as well.

There are a number of other parallels between that campaign and the adult one such as the predominant use of NameCheap hosting and a large volume of decoy sites. For this reason we believe this is likely the same threat actor.

Protection

Browser lockers are not dangerous in and of themselves. They are simply a fake warning which may be disruptive and annoying, but one that does not indicate a computer problem.

In recent years they have become very common and affect all browsers, even mobile ones. In the past, we have seen browser lockers that effectively gave the impression the machine was locked because of how they abused the user interface. As of now, most of them can be closed normally without requiring special commands.

Malwarebytes users were already protected against this campaign. Our Browser Guard extension can detect and stop browser lockers using heuristic techniques that do not rely on a blacklist of known domain names or IP addresses.

Indicators of Compromise

The list of IOCs can be downloaded from our GitHub here.

The post Malvertising campaign on PornHub and other top adult brands exposes users to tech support scams appeared first on Malwarebytes Labs.