Techie Feeds

Google delays Chrome third party cookie sunsetting…again

Malwarebytes - Fri, 07/29/2022 - 15:49

We’ve seen many examples of third-party cookies being tackled by browsers recently. It’s not so long ago that Firefox effectively locked down third-party tracking by isolating cookies into so-called jars. By doing so, their “Total Cookie Protection” seeks to prevent all those cookies on your PC communicating with one another. This means advertisers can’t fully build up shadowy profiles following you around the net.

Increasingly, more browsers are going down this same route. Google has a huge hand in online advertising. This role often sits uneasily alongside issues of privacy and security, for example rogue ad campaigns misusing Google’s own ads.

Despite this, Google has also talked about killing off tracking cookies for some time now (including a pilot effort to introduce a type of tracking technology called “FLoC” which would allegedly preserve privacy by categorizing users into “groups” of behavior sets). The hammer was supposedly falling sometime this year, with the basic idea being that traditional third-party tracking cookies would no longer be functional in Chrome. That slice of potentially invasive advertiser pie would shrink down just a little bit further.

However, we’re now faced with the second pushback of cookie tracking lockdown where Chrome is concerned. Did Google jump the gun on this allegedly privacy-enhancing announcement?

Delaying an inevitable sunset

You probably won’t see any sunsetting of third party tracking cookies until the second half of 2024. The reason is detailed in a recent Google Blog posted by Anthony Chavez, the VP of Privacy Sandbox.

The Privacy Sandbox Initiative aims to replace tracking across sites and apps. It also wants to limit how far your data can be shared. According to the company initiative, advertising IDs and third party cookies are out; more sophisticated technologies which block invasive tracking are in.

At least, they would be but for the constant delays and pushbacks. As the Privacy Sandbox site puts it:

Billions of people around the world rely on access to information on sites and apps. To provide this free resource without relying on intrusive tracking, publishers and developers need privacy-preserving alternatives for their key business needs, including serving relevant content and ads.

In other words: organisations still need to make money from adverts, so here’s a very wobbly tightrope which we’ll all be inching down. It seems this potentially contradictory aim is causing inevitable delays.

More time for advertisers means more time for advertising

The specifics boil down to advertisers needing more time to figure out the new technologies replacing third party tracking. From the blog:

Improving people’s privacy, while giving businesses the tools they need to succeed online, is vital to the future of the open web. That’s why we started the Privacy Sandbox initiative to collaborate with the ecosystem on developing privacy-preserving alternatives to third-party cookies and other forms of cross-site tracking.

He goes on to say:

The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome. This feedback aligns with our commitment to the CMA to ensure that the Privacy Sandbox provides effective, privacy-preserving technologies and the industry has sufficient time to adopt these new solutions. This deliberate approach to transitioning from third-party cookies ensures that the web can continue to thrive, without relying on cross-site tracking identifiers or covert techniques like fingerprinting.

You can view a timeline of the Privacy Sandbox work, which details at length what is happening and when. Third party cookie phaseout currently says support will be phased out “over a two month period”. There is no further information available on this at time of writing. Of course, potentially invasive tracking and advertising techniques will still be in use until sunsets finally come into play.

Major platforms are trying whatever they can to make it harder for people to extricate themselves from tracking. Most recently, Facebook was seen to be altering links designed to track clicks. By the time Google finally sunsets tracking cookies and other potentially invasive technologies, we may find that the new normal is another entirely set of invasive technologies to contend with.

The post Google delays Chrome third party cookie sunsetting…again appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Wren Eleanor story: Why you should keep your kids’ images off social media

Malwarebytes - Thu, 07/21/2022 - 17:57

TikTok moms have started a movement: Calling out potential creeps who follow child influencer accounts on the platform. The latest account in the spotlight is @wren.eleanor, a TikTok account with a massive 17.3 million followers. It’s an impressive number and one that got the attention of armchair sleuths.

@hashtagfacts, another account, posted a video about what other people on TikTok have observed about this account’s followers. They’ve noted the number of times specific clips of 3-year-old Wren have been saved. Perhaps, more surprisingly, they’ve taken note of the pre-filled texts that appear in TikTok’s search box when one starts searching for “wren”.

And that’s just the tip of the iceberg. Many also found a lot of “disgusting comments left by men” in certain videos about Wren.

Keep your children off the internet!

— Deirra | Net Eng/Cyber Sec  (@ccieby30) July 19, 2022

“My daughter is 12 and a half,” @hashtagfacts said in her video post, “The issue with all of these saves and the follows are that people are watching your children. And doing disgusting things.”

“Protect your children.”

Regardless of your intentions when you post pictures and videos of your children publicly, realize and accept the fact that the Internet, with all its awesomeness, also harbors creeps who follow social media accounts featuring kids for disturbing reasons. It’s safe to assume they’re everywhere: Facebook, Instagram, YouTube, TikTok, Omegle, and others.

The simplest way to protect your children from the harms you know, and especially the harms you don’t, is to keep them off social media entirely. Let them decide how they want to use it when they are old enough to understand and navigate the risks they face. That means no social media accounts for them, and no posting images of them on your own accounts.

If that simply isn’t an option for you, for whatever reason, there are ways that you can still safely share photos and videos of your kids on social media while keeping them far away from the hawking eyes of online child predators. In reality, there are many things we can’t control when it comes to protecting our children. However, as one TikTok commenter correctly pointed out, we can control what we post online about our kids.

So, parents and carers, let’s take control.

Take your social media accounts private

If you need to act quickly but don’t have the time now to weed through all the media to pick which ones to delete and keep, consider protecting your tweets or making your Instagram account private.

Doing this also gives you time to think about what to consider before deciding on where you stand with the sharing of your child’s photos and videos. Because at the end of the day, you, the responsible parents and carers, get to decide, not people on the internet.

Limit access to the child’s photos and videos

Even though your entire account is public, some social media platforms allow you to pick and choose who among your contacts can see specific things you share. Better yet, share to a Private group on Facebook and Instagram comprising only of close family members and friends you’ve known and trusted for long enough you consider them as family.

The smaller the circle of trust, the better.

Yes, share via secure messengers and private albums

Social media platforms aren’t the only places where you can safely share pictures and videos of your kids. Secure messengers like iMessage, WhatsApp, or Signal can also do this for you, so make good use of them.

If your family and friends all have Apple devices, or if you use Google Photos, you can also set up a private, shared photo album where you can share media of all family members safely.

Prepare your kids for a life with social media

Posting media of your kids on social media is one thing. Creating social media accounts for them, whether they meet a social network’s minimum age requirement or not, is quite another. Because for children, especially girls aged 11 to 13, who are targeted by online predators more than other groups, just being online is already a huge risk.

Don’t assume they know enough to look after themselves. Make sure they do. We suggest you adopt T.A.L.K., a series of comprehensive and actionable steps parents and carers can take to help guide kids through a safe online experience as they grow up.

T.A.L.K. stands for:

  • Talk to your child about online sexual abuse. Start the conversation—and listen to their concerns.
  • Agree on ground rules about the way you use technology as a family.
  • Learn about the platforms and apps your child loves. Take an interest in their online life.
  • Know how to use tools, apps and settings that can help to keep your child safe online.

Age shouldn’t be the only indicator for when you can allow your kids to start exploring the wider Internet more. Maturity of mind should be considered, too.

We also believe that part of keeping kids secure online is developing their self-esteem. So no matter what negativity the online world throws at them, they will rise above it. An insecure child will easily succumb to criticisms, want to be famous, or feel the need to get approval and acceptance from everyone.

Putting them in front of the camera for millions of people to watch and look at won’t build up the self-esteem your child needs.

The post The Wren Eleanor story: Why you should keep your kids’ images off social media appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The winding road to compliance

Malwarebytes - Thu, 07/21/2022 - 16:24

“Here are the keys. Buy milk and bread. Drive safely.”

These are important instructions for a new driver tasked with running an errand. But unless the driver knows where they are going, a bit of guidance on how to get to the store can only help. Without it, the driver may complete the errand successfully, or at least make a good effort; but they might not complete the errand or be inefficient in the attempt.

For IT and security teams, aiming for compliance feels eerily similar to running errands without

Like the driver, these users want to accomplish the task at hand (in this case, regulatory
compliance) but are often stymied by the ambiguity or lack of direction on how to do so. Often,
compliance standards define the ultimate objectives, but give organizations the flexibility to determine
for themselves the path they take to get there.

Consequently, some users experience the equivalent of making three left turns when they didn’t know they could have just made a right.

Navigating by the stars

Freedom to define your own path has some benefits, of course. So, how do you reach the goal
efficiently to optimally protect your organization against breaches?

If you’re working through this question, you’re not alone. In fact, data from earlier this year suggests more cybersecurity decision-makers are focused on ensuring governance and compliance standards are met (56%), topping the list of priority projects during the first quarter of 2022.

It’s no secret that complying with leading standards in your industry protects your business in several
ways – some more obvious than others.

Immediately, there is the imperative protection for corporate data, personally identifiable information (PII), intellectual property, etc., and mandatory compliance with these protections to operate in certain industries or countries. Then there are the expanded values gained from compliance, such as assurances you can provide to executives and Boards about the organization’s cybersecurity posture, or your improved stance for cyber insurance.

Overriding all of these benefits is the primary reason compliance programs exist: to increase organizations’ level of prevention against an attack (akin to the “drive safely” instruction to a new driver).

Help along the journey

With the freedom to choose how you meet compliance requirements, a navigator who is easy to travel
with and able to help guide you efficiently can be the best kind of travel companion. You need a solution
partner who can help you check off some of those distance-markers along the compliance highway.

Malwarebytes EDR includes essential threat prevention capabilities to keep nefarious actors from
entering your environment.

These are complimented by threat detection and remediation tools to help you identify threats that get past the gate, so your IT or security team can respond effectively and efficiently. The platform aligns nicely with NIST and ENISA attack response frameworks, which include guidelines for best practices that help you achieve compliance.

Compliance may not be the pinnacle of your journey, either; perhaps your organization’s focus is
reinforcing specific attack surfaces. In cases like these, the value of an expandable, cloud-based platform becomes apparent.

Malwarebytes EDR is built to run in our Nebula cloud platform, which empowers you to easily add
modules that fortify specific vectors. For example, adding our Vulnerability Assessment and Patch
Management (VPM
) modules to your Malwarebytes EDR deployment helps protect against software exploits.

Connecting our DNS Filtering module yields greater control over internet browsing and content
access, providing end users a safer, more secure web experience. In addition to their inherent enhanced
protection value, these modules help businesses with specific HIPAA, PCI and GDPR compliance criteria,
and public sector entities meet additional requirements of CJIS compliance, for example.

Drive safely!

The path to compliance is easier with an informed companion. Malwarebytes EDR helps you navigate
the compliance highways and byways, like a travel companion with experience in and expert knowledge
of the routes to optimal protection. Our platform is easy to learn and use and can effectively help you
reach your compliance destination (and beyond). Get started with an EDR demo or trial today.

The post The winding road to compliance appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Vulnerabilities in GPS tracker could have “life-threatening” implications

Malwarebytes - Thu, 07/21/2022 - 09:57

Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.

The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled ICSA-22-200-01: MiCODUS MV720 GPS Tracker.

What’s happened?

The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities. In total, there are 1.5 million of these devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.

If the vulnerabilities are successfully exploited, an attacker could take control of the tracker, giving them access to location, routes, and fuel cutoff commands, as well as the ability to disarm various features like alarms. The found vulnerabilities are very diverse and would imply that the application was not built with security in mind. Or certainly not top of mind.

The vulnerabilities Hard coded credentials

CVE-2022-2107: The API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

Improper authentication

CVE-2022-2141: SMS-based GPS commands can be executed without authentication.

Improper neutralization of input during web page generation

CVE-2022-21999: The main web server has a reflected cross-site scripting (XSS) vulnerability that could allow an attacker to gain control by tricking a user into making a request.

Authorization bypass through user-controlled key

CVE-2022-34150: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.

Another authorization bypass through user-controlled key

CVE-2022-33944: The main web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.

Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.


Since MiCODUS has not provided updates or patches to mitigate these vulnerabilities, users are advised to turn the vulnerable devices off.

The researchers first contacted MiCODUS about the vulnerabilities in September 2021, and due to a lack of response CISA and BitSight decided to publish their research.

The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Google ads lead to major malvertising campaign

Malwarebytes - Wed, 07/20/2022 - 20:10

Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that goes mainstream and targets some of the world’s top brands.

Case in point, we recently uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.

What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar.

Hijacking traffic from on a specific user flow

The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).

Let’s say you want to load YouTube and type ‘youtube’ instead of entering the full address ‘’ in the browser’s address bar. The first result that appears shows ‘’ so you are likely to trust it and click on it:

Hijacking traffic in such a way is a clever and likely profitable scheme outlining some of the issues and abuses associated with the placement of ads versus organic search results.

The top searches we have seen for malware-laden ads in this campaign are:

  • youtube
  • facebook
  • amazon
  • walmart

Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them.

Cloaking and other violations

The technique used to divert traffic for malicious purposes is known as cloaking and is based on two prerequisites:

  • User looks fake (non residential IP address, wrong user-agent string or simply a crawler)
    • A redirect to the requested website will take place
  • User looks legitimate
    • A redirect to a different site and different content happens

As per Google, “Cloaking is considered a violation of Google’s Webmaster Guidelines because it provides our users with different results than they expected.” Again, based on Google’s policy violation a buyer that uses a creative (ad) containing malware can be suspended for a minimum of three months.

Traffic and redirects

There is a short chain of redirects leading to the browser locker. In this section we will take apart another malicious ad for Facebook this time. The ad is of course quite misleading as there is nothing that indicates that clicking on it would redirect anywhere else but to the requested website. Note how it appears before the top organic search result, guaranteeing a higher click rate.

The redirection mechanism is engineered in such a way that static analysis of the HTML code is difficult and does not give away the browser locker URL easily.

First redirect

This page determines whether to load decoy content (in this case the legitimate Facebook website) or a secondary script on the same attacker-controlled infrastructure.

Second redirect

This is where the browser locker URL is found and we can see that the threat actors don’t actually want to make a formal redirect but instead are loading it within an iframe.

When the page is rendered, the main address bar still shows the .com (cloaking domain) while the content is actually loaded from an iframe (100% width and height) from a disposable CloudFront URL.

Multiple cloud platforms affected

Below are examples of malvertising chains we have observed using slightly different variations but that we believe are related to the same threat actor. They used a clever approach by adopting different flows for the cloaking and browser locker such that detecting and taking down one would not impact the overall campaign.

Specifically, we see the threat actor using more expensive domains mixed with disposable domains on shady TLDs. For infrastructure, again they diversified between paid VPS on hosting companies and free cloud providers (PaaS).

Traffic flow – case 1 : throwaway domains

  1. Google search:{…}
  2. DoubleClick ad network:{…}
  3. Cloaking domain: ssgvbcxcc[.]ga/?url={…}
  4. Browser locker: prolesscodenet856[.]ml/erxczzxEr0rgdxvngEr0hjhvhhxEr0cbchk0252infoyxZdzc

Traffic flow – case 2: IP address

  1. Google search:{…}
  2. Ad platform:{…}
  3. Cloaking domain: gettouy[.]org/t2/?url={…}
  4. Browser locker: 159.203.183[.]136/windowsecurity/

Traffic flow – case 3: Digital Ocean PaaS

  1. Google search:{…}
  2. Ad platform:{…}
  3. Cloaking domain: playcrpm[.]com/?url={…}
  4. Browser locker: starfish-app-irxap.ondigitalocean[.]app/{…}&number=1-866-896-0189{…}

Traffic flow – case 4: Azure cloud

  1. Google search:{…}
  2. Ad platform:{…}
  3. Cloaking domain: vlt[.]me/.2zqd4/?url={…}
  4. Browser locker: wdq23r2fdadqwdqwdfwedadasasd.azurewebsites[.]net/fC0deJdfd008f0d0CH888Err0r80dBG88/index.html
Reporting and protection

As far as we can tell, these different campaigns have been going on for several weeks already. Although we don’t have statistics to figure out how many people were exposed, we can infer that the number was high based on a couple of factors:

  • The ads target popular keywords (which also indicates that the threat actors are not opposed to paying a premium)
  • We were able to replay the malvertising chains in our lab multiple times (live replays of malvertising on high profile sites is usually difficult)

We reported the malicious ads and flagged them under the “An ad/listing violates other Google Ads policies” category.

We also shared and are currently sharing the cloaking domains infrastructure with relevant parties. The browlock domains themselves have such a short lifespan that it is practically useless to act upon them.

Meanwhile, Malwarebytes users were already protected against this campaign thanks to our heuristic detection of the browser locker pages that force a fullscreen and auto play an audio warning.

Indicators of Compromise


The post Google ads lead to major malvertising campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Another ransomware payment recovered by the Justice Department

Malwarebytes - Wed, 07/20/2022 - 15:50

The Justice Department today announced a complaint filed in the District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. The seized funds amounting to half a million US dollars, include ransoms paid by health care providers in Kansas and Colorado.

Maui ransomware

Deputy Attorney General Lisa O. Monaco said at the International Conference on Cyber Security:

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui.’”

Malwarebytes recently reported on the North Korean APT that targets US healthcare sector with Maui ransomware. The FBI started responding to incidents involving Maui in May 2021. Unlike the ransomware we usually see that plagues organizations and regularly hits the news, Maui is never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is, instead, developed and used privately for state-backed actors.

New at the time

According to court documents, in May 2021, North Korean hackers used a ransomware strain called Ransom.Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of its computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.

Follow the money

In April 2022, the FBI observed a payment of approximately $120,000 in Bitcoin into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The following investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims.

Not the first time

We’ve seen ransomware recoveries in the past and we hope to see many more in the future. The most well known and probably one of the first was when the US Department of Justice recovered much of the ransomware payment that Colonial Pipeline paid to free itself from the attack that derailed the oil and gas supplier’s operations for several days.

Another example: The University of Maastricht in the Netherlands was hit by ransomware in December 2019 and paid a ransom of 197,000 Euro in Bitcoin. A part of this ransom was recovered in 2020 from a laundering operation in Ukraine. Due to the difference in Bitcoin prices, the University received a return payment of 500,000 Euro. The “profit” will be donated to disadvantaged students.


Even though ransom recovery is a good thing, it only happens on rare occasions and the general advice is to refrain from paying ransoms. It doesn’t guarantee you will get your data back, nor does it free you from recovery costs (because you still have to harden your system against the next attack), and it marks you as a target for repeat attacks.

Although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:

  • Maintain offsite, offline backups of data and test them regularly.
  • Create a cybersecurity response plan.
  • Keep operating systems, applications, and firmware up to date.
  • Disable or harden remote desktop protocol (RDP).
  • Require multi-factor authentication (MFA) for as many services as possible.
  • Require administrator credentials to install software.
  • Report ransomware incidents to your local FBI field office.

Stay safe, everyone!

The post Another ransomware payment recovered by the Justice Department appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Facebook gets round tracking privacy measure by encrypting links

Malwarebytes - Wed, 07/20/2022 - 14:35

A form of individual tracking specific to your web browser is at the heart of a currently contested privacy battle, and one which Facebook has just got the upper hand to.

This type of tracking involves adding additional parameters to the URLs that you click on a daily basis. When you click one of these parameter-laden links, the organisation which added the parameter to the URL knows that you’ve clicked it.

Sites make use of the added parameters in order to track your clicks across a range of sites or services, an activity which can be monetised for marketing or analytics. A company may also be able to know where you visit away from their own website. The marketing possibilities are endless, and so too are the privacy implications.

Browsers tackle the problem of tracking parameters

Major browsers have been looking at this issue for a while, and some now strip the tracking from urls.

At the end of June, Firefox rolled out something called “Query parameter stripping“. Now, when you click a link or copy and paste it, Firefox removes all forms of tracking appended to the URL you wish to visit. When you click the link and arrive at the other end, it’s as though the tracking aspect added to the URL was never there in the first place. It’s worth noting that this feature is disabled by default unless you’re using private browsing, and needs to be enabled in the Privacy & Security section of the browser options for it to work.

Firefox isn’t alone in this fight. Other browsers, like Brave, have been addressing this issue for some time already.

As Brave explains, removing and blocking other aspects of a site for security or privacy purposes can prevent the site from working correctly. For example, disabling JavaScript may reduce the risk of attacks in your browser, but it may also break the websites that you visit. Blocking cookies may steer you away from invasive tracking, but it could also prevent you from logging in.

However, unlike the two examples above, stripping tracking parameters from a link doesn’t generate usability issues. If you take one of them out, the site carries on working as intended.

So far, so good.

Unfortunately for those with a fondness for removing tracking parameters, this may not be the case for much longer. Some organisations which make use of added parameters are presenting browsers and surfers with a stark choice.

Keep the tracking…or break the site.

Facebook: A knock-out blow?

Up until now, Facebook was using “Fbclid” in its URLs for parameter tracking. You may well have seen this appear in your URL bar as part of the addresses you’ve been clicking on. Web browsers keep track of all the additional parameters added to URLs, and strip them out as they appear. If a site changes the text of their additional parameter, the browser would have to update its own lists to be able to continue stripping them out.

Instead of playing a never-ending game of changing their parameter additions, Facebook is trying something very different, which is sure to cause the browser developers some headaches on the parameter stripping front.

Facebook has now switched to encryption for its parameter tracking needs. What this means is that the encrypted part of the URL is essentially part of the whole URL. If you remove it, you won’t be directed to the specific page you’re looking for. As per the example given on this Ghacks article: You’ll arrive on the main landing page for a site, but not the article you’re looking for.

The only real workaround for this at present is to try and avoid as much as Facebook’s tracking as possible. This isn’t always something you’re easily able to do. At the bare minimum, you’d want to consider signing out of Facebook and blocking all Facebook-centric domains. This doesn’t solve the issue of encrypted URLs though, and it’s likely that anyone already happy to strip URLs may have been doing this in the first place.

Browser developers: your move.

The post Facebook gets round tracking privacy measure by encrypting links appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Ring shares data with police without consent (but it’s in good faith), says Amazon

Malwarebytes - Wed, 07/20/2022 - 12:12

Ring, the Amazon-owned company behind the popular smart doorbells, has admitted to giving doorbell data to law enforcement willy-nilly. All they have to do is fill out a form called the Amazon Law Enforcement Request Tracker—no need to ask for the data owner’s consent, give a warrant or court order. The company revealed this in response to a letter Senator Edward Markey (D-Mass.) sent Amazon in June 2022.

Senator Markey’s letter contains a request for updates regarding the steps Ring has taken “to remove private policing agencies from its Neighbors Public Safety Service (NPSS), reduce the potential for its products to be misused in harmful ways, and protect individuals’ right to privacy.” The NPSS is a means for public safety agencies, which include law enforcement, to connect with their local communities that can publicly share posts or video recordings to the Neighbors App feed.

Amazon responded in writing to Senator Markey’s letter, but the response was only revealed to the public recently. Below are some takeaway points from the response:

  • Ring refuses to change the default setting of automatically recording audio when recording videos via its doorbell camera.
  • Ring currently doesn’t have a voice recognition feature. But that doesn’t mean it won’t in the future.
  • There are currently 2,161 law enforcement agencies and 455 fire departments on the NPSS platform.
  • Ring generally doesn’t allow private security companies on NPSS, and it will only onboard such companies “if they are peace officers under state law and subject to constitutional restrictions.”
  • Ring affirms its right to respond immediately to law enforcement requests under emergency circumstances involving imminent danger of death or serious bodily harm. At times like these, it says, it will share details without asking for consent. And it has done so in 11 incidents this year.

Brendan Daley, Ring’s spokesperson, told Politico that although Ring doesn’t need user consent when handing footage to law enforcement with warrants, it does notify the owners of the video footages.

Speaking with Ars Technica, Policy Analyst for Electronic Frontier Foundation (EFF) Matthew Guariglia said, “There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are Ring and the police, both of whom, as far as I know, don’t have a great reputation when it comes to deciding when it’s appropriate to acquire a person’s data.

~ Matthew Guariglia, EFF

The Policing Project at New York University (NYU) School of Law recently concluded its two year audit of Ring to improve its products and services, focusing on NPSS. Ring admitted to making more than 100 changes to its products, policies, and legal practices. This includes the introduction of Requests for Assistance, which ensures transparency on the part of public safety agencies when asking for assistance from communities in the form of information or video as part of ongoing investigations. The company deliberately created Requests for Assistance to keep control of owners’ hands, not the requesting agencies.

When it comes to sharing private data, both the NYU and Guariglia have landed on the same conclusion: Policymakers need to lay more ground rules on how much private surveillance data police can rely on.

The post Ring shares data with police without consent (but it’s in good faith), says Amazon appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fraudulent cryptocurrency investment apps are duping investors

Malwarebytes - Tue, 07/19/2022 - 13:29

Together with the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), the FBI has released a warning about cybercriminals creating fraudulent cryptocurrency investment apps in order to defraud cryptocurrency investors.

The threat actors convince investors to download fraudulent mobile apps with the promise of huge opportunities and even larger gains.

And this new type of fraud turns out to be very profitable indeed, for the criminals at least—the FBI has identified 244 victims and estimates the approximate loss associated with this activity to be $42.7 million.

Mobile apps

It’s common for financial institutions to have a mobile app. These apps enhance the user experience and increase legitimate investment. Needless to say, threat actors sniffed out this opportunity to take advantage of the increased interest in mobile banking and cryptocurrency investing.

The FBI has observed threat actors using the names, logos, and other identifying information of legitimate financials in apps and websites.


While the basics are the same, there are some variants of this type of fraud which the FBI demonstrates with a few examples.

In the first one, victims were duped into downloading an app that used the name and logo of an actual US financial institution. Then the threat actors encouraged the victims to deposit cryptocurrency into wallets associated with their accounts on the app. But the app did not originate from the company the victims thought, and when they tried to withdraw funds from the app, they received an email stating they had to pay taxes on their investments before making withdrawals. After paying the supposed tax, the victims remained unable to withdraw funds.

Separately, threat actors operating under the name of a legitimate cryptocurrency exchange that closed in 2018 used the same method of having the victims pay taxes after which there was still no way to get a refund.

Then, threat actors using a name very similar to that of a currency exchange provider in Australia defrauded a victim by telling them that they had enrolled in a program requiring a minimum balance of $900,000. When the victim tried to cancel the subscription, they received instructions to deposit the requested funds or have all assets frozen.


To stay out of the claws of these imposters there are a few precautions you can take.

  • Be wary of unsolicited requests to download investment applications, especially from unexpected sources.
  • Verify the legitimacy of the app by checking out whether the company is legitimate and operates the app, and ensure that any financial disclosures or documents are tailored to the app’s purpose and the proposed financial activity.
  • Treat applications with limited and/or broken functionality with skepticism.

Financial institutions should warn their customers about fake websites and apps using their logos to dupe investors.

Defrauded financial institutions and their customers are encouraged to contact the FBI via the Internet Crime Complaint Center or their local FBI field office.

Stay safe, everyone!

The post Fraudulent cryptocurrency investment apps are duping investors appeared first on Malwarebytes Labs.

Categories: Techie Feeds

PayPal phishing campaign goes after more than just your login credentials

Malwarebytes - Tue, 07/19/2022 - 13:14

A new phishing campaign targeting PayPal users aims to get extensive data from potential victims. The data it’s after includes government documents like passport, as well as selfie photos. In a nutshell, it’s an extensive form of information theft, the likes of which could result in someone’s identity being fully stolen and their financial and other online accounts being taken over.

PayPal phishing sites are a dime a dozen due to the number of people and companies using it as another form of payment method. However, what’s notable about this campaign is that all the phishing pages are hosted on legitimate WordPress sites.

Hundreds—if not thousands—of WordPress sites remain vulnerable and easily exploited by scammers because of their poor security and the use of weak passwords. This was evident after Akamai found an attacker had planted a phishing kit on its WordPress honeypot.

After successfully brute-forcing their way into the WordPress site using a list of common credentials, the attackers then installed a file manager plugin that let them upload the phishing kit to the compromised site.

To avoid detection, the phishing kit cross-referenced IP addresses to domains belonging to companies it wants to avoid. Naturally, some of these domains include those belonging to cybersecurity organizations.

Blending into the background

Akamai researchers also noticed how the scammers made an effort to make their phishing page as indistinguishable as possible from the legitimate one. For one thing, the actors used .htaccess (short for hypertext access), a file that allows an admin to modify how a URL destination appears on the address bar.

In this case, the scammers wanted their phishing URL to make it look like it wasn’t a PHP file, so they edited out the “.php” bit of the URL. This makes sense because PayPal’s sign-in page doesn’t have an extension.

Oddly enough, the phish starts off asking users to type in the alphanumeric string they see on the “Security Challenge” page, under the guise of a means to verify that the user isn’t a bot.

This fake PayPal page asks you to enter what you see into a text box.
(Source: Akamai)

The next page then asks for the user’s PayPal credentials. Normally, phishing kits would stop here, and the scammers would leave content with the PayPal credentials they can then misuse and abuse.

But not here. In this case they want more. This is just the start of a sophisticated work-up to get users to provide such sensitive information without them realizing it.

After users provide their PayPal credentials, they are then presented with a notice of “unusual activity” in the next screen.

(Source: Akamai)

Once users click the “Secure My Account” button, they are then directed to a page telling them to confirm all their card details. Here, Akamai noted that a ZIP code and CVV are normally sufficient.

(Source: Akamai)

Next, the scammers then ask users for yet more information, specifically their ATM PIN, social security number (SSN), and their mother’s maiden name—a bit of detail that could bypass an additional security layer for an account.

(Source: Akamai)

The PayPal phishing site then encourages users to link an email address to their PayPal account, giving the attackers a token, and therefore access, to that email account. It also encourages victims to upload official government documents, such as a passport, driver’s license, or national ID, to secure the account.

Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. 

~ Akamai Security Research, Akamai

For a verification process for an account showing unusual activity, the amount of information being asked from users is ridiculous and overkill. However, Akamai researchers believe that socially engineering PayPal users to let them keep giving away their data is what makes this phishing kit successful.

“People judge brands and companies on their security measures these days,” said Akamai in the report. “Not only is it commonplace to verify your identity in a multitude of ways, but it’s also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies.”

Phishing, in general, has come a long way. Attackers have been learning from their mistakes thanks to our growing understanding of their tactics and social engineering techniques.

As users of online services, we, too, have an obligation over our own online security and privacy. And the only way one can tell apart two seemingly identical websites is to look at your browser’s address bar.

To rephrase a line: to err is human, to scrutinize URLs is divine.

Stay safe!

The post PayPal phishing campaign goes after more than just your login credentials appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately!

Malwarebytes - Tue, 07/19/2022 - 12:07

WordPress admins are being warned to remove a buggy plugin or risk a total site takeover.

This particular threat relates to a plugin which is no longer in use: Modern WPBakery page builder addons. The vulnerability in the plugin, known as CVE-2021-24284, allows “unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action”. This means that attackers could upload rogue PHP files to the WordPress site, leading to remote code execution and a complete site takeover.

There’s been a sudden increase in attacks related to this abandoned WordPress relic. In 2021, researchers discovered “several vulnerable endpoints” which could lead to injection of malicious JavaScript or even deletion of arbitrary files in Modern WPBakery. This time around, the aim of the game is to once again upload rogue PHP files then inject malicious JavaScript into the site.

Roughly 1.6 million sites have been scanned to check for the plugin’s presence by bad actors, and current estimates suggest somewhere in the region of 4,000 to 8,000 websites are still playing host to the plugin.

Check and remove ASAP

The current advice is to check for the plugin, and then remove it as soon as you possibly can. It’s been completely abandoned, and no security-related fixes will be forthcoming.

If you have it installed, you’re on your own, and it’s likely only a matter of time before the exploiters make their way to your Modern WPBakery hosting website and start getting up to mischief.

Do yourself and your site visitors a favour: Remove this outdated invitation to site-wide compromise as soon as you possibly can.

The post Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately! appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Roblox breached: Internal documents posted online by unknown attackers

Malwarebytes - Tue, 07/19/2022 - 11:12

A data compromise situation has impacted Roblox Corporation, the developers of the massive smash-hit video game Roblox. An as-yet unknown attacker has breached an employee account, and is in the process of exposing the data they’ve collected.

Nobody knows if they’ve exhausted their newly-plundered treasure trove, or if more leaks will follow.

Hacks and compromise: from myth to reality

The Roblox player base is young, and naturally enough worried about risks from cheats and account compromise. As a result, Roblox spends a fair amount of time debunking hacking myths. The most well known of these debunks probably relates to its John Doe and Jane Doe developer managed accounts.

Sadly for Roblox, this time around it appears that the compromise is very real with one key difference. It’s the developers under attack, rather than the players. For the time being, at least, they remain unaffected.

Internal employee information: leaked

A Roblox forum post has been playing host to around 4GB of stolen data. This data includes identification documents, spreadsheets related to Roblox creators, and various email addresses. At time of writing, there’s no specifics with regard to the “identification documents”. This could mean driving licence, passport, employee ID scan…we simply don’t know at the moment.

Roblox informed Motherboard that the documents were “illegally obtained as part of an extortion scheme that we refused to cooperate with”.

While there isn’t much information available yet, extortion tactics could suggest a double extortion attempt. The first thing to spring to mind here would be a ransomware attack. If the victim refuses to pay the ransom, the malware authors threaten to leak files. This can be incredibly damaging for all concerned, especially as files are often published even when the ransom is paid.

Of course, the extortion could spring from another source. Motherboard mentions the cache being stolen from an employee. The employee may have been phished. In this scenario, there is no ransomware involvement. Whatever the reason for the attack origin, players will naturally enough be very concerned.

What can you do to keep your Roblox account safe?

We don’t know if data has been grabbed outside of what’s already been leaked. There’s no indication from Roblox that user data has been accessed, which may only be known for certain as the investigation into the attack wraps up.

This is how you can help to keep your own account safe from harm in the meantime:

Watch out for phishing. Phishing attacks often follow on from breaches, although it may take days, or even weeks for an attempt to land in your mailbox. Be wary of mails asking you to login, or claiming that there has been a problem with your account. We suggest navigating to the official Roblox site directly instead of clicking links sent to your email address.

Set up two-step verification. This will help keep your account secure even if you were to hand over your login to a bogus website. Visit your account settings page, and then from the security tab select the type of two-step verification that you’d prefer. Roblox allows for a variety of different authenticator apps for use with your account.

Logout of public and shared devices. Roblox is great to play on the go. However, leaving your account logged in at on a public computer could result in item or account theft. Make sure you’ve fully logged out of any device which doesn’t belong to you. Public device compromise is still a very easy way to lose account access, and one which younger gamers could easily forget about as a potential threat.

The post Roblox breached: Internal documents posted online by unknown attackers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The FTC will go after companies misusing location, health, and other sensitive data

Malwarebytes - Mon, 07/18/2022 - 15:55

After the overturning of Roe V Wade, many feared that using, having access to, and sharing reproductive and sexual health data—once done freely—would be outlawed with the practice of abortion in many states. To protect such data from falling into the wrong hands,  Congresswoman Sara Jacobs (D-CA) sponsored the “My Body, My Data Act of 2022” bill.

Four days after the bill entered the House of Representatives and the Senate, US President Joe Biden signed an Executive Order Protecting Access to Reproductive Health Care Services, an order aimed at safeguarding healthcare services and protecting patient privacy and access to accurate information, among others.

Following this, the FTC (Federal Trade Commission) has warned tech companies and data brokers about potentially misusing the health data the US government seeks to protect.

The interconnectedness of devices has made life easier for most of us, but it remains a major nightmare for privacy-conscious consumers and organizations.

And while location data (among others) is generated by apps, consumers regularly generate their own sensitive data, too, in the form of apps aiding them in testing their blood sugar, recording their sleep patterns, or capturing their biometric features to access devices. In matters related to personal reproductive health, this could be in the form of apps for tracking periods, monitoring fertility, or managing contraceptive use.

The FTC asserts that a combination of these generated data “creates a new frontier of potential harms to consumers”.

“The misuse of mobile location and health information—including reproductive health data—exposes consumers to significant harm,” said the FTC in a post. “Criminals can use location or health data to facilitate phishing scams or commit identity theft. Stalkers and other criminals can use location or health data to inflict physical and emotional injury.”

The exposure of health information and medical conditions, especially data related to sexual activity or reproductive health, may subject people to discrimination, stigma, mental anguish, or other serious harms.

The FTC renewed its vow to go after companies that use American digital data unfairly or deceptively.

“The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”

The regulator will closely scrutinize corporate claims that data is “anonymized”, as research has shown that it can be trivial to de-anonymize such data, even when they’re part of a seemingly homogenous data set. The FTC would also be after companies that gather more than what they ask users to consent for or those that retain data indefinitely.

The post The FTC will go after companies misusing location, health, and other sensitive data appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Roe v. Wade: How the cops can use your data: Lock and Code S03E15

Malwarebytes - Mon, 07/18/2022 - 15:17

On the evening of June 23, in the United States, millions of women went to bed with a Constitutional right to choose to have an abortion, and they went to bed with the many assurances that are tied to that right—to speak about getting an abortion, to organize and provide support to those seeking abortions, to search for abortion services safely online, to digitally track their menstrual cycles, to record their reproductive plans, all without too much concern about who would be interested in that information.

But on June 24, that Constitutional right was removed by the Supreme Court.

Immediately, this legal story has become one of data privacy, as countless individuals ask themselves: What surrounding activity is now allowed?

Should Google be used to find abortion providers out of state? Can people write on Facebook or Instagram that they will pay for people to travel to their own states, where abortion is protected? Should people continue texting friends about their thoughts on abortion? Should they continue to use a period-tracking app? Should they switch to a different app that is now promising to technologically protect their data from legal requests? Should they clamp down on all their data? What should they do?

Today, on the Lock and Code podcast with host David Ruiz, we speak with two experts on this intersection of data privacy and legal turmoiil—Electronic Frontier Foundation staff attorney Saira Hussain and senior staff technologist Cooper Quintin.

As Quintin explains in the podcast, while much of the focus has recently been on the use of period-tracking apps, there are so many other forms of data out there that people should protect: 

“Period-tracking apps aren’t the only apps that are problematic. The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

By spotlighting how benign data points—including shopping habits and locations—have already been used to reveal pregnancies and miscarriages and to potentially identify abortion-seekers, our guests explain what data could now be of interest to law enforcement, and how people at home can keep their decisions private and secure.

Tune in to hear all this and more on the most recent episode of Lock and Code.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “SCP-x5x (Outer Thoughts)” by Kevin MacLeod (
Licensed under Creative Commons: By Attribution 4.0 License
Outro Music: “Good God” by Wowa (

The post Roe v. Wade: How the cops can use your data: Lock and Code S03E15 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Extortionists target restaurants, demand money to take down bad reviews

Malwarebytes - Mon, 07/18/2022 - 12:51

Restaurants and other eating establishments are being targeted by extortionists who post fake reviews online and then offer to remove them in exchange for a gift card.

The possibility has always existed to leave poor reviews on Google Maps and elsewhere. However, seeing fraudsters get organised and issue extortion threats alongside the review is a new development.

According to the New York Times, businesses are being “deluged” with the poor reviews. Extortion threats are then mailed to the business owners, apologising for the actions but insisting that $75 Google Play gift cards be purchased in order to have the poor reviews erased.

Card codes are mailed to a ProtonMail account, where the scammers pick up their bounty. The codes are likely sold on at this point to turn a tidy profit. We don’t know if anyone actually sent a card code to the relevant mail address, nor if any reviews were removed by the fraudsters in cases where a payment was made.

The group claims to be based in India, and is currently targeting businesses in San Francisco, New York, and Chicago.

The bad review bombing technique

Review bombing is something you’ve probably heard about in relation to gaming. When fans of certain titles become annoyed with changes in a game, or something is released which they object to, some turn to leaving bad reviews.

These reviews tend to be organised by groups, and plaster a product’s page with poor ratings. This has a negative impact on the title, and comes with a variety of side effects. It might even make the product less visible to other shoppers due to the product review score tanking.

Platforms selling games have had to take significant action against these tactics in recent years, developing new ways to spot inauthentic reviews and hiding them away from the public.

Defending your business from bad review practices

Google offers several guides for both reviewers and business owners where reviews are concerned.

Firstly, there’s detailed information about adding a review on Maps. While this is useful to know as a business owner, the really important information is on the How to remove reviews guide. Review removal requests are initiated via the Manage Reviews page. Before you submit, you need to check through the Prohibited and Restricted content section and see which category extortion attempts would fall under.

We suspect Civil Discourse > Harassment, or Deceptive Content > Misrepresentation would be good places to start.

  • We don’t allow users to post content to harass other people or businesses, or encourage others to participate in harassment.
  • Misleading information can impact the quality of information on Google Maps. For this reason, we don’t allow individuals to use Google Maps to mislead or deceive others, or make misrepresentations.

This includes:

  • False or misleading accounts of the description or quality of a good or service. 

No matter which rules you feel that your extortion-laced missives fall under, here’s how to report in both Maps and Search:

Flag a review in Google Maps
  1. On your computer, open Google Maps.
  2. Find your Business Profile.
  3. Find the review you’d like to report.
  4. Click More > Flag as inappropriate.
Flag a review in Google Search
  1. On your computer, go to Google.
  2. Find your Business Profile.
  3. Click Google Reviews.
  4. Find the review you’d like to report.
  5. Click More > Report review. Select the type of violation you want to report.

The post Extortionists target restaurants, demand money to take down bad reviews appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Elden Ring maker Bandai Namco hit by ransomware and data leaks

Malwarebytes - Thu, 07/14/2022 - 16:09

It’s not been a great couple of months for gaming giant Bandai Namco. The name behind smash hit titles like Elden Ring and Dark Souls has endured a long run of cheats and hacks.

Hacking concerns led to Remote Code Execution issues, and multiplayer features in Souls titles were disabled for months. In March, in-game cheats in Elden Ring meant players had to turn off multiplayer to avoid new attacks.

We’re now in July and Bandai Namco has experienced its most severe issue yet, confirming it has fallen victim to a severe ransomware attack.

Eurogamer published a Bandai Namco statement, which reads as follows:

On 3rd July, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorised access by third party to the internal systems of several Group companies in Asian regions (excluding Japan).

“After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause.

“We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate. We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence.

Double threat

While triple threat attacks are becoming increasingly popular, double threat (locking up data and then threatening to make it public if the ransom isn’t paid) are still big business. What we have here is a classic double threat, being run by a group with no qualms about following through on its promises.

ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.

Bandai Namco is an international video game publisher. Bandai Namco video game franchises include Ace Combat, Dark Souls, Dragon Ball*, Soulcaliber, and more.

— vx-underground (@vxunderground) July 11, 2022

In the tweet above, the screenshot refers to the compromise as “data soon”. The fear is that data is going to be leaked at some point in the near future. There is currently no word how much data has been grabbed, or what the ransomware authors are asking as payment.

Whether the data is related to employees, third parties, or even customers, we simply don’t know. Games publishers and developers are also host to significant amounts of confidential data for unreleased and unannounced games. This is an additional angle to consider. Would attackers value secret game IP over user data? Possibly.

The bad news carousel

This lands at a really bad time for Bandai Namco. It’s not so long ago that the Dark Souls multiplayer servers were in the process of being switched back on. This could well throw a large ransomware shaped spanner into the works for those plans.

There has to be concern over the considerable skillet of the BlackCat attackers, considering some of its likely past exploits. BlackCat stands accused of attacks on some of Europe’s largest ports back in February of this year. January saw data published belonging to a luxury fashion brand, and it wasn’t so long ago that it was publishing stolen data related to a luxury spa and resort located in the US.

This is one group which will absolutely carry out its double threat extortion threats. BlackCat is also ramping up its typical ransom amount, currently weighing in at around $2.5m. It remains to be seen how Bandai Namco handles this situation. Unfortunately for the publisher and their customers, the ransomware authors are firmly in the driving seat.

The post Elden Ring maker Bandai Namco hit by ransomware and data leaks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Predatory Sparrow massively disrupts steel factories while keeping workers safe

Malwarebytes - Thu, 07/14/2022 - 16:05

Stuxnet‘s attack on Iran’s uranium enrichment facilities manifested fears of cyberattacks leaking into the real world. What once was theory is now upon us.

Two weeks ago, multiple Iranian steel facilities experienced a cyberattack that might have been pulled off by what many cybersecurity experts in the field believe is “a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an operation.”

The group who claimed responsibility for the attack goes by the nom de hack Predatory Sparrow.

Predatory Sparrow’s logo, which it uses on its Telegram and Twitter accounts. (Source: The BBC)

The victim organizations are the Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO).

Some say Predatory Sparrow’s name is a play on “Charming Kitten”, the name of the notorious Iranian APT (advanced persistent threat) group. Although Predatory Sparrow has its own social media accounts, these are not searchable under the English nom but under its Persian equivalent, Gonjeshke Darande.

The attackers caused the foundry to spew hot molten steel and fire onto the factory floor, but not until workers had already cleared the area, unbeknownst of what was about to happen. The timing of the group’s attack is deliberate.

A video captured during one of these attacks was shared on its social platforms as proof. It already has 200,000 views.

“Today, 27/06/2022, we, ‘Gonjeshke Darande’, carried out cyberattacks against Iran’s steel industry which affiliated [sic] with the IRGC and the Basij,” a caption within the video reads. “These companies are subject to international sanctions and continue their operations despite the restrictions.”

These cyberattacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.

The public office of the Iranian National Cyberspace Center confirmed the attacks, blaming the incidents on “foreign enemies.” The outcome triggered a temporary shutdown of facilities. The public office also claimed, “Security systems quickly took action to contain and repel the effects.”

According to sources close to the two organizations affected by the attack, the only reason severe damage wasn’t done to the production line was that they were switched off at night due to power supply restrictions. The attack “is understood” to have occurred between midnight and 6AM, Tehran time. Systems affected by the attack are the production and security systems.

At this point, no one knows whether Predatory Sparrow is a state-sponsored group. Is it just merely a group of hacktivists out to punish corporations they see are crossing the line?

“If this does turn out to be a state sponsored cyber-attack causing physical – or in the war studies jargon ‘kinetic’ damage – this could be hugely significant,” Emily Taylor, editor of the Cyber Policy Journal, told the BBC.

Ersin Cahmutoglu, a cybersecurity researcher from ADEO Cyber Security Services, also has a theory. “If this cyberattack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war, and officially both states acknowledge this.”

“Both states mutually organise cyberattacks through their intelligence services and everything has escalated since 2020 when retaliation came from Israel after Iran launched a failed cyberattack on Israeli water infrastructure systems and attempted to interfere with the chlorine level.”

UK-based Iranian activist and independent cyberespionage investigator Nariman Gharib also shared his thoughts: “If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how things can quickly escalate.”

Last week, Predatory Sparrow leaked “top secret documents and tens of thousands of emails”, along with “trading practices” from the steel makers it attacked.

The post Predatory Sparrow massively disrupts steel factories while keeping workers safe appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs

Malwarebytes - Thu, 07/14/2022 - 15:03

Security researcher Maxime Ingrao has found a new variant of Android/Trojan.Spy.Joker which he’s dubbed Autolycos. Malware in this family secretly subscribes users to premium services. The researcher noted that the eight applications that contained this malware had racked up a total of over 3 million downloads.

Toll fraud malware

Toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. At the moment, toll fraud malware—also known as fleeceware—is one of the most prevalent types of Android malware. And not only does the number of infections keep going up, so does the sophistication of the malware.


Android/Trojan.Spy.Joker was the first major family that specialized in this field. It was first found in the Play Store in 2017. Joker is capable of clicking on online ads, and asks for SMS permissions during installation so it can access One Time Passwords (OTPs) to secretly approve payments. The user will never know that they have been subscribed to some service online until they check their bank statements or phone invoice.


Google uses the name Bread for the Joker malware family. In January, 2020, Google Play Protect detected and removed 1,700 unique Bread apps from the Play Store. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint which makes it hard to detect. But SMS and toll fraud generally require some basic functionality like disabling WiFi which needs one of a handful of APIs. Since Joker expects security researchers to look for those APIs, it uses a wide variety of techniques to mask the usage of them.

Slow response

The small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store. But that doesn’t explain why it took Google over a year to remove the eight apps reported by Maxime Ingrao. He reported the apps in June, 2021, and the last two were removed on July 13, 2022. It’s possible they would still be available if the researcher hadn’t gone public because he said he got tired of waiting.


As mentioned earlier, the malware is still undergoing development. What is new about this type is that it no longer requires a WebView. WebViews are exactly what the name indicates—a small view to a piece of Web content. A WebView can be a tiny part of the app screen, a whole page, or anything in between. Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.

Malicious apps

BleepingComputer posted the list of malicious apps found by Maxime Ingrao, which users may still have installed:

  • Vlog Star Video Editor ( – 1 million downloads
  • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
  • Wow Beauty Camera ( – 100,000 downloads
  • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
  • Freeglow Camera 1.0.0 ( – 5,000 downloads
  • Coco Camera v1.1 ( –  1,000 downloads
  • Funny Camera by KellyTech –  500,000 downloads
  • Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads

Pradeo researchers have also identified four new malicious applications that embed the Joker malware:

  • Smart SMS Messages 50.000+ installs
  • Blood Pressure Monitor 10.000+ installs
  • Voice Languages Translator 10.000+ installs
  • Quick Test SMS 10.000+ installs
How to avoid toll fraud malware

Users that have any of the listed apps installed are advised to remove them as soon as possible. To avoid getting infected and duped by toll fraud malware there are a few countermeasures you can take:

  • Keep Play Protect active.
  • Pay attention to apps asking for permissions, in this case especially SMS permissions.
  • Minimize the number of apps you install, however useful they may seem. The Autolycos operators created numerous advertising campaigns on social media.
  • Do not rely on user reviews alone, since the malware authors use bots to maintain a good user rating.

Also, always keep an eye on your background internet data, battery consumption, phone invoices, and bank statements, just in case. The sooner you stop it, the smaller the damages.

The post New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

China’s Tonto Team increases espionage activities against Russia

Malwarebytes - Thu, 07/14/2022 - 14:38

According to analyses of several cybersecurity firms and CERT (Computer Emergency Response Team) Ukraine (CERT-UA), the state-sponsored threat actor group Tonto Team, which has been linked to China-backed cyber operations, is ramping up its spying campaign against Russian government agencies. 

The campaign, which involves an email, a Word document file in RTF (Rich Text File) format, and a backdoor payload, starts off with socially engineering recipients to convince them to open a malformed attachment, triggering the execution of an MS Office exploit, particularly in the Equation Editor.

According to SentinelOne, the RTF file masquerades as a government advisory or security warning to agencies and infrastructure providers of potential attacks.

This is the malicious RFT document attached to an email sent over by the Tonto Team to targets, shared by one of our threat intelligence researchers on Twitter.
(Source: Hossein Jazi | Malwarebytes)

The fake advisory is written in Russian. Below is the Google-translated text in English:

(Source: Hossein Jazi | Malwarebytes) Dear colleagues! In addition, we remind you that recently there have been more cases of attempts to steal logins / passwords for access of employees of the Minsitry to official mail and the Service Portal. Attackers on behalf of representatives of the Department of the Ministry of Foreign Affairs, government and other organizations send letters to e-mail addresses, in which they convince you to familiarize yourself with various documents and information. Under no circumstances do not enter your service login / password in such cases. Please note that the documents must be attached to the letter and opened from the body of the letter. Compliance with these rules will allow you to maintain the confidentiality of not only your data, but also the data of other employees of the Ministry.

The Tonto Team used Royal Road (sometimes called “8.t”) to create the malicious RTF file. First analyzed by nao_sec, Royal Road is a document builder that gives threat actors the ability to embed malicious code within RTF files, aiding actors in compromising target systems.

The exploit is triggered upon opening the file, and the malware payload, Bisonal, is dropped. Bisonal, a tool many Chinese threat actors use, is a RAT (remote access Trojan). Apart from Chinese APTs (Advanced Persistent Threats), no other threat actor has used Bisonal.

The Tonto Team, an APT group that has been around almost as long as Bisonal, has many aliases: Karma Panda, Bronze Huntley, CactusPete, and Earth Akhlut. The group is known for targeting Asian nations (South Korea, Taiwan, and Japan) and Russia. So, this isn’t the first time China has been in the case of the former Soviet state. Rather, this is about a notable increase in targeting activity against Russia.

“What we’re seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia,” SentinelOne Senior Threat Researcher Tom Hegel told Dark Reading in an interview. “Perhaps an increased prioritization or expansion of resources assigned to such tasking.”

China is prioritizing its espionage campaign against Russia due to the ongoing Russian invasion of Ukraine. And while Chinese officials see themselves with Russia as “comprehensive strategic partners of coordination”, their diplomatic relations have strengthened through the years, mainly to suppress the expansion of Western alliances.

What China is doing is “simply China looking out for itself in uncertain times,” Hegel is also quoted saying. “Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize.”

Chinese hacking groups have been using Royal Road and Bisonal for years, which says a lot. Its longevity points to the shared use of resources among these groups, making attribution very difficult. The repeated use of these tools through the years also suggests that campaigns against targeted nations have been successful, which gives us an idea of the state of security of these countries.

“The fact that these toolkits evolve and continue to operate really speaks to how well they’re resourced, and the state of the defense side,” Hegel told CyberScoop in a separate interview. “Nothing can really stop them from continuing to use this. It’s still successful in many cases, as we see here. You look at the exploits they’re using in these documents, they’re years old exploits. They’re popping people that are out of date by quite a few years.”

The post China’s Tonto Team increases espionage activities against Russia appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds