IT News

We first stumbled upon the nasty Android Trojan xHelper, a stealthy malware dropper, in May 2019. By mid-summer 2019, xHelper was topping our detection charts—so we wrote an article about it. After the blog, we thought the case was closed on xHelper. Then a tech savvy user reached out to us in early January 2020 on the Malwarebytes support forum:

“I have a phone that is infected with the xhelper virus.
This tenacious pain just keeps coming back.”

“I’m fairly technically inclined so I’m comfortable with
common prompt or anything else I may need to do to make this thing go away so
the phone is actually usable!”

— forum user misspaperwait, Amelia

Indeed, she was infected with xHelper. Furthermore, Malwarebytes for Android had already successfully removed two variants of xHelper and a Trojan agent from her mobile device. The problem was, it kept coming back within an hour of removal. xHelper was re-infecting over and over again.

If it wasn’t for the expertise and persistence of forum patron Amelia, we couldn’t have figured this out. She has graciously has allowed us to share her journey. 

All the fails

Before we share the culprit behind this xHelper re-infection, I’d like to highlight the tactics we used to investigate the situation, including the many dead ends we hit prior to figuring out the end game. By showing the roadblocks we encountered, we demonstrate the thought process and complexity behind removing malware so that others may use it as a guide. 

Clean slate

First off, Amelia was clever enough to do a factory reset before reaching out to us. Unfortunately, it didn’t resolve the issue, though it did give us a clean slate to work with. No other apps (besides those that came with the phones) were installed besides Malwarebytes for Android, thus, we could rule out an infection by prior installs (or so we thought).

We also ruled out any of the malware having device admin rights, which would have prevented our ability to uninstall malicious apps. In addition, we cleared all history and cache on Amelia’s browsers, in case of a browser-based threat, such as a drive-by download, causing the re-infection.

The usual suspect: pre-installed malware

Since we had a clean mobile device and it was still getting re-infected, our first assumption was that pre-installed malware was the issue. This assumption was fueled by the fact that the mobile device was from a lesser-known manufacturer, which is often the case with pre-installed malware.  So Amelia tested this theory by going through the steps to run Android Debug Bridge (adb) commands to her mobile device. 

With adb command line installed and the mobile device plugged into a PC, we used the workaround of uninstalling system apps for current user. This method renders system apps useless even though they still technically reside on the device. 

Starting with the most obvious to the least, we systematically uninstalled suspicious system apps, including the mobile device’s system updater and an audio app with hits on VirusTotal, a potential indicator of maliciousness.  Amelia was even able to grab various apps we didn’t have in our Mobile Intelligence System to rule everything out. After all this, xHelper’s persistence would not end.

Triggered: Google PLAY

We then noticed something strange: The source of installation for the malware stated it was coming from Google PLAY. This was unusual because none of the malicious apps downloading on Amelia’s phone were on Google PLAY. Since we were running out of ideas, we disabled Google PLAY. As a result, the re-infections stopped!

We have seen important pre-installed system apps infected with malware in the past. But Google PLAY itself!? After further analysis, we determined that, no, Google PLAY was not infected with malware. However, something within Google PLAY was triggering the re-infection—perhaps something that was sitting in storage. Furthermore, that something could also be using Google PLAY as a smokescreen, falsifying it as the source of malware installation when in reality, it was coming from someplace else.

In the hopes that our theory held true, we asked Amelia to look for suspicious files and/or directories on her mobile device using a searchable file explorer, namely, anything that started with com.mufc., the malicious package names of xHelper. And then…eureka!

The culprit

Hidden within a directory named com.mufc.umbtts was yet another Android application package (APK). The APK in question was a Trojan dropper we promptly named Android/Trojan.Dropper.xHelper.VRW. It is responsible for dropping one variant of xHelper, which subsequently drops more malware within seconds.

Here’s the confusing part: Nowhere on the device does it appear that Trojan.Dropper.xHelper.VRW is installed. It is our belief that it installed, ran, and uninstalled again within seconds to evade detection—all by something triggered from Google PLAY.  The “how” behind this is still unknown.

It’s important to realize that unlike apps, directories and files remain on the Android mobile device even after a factory reset. Therefore, until the directories and files are removed, the device will keep getting infected.

How to remove xHelper re-infections

If you are experiencing re-infections of xHelper, here’s how to remove it:

• We strongly recommend installing Malwarebytes for Android (free).
• Install a file manager from Google PLAY that has the capability to search files and directories.
  • Amelia used File Manager by ASTRO.
• Disable Google PLAY temporarily to stop re-infection.
  • Go to Settings > Apps > Google Play Store
  • Press Disable button
• Run a scan in Malwarebytes for Android to remove xHelper and other malware.
  • Manually uninstalling can be difficult, but the names to look for in Apps info are fireway, xhelper, and Settings (only if two settings apps are displayed).
• Open the file manager and search for anything in storage starting with com.mufc.
• If found, make a note of the last modified date.
  • Pro tip: Sort by date in file manager
  • In File Manager by ASTRO, you can sort by date under View Settings
• Delete anything starting with com.mufc. and anything with same date (except core directories like Download):

• Re-enable Google PLAY
  • Go to Settings > Apps > Google Play Store
  • Press Enable button
• If the infection still persists, reach out to us via Malwarebytes Support.

Mobile malware hits a new level

This is by far the nastiest infection I have encountered as a mobile malware researcher. Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware. This fact inadvertently sent me down the wrong path. Luckily, I had Amelia’s help, who was as persistent as xHelper itself in finding an answer and guiding us to our conclusion.

This, however, marks a new era in mobile malware. The ability to re-infect using a hidden directory containing an APK that can evade detection is both scary and frustrating. We will continue analyzing this malware behind the scenes. In the meantime, we hope this at least ends the chapter of this particular variant of xHelper. 

Stay safe out there!

The post Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove appeared first on Malwarebytes Labs.

Malwarebytes Labs today released the results of our annual study on the state of malware—the 2020 State of Malware Report—and as usual, it’s a doozy.

From an increase in enterprise-focused threats to the diversification of sophisticated hacking and stealth techniques, the 2019 threat landscape was shaped by a cybercrime industry that aimed to show it’s all grown up and coming after organizations with increasing vengeance.

The 2020 State of Malware Report features data sets collected from product telemetry, honey pots, intelligence, and other research conducted by Malwarebytes threat analysts and reporters to investigate the top threats delivered by cybercriminals to both consumers and businesses in 2019.

Our analysis includes a look at threats to Mac and Windows PCs, Android and iOS, as well as browser-based attacks. In addition, we examined consumer and business detections on threats to specific regions and industries across the globe. Finally, we took a look at the state of data privacy in 2019, including state and federal legislation, as well as the privacy failures of some big tech companies in juxtaposition against the forward-thinking policies of others.

Here’s a sample of what we found:

• Mac threats increased exponentially in comparison to those against Windows PCs. While overall volume of Mac threats increased year-over-year by more than 400 percent, that number is somewhat impacted by a larger Malwarebytes for Mac userbase in 2019. However, when calculated in threats per endpoint, Macs still outpaced Windows by nearly 2:1.
• The volume of global threats against business endpoints has increased by 13 percent year-over-year, with aggressive adware, Trojans, and HackTools leading the pack.
• Organizations were once again hammered with Emotet and TrickBot, two Trojan-turned-botnets that surfaced in the top five threats for nearly every region of the globe, and in the top detections for the services, retail, and education industries. TrickBot detections in particular increased more than 50 percent over the previous year.
• Net new ransomware activity is at an all-time high against businesses, with families such as Ryuk and Sodinokibi increasing by as much as 543 and 820 percent, respectively.

To learn more about the top threats of the year for Mac, Windows, Android, and the web, as well as the state of data privacy in commerce and legislation, check out the full 2020 State of Malware Report here.

The post Malwarebytes Labs releases 2020 State of Malware Report appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we looked at Washington state’s latest efforts in providing better data privacy rights for their residents, and we dove into some of the many questions regarding fintech: What is it? How secure is it? And what are some of the problems in the space?

We also detailed a new adware family that our researchers had been tracking since late last year and pushed out a piece on performance art’s impact on Google Maps and other crowdsourced apps.

Other cybersecurity news

• A type of malware called Lemon Duck has successfully targeted countless IoT devices running on Windows 7. Quack! (Source: Threatpost)
• Despite years of warnings that technology will not save us, the Iowa Democratic Party relied on a rushed, faulty mobile app to report caucus results. Bedlam ensued. (Source: Motherboard)
• In an ongoing antitrust probe, the European Commission is scrutinizing Facebook’s use of Onavo, an app that tracked users’ behavior. (Source: The Wall Street Journal)
• It’s hard to say this any better than the Gizmodo headline already does: “Oops! Google Might’ve Leaked Your Videos to Another Person.” (Source: Gizmodo)
• A man who twice breached Nintendo security—first when he was a teenager, then later as an adult—pleaded guilty to hacking charges. (Source: ZDnet)
• Cybersecurity researchers discovered a vulnerability in Phillips smart lightbulbs that would allow hackers to spread malware. (Source: HackRead)
• Facebook released a new tool to give users more control into whether the company associates outside data with user accounts. (Source: CNET)

Stay safe, everyone!

The post A week in security (February 3 – 9) appeared first on Malwarebytes Labs.

Panic and confusion about the recent coronavirus outbreak spurred threat actors to launch several malware campaigns across the world, relying on a tried-and-true method to infect people’s machines: fear.

Cybercriminals targeted users in Japan with an Emotet campaign that included malicious Word documents that allegedly contained information about coronavirus prevention. Malware embedded into PDFs, MP4s, and Docx files circulated online, bearing titles that alluded to protection tips. Phishing emails that allegedly came from the US Centers for Disease Control and Prevention (CDC) were spotted, too. Malwarebytes also found a novel scam purporting to direct users to a donation page to help support government and medical research.

All of these threats rely on the same dangerous intersection of misinformation and panic—a classic and grotesque cybercrime tactic. A great defense to these is, quite simply, the truth.

At Malwarebytes, we understand that safeguarding you from cyberthreats goes beyond technological protection. It also means giving you the information you need to make smart, safe decisions. Because of this, we’re presenting verified resources and data about coronavirus that will hopefully steer users away from online threats. If you see a sketchy-looking email mentioning the virus (like the one we found below), don’t open it. Instead, come here. If you want to immediately see what these online scams look like, scroll below.

What is coronavirus?

According to the World Health Organization, the current coronavirus that has infected thousands of people across the world is a single variant of a broader family of viruses, also called “coronavirus.” This particular strain of coronavirus was first identified in the city of Wuhan in central China’s Hubei province. It has the title “2019-nCoV.” Though 2019-nCoV is from the same family of coronaviruses as SARS—which spread to 26 countries between 2002 and 2003—it is not the same virus.

As of February 7, coronavirus has spread to at least 25 countries, including Australia, Vietnam, the United States, the Philippines, Nepal, Sweden, the United Kingdom, India, and more. Mexico has no reported cases—the only country in North America to avoid the virus, it appears. Countries in South America, including Brazil, Colombia, Venezuela, and Chile, have not reported any confirmed cases of the virus, either. While the majority of infections are reported in China, with 31,211 confirmed cases, the highest count of any other country is Singapore, with 30 cases.

Full, daily reports on the virus’ spread can be found at the World Health Organization’s resource page here: Novel Coronavirus (2019-nCoV) situation reports. The situation reports also provide information about every country with confirmed coronavirus cases, and this Al Jazeera article compiles that information up to February 6.

According to a February 6 report in The Wall Street Journal that cites scientists and medical academics in China, the recent coronavirus likely started in bats.

According to the US Center for Disease Control, coronavirus symptoms include fever, cough, and shortness of breath.

How can I protect myself from coronavirus?

Because coronavirus spreads from human-to-human contact, the
best protection methods involve good hygiene. According to the WHO, individuals
should:

• Wash your hands frequently with soap and water or use an alcohol-based hand rub if your hands are not visibly dirty.     
• Maintain social distancing—maintain at least 1 meter (3 feet) distance between yourself and other people, particularly those who are coughing, sneezing and have a fever.
• Avoid touching eyes, nose, and mouth.
• If you have fever, cough, and difficulty breathing, seek medical care early. Tell your health care provider if you have travelled in an area in China where 2019-nCoV has been reported, or if you have been in close contact with someone with who has travelled from China and has respiratory symptoms.
• If you have mild respiratory symptoms and no travel history to or within China, carefully practice basic respiratory and hand hygiene and stay home until you are recovered, if possible. 

The WHO also actively dispelled some current myths about coronavirus. For instance, individuals cannot catch the virus from dogs and cats that are their pets, and vaccines against pneumonia do not protect against coronavirus.

For more information on coronavirus myths, please visit the WHO Myth Busters page here, along with the WHO Q&A page.

What else should I know about coronavirus?

Coronavirus is a serious threat, but it is not the world-ending plague that many fear. As of February 7, the virus has resulted in 637 total deaths. A February 6 notice by the Chinese media service CGTN reported more recoveries, at 1,542.

Individuals should not fear receiving packages from China, the WHO said, as the virus cannot survive long durations on physical objects like packages and letters. Similarly, individuals should not dip into unmeasured fear of all things Chinese. These fears have turned New York’s Chinatown district into a “ghost town,” said one local business owner, and have fueled multiple xenophobic and racist assumptions across the world.

Coronavirus has also received a strong global response. Air travel has been severely limited, Olympic qualifying games were relocated, workers built a hospital in about 10 days, fast food restaurants temporarily closed their locations, and China closed off entire populations—which has come with its own tragic tales of quarantine camps, isolation, and fear.

The spread of the virus is scary, yes, but people are
working day and night to prevent greater exposure.

What should I know about coronavirus scams?

Coronavirus online scams are largely similar to one another. By preying on misinformation and fear, cybercriminals hope to trick unwitting individuals into opening files and documents that promise information about the virus.

However, Malwarebytes recently found an email scam that preys
on people’s desire to help during a moment like this.

The scam email—titled “URGENT: Coronavirus, Can we count on
your support today?”—purportedly comes from the nondescript “Department of
Health.” Inside, the email asks users to donate to coronavirus prevention
causes.

“We need your support , Would you consider donating 100 HKD to help us achieve our mission?” the email says near its end, before offering a disguised link that opens an application, not a website. The link itself begins with neither HTTPS or HTTP, but “HXXP.”

Routine scams that allegedly include information about prevention and protection also come through emails, like this phishing scam spotted by Sophos.

The malicious email informs its recipient to open an
attached document that includes information about “safety measures regarding
the spreading of coronavirus,” which then directs users to a page that asks for
their email address and password.

These scams are becoming a dime a dozen, and we don’t expect them to dwindle any time soon. In fact, threat actors in China were spotted sending malware around through email and through the Chinese social media platform WeChat. Though the exact types of malware were not reported, the Computer Virus Emergency Response Center said the malware itself could be used to steal data or remotely control victims’ devices.

Coronavirus information and data resources

If you’re afraid about the spread of coronavirus, we
understand. But please, do not click any links in any sketchy emails, and do
not donate to any causes you have not already vetted outside of your email
client.

If you want to know up-to-the-date information about the
virus, again, please visit the following resources:

• The World Health Organization’s main information page on the virus
• The WHO’s daily “situation reports”
• The WHO’s “Mythbusters” page
• The WHO’s public advice guide
• The Center for Disease Control and Prevention’s main information page on the virus

Stay safe, everyone.

The post Battling online coronavirus scams with facts appeared first on Malwarebytes Labs.

The places where online life directly intersection with that lived offline will be forever fascinating, illustrated perfectly through a recent performance piece involving Google Maps, a cart, and an awful lot of mobile phones.

Simon Weckert, an artist based in Berlin, Germany, showed how a little ingenuity could work magic on the ubiquitous Google Maps system. Turns out Google hadn’t accounted for what happens when 99 phones go for a relaxing walk down the streets of Berlin. The system was fooled into believing the world’s most aggressive traffic jam was taking place. Let’s see how it happened.

How does Google Maps help with traffic?

Back in the day, Google Maps dived into the world of traffic sensors to get a feel for how commutes and directions were impacted by traffic patterns.

In 2009, they made use of crowdsourcing, and phones with GPS enabled sent anonymous data allowing Google to figure out how vehicles were moving and where any traffic jams happened to be. The more people taking part, the greater the accuracy and benefits for all.

Things kept on moving, and in 2020 it’s a combination of sensors, user data, and satellite technology to keep things keeping on. You’d think a trolley of phones would be no match for this elaborate weave of crowdsourced mobile pocket power and additional data sources.

You would think.

Maps versus trolley

Imagine our surprise when one large jumble of phones trundled its way toward disruption heaven, proudly announcing 99 cars were not going anywhere anytime soon. Whatever failsafes Maps had in place, it simply couldn’t figure out shenanigans were afoot.

https://youtu.be/k5eL_al_m7Q

Streets formerly flagged as green (all clear) would suddenly show as red (traffic jam ahoy), with the knock-on effect of rerouting cars to other roads which may well have been free of cars but would now feel the impact of people trying to avoid the trolley hotspot. I think my favourite part of this story was when the trolley rumbled right past the Maps office. Chaos, then, but artistically done. Not the first time though…

Mapping out an artistic tribute

Art being used to make a point about technology, Google, and even Maps itself is not uncommon. Last year, an artist made use of their Google account to upload weird and wonderful pieces of 360 degree digital art using Google Business View. Sure, you could use it to give potential customers an in-depth look at your eatery before venturing inside—or you could generate chaotic mashups and loosen up the clinical aesthetic of vanilla Google Maps instead. The choice, as they say, is yours (unless someone says “no” and removes it all).

What could cause user generated content to be removed from Maps? Funny you should ask.

When does art become vandalism?

Maps may make use of crowdsourcing to great effect, but crowdsourcing alone is one consistent method to ensure chaos in the end. A few years ago, enthusiastic cartographers had the ability to make edits to Maps using the Map Maker tool. If you had a nice tip or a cool landmark you felt warranted closer inspection, you could add it manually to the map. This was one way to help out in regions where mapping hadn’t taken place, because even Google couldn’t be everywhere at once.

Other users would check and verify before edits went live. If you eventually gained enough kudos from the rest and your edits were constant and legitimate, you eventually bypassed the need for others to make sure you weren’t doing anything problematic.

Step forward, someone doing something problematic. 

Slowly but surely, people started to play pranks on the system and post a variety of spam and other nonsense. It’s possible Map Maker may have carried on if the dubious edits had been small, unnoticed, and otherwise unlikely to end up front page news.

On the other hand, this could happen and Map Maker could be thrown from the highest of cliff edges, never to return. Some features of Map Maker have made their way into regular Maps, but sadly this was lights out for the genuinely useful tool. If I could draw a 300-foot “RIP Map Maker” onto the side of a digitised mountain in the Himalayas, I would, but this written tribute of ours will have to suffice.

Getting down to business

Maps locations for businesses have also been exposed to shenanigans over the years, and not all of it confined to Maps exclusively. Whether it’s restaurant owners going out of business because of wrongly-listed opening hours, or Google+ (remember that?) listings directing hotel chain visitors to third-party websites generating commission, the conflict is nonstop and the repercussions can be enormous for those hit hard. If you’re not online much or familiar with the technology involved, then you have almost no chance of setting things straight.

Trouble in other realms

It isn’t just Google Maps beset by these antics. Other major platforms run into similar issues, and if the platform doesn’t provide the mapping tech directly, then the pranksters/malicious actors will simply go after the third-party suppliers instead. Mapbox found themselves facing a terrible edit, which worked its way into Snapchat, the Weather Channel, and others.

For as long as the ability to make use of the wisdom of the crowds (or, in many cases, the lack of wisdom) exists, these disruptions will continue to happen. A surprising amount of services we take for granted can’t really function well without an element of trust granted to the user base, so this isn’t exactly the easiest to police.

Sure, some of the shenanigans are lighthearted and may occasionally be quite funny. Some of these methods for gaming the system could also be profoundly troublesome and cause maximum discomfort with a little bit of effort.

On this occasion, at least, we can be content that the end result is “cool art project makes us think about online/offline interaction” and not “someone’s drawn a rude picture on the side of the Empire State Building.”

We make no guarantees about next time.

The post Google Maps: online interventions with offline ramifications appeared first on Malwarebytes Labs.

Since late last year, our researchers have been monitoring new methods being deployed by cybercriminals to potentially abuse browser push notifications. Now, an adware family detected by Malwarebytes as Adware.Adposhel is doing just that, taking control of push notifications in Chrome at the administrator level.

What does Adposhel adware do?

The adware uses Chrome policies to ensure that notification prompts will be shown to users ands add some of its own domains to the list of sites that are allowed to push browser notifications. So far nothing new. The recent twist, however, is that Adposhel enforces these settings as an administrator, meaning a regular Chrome user will not be able to change the settings in the notifications menu.

It seems the adware family has now decided to fully deploy this tactic, as we are seeing complaints about it emerging on forums, such as Reddit.

Victims have complained about being unable to remove domains from the list of domains that are allowed to show push notifications, and being unable to change the setting that control whether websites can ask you to allow notifications.

Disabling that setting would stop a user from seeing prompts like these:

If a user were to click Allow on that prompt, this domain would be added to their allowed list of URLs, with the understanding that it could be removed manually in the notifications menu.

Adposhel uses the NotificationsAllowedForUrls policy to block users from removing their entries from the Allow list.

Where you would normally see the three dots (ellipsis) menu icon representing the settings menu, entries submitted to a policy by Adposhel will see an icon telling you the setting is enforced by an administrator.

If you hover over the icon, the accompanying text confirms it.

How do I undo the changes made by Adposhel adware?

This does not mean that you can change that setting just because you are the administrator of the system you are working on, by the way. But if you are the system administrator, you can fix the notification changes made by the Adposhel installer by applying a simple registry fix:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesGoogleChrome]
"DefaultNotificationsSetting"=dword:00000001

[-HKEY_LOCAL_MACHINESOFTWAREPoliciesGoogleChromeNotificationsAllowedForUrls]

This is safe to do unless there were legitimate URLs in the list of URLs that were allowed to show notifications by policy, which I doubt. But we always advise to create a backup of the registry before making any changes.

 Backing up Registry with ERUNT

Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that.

Please download ERUNT and save the file to the desktop.

• Install ERUNT by following the prompts, but say No to the portion that asks you to add ERUNT to the startup folder.
• Right-click on the icon and select Run as Administrator to start the tool.
• Leave the default location (C:WINDOWSERDNT) as a place for your backup.
• Make sure that System registry and Current user registry are ticked.
• The third option Other open users registries is optional.
• Press OK to backup and then press YES to create the folder.

This tool won’t generate a report. You may uninstall it after you’re done cleaning.

Protection and detection

Malwarebytes detects the installers as Adware.Adposhel.

The URLs enforced by this Adpohel-induced Chrome policy are detected as Adware.ForcedNotifications.ChrPRST.

IOCs

Domains:

aclassigned.info
chainthorn.com
cityskyscraper.com
concreasun.info
dimlitroom.com
durington.info
efishedo.info
enclosely.info
insupposity.info
nineteducer.info
oncreasun.info
parliery.info
qareaste.info
stilysee.info
suggedin.info

Stay safe, everyone!

The post Adposhel adware takes over browser push notifications administration appeared first on Malwarebytes Labs.

“I have no idea how this app from my bank works, and I don’t trust what I don’t understand.” Josh is not an old curmudgeon or luddite. He’s 42 with a decent understanding of technology. Nevertheless, the changes in fintech have come too fast for him. It’s not that he doesn’t trust his bank. He doesn’t trust himself to use and manage the banking app securely.

The world we live in has gone through some noticeable changes in the last decade. This is certainly true for the banking industry, which has grasped onto the concept of fintech as nearly interchangeable with finance. However, fintech—or computer programs and other technology used to support banking and other financial services—is the fastest-growing sector in venture capital. It may encompass anything from cryptocurrency to mobile payment apps.

The groundwork was laid for the rise of fintech through a series of major incidents over the last 10 years. These include:

• The banking crisis and subsequent Great Recession of 2007–2009. If you had told someone 15 years ago that a number of big-name banks would not survive the decade, they would have laughed at you. Yet, the list is long.
• New currencies introduced into the playing field, especially crypto. Bitcoin started in 2009, and hundreds of other cryptocurrencies have since followed suit.
• Negative interest rates. Cash deposits incur a charge for storage at a bank rather than gaining interest. Some banks have to pay money to store their surplus in funds at national banks because of the negative interest rates. Some banks even charge their customers with this negative interest.
• New players have entered the field that are different from the establishment. Some are related to the development of cryptocurrencies, but others simply look at financial business in a new and unique way.
• Customers are increasingly expecting their payments to reach their destination account on the same day. This also helps the bank itself, as it reduces the amount they need to store against a negative interest.

What is fintech?

The hardware and software used in the financial world is generally referred to as fintech. But the expression is also used to describe the startups in the financial world. In this article it will be used to describe the technology as many of the settled financial institutions feel they need to adapt to the same new technology that the startups offer their customers. Because of this we can find these new features in banking and other financial applications both in the apps of accomplished firms along with those of the new financials.

Fintech security

While it may come as less than a surprise
that Fintech startups are struggling with security, sometimes the established
names surprise us with how easily they fall prey to data breaches, malware
attacks, or compromised apps.

One of the reasons why some of the fintech
startups are so successful lies in their ability to offer alternatives to
conventional financial solutions through cryptocurrencies, online loans, and
P2P. Along comes a variety of challenges and one of these challenges piques our
interest: cybersecurity. To name one aspect, the huge growth in the number and
size of online platforms makes this industry very vulnerable to security
breaches.

Some of the problems

The introduction of new features sometimes looks as if they were done in a rush and without keeping in mind how secure they are and how clever crooks could abuse them. For example, a mobile banking app that allowed users to add an extra phone to control their account by simply scanning a QR code ended up cleaning out a few bank accounts. Clever imposters tricked people into adding their phone leaving the imposter in full control of the account.

Payment requests leading to fake websites
are a quickly rising threat as banks are rolling out this feature. As always with
newer technology, fraudsters benefit from the victim’s unawareness of how
things work exactly. Someone pretending to buy from you on an online market can
send you a payment request for the amount you are expecting. All you have to do
is click “Accept” and enter your pin. And then find out that you paid them
instead of the other way around.

Fake bank websites in general have been a problem for many years and this will probably remain a problem for some time to come. Most of the times these fake sites are designed to harvest login and payment credentials from the visiting victims. And they are very hard to distinguish from the real bank websites as the threat-actors simply copy all the content and layout from the original sites. And urging customers to look for the green padlock is hardly useful advice anymore.

Payment providers and online shops are plagued by web skimmers. As we have reported frequently especially there are several Magecart groups who are very active at this front. Payments are intercepted and payment card information stolen using compromised e-commerce sites.

And then there is virtual money, or since most money nowadays is virtual to some level, let’s talk about cryptocurrencies in particular. While the introduction of cryptocurrencies was intended to open up a whole new world of payment options, it also opened a virtual cesspit of options to be defrauded. The absence of a central authority gave way to types of fraud and robbery that were unheard of in the old school banking world. Huge steals from marketplaces, bank-owners running with the funds entrusted to them, stolen hot wallet credentials, and let’s not forget drive-by-mining. We covered many of these crimes in our blog about Bankrobbers 2.0.

Financials of all kinds have suffered data breaches in all sorts and sizes. From huge ones like Equifax and Capital One to equally painful ones, for those involved, like the one at P&N bank where sensitive account information was spilled.

Ransomware operators are particularly fond of financials as they usually can afford to pay large sums and they are invested in getting operations back up and running in a hurry. Travelex took the high road and refused to pay the ransom demand made after being hit with Ransom.Sodinokibi.

Privacy concerns

With governments asking for full disclosure of savings both offshore and internal, and on the other hand enforcing privacy laws, financial institutions are expected to balance these demands while keeping their customers on board.

With GDPR in Europe leading the way, financials should be ready or get ready to comply with GDPR or similar laws that apply to them and their customer base.

Countermeasures

The financial industry is considered to be vital infrastructure and for good reason. When we lose trust in our financial institutions, it turns our society upside down. When the paper is no longer worth the number printed on it, or you cannot withdraw money from your account, that rattles the bases of our economy.

Fintech needs to adapt a more security focused
approach to developing new features, especially in their mobile apps. It also
wouldn’t hurt to provide customers with elaborate instructions on how to safely
use the new app or new features of the app.

As a financial startup you want to grow fast. But growing fast comes with its own problems. Making sure your security measures can scale along with your growth is a must. Unless you want to find yourself restricted in your growth or notice your security to start cracking at the seams.

However frustrating it may turn out to be, financials need to think about better identity management and control. Is it enough when someone is logged into an account to allow that entity to fully control the account? Or de we need to add another factor for special actions like raising the maximum amount, allowing withdrawals abroad, or even for transactions that are larger than normal.

Fintech startups can’t expect to get away with security mistakes that other startups might. Being in the financial sector brings with it different responsibilities and expectations.

As I’ve written before: It is key that our
financial institutions protect our dollars and our data so that we can keep
investing our money and our trust in them.

Stay safe, everyone!

The post Fintech security: the challenges and fails of a new era appeared first on Malwarebytes Labs.

The steady parade of US data privacy legislation continued last month in Washington with the introduction of an improved bill that would grant state residents the rights to access, control, delete, and port their data, as well as opting out of data sales.

The bill, called the Washington Privacy Act, also improves upon its earlier 2019 version, providing stronger safeguards on the use of facial recognition technology. According to some analysts, when compared to its coastal neighbor’s data privacy law—the California Consumer Privacy Act, which went into effect this year—the Washington Privacy Act excels.

Future of Privacy Forum CEO Jules Polonetsky called the bill
“the most comprehensive state privacy legislation proposed to date.”

“It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not,” Polonetsky said.

Introduced on
January 20 by state Senator Reuven Carlyle, the Washington Privacy Act would create
new responsibilities for companies that handle consumer data, including the implementation
of data protection processes and the development and posting of privacy policies.

Already, the bill has gained warm reception from corporate and nonprofit actors. Washington-based tech giant Microsoft said it was encouraged, and Consumer Reports welcomed the thrust of the bill, while urging for even more improvements.

“This new draft is definitely a step in the right direction
toward protecting Washington residents’ personal data,” said Consumer Reports
Director of Consumer Privacy and Technology Policy Justin Brookman. “We do hope
to see further improvements to get rid of inadvertent loopholes that remain in
the text.”

What the Washington Privacy Act would do

Like the many US data privacy bills introduced in the past
18 months, the Washington Privacy Act approaches the problem of lacking data
privacy with two prongs—better rights for consumers, tighter restrictions for
companies.

On the consumer side, the Washington Privacy Act would grant several new rights to Washington residents, including the rights to access, correct, delete, and port their data. Further, consumers would receive the right to “opt out” of having their personal data used in multiple, potentially invasive ways. Consumers could say no to having their data sold and to having their data used for “targeted advertising”—the somewhat inescapable practice that results in advertisements for a pair of shoes, a fetching sweater, or an 4K TV following users around from device to device. 

Consumers could exercise their rights with simple requests to the companies that handle their data. According to the bill, these requests would require a response within 45 days. If a company cannot meet that deadline, it can file for an extension, but it is required to notify the consumer about the extension and about why it could not meet the deadline.

Further, unfulfilled requests are not a dead end for
consumers—companies must also offer an appeals process to the consumers whose
requests they deny or do not fulfil. Requests must also be responded to free of
charge, up to two times a year per consumer.

Perhaps one of the most welcome provisions in the bill is its anti-discrimination rules. Companies cannot, the bill says, treat consumers differently because of their choices to exert their data privacy rights. On the surface, that makes dangerous ideas like “pay-for-privacy” schemes much harder to enact.

Concerning new business regulations, the Washington Privacy Act separates the types of companies it applies to into two categories: “controllers” and “processors.” The two terms, borrowed from the European Union’s General Data Protection Regulation (GDPR), have simple meanings. “Controllers” are the types of entities that actually make the decisions about how consumer data is collected, shared, or used. So, a small business with just one employee who decides to sell data to third parties? That’s a controller. A big company that decides to collect data to send targeted ads? That’s a controller, too.

Processors, on the other hand, are akin to contractors and
subcontractors that perform services for controllers. So, a payment processor
that simply processes e-commerce transactions and nothing more? That’s a processor.

The Washington Privacy Act’s new rules focus predominantly
on “controllers”—the Facebooks, Amazons, Twitters, Googles, Airbnbs, and
Oracles of the world.

Controllers would have to post privacy policies that are “reasonably
accessible, clear, and meaningful,” and would include the following
information:

• The categories of personal data processed by the controller
• The purposes for which the categories of personal data are processed
• How and where consumers may exercise their rights
• The categories of third parties, if any, with whom the controller shares personal data

If controllers sell personal data to third parties, or
process it for targeted advertising, the bill requires those controllers to
clearly disclose that activity, along with instructions about how consumers can
opt out of those activities.

Separately, controllers would need to perform “data
protection assessments,” in which the company looks at, documents, and
considers the risks of any personal data processing that involves targeted
advertising, sale, and “profiling.”

The regulation of “profiling” is new to data privacy bills.
It’s admirable.

According to the bill, “profiling” is any form of automated
processing of personal data to “evaluate, analyze, or predict personal aspects
concerning an identified or identifiable person’s economic situation, health,
personal preference, interests, reliability, behavior, location, or movements.”

In today’s increasingly invasive online advertising economy,
profiling is omnipresent. Companies collect data and create “profiles” of
consumers that, yes, may not include an exact name, but still include what are
considered vital predictors about that consumer’s lifestyle and behavior. 

These new regulations make the Washington Privacy Act stand
out amongst its contemporaries, said Stacey Gray, senior counsel with Future of
Privacy Forum.

“The big picture of the bill is that includes the same
individual rights as the California Consumer Privacy Act—of access, sale, et
cetera—and then more,” Gray said. “The right to correct your data, to opt out
of targeted advertising, and out of profiling—that is further on the individual
rights side.”

Gray added that the bill’s business obligations also go further than those in the CCPA, naming the data risk assessments previously discussed.

The Washington Privacy Act includes several more business
obligations, all of which add up to meaningful data protections for consumers.
For instance, companies would need to commit to data minimization principles,
only collecting consumers’ personal data that is necessary for expressed
purposes. Companies would also need to obtain affirmative, opt-in consent from
consumers before processing any “sensitive data,” which is any data that could
reveal race, ethnicity, religion, mental or physical health conditions or
diagnoses, sexual orientations, or citizenship and immigration statuses.

But perhaps most intriguing in the Washington Privacy Act is
its regulation of facial recognition technology.

Facial recognition provisions

In 2019, Washington state lawmakers crafted a bill aimed at improving the data privacy protections of consumers. They called it… the Washington Privacy Act. That original bill, which has now been substituted the 2020 version, included provisions on the commercial use of facial recognition.

On its face, the new rules looked good: Companies that used
facial recognition tech for commercial purposes would have to obtain consent
from consumers “prior to
deploying facial recognition services.”

Unfortunately,
the original bill’s very next sentence made that consent almost meaningless.

According to that
bill, consumer “consent” could be obtained not by actually asking the consumer
about whether they agreed to having their facial data recorded, but instead, by
posting a sign on a company’s premises.

As the bill
stated:

“The placement of
conspicuous notice in physical premises or online that clearly conveys that
facial recognition services are being used constitute a consumer’s consent to
the use of such facial recognition services when that consumer enters those
premises or proceeds to use the online services that have such notice, provided
that there is a means by which the consumer may exercise choice as to facial
recognition services.”

The length of the
explainer is as broad as the exception it allows.

This loophole upset
several privacy rights advocates who, in February 2019, sent a letter to key
Washington lawmakers.

“[W]hile the bill purportedly requires consumer consent to the use of facial recognition technology, it actually allows companies to substitute notification for seeking consent—leaving consumers without a real opportunity to exercise choice or control,” the letter said. It was signed by Consumer Reports, Common Sense, Electronic Frontier Foundation, and Privacy Rights Clearinghouse.

The 2020 bill closes this loophole, instead requiring
affirmative, opt-in consent for commercial facial recognition use, along with
mandatory notifications—such as signs—in spaces that use facial recognition
technology. The new bill also requires processors to open up their
data-processing tools to outside investigation and testing, in an effort to
root out what the bill calls “unfair performance differences across distinct
subpopulations,” such as minorities, disabled individuals, and the elderly.

Moving the
Washington Privacy Act forward

Despite the 2019
Washington Privacy Act gaining swift approval in the Senate two months after
its January introduction, the bill ultimately failed to reach the House.
Multiple factors led to the bill’s failure, including the bill’s definitions
for certain terms, its approach to enforcement, and its treatment of facial
recognition.

Some of those
same obstacles could come up for the 2020 bill, Gray said.

“If this bill does not pass this year, that’s where we might see a source of conflict—is either with the facial recognition provisions, or with enforcement,” Gray said. For enforcement to take hold, Gray said the Attorney General’s office—tasked with regulation—will need increased funding and staffing. Further, there will likely be opposition to the bill’s lack of “private right of action,” which means that consumers will not be able to individually file lawsuits against companies that they allege violated the law. This issue has been a sticking point for data privacy legislation for years.

Still, Gray said, the bill shows improvement from its 2019 version, which could help push it forward.

“All things
aside,” Gray said, “we’re more optimistic than last year about it passing.”

The post Washington Privacy Act welcomed by corporate and nonprofit actors appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we looked at the strengths and weaknesses of the Zero Trust model, gave you the low-down on spear phishing, and took a delve into the world of securing the managed service provider (MSP).

Other cybersecurity news

• UN compromised via Sharepoint hack: An extraordinary tale highlighting that absolutely nobody is safe when bad things happen and are then covered up. (Source: The Register)
• TA505 returns: A well-known financial phishing attack is back from hiatus to cause chaos once again. (Source: Bleeping Computer)
• SMS phishing, aka smishing: Residents of Pitt County are warned to be wary of bogus FedEx notifications sent by text. (Source: News Channel 12)
• Social media booster runs into password mayhem: Another organisation discovers too late that plaintext passwords aren’t a great idea. (Source: TechCrunch)
• Ashley Madison breach returns to haunt us: Five years on, it’s causing problems in all new ways, fueling a new extortion scam. (Source: VadeSecure)
• Hacking in Hong Kong: ESET looks at how the Winnti group are targeting two Hong Kong Universities. (Source: ESET)
• Microsoft launches new bug bounty program: If you’re into gaming, this may be just what you’re looking for. (Source: Help Net Security)
• Big breach, big numbers: A compromise could potentially include a large tally of (more than 30 million) credit card information. (Source: Krebs on Security)
• The real world virus scammers have arrived: Booby-trapped Word documents pushing the Emotet Trojan are being fired out to people’s mailboxes, disguised as warnings about the coronavirus. (Source: TechRepublic)
• Tricky phishing: It may be the case that we’re not as good at detecting scams as we think we are. (Source: ZDNet)

Stay safe, everyone!

The post A week in security (January 27 – February 2) appeared first on Malwarebytes Labs.

We’ve previously discussed threats to managed service providers (MSPs), covering their status as a valuable secondary target to both an assortment of APT groups as well as financially motivated threat groups. The problem with covering new and novel attack vectors, however, is that behind each new vector is typically a system left unpatched, asset management undone, a security officer not hired (typically justified with factually dubious claims of a “skills shortage”) or a board who sees investment in infrastructure—and yes, security is infrastructure—as a cost center rather than a long-term investment in sustainable profits.

In short, malware can be significantly less dangerous to a business than that business’ own operational workflow.

Points of entry

Data on breach root causes is hard to come by, typically because security vendors tend to benefit by not providing industry vertical specific risk analysis. But the data that is available occasionally hints at corporate data breaches starting with some common unforced errors.

The 2019 Verizon DBIR claims that only 28 percent of observed data breaches involve the use of malware for the initial intrusion. While malware plays a significant role in the subsequent exploitation, the numbers suggest the majority of public breaches are not driven by zero-day exploits or outlandishly complex intrusion paths. So if you’re trying to secure an MSP, what are the most common entry points for attackers?

Under the broad heading of “hacking,” the most prominent observed tactics for point-of-entry include phishing, use of stolen credentials, and other social engineering techniques. Subsequent actions to further access include common use of backdoors or compromised web applications. Let’s break these down a little further.

Phishing is a reliable way of gaining a foothold to compromise a system. How would an employee clicking on a phish constitute an unforced error? Frequently, enterprises of all sorts incentivize their workers to click on absolutely everything, while simultaneously limiting their actual reading of messages. The consequences for poorly-designed corporate communications can be huge, as was seen when an MSP lost control of admin credentials via phishing attack that was subsequently used to launch ransomware.

Stolen credentials are a tremendously common attack vector that has been seen in several high profile MSP data breaches. “Stolen” is a bit of a misnomer though, and they would be better considered as “mishandled.”

Setting aside credentials gained via social engineering or phishing, companies can frequently lose track of credentials by keeping old or unnecessary accounts active, failing to monitor public exposure of accounts, failing to force resets after secondary breaches that may impact employees, failing to enforce modern password policies—basically failing to pay attention.

Should any single account with exposed credentials be over-privileged, a significant breach is almost guaranteed. And the consequences for MSPs with sloppy credential handling can be quite severe (1, 2).

Last in the lineup for unnecessary security failures is patch management. Like any other company trying to manage fixed infrastructure costs, MSPs rely heavily on third-party software and services. So when a business-critical support app is discovered to have multiple severe vulnerabilities, it introduces a wide-open channel for further exploitation. On occasion, the vulnerabilities used are brand new. Typically, they are not, and companies that fail to patch or mitigate vulnerable software get predictably exploited.

Mishandled mitigation

These attack entry points have a couple factors in common. First, they are not tremendously technically sophisticated. Even with regards to limited APT examples, the actors relied on compromised credentials and phishing first before deploying the big guns for lateral propagation. Second, mitigating these common entry points are actions that impacted MSPs should have been doing anyway.

Credential management that includes limited external monitoring, timely access control, and periodic privilege review doesn’t simply protect against catastrophic breaches—it protects against a host of attacks at all points of the technical sophistication spectrum.

Anti-phishing system design cues not only defend against employees leaking critical data, they also make for more efficient corporate communications, keep employees safe, and ideally reduce their overall email load.

Appropriate logging with timely human review cuts down time to breach discovery, but also assists in detailed risk analysis that can make for lean and effective security budgets into the future. The relationship between all of these security behaviors and observed MSP data breaches suggests that more attention to industry best practices could have gone a long way toward eliminating or sharply diminishing breach risk.

Finally, a patch management schedule that tracks third party software and services, fixing vulnerabilities in a timely manner is a great way to close some of the largest entry points into an MSP. Subordinating patches to non critical business needs, not having a test network to deploy patches, or simply not patching at all is a large signpost to attackers signifying an easy target.

MSP security: not a luxury

An MSP might be tempted to consider security as an expensive indulgence—something to be considered as a nice-to-have after uptime and availability of resources. Done well, it is neither expensive, nor a luxury.

Adherence to security norms that have been well defined for years can go a long way toward preventing big breaches, and can do so without expensive vendor contracts, pricy consultants, or best-in-class equipment. A managed service provider who chooses to ignore or delay those norms does so at its peril.

The post Securing the MSP: their own worst enemy appeared first on Malwarebytes Labs.