Malware Bytes

The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT

Malware Bytes Security - Tue, 10/22/2019 - 11:00am

This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas.

In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups.

This time, we looked at Magecart Group 5 by examining a number of domains and their ties with other malicious activity. The data predates changes on whois (before GDPR took effect) and allows us to identify registrant data that is connected to Dridex phishing campaigns and the Carbanak group.

Magecart Group 5 tactics

With some exceptions, such as the Ticketmaster breach, Group 5 has a different modus operandi; it targets the supply chain used by e-commerce merchants to load various libraries, analytics, or security seals. Attacks consist of compromising a third-party supplier and affecting hundreds or even thousands of websites downstream.

In a September 2018 blog, we wrote about a trust seal that was loaded (with its malicious code) by a large number of merchants. A trust seal is essentially a confidence indicator in the shape of a badge that gives shoppers reassurance that the online store is safe and malware-free.

The skimmer script belonging to Magecart Group 5 was largely obfuscated and set to exfiltrate data, such as name, address, credit card number, expiry date, and CVV back to the criminals every time someone made a purchase on one of the compromised stores.

This kind of supply-chain attack, where thousands of stores load altered code, has a much higher return than targeting stores individually.

Bulletproof registrar and Magecart

We spent some time digging into a number of Magecart domains registered via the well-known Chinese registrar BIZCN/CNOBIN. Similar to our research on the bulletproof host in Eastern Ukraine, we looked at how this provider was essentially a bulletproof registrar. Previous activity on BIZCN includes rogue Canadian pharmacy websites in addition to exploit kit activity tagged as the “AfraidGate.”

We narrowed down the domains to a smaller subset previously identified as used by Magecart Group 5. The threat actors registered the domain informaer under eight different top-level domains (TLDs) using privacy protection services (see IOCs for full list). However, they may have forgotten to apply the same to, which revealed the following:

Registrar URL:
Updated Date: 2017-02-27T08:35:38Z
Creation Date: 2017-02-21T12:48:51Z
Registry Expiry Date: 2018-02-21T12:48:51Z
Registrar:, Inc.
Registrant Name: Guo Tang
Registrant Organization: Xinxin Co.
Registrant Street: Dazhongsi 13
Registrant City: Beijing
Registrant State/Province: Haidian
Registrant Postal Code: 101402
Registrant Country: CN
Registrant Phone: +86.1066569215
Registrant Fax: +86.1066549216
Registrant Email:

Connection with Dridex malware and Carbanak Group

If we pivot from this email address, we can identify other domains—in particular, several that connect to Dridex phishing campaigns.

Dridex is a robust banking Trojan that has been around for many years. To this day, it continues to be distributed via malicious spam campaigns using fake invoices.

Looking closer at the email address, we can see that it was used to register domains used in the following Dridex phishing campaigns:

Carbanak is a sophisticated threat group targeting banks and using a backdoor of the same name for espionage and data exfiltration. In a 2017 blog post, the Swiss CERT posted about phishing campaigns where Dridex was used to deliver the Carbanak malware.

During our incident response in 2016, we could identify Dridex to be the initial infection vector, which had arrived in the victim’s mailbox by malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and conducting the actual fraud.

A diagram from Swiss CERT also shows how the Dridex loader does some victim triaging to either deliver Dridex proper (for consumers or low interest targets) or Carbanak for companies and high-value targets.

Another interesting data point from the registrant details is the phone number. The number (+86.1066569215) is mentioned by Brian Krebs in a blog post examining connections between a Russian security firm and the Carbanak group.
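The pivot the post performs, from one domain's registrant email and phone number to other domains sharing them, as an added example that is not code from the Malwarebytes post. It parses the flat "Key: Value" WHOIS layout shown above and clusters domains on shared registrant values while ignoring privacy-service placeholders; all records, domain names and the email address are constructed, and only the phone number comes from the post.

```python
"""Cluster domains by shared WHOIS registrant fields (added example)."""
from collections import defaultdict

# Constructed WHOIS records in the same "Key: Value" layout as the post.
# Domains and the email address are placeholders; the phone number is the
# one quoted in the post.
SAMPLE_RECORDS = {
    "informaer.example": """\
Creation Date: 2017-02-21T12:48:51Z
Registrant Name: Guo Tang
Registrant Organization: Xinxin Co.
Registrant Country: CN
Registrant Phone: +86.1066569215
Registrant Email: registrant-placeholder@example.invalid
""",
    "phish-one.example": """\
Creation Date: 2016-11-03T09:12:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: registrant-placeholder@example.invalid
""",
    "phish-two.example": """\
Creation Date: 2017-01-15T17:40:21Z
Registrant Name: Someone Else
Registrant Phone: +86.1066569215
Registrant Email: other@example.invalid
""",
    "unrelated.example": """\
Creation Date: 2018-05-01T00:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
""",
}

PIVOT_FIELDS = ("Registrant Email", "Registrant Phone")

# Values substituted by privacy services; never pivot on these, or every
# privacy-protected domain would end up in one meaningless cluster.
NON_PIVOT_VALUES = {"", "redacted for privacy", "n/a", "not disclosed"}


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only, so timestamps keep their colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and key not in record:
            record[key] = value
    return record


def build_pivot_index(records):
    """Map (field, normalised value) -> sorted domains that share that value."""
    index = defaultdict(set)
    for domain, text in records.items():
        parsed = parse_whois(text)
        for field in PIVOT_FIELDS:
            value = parsed.get(field, "").strip().lower()
            if value in NON_PIVOT_VALUES:
                continue
            index[(field, value)].add(domain)
    return {key: sorted(domains) for key, domains in index.items()}


def related_domains(records, seed):
    """Return every domain sharing a pivot value with `seed`, excluding `seed`."""
    related = set()
    for domains in build_pivot_index(records).values():
        if seed in domains:
            related.update(d for d in domains if d != seed)
    return sorted(related)


if __name__ == "__main__":
    for (field, value), domains in sorted(build_pivot_index(SAMPLE_RECORDS).items()):
        if len(domains) > 1:
            print(f"{field} = {value}: {', '.join(domains)}")
    print("related to informaer.example:",
          related_domains(SAMPLE_RECORDS, "informaer.example"))
```

A privacy-protected record such as unrelated.example yields no cluster at all, which is exactly why the one forgotten domain in the post mattered.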

Looking beyond

As Magecart activity increases and new groups emerge, it can sometimes be helpful to go back in time to examine breadcrumbs that may have been left behind.

Victimology also helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit.

In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground.

Indicators of Compromise

Magecart Group 5 domains


Registrant information

Domains used in Dridex phishing campaign


The post The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (October 14 – 20)

Malware Bytes Security - Mon, 10/21/2019 - 11:45am

Last week on Malwarebytes Labs, we tried to unlock the future of the password (its vulnerabilities, current alternatives, and possible future disappearance), analyzed the lagging response by many businesses in adopting a patch for the Pulse VPN vulnerability, looked at Instagram’s bulked-up security against phishing email scams, and were reminded that ransomware remains a dominant threat facing businesses and consumers today.

We also continued our work at the intersection of National Cybersecurity Awareness Month and National Domestic Violence Month by providing guidelines on the current cyberthreats facing all organizations—particularly those that protect the data of domestic abuse survivors and their advocates.

Other cybersecurity news

Stay safe, everyone!


Pulse VPN patched their vulnerability, but businesses are trailing behind

Malware Bytes Security - Fri, 10/18/2019 - 12:36pm

In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it’s October, and still many organizations have not applied the patches that are available for this vulnerability.

This is a trend we’ve seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions.

With so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren’t people patching?

What are the vulnerabilities?

Reading the above, you might suspect that the vulnerabilities were not serious, or were hard to exploit. But that’s not the impression we get from the Pulse Secure advisory. It states:

“Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.”

Pulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can log in and work remotely. Pulse Policy Secure is a well-known Network Access Control solution, which not only controls who can connect but also assigns the appropriate permissions.

When it comes to software like this, an authentication bypass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. In this case, HTTPS access and a specially crafted URL would be enough to read an arbitrary file on a vulnerable system.

Needless to say, that is a serious problem—and we haven’t even touched on the remote code execution possibility. Every hacker’s dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.

Where would they get the necessary knowledge?

By design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed in detail at Black Hat in early August, the method to exploit the vulnerability became general knowledge.

Since using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a few vulnerabilities in other SSL VPN products. Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.


On Saturday, August 24, 2019, scans performed by Bad Packets found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies.

A week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on—and this was after advisories had been issued by the NSA and the NCSC.


A basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that?

Industry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:

  • Customers need to be made aware of the patch and the required urgency.
  • Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.
  • Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.

The natural next question, then, is why aren’t organizations applying patches as soon as they know about them?

Recommended reading: Tackling the shortage in skilled IT staff: whole team security

So, what’s stopping them from applying the patch?

Assuming that an organization’s IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns.

There could be several other reasons for not applying patches as soon as they are available:

  • Understaffed IT and security teams
  • Looking into the consequences first, which could slow down the process due to lack of feedback
  • Waiting for others to share their experiences before applying patches
  • Unaware of the patch’s existence, sometimes as a result of not having time to follow up on emails and warning signs
  • Lack of a point of contact. Whose problem is it? And whose job is it to solve it?

As you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of other reasons. And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.

The Pulse vulnerability is not alone

It’s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto.

In an advisory from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching:

“Security patches should always be applied promptly. More guidance is available on the NCSC website. The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.”

So, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments.


Why all organizations must better protect sensitive data

Malware Bytes Security - Thu, 10/17/2019 - 1:30pm

About two weeks ago, National Cybersecurity Awareness Month (NCSAM) kicked off with a new message stressing personal responsibility for users keeping themselves safe online: “Own IT. Secure IT. Protect IT.” NCSAM asked users to consider best practices for both securing their own devices and protecting sensitive data.

But personal responsibility in cybersecurity extends beyond individuals—it reaches right into the workplace, affecting nearly every company, business, or organization that handles user, customer, and employee data. Without an organization’s help, individuals can still be left defenseless to several attacks.

The user who creates and stores long passphrases in a password manager is still vulnerable to a data breach that releases their sensitive details, like their email address, physical address, and full name. The online customer who only connects to secure Wi-Fi networks is still vulnerable to a corporate hack of that retailer from threat actors seeking credit card numbers. The employee who uses multi-factor authentication on their sensitive online accounts is still vulnerable to a company-wide ransomware attack.

The truth is that companies, businesses, and organizations have an obligation to protect the sensitive data that belongs to their employees, users, and customers.

For some organizations, that obligation is a matter of real, physical safety.

For National Domestic Violence Awareness Month, Malwarebytes announced a recommitment to protecting users from stalkerware—the nefarious threat often leveraged by domestic abusers to surveil their partners. In continuing our work in this field, today we are looking at how the NCSAM principles can be translated into practical, actionable recommendations for organizations that handle and protect the data of already at-risk individuals—domestic abuse survivors.

Though these recommendations focus on domestic abuse agencies, they touch on many of the same problems experienced by small- and mid-sized organizations. They deal with lost devices, data retention and deletion, device security, and location tracking. So even if you’re not working for a domestic abuse agency, we highly recommend you read on. Your customers will thank you for helping to protect their sensitive data and their privacy.

Threats and recommendations

Threat actors today have changed their tactics. No longer do they just phish from a list of swiped personal email addresses. No longer do they rely solely on random employee missteps of opening an email attachment or clicking a link.

Instead, threat actors target organizations and zero in on their vulnerabilities in endpoint and network security. They phish, yes, but they spear phish—convincingly spoofing third-party vendors or banks or even the CEO. They attack major organizations and companies, looking to steal the sensitive data that they know is stored within, or cripple an organization’s infrastructure in hopes of getting a ransom payout.

As the threat landscape has evolved, so, too, must the organizations at risk.

Below are several threats facing domestic abuse agencies and other businesses today. We hope some of the following recommendations, which have also been shared by the National Network to End Domestic Violence (NNEDV), can help organizations everywhere stay safe.

Advocates using personal devices for their jobs

Despite the important work performed by domestic abuse shelters and agencies around the world, those same shelters and agencies often suffer from narrow funding, which can directly limit the types of technology available to their employees.

When Malwarebytes Labs recently visited the Morgan Hill Community Center to discuss stalkerware with local domestic violence advocates, about one fifth of the audience showed us that they relied on their personal mobile devices to support domestic abuse survivors.

The risks of relying solely on personal devices for this type of work are myriad.

The loss of a personal device, either through forgetfulness or from theft, could reveal sensitive information, including the contact information, text messages, emails, and voicemails of survivors, along with the GPS location data and contact information of advocates, as well as the contact information for an advocate’s family, friends, and coworkers.

NNEDV, which has published multiple guides for tech safety for both survivors and advocates, explained why the use of personal devices creates unseen vulnerabilities.

“If advocates’ friends and family members have access to an advocate’s phone, they could see survivor information in the contacts, email, or text messages,” the organization wrote in its “Cell Phone Best Practices” guide. “In addition, if the advocate’s phone was part of a family plan, the account holder (which may not be the advocate) could have access to phone records and other details that could include survivor information, breaching confidentiality.”

Agencies have several options to limit these risks.

First, agencies should provide advocates with mobile devices to do their jobs. Understandably, not every agency can afford to give every employee the latest smart device, so, instead, agencies should only offer what advocates need to be successful in their roles.

If employees are frequently in contact with survivors, receiving both text messages and phone calls, they at least need a mobile device. If employees are meeting survivors in the field or traveling between shelters, they would benefit from a phone that has GPS features and a mobile app for directions and maps. Further, if an employee has no direct contact with survivors, maybe they don’t need an agency-provided phone at all.

Also, agency-provided devices should require passcodes to unlock.

Passcodes, as we explained before, are the first line of defense to prevent unwanted parties from accessing a device. For the type of work performed by domestic abuse advocates, this security step is vital. An unsecured device could reveal which domestic abuse survivors are reaching out, their contact info including their phone number and email address, and their plans for safety.

Each agency-provided device should have a unique passcode, and the passcodes should be known to the agency’s IT and technology staff, stored on a separate device (like a desktop or laptop) and kept safe in a password manager.  

If agencies cannot provide phones, they can still implement policies on how personal devices are secured. For instance, passcodes should also be required on personal devices used for agency work. The passcode should be at least six digits long, and it should be required for every device unlock.

Lost devices

With both personal devices and agency-provided devices, the loss or theft of a mobile device could reveal potentially countless survivors’ sensitive details. Agencies should consider not only the security risks of a lost device, but also the potential breach of confidentiality and privacy for survivors.

To mitigate the damage of a lost or stolen device, agencies should install remote wiping capabilities on the devices they own and provide. These tools, like Find My iPhone on iPhones, Find My Mobile on Samsung devices, and Find My Device on Google Pixel devices, allow a device’s owner to remotely locate a device, lock it, and wipe all its stored data if lost or stolen.

Further, agencies should remember that lost devices have a separate, equally vital risk. Not only is the data that is locally stored vulnerable, but so is the data that is accessible through online accounts and networks connected to that device. Whatever platforms an employee connects to on their device, like their work email, their Slack groups, even their HR and benefits portal, are also left vulnerable to an attack if a device is lost or stolen.

To stem this risk, agencies should install a single sign-on (SSO) solution for employees who access the variety of work platforms necessary to do their jobs.

As we said before on this topic:

“Single sign-on offers two immediate benefits. One, your employees don’t need to remember a series of passwords for every application, from the company’s travel request service to its intranet homepage. Two, you can set up a SSO service to require a secondary form of authentication—often a text message sent to a separate mobile device with a unique code—when employees sign in.

By utilizing these two features, even if your employee has their company device stolen, the thief won’t be able to log into any important online accounts that store other sensitive company data.”

Agencies could consider using any of the most popular single sign-on providers for small and medium businesses, including Okta and OneLogin.

Stored text conversations and call logs

Smart devices today store an enormous amount of information by default, including text messages that are several years old, and call logs that go just as far back.

The sensitivities of survivors’ text messages are obvious. These are the conversations of often at-risk individuals who are seeking help in developing a safety plan or receiving emotional support. These are private conversations that should be protected.

Similarly, a device’s automatically stored call logs can reveal sensitive, private information, even if the phone call itself is not recorded.

Call log history that shows a middle-of-the-night phone call to a suicide prevention hotline, a weekly call to an HIV emotional support line, or a between-work-and-home phone call to the National Domestic Violence Hotline all immediately reveal the potential content and topics of those conversations, even without a transcript of what was said.

To provide security and privacy for domestic abuse survivors, agencies should delete stored text messages when they are no longer needed. Agencies could also consider using a secure, end-to-end encrypted messaging app, like Signal, which allows for chat messages to automatically disappear after a scheduled time. For this process to work, though, survivors would also have to download and use the same secure messaging app.

Like with stored text conversations, agencies should regularly delete incoming and outgoing call logs. Further, agencies should not save survivor contact info on the actual devices being used.  

We understand that some agencies work directly with law enforcement, sometimes offering stored text messages and call logs as a means to provide evidence of domestic abuse. If that is part of your agency’s support services, let your survivors know this ahead of time.

Location tracking

Most domestic abuse advocates cannot do their work only from a desk. Often, advocates work outside, meeting survivors in safe locations, traveling between an organization’s multiple chapters, and potentially visiting conferences and training sessions.

For the advocates who rely on GPS services on mobile devices for directions, their digital location history can reveal potentially private information, including the locations both of survivors and currently nonpublic safe houses. One of the most popular GPS mapping apps today, Google Maps, has a feature called “Your Timeline,” which, if turned on, allows a user to view their own location history, including what locations they visited, what time they were there, and what route they took.

Though “Your Timeline” is only visible to users and not third parties, the problem of a lost or stolen device remains—if someone else can access an unsecured mobile device, then they could access that device’s location history, too.

Domestic abuse agencies should turn off location history for the devices they provide to advocates, and they should stress that advocates who rely on personal devices do the same.

For a full understanding of how to do this on Android and iPhone devices, you can read The Guardian’s piece here, which delves into how to turn off all location tracking.

Organizational cybersecurity threats

Protecting your organization is about more than being smart with the devices your employees use and the data that lives there. It also includes protecting your organization’s infrastructure from threat actors and human error.

Domestic abuse agencies should protect themselves with an anti-malware, anti-virus solution. With a proper solution, employee devices, including both desktop/laptop machines and mobile phones, can be protected from an infection or an attack before it even happens.


Domestic abuse agencies complete an extraordinary amount of work in providing services, emotional support, and safety planning to survivors. Today, much of that work leaves behind a digital trail, and it is up to those same agencies to make sure that the data belonging to survivors is equally protected.

Though the list of cybersecurity threats and recommendations can seem overwhelming, it can be split up into easy takeaways:

  • Advocates should, whenever possible, be provided with devices to do their jobs
  • All devices should be required to have a passcode to unlock
  • The threat of a lost device can be mitigated by installing remote wiping capabilities and using a single sign-on solution to protect connected online account information
  • Stored text messages and call logs should be regularly purged
  • Location tracking on advocates’ devices should be turned off
  • Agencies should install anti-malware protection on their machines

Many years ago, the intersection of National Cybersecurity Awareness Month and National Domestic Violence Awareness Month had little overlap. Today, the two are closely intertwined. For domestic abuse agencies, the protection of data is analogous to the protection of domestic abuse survivors.

Though NCSAM’s cybersecurity principles may stress personal responsibility, it is the duty of organizations everywhere to understand their own responsibility in today’s world. Secure those who rely on you. Protect them. They should not be left alone.


When can we get rid of passwords for good?

Malware Bytes Security - Wed, 10/16/2019 - 4:17pm

Or perhaps I should have asked, “Can we ever get rid of passwords for good?”

The security world knows passwords are a problem. Products ship with default passwords that are never changed. People reuse old passwords or adopt easy-to-guess passwords that hackers easily defeat via brute force. Or users simply can’t keep up with having to remember 27 different passwords for various online accounts.

Many times before, we’ve discussed ways to make passwords more secure. Use longer and more complex phrases that don’t include personally identifiable information. Consider a single sign-on or password management service. Use two- or multi-factor authentication (MFA), because simple login credentials are not secure enough.

However, these approaches do nothing to eliminate our reliance on passwords as the line of defense between public and private information. And ultimately, passwords will always be susceptible to human error.

To combat the password problem, mobile device and application developers have begun adopting biometric measures to replace numeric passcodes, including the use of fingerprints, graphics, and facial recognition. I’m pretty sure that a lot of companies are working on a fix-all solution for this problem, or maybe even feel they have already found it. But so far none of them has turned out to be even remotely as popular as the password.

Before we consider a password-less future, let’s have a look at some of the existing security measures and alternatives for passwords. Because one thing’s for sure: Nobody is happy about having to remember different passwords for every site, app, and device.

But if users continue writing down their passwords in notebooks or post-it notes, re-using passwords across platforms, or sticking with easy-to-remember combos like 1-2-3-4-5, then cybercriminals will continue having a field day with their data.

Password managers

Password managers are a lifesaver for those of us who care enough to use a different password for every site. But are they really an alternative to passwords? You still need the original passwords, right? Actually, you need one extra password, because password managers require that you create one master password to rule them all. However, the benefit is that, after entering all your account credentials into the password manager once, you need only remember the master password moving forward.

You might argue that if you lose access to your password manager or if it is compromised somehow, this only makes matters much, much worse. Indeed, there is some risk. However, password managers often encrypt or scramble original passwords for accounts, and those that use 2FA or multi-factor authentication have additional security measures to prevent a breach.

Password managers aren’t perfect, but they are generally much more secure than the current standard alternative. We continue to recommend consumers use password managers with MFA as cybersecurity best practice.

Single sign-on (SSO)

SSO software is popular at workplaces to manage the variety of third-party applications embraced by organizations, as well as to better protect remote workers’ access to company resources. By logging into a central site when you start your workday, you are granted access to a dashboard of company applications and servers approved for your endpoint, usually for the rest of the day. The advantage for the organization is that the granted access can be adjusted based on individual user needs and clearance.

The use of SSO software makes it extra important to lock your computer when you leave your desk, or never leave your laptop unattended in a coffee shop. This is because the login credentials it manages are granted to the machine, as if you are the sole user. So, John the Prankster could have a look at your last pay slip if you leave your workstation behind unlocked. Or worse, if your computer is stolen and you are still signed on, the criminal can view all the workplace data you have access to.

Password recovery

Unfortunately, many users have fallen back on password recovery as a way of accessing their accounts. If they can’t write the password down, but must remember a complex and different password for each account (and haven’t yet adopted password management, either because they are unaware of the service, unwilling to pay for it, or unconvinced of its privacy and security benefits), then what other choice do they have but to reset every time?

Some people abuse the password recovery feature for every website they need to log onto. You probably know the drill:

  • Click on “I forgot my password.”
  • Receive an email with a URL you have to click before it expires, or worse, the site sends you a new temporary password in plaintext.
  • Log in, change the temporary password, and you are on your merry way.
  • Repeat when you want to visit again.

I recently became painfully aware of a possible downside to this method when I lost access to one of my email accounts. Yikes! What happens when you don’t have a password and can’t retrieve its replacement because you are either locked out of your email account, shut it down, or can’t remember the password for your email address either?

Luckily, I didn’t have to find out. I was able to log in and change my email account where necessary. But for those depending on password recovery, that puts a lot of onus on remembering email account passwords and trusting that email credentials will never, ever be compromised or stolen. Because what happens when your email is hacked? Now all your password reset links are being sent directly to a cybercriminal. Talk about backfiring.

Biometrics

Biometrics refers to using physical characteristics to identify users and allow them access to and control of their computers. Instead of letters, numbers, and symbols typed on a keyboard, devices using biometric authentication measure and calculate physical attributes of the body, from typing pressure to the tiny ridges of a fingerprint, to facial recognition and vocal cadence.

While biometrics are definitely gaining traction, especially as one of the authentication factors in MFA, there is one major problem lurking on the horizon. What if someone manages to “steal” your biometric authentication by lifting a fingerprint? Or if you “lose” access to it through some kind of accident or reconstructive surgery? What are you supposed to do—grow a new pair of eyes?! Even your number of fingers could change at some point.

Behavioral biometrics is something that more and more financial institutions are beginning to take notice of. This is a dynamic form of authentication that looks into a person’s behavioral patterns—the way they interact with systems and technologies—to identify users.

While its accuracy is high, behavioral biometrics does not yet give a 100 percent match, so for now the technology is used to monitor sessions rather than to authenticate at login. This means that a bank or other organization can use behavioral biometrics to check whether it is still you using the site or whether someone else has taken over the session, and log you out accordingly.

Physical keys

This is a type of authentication that is often part of two-factor authentication (2FA). First you log in, then you prove you are who you say you are by pressing a button on the physical key. This can be a device connected to your computer as a USB stick, over Bluetooth, or by any other close-range contact. In February 2019, Google announced that Android devices running 7.0 and higher could be used to log people into websites and apps. Using FIDO2, an open standard developed by the FIDO Alliance, Android users could be logged into their sites using the biometric or passcode sign-in of their device in place of individual passwords.

The downside to using a physical security key is that it requires extra hardware that can be lost or broken, or, in the case of Android devices, is quite expensive. It would nevertheless be a good alternative if it could be used everywhere, which for the moment is not even close to the truth.

iOS devices do not currently use the FIDO2 standard, and about 42 percent of Android users are still running version 6.0 software and older. In addition, while the FIDO standard is adopted by many browsers, its API still needs to be incorporated by software and app developers in order to support using the feature to sign into their programs.

Authentication apps

Authentication apps allow you to use your phone to log in at specific sites, typically by scanning a QR code on the website and then authenticating through your phone by using biometrics or a passcode. Your phone will send a confirmation to the website and consequently you will be allowed to proceed.

Recommended reading: Is two-factor authentication (2FA) as secure as it seems?

These authentication apps are often used by banks and other public organizations. However, QR codes, or two-dimensional bar codes, have known flaws that have been exploited by cybercriminals and used frequently in scams.

Trust-score authentication

This is closely related to behavioral biometrics. Google, and maybe others, are working on this. A trust score is calculated based on several factors, such as location, facial recognition, and typing pattern. If the score is high enough, you’ll be granted access.

Sounds great, but can you imagine how frustrating it must be when you are denied access and have no idea why? And if such authentication software told you what you were doing differently from usual, that would open up a possibility for an attacker to impersonate you through trial and error.

Client authentication certificates

A client authentication certificate is a security certificate used to authenticate the client during an SSL/TLS handshake: the client presents its certificate to the server it is accessing. Simply put, this means you have a valid certificate on your system that has not expired and was issued by a certificate authority the server trusts.

Some encrypted information is sent back and forth to prove that you hold the private key belonging to the public key in that certificate. When that exchange succeeds, the server can give you access to the resources you are entitled to. However, cybercriminals have found ways to abuse the certificate system via malware, so this method is not 100 percent foolproof.

SQRL

Somewhat similar to authentication certificates is GRC’s authentication method, dubbed SQRL. For a complete description of how SQRL works, we recommend reading Welcome to SQRL (PDF). It is an interesting concept that combines the strong points of some of the other methods, such as encryption, into a single-factor authentication method.

Checking stolen credentials

We would like to point out some services that you can use to check whether your credentials have been stolen or compromised. Most of our readers will be acquainted with Have I Been Pwned, where you can check based on email address.

On VeriCloud’s site, you can search based on email address and domain (for organizations), and you can have VeriCloud email you the leaked password(s). Don’t feel guilty when your email address(es) appear on these sites. It happens to the best of us! But check where they were found, and make sure you change the password you used there and that you didn’t reuse it elsewhere.
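The services above let you check a password without handing it over in full. As an added example (not code from the post or from either service), the Python below shows the k-anonymity scheme used by Have I Been Pwned’s Pwned Passwords range API: only the first five hex characters of the password’s SHA-1 hash leave your machine, and the remaining 35 are matched locally against the returned SUFFIX:COUNT lines. The range-API URL and response format are assumed from the public API documentation, not from the page; the sample response body, its counts and its other suffixes are constructed so the check runs offline.

```python
"""k-anonymity password check against a 'SUFFIX:COUNT' range response.

Added example. The sample response below is constructed for this example and
is not real API output; only fetch_range_live() talks to the real service."""
import hashlib
import urllib.request

# Pwned Passwords range endpoint (assumed from the public API documentation).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Uppercase hex SHA-1 digest, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines instead of failing the whole check
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in the data set (0 = not found).

    fetch_range(prefix) -> response body text; injected so the check runs offline."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix, timeout=10):
    """Real network fetch; not used by the offline demo below."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-credential-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The counts and the neighbouring suffixes are made up for this example.
SAMPLE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E2AAA439972480CEC7F16C795BBB429372:1",
    ]),
}


def fetch_range_sample(prefix):
    """Offline stand-in for fetch_range_live."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_sample)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample data'}")
```

Swapping `fetch_range_sample` for `fetch_range_live` performs the same check against the real service; the password itself is never transmitted, only a hash prefix shared by hundreds of other passwords.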

Mathematical facts about passwords

In case you need to create new passwords, here is something to consider. Do you know how much difference those few extra characters make?

Basically, the strength of a password is determined by two factors, and the number of possibilities can be calculated with the formula a^b, where a is the number of allowed characters and b is the length of the password.

For example, a basic password of six lowercase letters has 26^6 possibilities, which equals 308,915,776. That may seem like a lot, but in a brute force attack such a password will last less than a second.

Adding two letters gives us roughly 209 billion options (26^8), and such a password would last a few hours against a brute force attack. If you can also use uppercase letters, numbers, and special characters, the base of the equation is 77, and we reach 208 billion (77^6) with only six characters.

Still, we are looking at a password that would take only hours to crack. To construct a password that would last a lifetime at current computing speeds would require 12 lowercase letters (26^12 = 95,428,956,661,682,176 options) or nine characters drawn from the full 77-character set (77^9 = 95,151,694,449,171,437 options).
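The arithmetic above, worked through in Python as an added example (not code from the post). It reproduces the page’s keyspace figures for the 26- and 77-character alphabets and goes one step further by converting each keyspace to bits of entropy and by computing how many lowercase letters are needed to match a given keyspace. The guess rate used for the time-to-exhaust column is a constructed assumption; the page states no rate, and the absolute times scale with whatever rate an attacker actually achieves while the ratios between rows do not.

```python
"""Password keyspace arithmetic: a^b, bits of entropy, and time to exhaust.

Added example. ASSUMED_GUESSES_PER_SECOND is a constructed figure, not a
value from the page."""
import math

# Alphabet sizes used on the page: 26 lowercase letters, or 77 characters once
# uppercase letters, digits and special characters are allowed.
LOWERCASE = 26
FULL_SET = 77

# Assumed attacker speed for an offline attack on a fast hash (constructed).
ASSUMED_GUESSES_PER_SECOND = 10**9


def keyspace(alphabet_size, length):
    """Number of distinct passwords: a^b, with a = allowed characters, b = length."""
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet_size must be >= 1 and length >= 0")
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """The same keyspace expressed in bits: log2(a^b) = b * log2(a)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every password (on average an attacker needs half)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def min_length_for_keyspace(alphabet_size, target_keyspace):
    """Smallest length b such that a^b >= target_keyspace (exact integer arithmetic)."""
    if alphabet_size < 2:
        raise ValueError("alphabet_size must be >= 2")
    length = 0
    while alphabet_size ** length < target_keyspace:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def strength_table(cases, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Build one row per (alphabet_size, length) pair."""
    rows = []
    for alphabet_size, length in cases:
        rows.append({
            "alphabet": alphabet_size,
            "length": length,
            "keyspace": keyspace(alphabet_size, length),
            "bits": round(entropy_bits(alphabet_size, length), 1),
            "time": humanize(seconds_to_exhaust(alphabet_size, length, guesses_per_second)),
        })
    return rows


if __name__ == "__main__":
    # The five cases discussed on the page.
    cases = [(LOWERCASE, 6), (LOWERCASE, 8), (FULL_SET, 6), (LOWERCASE, 12), (FULL_SET, 9)]
    for row in strength_table(cases):
        print(f"{row['alphabet']:>3}^{row['length']:<2} = {row['keyspace']:>26,}  "
              f"{row['bits']:>5} bits  exhausted in {row['time']}")
    # Length versus alphabet trade-off: lowercase letters needed to match 77^9.
    print("lowercase letters matching 77^9:",
          min_length_for_keyspace(LOWERCASE, keyspace(FULL_SET, 9)))
```

The last line confirms the page’s pairing: 12 lowercase letters and 9 full-set characters give almost exactly the same keyspace (about 56 bits). Note that this is the cost of guessing blindly; a leaked or reused password is found in one guess regardless of its length.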

Note that computer speeds continue to increase and that the chance of your password being leaked is always present, so there is no guarantee that such a password will last. But at the moment, a long password drawn from a large character set is still king. While other methods such as biometrics, physical keys, and web authentication are in the works, security flaws have already been identified in them.

As for the future, ideas about implanted microchips, brain passwords, and DNA-based identification have already been circulated, but ethical concerns loom large. Will there ever be a truly 100 percent secure system to replace passwords?

Our guess is no. In fact, there’s no such thing as 100 percent protection. But with widespread adoption of better practices and easier, more innovative technology, the password problem should at the very least become far less annoying for consumers—which will make it far more secure for the world.

The post When can we get rid of passwords for good? appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Instagram clamps down on fake messages with anti-phishing tool

Malware Bytes Security - Tue, 10/15/2019 - 11:51am

Instagram accounts will always be a popular target for scammers. You might not think it’s a big deal if someone has their account swiped, but it’s often the vanguard of many online businesses. A takeover, or a deletion, can be absolutely devastating.

Smart hacking crews are always in the background, waiting to see what they can get away with—and it’s not just the public-facing account at risk, but personal data behind the scenes, too.

To combat these attacks, quite a few security additions have been made to Instagram over the years. Now, with the introduction of the “Emails from Instagram” anti-phishing tool, one more inroad for scammers has been made significantly harder to bypass.

The great anti-phishing divide

“Emails from Instagram” will make it much clearer if a message is actually from the social media platform or a scammer. Once you receive the update, messages will be split between “Mails from Instagram” and “Other.”

Anything sent your way from Instagram will be in the former; everything else will be in the latter. Scammers pretending to be your social network of choice is a classic slice of social engineering, and the anti-phishing tool will hopefully go a long way to shutting down Instagram-centric attacks of this nature.

Instagram tricks of the trade

Whether locked down or not, there’s a huge swathe of Instagram scams to steer clear of, and sadly the platform will never be rid of them. Here are some of the most common, sneaky, and downright clever attacks. Most, if not all, of these will be in circulation somewhere. It’s up to us to give them as wide a berth as possible.

  • Fake viral boosting apps: You’ll come across fake apps both on official app stores and also floating around in the wild. They’ll usually claim to boost your likes, visibility, follower count, and more. What they actually do is take the username/password combination you punched in and send them back to base. From there, your account is entirely at the mercy of the hijackers. It could be sold on, given away for free, used to spam, or just plain trolled until Instagram shuts it down.
  • Exploiting cool features to push spam: Instagram stories are a neat way to quickly express thoughts with a small video clip or some looping images. If your account was compromised, you might find your latest story sending mutual contacts to spam and dubious sign-up forms.
  • Bogus profiles: The never-ending world of free video game offers comes back to haunt us, via many a compromised and purpose-built account. The method may not be as fancy as an Instagram story, but the end result is the same. Quite a few of these bogus game offer accounts tend to be designed quite nicely, too.
  • The “Who is watching you / what are they up to” scam: A wheeze around since the days of Myspace, seeing what your friends are up to or wondering who lands on your profile is another perennial favourite with scammers. In this case, they prey on people’s insecurities with their relationships. Are they cheating on you? Find out via bogus messages and dubious third-party websites asking for mobile numbers.
  • Casting bait outside Instagram: Not all scams originate from inside the Instagram walls. Quite often it begins in utterly unrelated comment sections, culminating with third-party browser extension installs. Standalone image viewer/downloading tools are also popular ways to install potentially unwanted programs on a system.
  • Viral hoaxes: Never has “It belongs in a museum” been more appropriate, but panicked requests to repost something lest accounts be deleted/hackers take over the world never, ever go out of fashion.
  • The major event bandwagon: You can guarantee anytime a holiday or major event takes place, scammers will be there plying their bogus wares. Soccer is a big target for this, as are high-profile sporting events in general.

Some additional help

Instagram has a lot of advice with regards to account security. If your account has been compromised, there are multiple directions you can go in depending on the situation. Impersonation? They have that covered, too. They also have more general security tips, and a generous number of additional links, which can be found in the Privacy and Safety Center dropdown menu. Two-factor authentication is also on offer, should you want to make use of it—we strongly suggest that you do whenever possible.

Launching an anti-phishing tool is an interesting move by Instagram, and one we hope to see on other sites. It won’t magically solve the problem of imitation Instagram messages, but it should go some way to making a large dent in their ability to convince potential victims to click a bogus link.

The post Instagram clamps down on fake messages with anti-phishing tool appeared first on Malwarebytes Labs.


Europol: Ransomware remains top threat in IOCTA report

Malware Bytes Security - Mon, 10/14/2019 - 12:00pm

The European Union Agency for Law Enforcement Cooperation, or Europol, just released its annual Internet Organized Crime Threat Assessment (IOCTA) report for the year. And we weren’t surprised to find that ransomware, despite its palpable decline in volume these past few months—a trend we’ve also seen and documented—remains the most prominent threat in terms of prevalence and financial damage.

It’s not just data

While the IOCTA report talks about online threats that both consumers and businesses face on a daily basis, it also puts data at the center of it all. We rely on it—often, all too much—and criminals know this. Indeed, most threat actors behind attack campaigns rely on our data to make their attacks more successful, compelling us to take action. After all, nowadays an attack that doesn’t use data against its owners wouldn’t be much of a money-earning scheme.

Threat actors can deprive organizations and individuals of access to their own files by encrypting them and holding them for ransom, as is the case with ransomware. They can also deny the average user access to an organization’s data (and services) through Distributed Denial of Service (DDoS) attacks. According to Europol, such attacks with an extortion element are the most prevalent.

Data also enables other forms of online crime like fraud. Criminals are primarily after financial data, such as credit card information, online banking credentials, and cryptocurrency wallet data. They are also after personally identifiable information (PII) and other login credentials. Such data fuels other profitable, targeted attacks like business email compromise (BEC) scams, spear phishing, and account takeovers.

There is also the challenge of data overload, particularly in the realm of child sexual exploitation (CSE) crimes. The staggering amount of material online detected by law enforcement and private companies continues to increase, to the point that it is putting a strain on law enforcement resources to investigate these crimes. One contributing factor to the increase in the availability of CSE material online is that more underage users are accessing and using social media, and criminals reach and communicate with them via these platforms.

Image: Courtesy of Europol

Other IOCTA findings

  • The IOCTA report also noted that the key infection vectors are [1] phishing and [2] remote desktop protocol (RDP) vulnerabilities. Simple patching can address the vulnerabilities. As for phishing, did you know that you can be targeted on your desktop and on your smartphone?
  • Organizations are growing more concerned about sabotage performed by malicious insiders. Learn about insider threats here.
  • Ransomware tactics have shifted, from a scattergun approach of infecting systems to a more focused and refined targeting of profitable victims. This means that ransomware proponents target those with a greater ability to pay a ransom than the average, normal user. Here are some tips on how to beat ransomware.
  • BEC is evolving. There have been campaigns wherein threat actors used malware and network intrusion. Get to know more about “the scam that gets better with age” and take note of the ways businesses can combat BEC scams.
  • Self-generated explicit material (SGEM) is on the uptick. Young children now have access to high-quality smartphones, which enables them to produce and share SGEM, either voluntarily or under coercion. The number of SGEM victims will likely continue to rise. Parents and guardians: Please talk to your kids about this and other online risks.
  • Jackpotting, also known as black-box attacks, against ATMs is becoming more widespread and accessible due to tools like Cutlet Maker being more available on the dark web. Check out our mini-series—part 1, part 2—on ATM attacks and fraud.
  • Card-not-present (CNP) fraud and skimming continue to plague financial institutions. Don’t be a victim of skimming.
  • Due to law enforcement activity and extensive DDoS attacks against hidden services, many have grown distrustful of the onion router (Tor) environment. While underground market administrators are currently exploring alternatives, a migration to a new platform will not likely happen yet.

Stay safe!

The post Europol: Ransomware remains top threat in IOCTA report appeared first on Malwarebytes Labs.


A week in security (October 7 – 13)

Malware Bytes Security - Mon, 10/14/2019 - 11:30am

Last week on Malwarebytes Labs, we peered into the possible future of cybersecurity insurance, described the process for securing today’s managed service provider, and provided an in-depth explainer on the business espionage tactic known as “war shipping.”

Further, in considering the intersection of National Cybersecurity Awareness Month and National Domestic Violence Awareness Month, we gave a rundown on the current stalkerware landscape, including why it’s hard to protect against, and why Malwarebytes is committed to increasing security for users everywhere.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (October 7 – 13) appeared first on Malwarebytes Labs.


Securing the managed service provider (MSP)

Malware Bytes Security - Fri, 10/11/2019 - 2:04pm

Managed service providers (MSPs) have been a boon to midsize enterprises. They allow technical debt to be offloaded to an agent with the skills and resources to manage it, thereby giving an organization room to focus on growing the business rather than on the particulars of infrastructure.

For a long while, third-party service providers were not targeted directly for their security failures, as lucrative targets were more directly available. But with security best practices gaining slow adoption across enterprise organizations, MSPs have gradually become subject to threats—with their clients as the ultimate objective—as they are seen as an easier win than attacking clients through the front door.

Today, an MSP can expect to be targeted not just in their own right, but as a soft pivot point to obtain client data that might otherwise be better defended against direct attack.

But how bad is the threat landscape for managed service providers, really? MSPs typically operate in a resource-constrained environment, and surely secondary attacks wouldn’t be nearly as common as direct attacks, right?

Let’s take a look at what third-party service providers are facing today in attempts to keep those clients safe and happy.

Ransomware attacks on MSPs

Image: Managed service providers would not be pleased to see this ransom note.

Ransomware can be used in a secondary attack leveraged against specific client data. It can also be deployed in an opportunistic attack, just as with individual end users. Or it can serve as a targeted attack against a market segment hurt severely by downtime, as it has been for US cities and schools.

In June 2019, attacks against MSP customers were observed using PowerShell to push Sodinokibi ransomware to managed endpoints. These tactics were previously employed by GandCrab ransomware actors, who used a vulnerability in remote administration software in an attempt to infect all of the MSP’s clients at once.

While ransomware is a constant in the threat landscape for both end users and enterprises of all sizes, multi-vector targeted attacks using ancillary software as a pivot point were previously only seen with APT groups. Given the potential for threat actors to monetize an MSP’s large client base all at once, defenders should expect complex attacks like these to increase in the future.

APT attacks

APT attacks are the focus of much hand-wringing in enterprise security conversations, despite the fact they’re rather rare. Ninety percent of organizations would be better served by focusing on the OWASP top 10, asset management, and default configuration errors over even beginning to address APT attacks.

That said, MSPs with high-value targets as customers can fall into the 10 percent of businesses subject to secondary, targeted attacks. Previously seen most commonly with law firms servicing sensitive clients, some APT movement has expanded to address all service providers that hold data on their primary targets.

Between 2017 and 2018, the MenuPass group used stolen credentials to gain access to a Norwegian MSP with roughly 850,000 total customers. They subsequently enumerated network data and exfiltrated proprietary information, with the likely intent of obtaining intelligence on specific MSP clients.

Notable in this campaign was the surreptitious use of legitimate credentials to gain a foothold on the victim networks. These tactics were observed in the wild to the extent that US-CERT released an advisory urging IT service providers to implement a defense-in-depth strategy to mitigate future APT attacks.

Defenders should note here the use of legitimate credentials. APT groups are most commonly known for using zero-day vulnerabilities or other attacks requiring high resources and institutional support. But like less sophisticated threat groups, they are under no obligation to continue doing so—poor credential management in conjunction with unpatched third-party software is sufficient to give APT actors a clear path to a client’s proprietary data via the MSP’s network.

So how do you know if your client list includes “sensitive targets” subject to this sort of attack? Threat modeling is a topic in itself that can go a long way toward identifying at-risk clients. (See our take on threat modeling here.) But prior attacks indicate that clients involved in law, defense contracting, manufacturing, or organizing political dissent are potentially subject to APT attacks, whether directly or via your networks.

The usual suspects

Having reviewed some intriguing operations specifically focused on MSP data and customers, we would be remiss if we failed to mention the attacks that, by weight, make up the bulk of threats that all organizations face.

Though used by APT 10 to breach an Australian MSP, mishandling of administrator credentials is not an advanced attack. Failure to vet and appropriately patch third-party software introduces significant risk that doesn’t require a sophisticated actor to exploit. (More on third-party application security here.)

For a recent example, the cloud management platform OnApp was found to have a vulnerability that allowed anyone with access to one managed server at a cloud provider to gain access to all of that provider’s managed servers.

Lastly, poor asset management and a lack of appropriate log analysis tools (or in some cases, failure to use them) have in many instances been responsible for escalating a relatively minor security incident into a significant breach, whether the attack was targeted or not. Although IT service providers face the unique challenges enumerated above, ignoring the basics can result in opportunistic attacks as damaging as a potential APT attack.

The takeaway

An MSP looking to provide top tier service to a valuable client can no longer focus exclusively on uptime as the only measure of quality. A shifting threat landscape has made high-value data a prominent target, regardless of whose network it sits on. Increased security awareness across enterprise organizations will only continue to increase the payoff of attacking ancillary targets like service providers in furtherance of threat actor objectives.

Third-party IT service providers generally aren’t overtly negligent, but can find themselves behind the curve on security due to a lack in up-to-date subject matter expertise, a failure to cover the basics, and most prominently, the idea that security is a cost center to be minimized as aggressively as possible.

Enterprise security is in fact an investment in the public trust that is required for sustained capital growth. The successful MSP over the long term will be the one best able to maintain and capitalize on customer trust. Ignore that trust at your peril.

The post Securing the managed service provider (MSP) appeared first on Malwarebytes Labs.


Cyber insurance: here to stay, whether we like it or not

Malware Bytes Security - Thu, 10/10/2019 - 11:00am

Cyber insurance has been a big talking point in infosec circles for many months now. We’ve mentioned it in passing ourselves a few times, usually in relation to ransomware attacks.

This isn’t surprising; ransomware may not be the threat that brought cyber insurance to life, but it absolutely helped to supercharge it. Depending on where in the world you reside, the actual act of wrapping insurance around computer security can be quite a technical challenge.

Not a month goes by where a business or city council isn’t making headlines alongside big payouts from insurance providers. Generally, the reception to insurance and ransomware isn’t massively positive. This is because of the oft-suggested possibility that it encourages ransomware.

However, eliminating cyber insurance as an option altogether could also bring about disastrous results for organizations.

They’ll keep coming back for more

It was bad enough when victims handed over cash to attackers, because people were putting themselves out of pocket to recover files. With advice from law enforcement occasionally becoming a little confusing, insurance suddenly pops up and makes the whole process a little more official, a little more formal.

At this point, it doesn’t really seem to matter much whether the victims pay up off their own bat, whether they hand over a ransom and then reclaim the money from insurers, or whether the insurer is simply on hand to cover recovery and cleanup costs. The bottom line is, it’s hard to argue that this doesn’t just keep the attacks coming. And with bigger payouts promised by providers, it seems the next logical step would be cybercriminals upping their ransoms, too.

Did they only ask for a few hundred dollars last time? Too bad, they’ve seen the adverts promising up to $50,000 to victims. If companies are happy to hand over that kind of money, then why not ramp up the ransom in corresponding fashion? The attackers have little to lose, except the time spent on targeting more potential victims.

All the same: It’s possible that just maybe we’re being a little too hard on insurers.

Evening the odds?

We really can’t throw the insurance-shaped baby out with the bathwater. There are a number of fairly standard pieces of infosec wisdom that indicate the ransomware problem—nay, the entire cybercrime economy—is benefiting from multiple gaps in organizations’ security. You’ll hear some of these talking points woven into conference presentations, or on blogs, including our own.

These gaps include lack of training, lean IT and security staff, lack of incident response plans, the need for layered defense, ineffective backup systems, and much more. While individuals and organizations will naturally differ on the fine points, the broad strokes usually end up aligning much of the time.

However, when you actually sit down and take in all these points as a whole, it does seem that cyber insurance is one possible natural response to fill the gaps left by the areas these common talking points focus on.

Taking the long road

By and large, there’s a long way to go where security is concerned—especially in the workplace, and with so many attacks currently focusing almost exclusively on businesses. No matter how good the network admin thinks their systems are locked down, there’s going to be a large variation in technical skillsets in any workplace.

Lots of employees probably aren’t that great with computers. It’s still not unusual to encounter workers who can only use the computer in front of them to perform the specific task required for their job, and nothing else. Factor in phishing as a common attack vector, and the gaps in an organization’s security posture widen into canyons.

It’s training time

The employees we speak of likely do not go on Reddit, or read The Register, or this blog, or any other security resources. Is it reasonable to expect someone crunching out 40+ hours a week in a high-pressure environment like a call center to also jam their way through dozens of infosec resources in a constant battle of playing keep-up?

Of course not, which is why businesses should be training their staff effectively in security practices. Except, we know a lot of the time that doesn’t happen either. Without the necessary budget available—or even someone on hand who knows about cybersecurity policy, assuming the business can afford them—you’re not going to see a lot of infosec brown bag lunch sessions.

You probably will see a lot of people being told to read the Internet AUP on their Intranet, but that’s about it. Large organizations can often afford the luxury of dedicated trainers who keep providing sessions outside the initial week-long orientation, but that’s often all that’s available.

Humorously, one of the few businesses I’ve come across that could afford a rotating set of permanent training staff all day long for employees was an insurance company.

Training: time, money, and effort

Even if a subject matter expert can afford some sort of training, it takes a sizable amount of hard work to constantly source information on new threats and how to mitigate them. While a lot of threats are quite mundane and fairly old, they still work, which is why they keep coming back.

Additionally, there really are attacks out there which fall under the “pretty smart and quite sophisticated” banner from time to time. Sometimes a new threat is pretty much old hat after a month, such is the pace now. All these factors can ultimately lead to battle fatigue of the most serious kind: simply giving up.

An eventual admission of defeat is usually accompanied by training which quickly goes out of date. At that point, we’re back to square one: no training and no chance of keeping up with the Malware Joneses.

A wafer thin layer of security

This is the part where we’d turn to our ultra secure, layered slice of unbreachable defense—except for many businesses, it simply doesn’t exist. In fact, we argue 100 percent preventative security is a myth altogether. But smart and effective security solutions are out there for organizations. The problem is many either don’t have the budget for them, don’t understand how to use complex programs, or don’t even realize they exist.

Home users probably have it worse, as we’ve gone from “actual organization with maybe someone trained in this charged with holding things together” to “random home user who wasn’t sure which security tool to buy, so they bought nothing instead.”

While it’s possible ransomware authors may use the thought of vulnerable home users plus big insurance payouts to shift attacks back from business to consumer, these things tend to swing back and forth more often than not. It’d be more surprising if attackers’ attention didn’t eventually return to consumers anyway.

Back it up a little

At last, we turn to our old friend the backup. One of ransomware’s greatest enemies, yet (again) not as well or widely deployed as it could be. Many people’s first experience with backing up files is sadly the point where they’ve already lost everything.

External storage can be expensive depending on budget requirements. Cloud storage is a more resilient option against local hardware failure, but it has its drawbacks as well, and a backup that stays mounted on, or is continuously synced from, the infected machine can be encrypted right along with the originals. Businesses have a lot more cash available in this respect, but a sensible and orderly backup plan is often replaced by “massive pile of random files in duplicate folders, and what even is all of this stuff anyway?”

It’s also quite likely that however expensive insurance is, making backups will be cheaper for most consumers and small businesses. If the insurance policy insists on you making backups in order to be covered, it’s arguable that you’re then paying for something you’re already negating by backing up.

This is a bit of a simplistic view though, as backing up files doesn’t prevent the infection of endpoints. So, if systems go offline or if the organization cares to clear the infection from the network, they still might need insurance coverage for cleanup and recovery.

All those wonderful backups aren’t much use if the malware authors do more to the network than “simply” lock up some desktops and plaster a few ransom notes all over the place. Coming back from a ransom outbreak is no mean feat, and many organizations would probably be quite grateful for the assistance when disaster strikes.

On the flip side, if backups aren’t required by the insurance firm, then one could ask how seriously the insurance firm is taking the threat. Are they interested in encouraging a minimum baseline for what people should be doing, or are they simply resigned to handing over wads of cash forevermore?

Staking a claim

With all this in mind, is it any wonder that insurance is now a growing market? Are we able to criticize this growing aspect of security with a straight face, when the truth of the matter is the dam is not only breaking in several places but has pretty much collapsed entirely for some folks?

Criticizing someone for paying the ransom when it’s their only way to get their baby photos back, or stop a business from going under and ruining lives is a tough call. So, too, is out-and-out condemning a newish form of business model, which for some people may be their only realistic hope to get back on track.

Perhaps the security industry needs to start looking at how insurance can more effectively bridge the gap between offering victims a hand and needlessly encouraging massive payouts, which may serve to encourage ransomware authors—and other forms of attack.

One thing’s for certain: Cyber insurance isn’t going away. So it’s up to all of us to figure out the best way to make it work for everybody.

The post Cyber insurance: here to stay, whether we like it or not appeared first on Malwarebytes Labs.

Categories: Malware Bytes

How to protect against stalkerware, a murky but dangerous mobile threat

Malware Bytes Security - Wed, 10/09/2019 - 11:00am

Last week, we pledged that—in honor of National Cybersecurity Awareness and Domestic Violence Awareness months—we would continue the fight against the online scourge known as stalkerware, or applications used to track and spy on victims without their knowing consent.

We told readers that, despite working to protect against stalkerware programs for more than five years, it was time to take our efforts to the next level by spreading awareness of stalkerware and its dangers, and demonstrating how law enforcement, cybersecurity vendors, and advocacy groups can team up for better results.

We laid out our vision and our plans for future action, calling on other security vendors, organizations, and individuals to get involved.

And now we’re ready to get back to work.

This year’s NCSAM emphasizes personal accountability, stressing the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. The overarching theme of 2019 boils down to a nifty tagline: Own IT. Secure IT. Protect IT. If you need that deconstructed a bit, the message asks users to consider key security concerns, such as maintaining online privacy, securing consumer devices and browsing experiences, and protecting against scams and other threats.

In the context of stalkerware, then, the goal of this particular campaign is to raise awareness of this threat, as well as the difficulty of defining, and thus protecting against, it. We aim to help users be personally proactive by demonstrating why stalkerware is both murky and dangerous, where to draw the line between legitimate monitoring programs and stalkerware, and most importantly, how to protect against stalkerware if users feel it’s being used against them.

What makes stalkerware dangerous

In previous blogs, we already described what stalkerware is and what it can do, especially on a mobile device. In a nutshell: Stalkerware can see all the things you see on your device, hear all the things you hear, pinpoint your physical location, and even remotely control your camera and microphone. Calls can be intercepted, eavesdropped on, and recorded—all without the knowledge of the device owner.

Stalkerware applications can conduct surveillance operations just as nefarious as those of spyware, a category of threats deemed by the cybersecurity industry as malicious. However, unlike spyware, stalkerware is largely available on the open market—including on Google Play—to anyone willing to pay.

Often marketing themselves as parental monitoring tools, though sometimes outright advertising their true purpose (to catch a cheating spouse in the act or “keep tabs” on a partner), stalkerware applications are able to evade detection by many security products because, if used with consent or as originally marketed, they may not be particularly malicious.

The danger is that there’s a whole lot of gray area in between malicious spyware used by nation-states and legitimate monitoring programs used by parents or in the workplace. When VICE’s Motherboard first reported on the rampant usage of surveillance applications by “regular people,” jealous or distrustful lovers were often cited as the main participants. And while stalkerware applications might help confirm the nagging suspicion of an affair, they are more often leveraged as tools for control and abuse.

In fact, according to the National Domestic Violence Hotline, digital surveillance is a form of abuse itself.

Let’s take a second to unpack that, because it’s important. If someone is using stalkerware to monitor their partner without that partner’s knowledge, they are participating in a form of abuse. It’s not a long leap from there to full-blown manipulation, and even violence.

Indeed, according to a 2014 study conducted by NPR, a whopping 85 percent of US shelters for abused women were working directly with a victim being tracked via GPS; 75 percent said their victims’ abusers were eavesdropping on their conversations remotely, using hidden mobile apps. This was five years ago.

Despite concerted efforts to “out” a few well-known consumer stalkerware applications by hacktivists—including a breach of FlexiSpy and Retina-X, makers of PhoneSheriff and SniperSpy—the market for personal surveillance has only grown.

In 2014, we started with 421 signatures for applications defined as stalkerware, including monitoring and spyware programs. Signatures are created to identify known threats, and they are uploaded into our software’s database so that when a Malwarebytes user comes across that threat, we automatically detect it.

Today, we have more than 4,300 monitoring signatures in our database, an increase of more than 900 percent over five years. And that’s only signatures of known threats.

Through a technology called behavioral heuristics, we are able to identify if an application is acting like a threat—in this case, if it’s monitoring user activity, location, browser history, or employing other surveillance techniques—and detect it based on suspicious activity. In that way, we catch many more threats that were previously unknown. Through heuristics and signatures combined, we now detect more than 150,000 stalkerware applications.

In addition, thousands of those apps are currently active in the wild. Over the last three months, we have seen 2,332 programs that we consider stalkerware detected at least once by Malwarebytes for Android. Out of those, 107 were categorized as spyware, while the other 2,225 were flagged as monitors.

Monitoring software is currently catalogued as a potentially unwanted program (PUP) by Malwarebytes, therefore it isn’t automatically blocked and removed from user systems. We instead isolate the application and allow users to make the decision whether or not to keep the program and prevent our software from detecting it in the future, or dispose of it.

While this allows users to make an autonomous choice about which types of applications to allow on their devices, it also represents a challenge if abusers can simply add monitoring programs to an exclusion list and keep on spying without intrusion.

You can start to see now why stalkerware has proved problematic for the security industry. Where do you draw the line between freedom and safety? For us, it boils down to one simple term: consent.

To monitor, or not to monitor

In a world where opportunities to connect over the digital realm translate into opportunities to cheat, deceive, bully, stalk, harass, and otherwise be bombarded by awfulness, it’s no wonder users are tempted to keep an eye on those they care about most: their partners and children.

As we said in our article about the difference between parental monitoring apps and stalkerware, we are not here to tell people how to parent their kids. Nor are we about to expound on relationship advice. But we can tell you what is considered an invasion of privacy or unauthorized access in the eyes of the law, as well as the cybersecurity community.

If you strip away the reasons for using monitoring apps—ranging from legitimate love and concern for safety to a desire to exert power and control over an individual—the capabilities of many stalkerware and monitoring programs are no different, technically, from surveillance programs used by nation-states.

Let’s take a look at a few examples to demonstrate our meaning.

Below are four monitoring applications that, so far, only Malwarebytes detects. Two of them are still available on Google Play and Apple’s App Store.

Couple Tracker

  • Detection name: Android/Monitor.CoupleTracker
  • Available on: third-party platforms, its own website
  • Features: includes location and phone activity viewable in real time; delete prevention, which keeps partners from hiding or removing texts, calls, or other content; call and text history

Track Boyfriend

  • Detection name: Android/Monitor.TrackFriend
  • Available on: third-party platforms, its own website
  • Features: includes call, email, and social media tracking; access to contact names, email addresses, and phone numbers; ability to monitor dates and times of contacts made with individuals, and number of times contacted

Shadow: Kid’s Key Logger

  • Detection name: Android/Monitor.SimplleKeyLogger
  • Available on: Google Play
  • Features: includes key and event logging; browser and call history; applications accessed; email and text content; allows parent/partner to modify or delete files, applications, and pictures; records time spent online, using apps, or on other activities

Safer Kid

  • Detection name: Android/Monitor.SaferKid
  • Available on: Google Play and the App Store
  • Features: text message monitoring; screen time management; browser and call history; access to contact names, email addresses, and phone numbers; adult content blocking; cannot be disabled without parent knowledge or consent

We detect apps such as these on the basis that they could be used legitimately, but also have potential to be misused. More importantly, many of the features and capabilities of these applications can be construed as invasions of privacy—even by parents who aren’t trying to snoop on their kids. And finally, if implemented without consent, monitoring apps cross the line into abusive territory.

For example, Couple Tracker requires that both partners download the app on their phones and states that its icon cannot be hidden. This could be interpreted as a sign of consent, but an abuser could easily manipulate a victim into participating, or download the application without his partner’s knowledge, relegating the icon to a less visible area on the phone.

Meanwhile, Safer Kid allows parents to monitor web browsing, phone contacts, text messaging, and call history, while also restricting access to adult content and downloads of inappropriate apps. While limiting Internet access to age-appropriate content is well within a parent’s right, any notion of privacy is undone by the application’s other features. And if a child is not aware of the full feature set of parental controls on her device, any trust she had established with them will likely evaporate as well.

While this information alone might be enough to deter some folks, monitoring applications—even those used with consent—are often rife with vulnerabilities and other security risks.

In 2017, Cisco researchers disclosed multiple vulnerabilities for “Circle with Disney,” a tool for monitoring a child’s Internet usage. In 2018, a UK-based cybersecurity researcher found two unsecured cloud servers operated by TeenSafe. The servers included tens of thousands of account details, including parents’ email addresses and children’s Apple ID email addresses.

Just last month, researchers at Avast discovered serious security flaws in 600,000 wearable child trackers sold on Amazon and other online merchants. The devices exposed data sent to the cloud, including the real-time GPS locations of children.

Armed with this knowledge, if you’re still considering a monitoring application, ask these questions before installing it:

  • Can the application be used without knowing consent from the person being monitored?
  • Does the program have capabilities that infringe on personal privacy or allow for unauthorized access as defined by the law or your own moral compass?
  • Are there real security risks to using the application?

If the answer is “yes” to any of these, our advice is to find a different program—or consider ditching the idea of surveilling loved ones altogether.

How to protect against stalkerware

On the other side of the coin are the victims of stalkerware—most often partners or spouses, with a special nod to those embroiled in domestic violence. Since so many of these applications can be used without consent and include stealth features that hide their presence, it’s difficult for victims of stalkerware to know exactly what they’re dealing with in order to determine next best steps.

However, as noted above, most domestic violence victims are also victims of digital abuse, including having their locations and communications tracked. And most could tell you that they didn’t know how their partner did it, but they knew, somehow, they had “hacked” into their device.

So the first step is a gut check. There are a few technical symptoms of stalkerware, including quickly-depleting battery life and increased data use, but those could be symptomatic of a multitude of other malware, hardware, or battery issues. Therefore, when trying to assess if your device has been infiltrated with stalkerware, consider the following factors, which are outlined in full in our article for victims of domestic abuse on what to do when you find stalkerware on your device:

  • Does your partner have physical access to your device?
  • Does your partner know your device’s passcode?
  • Does your partner seem to know where you are without you telling them?
  • Is your partner suddenly asking pressing questions about a topic you only discussed via text or email with someone else?
  • Are photos suddenly disappearing or appearing on your device without your tampering?
  • Does your partner just seem to know too much?

Domestic violence advocacy groups and victims we spoke with pointed to the same signal: a feeling of being watched. As Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, advised users in a previous Labs blog: trust yourself. You know the feeling of being watched and controlled. Trust those feelings and never discount your own concerns.

While we previously and carefully documented next steps for victims of abuse, next steps for “regular” users are not quite as nuanced and complex. Android users can download the free version of Malwarebytes for Android and run a scan to root out stalkerware, spyware, or other monitoring programs. If our program finds stalkerware on your device, we recommend you remove it and immediately change your device’s passcode (or create a passcode if you don’t have one).

From there, consider resetting passwords of other accounts using a clean, safe device. And moving forward, pay special attention to the applications on your device and the permissions available for each.
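The behavioral-heuristics idea described earlier (flag an app by what it is able to do rather than by a known signature) and the advice above to review each app’s permissions can both be illustrated with a small triage script. The following is an added example written for this page; it is not Malwarebytes’ detection engine and not code from any of the apps named above. It assumes the text being parsed has the shape of `adb shell dumpsys package` output (the `Package [name]` header and the `requested permissions:` / `granted=true|false` lines); the sample dump embedded below is constructed for the example, with made-up package names. The capability buckets and the flagging threshold are this example’s own choices.

```python
import re

# Capability buckets: holding any permission in a bucket gives the app that
# capability. Bucket names are this example's labels, not Android terminology.
CAPABILITIES = {
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.PROCESS_OUTGOING_CALLS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
}
# The capabilities that matter most for "is this app surveilling me?"
CORE = {"location", "messages", "calls", "audio", "camera"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return {package: set(permissions)} from dumpsys-package-style text.

    Every permission name seen inside a package block is collected (a requested
    permission counts as capability even before it is granted); a permission
    later marked granted=false is dropped again.
    """
    perms = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms.setdefault(current, set())
            continue
        if current is None:
            continue
        m = PERM_RE.match(line)
        if not m:
            continue
        name, granted = m.group(1), m.group(2)
        if granted == "false":
            perms[current].discard(name)
        else:
            perms[current].add(name)
    return perms


def capabilities(permissions):
    """Map a permission set to the capability buckets it unlocks."""
    return {cap for cap, needed in CAPABILITIES.items() if permissions & needed}


def triage(text, min_caps=3):
    """Flag apps with at least min_caps capabilities, two or more of them core.

    The threshold is deliberately conservative: a messaging app legitimately
    reads SMS and contacts, so a single bucket is never enough on its own.
    """
    report = {}
    for pkg, permissions in parse_dumpsys(text).items():
        caps = capabilities(permissions)
        report[pkg] = {
            "capabilities": sorted(caps),
            "suspicious": len(caps) >= min_caps and len(caps & CORE) >= 2,
        }
    return report


# Constructed sample in the shape of `adb shell dumpsys package` output.
# Package names are invented for this example.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.tracker] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.RECORD_AUDIO
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.INTERNET
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.RECORD_AUDIO: granted=true
  Package [com.example.messenger] (4d5e6f):
    userId=10235
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.INTERNET
  Package [com.example.flashlight] (7a8b9c):
    userId=10236
    requested permissions:
      android.permission.CAMERA
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=false
"""

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_DUMP).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{pkg:28} {flag:10} {', '.join(info['capabilities'])}")
```

On a real device the input comes from a computer the victim controls (`adb shell dumpsys package > dump.txt`), never from a phone the other party can reach. The messenger entry shows why permissions alone are only a first pass: it touches messages and contacts and is not flagged, while the tracker lights up location, messages, calls, audio and boot persistence together. A product-grade engine pairs this kind of capability scoring with the signatures described above, and still treats the result as a prompt for a human decision rather than an automatic removal.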

We don’t know the specifics of users’ relationships with their partners, and wouldn’t dare to consider advising on how to figure out who put the stalkerware on your device or whether or not to confront an individual you know is responsible. Again, this is outside of the context of domestic violence. For those who are victims of abuse, an entirely different protocol is necessary to ensure physical safety. We cannot stress that enough.

But for those who are not at risk from abusive partners, we can say this: You deserve an autonomous, free, and safe experience with technology. Whoever infringes on that is not your friend. Whether you’re a parent who wants to keep their child safe or a partner who worries the person they love is going astray, you can address these situations without destroying trust, with informed consent, and with respect for personal privacy.

In the spirit of National Cybersecurity Awareness Month, we ask that those who are not at risk of physical or emotional abuse join us in a public display of support. To increase awareness of threats lurking unknown on devices, including stalkerware, download one of our free scanners (for Android, Windows, iOS, and Mac) and upload your results to Twitter—while making sure no personally identifiable information is on display. Follow the directions below for the opportunity to win a free Premium license:

1. Install Malwarebytes on your device for free at

2. Screenshot your scan result and upload them to Twitter.

3. Tag and follow @Malwarebytes for your chance to win a Premium license.

We’ll choose the winners at the end of the week. In the meantime, stay informed, stay aware, and as always, stay safe!
