Malware Bytes Security

The Security Blog From Malwarebytes

Malwarebytes teams up with security vendors and advocacy groups to launch Coalition Against Stalkerware

4 hours 27 min ago

Today, Malwarebytes is announcing its participation in a joint effort to stop invasive digital surveillance: the Coalition Against Stalkerware.

For years, Malwarebytes has detected and warned users about the potentially dangerous capabilities of stalkerware, an invasive threat that can rob individuals of their expectation of, and right to, privacy. Just like the domestic abuse it can enable, stalkerware also proliferates away from public view, leaving its victims and survivors in isolation, unheard and unhelped.

The Coalition Against Stalkerware is the next necessary step in stopping this digital threat—a collaborative approach steered by the promise of enabling the safe use of technology for everyone, everywhere. The coalition includes representatives from cybersecurity vendors, domestic violence organizations, and the digital rights space.

Our coalition’s eight founding members are Malwarebytes, Kaspersky, G Data, National Network to End Domestic Violence, Electronic Frontier Foundation, Operation Safe Escape, WEISSER Ring, and the European Network for the Work with Perpetrators of Domestic Violence.

Already, the coalition has produced results.

In the past month, both Malwarebytes and Kaspersky shared research and intelligence on stalkerware with one another. This exchange has improved the detection rate for both our products, but more than that, it has improved the safety of users everywhere.

Further, coalition members have taken on the task of defining stalkerware and creating its detection criteria, crucial steps in empowering the cybersecurity industry to better understand this threat and how to fight it.

Finally, the coalition’s website includes information for domestic abuse survivors and advocates, including links to external resources, information about state laws, recent news articles, and survivors’ stories.

With this group, we are making a call to the broader cybersecurity industry: If you have ever made a promise to protect people, now is the time to uphold that promise. Stalkerware is a known, documented threat, and you can help stop it.

Join our fight. You’ll be in good company.

Our journey against invasive monitoring apps

In 2019, Malwarebytes began a recommitment to detecting and stopping apps that could invasively monitor users without their knowledge. These types of programs, which we classify as “monitor” or “spyware” in our product, can provide domestic abusers with a new avenue of control over their survivors’ lives, granting wrongful, unfettered access to text messages, phone calls, emails, GPS location data, and online browsing behavior.

In this effort, we’ve analyzed more than 2,500 samples of programs that had been flagged in research algorithms as potential monitoring/tracking apps or spyware. We grew our database of known monitoring/spying apps to include more than 100 applications that no other vendor detects and more than 10 that were, as of October 1, still on the Google Play Store.

Further, we’ve written multiple blogs for domestic abuse survivors and advocates on what to do if they have these types of apps on their phones, how to protect against them, and how organizations supporting victims of stalking can secure their data. In the summer, we also offered cybersecurity advice to domestic abuse advocates and survivors for the National Network to End Domestic Violence’s Technology Summit in San Francisco.

We are proud of our work, but we cannot ignore an important fact—it was not conducted in isolation.

Our blogs relied on the expertise of several domestic abuse advocates, along with the published work of researchers in intimate partner violence and digital rights. Our invitations to local community justice centers were as much about presenting as they were about learning. Our meetings with local law enforcement taught us about difficulties in collecting evidence of these invasive apps, and how domestic abusers can slip through the cracks of legal enforcement.

Every time we reached out, we learned more and we improved. With the Coalition Against Stalkerware, we hope to deepen these efforts.

The post Malwarebytes teams up with security vendors and advocacy groups to launch Coalition Against Stalkerware appeared first on Malwarebytes Labs.

Categories: Malware Bytes

A week in security (November 11 – 17)

Mon, 11/18/2019 - 11:43am

Last week on Malwarebytes Labs, we offered statistics and information on a sneaky new Trojan malware for Android, inspected a bevy of current Facebook scams, and explained the importance of securing food and agriculture infrastructure.

We also released our latest report on cybercrime tactics and techniques, offering new telemetry about the many cybersecurity threats facing the healthcare industry. You can read the full report here.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (November 11 – 17) appeared first on Malwarebytes Labs.


Stalkerware’s legal enforcement problem

Mon, 11/18/2019 - 10:47am

Content warning: This piece contains brief descriptions of domestic violence and assault against women and children.

In the past five years, only two stalkerware developers, both of whom designed, marketed, and sold tools favored by domestic abusers to pry into victims’ private lives, have faced federal consequences for their actions. Following a guilty plea in court, one was ordered to pay $500,000, and his app was subsequently shut down. The other was ordered to change his apps if he wanted to keep selling them.

The dearth of meaningful legal enforcement against stalkerware makers extends to another realm—stalkerware users. Those who install stalkerware with the intent to monitor, control, harass, or otherwise abuse their victims typically get away with it, avoiding legal penalty even if there’s plenty of evidence to suggest their guilt.

To blame is a frustrating yet human struggle that includes low awareness, police mistrust, limited law enforcement resources, scant data, furtive advertising schemes, and a criminal justice system that must rely on currently-available statutes—some decades old—to bring charges against alleged criminals who utilize a modern, evolving cyberthreat.

This is stalkerware’s legal enforcement problem. The invasive cyberthreat can be installed on unsuspecting users’ mobile devices to gain access to their text messages, emails, call logs, browser activity, GPS location, and even their microphone and camera. It is entangled deeply in cases of stalking, harassment, and assault—then muddied by its relationship with cybercrime and technology abuse, two little-understood and vastly under-resourced areas of criminal justice.

Erica Olsen, director of the Safety Net program at the National Network to End Domestic Violence (NNEDV), summed up the difficulties.

“There’s generally a lack of motivation on this issue and a consistent minimization of this type of abuse,” Olsen said. “That’s complicated further when the numbers on this type of abuse are hard to track, since many people are going the route of a factory reset or a new device, and because police either don’t have access to the forensic software to test, are unwilling to use it in these cases, or survivors don’t want to.”

She continued: “That can make it seem like this isn’t happening as much as it is.”

Large problem, limited action

In October, the US Federal Trade Commission (FTC) became the latest government body to launch a new front against stalkerware.

Following an investigation into the company Retina-X Studios and its owner, James N. Johns Jr., the FTC said it found multiple violations of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act, which prohibits businesses from deceiving their customers. The FTC’s consent agreement told a story of broken data security promises, repeated data breaches, user privacy invasions, and compromised device security.

Per the agreement with the FTC, Retina X and Johns Jr. can no longer develop, promote, or advertise their apps—PhoneSheriff, MobileSpy, and TeenSafe—unless significant changes are made to the apps’ designs and functionalities. The same restrictions apply to any stalkerware-type app that the company and its founder work on in the future. Because of limitations of the FTC Act, the FTC could not issue a fine to Retina-X and Johns Jr. on their first violation.

At the time of the settlement agreement, Electronic Frontier Foundation Cybersecurity Director Eva Galperin, a staunch advocate against stalkerware, told Business Insider: “I’ll take what I can get.”

The problem, Galperin said, is that the FTC’s settlement only precluded Retina-X and Johns Jr. from working on stalkerware apps that were not for “legitimate” purposes—an inherently flawed premise.

“There are simply no legitimate purposes for secret stalking apps,” Galperin wrote together with EFF Associate Director of Research Gennie Gebhart.

The FTC’s settlement represented a change in enforcement, though—it was the first federal action against a stalkerware maker in five years.

In 2014, the FBI indicted a man who allegedly conspired to sell and advertise the stalkerware app StealthGenie, which could, without a user’s consent, monitor their text messages and phone calls, and peer into their online browsing behavior. The man, who was then 31 years old, pleaded guilty to the charges and received a $500,000 fine. A US District Judge later permanently shut down StealthGenie’s operations.

When Malwarebytes reached out to the FBI to better understand how it is tracking stalkerware, a spokesperson said that the bureau’s Internet Crime Complaint Center, which receives complaints about app-related crimes, has not received many complaints about stalkerware itself. The spokesperson said that stalkerware could be part of complaints being made in other categories, though, like personal data breach or malware-related activities.

Though five years apart, the actions by the FBI and the FTC bear a striking similarity. The allegations against the two stalkerware developers dealt with the economics of stalkerware—selling, marketing, promoting, and advertising.

Upon the FBI’s successful prosecution of StealthGenie’s owner, then-Assistant Attorney General Leslie Caldwell affirmed this focus:

“Make no mistake: Selling spyware is a federal crime, and the Criminal Division will make a federal case out of it.”

But sometimes, the federal crime of selling stalkerware is not enough to catch everyone who makes it, said NNEDV’s Olsen.

“If you look at the language and discussion of the Stealth Genie app conviction, it was all about the marketing and the product that they were selling,” Olsen said. Unfortunately, countless stalkerware developers have changed their marketing tactics to position their products as more “family-focused” parental monitoring apps, but with the exact same, non-consensual spying capabilities. These slapdash marketing changes make it difficult for government agencies to actually catch and stop stalkerware developers, Olsen said.

“That change in their marketing makes it harder to hold them accountable because they can claim they are not responsible for people misusing or manipulating their product, but that their product is not meant to be used for illegal activity,” Olsen said.

What to do, then, if developers have faced few consequences, and an easy escape route—retooled advertising—is readily available? Easy, Olsen said. Go after the criminal users.

“If they can’t go after them for that,” Olsen said, “then the accountability has to be on the person who knowingly misused it for a criminal purpose.”

Stalkerware’s illegal uses

The legal effort to stop stalkerware users is an uphill battle. Much of that is because stalkerware itself, and the ownership of it, is not a crime.

Instead, it is how stalkerware is used that could violate various state and federal laws. Unfortunately, many of its use cases are grim, tied often into cases of domestic violence, sexual harassment, and assault.

Danielle Citron, professor of law at Boston University School of Law, wrote about stalkerware-leveraged domestic violence in her 2015 paper “Spying Inc.”:

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

When stalkerware isn’t directly tied to violence, it can still be used in several ways that break multiple federal and state laws.

For example, a domestic abuser in California who uses stalkerware to record their partner’s phone calls without their knowledge could be violating California Penal Code 632(a), which forbids recording a phone conversation without all parties consenting, along with the federal Wiretap Act. A domestic abuser in New York who uses stalkerware to track a survivor’s movements through GPS tracking could be in violation of New York state’s “Jackie’s Law.” And a domestic abuser who jailbreaks someone’s phone to install stalkerware onto the device could be in violation of the federal Computer Fraud and Abuse Act, a broad law that WhatsApp has claimed was violated by the Israeli spyware maker NSO Group.

Quite obviously, though, stalkerware use is most often bundled into complaints of stalking, cyberstalking, and online harassment—statutes that cover a gamut of illegal behavior including intimidation, harassment, and bullying that happen in real life or online.

But even when the US government receives cases that outline these crimes, the actual, successful prosecution against the alleged criminals is rare, according to data obtained by ThinkProgress.

In 2017, ThinkProgress reported that the US Department of Justice frequently failed to prosecute cyberstalking and online harassment cases from 2012 to 2016. During that time period, US Attorneys’ offices prosecuted 321 cases of online harassment and stalking, which included 41 cases for cyberstalking. Of those 41 cases, 21 resulted in convictions.

The numbers betray the reported volume of cyberstalking that was happening at the time.

According to 2016 data from the Data & Society Research Institute and the Center for Innovative Public Health Research, an astonishing 8 percent of all US Internet users had been cyberstalked at some time in their lives. Further, 14 percent of Internet users under the age of 30 reported they’d been cyberstalked, which included 20 percent of women under 30.

ThinkProgress wrote that the data it collected is not ironclad. The data represented cases in which cyberstalking or online harassment were the first charge listed in an indictment. Also, because of how the federal statute on cyberstalking is written, the prosecutions include cases in which stalking happened through more physical means, like through a phone or through the mail.

Still, when ThinkProgress showed its data to Citron, she remarked: “That’s pathetic.”

Mary Anne Franks, professor of law at the University of Miami School of Law and vice-president of the Cyber Civil Rights Initiative, echoed Citron’s statements.

“Anecdotally, we’ve definitely heard that law enforcement generally, and the FBI in particular, is not interested in the vast majority of cases,” Franks told the outlet.

The FBI, however, only investigates crimes with a federal nexus, and quite often, the potential crimes committed in tandem with the use of stalkerware break state laws, which are to be investigated by local police.

There, different obstacles arise.

Local breakdown

As we’ve seen, the federal response to stalkerware—and to cyberstalking and online harassment—is limited. Researchers claim that US Attorneys are uninterested in prosecuting charges of cyberstalking and online harassment, and federal agencies, like the FBI and FTC, have jurisdictional limits to their investigations.

But what about at the state level, where victims can work with local police, who in turn can obtain evidence of illegal behavior, and then recommend charges and prosecution to a county’s District Attorney office?

When looking at how local law enforcement agencies respond to crimes in which stalkerware could play a role, human struggles emerge, said Maureen Curtis, vice president for the criminal justice and court programs for Operation Safe Horizon. Some of those struggles include: both victim and local law enforcement not understanding how stalkerware could be used in stalking situations, difficulty in collecting strong evidence of cyberstalking, and fear that contacting the police will make the situation worse.

Curtis has worked with the New York Police Department to train countless officers on domestic violence victim safety, offender accountability, housing options, and the criminal justice response to domestic violence. She said that her office has seen a shift in stalking behavior, from a previously physical crime to one today that includes text messages, GPS tracking, and calls made from spoofed phone numbers.

It is, she said, much more “invisible,” which makes it much harder to track and much harder to find evidence on.

“When I think about domestic violence and sexual assault and the way the criminal justice responds, there are still crimes where the onus is on the victim to show they’re a victim—definitely with stalking,” Curtis said. “It can be very difficult, particularly now, when it’s more hidden and survivors don’t have the understanding of it—it leads to them not having the evidence they feel they need.”

But even when evidence is recorded, Curtis said, the reporting of this type of behavior depends on a tenuous relationship between domestic violence survivors and the police who patrol their communities.

“Some survivors don’t want criminal prosecution—they want the [violence] to stop, and they might think that contacting the police will escalate [the situation],” Curtis said. She said that many survivors also have to consider the consequences of having their abuser arrested or sent to prison.

“If the [abuser] is an immigrant, they could be deported. If they’re working, they could lose their job,” Curtis said. She said the concerns pile up for communities of color, too. “Here in New York City, if I’m a woman of color, I may be afraid of calling the police because I’m afraid what might happen to my partner. Or I fear that, if I have children, and I call the police, they may call the child welfare authority and now I have another system involved in my life.”

Unfortunately, the frustrations can continue when a survivor decides to work with law enforcement to attempt to bring charges against an individual, Curtis said, because police can recommend charges be made, but they’re not the ones to actually prosecute. That job falls to local district attorneys.

“The police can get frustrated because, even if they write someone up, the district attorney may not feel there’s enough evidence, so the police get declined prosecution, which frustrates the police department,” Curtis said. “It’s a vicious cycle.”

What to do?

In 2015, then-Democratic Senator Al Franken reintroduced a federal bill to ban the development, use, and sale of GPS-stalking apps, creating a potential legislative solution to both the creation and use of some types of stalkerware.

At the time, Sen. Franken stressed the bewildering fact that many of the apps that enabled illegal activity were, themselves, not illegal.

“[The legislation] will help a whole range of people affected by cyberstalking, including survivors of domestic violence, and it would finally outlaw unconscionable—but perfectly legal—smartphone apps that allow abusers to secretly track their victims,” Sen. Franken said.

Introduced in the Senate, the bill was referred to the Judiciary Committee, where it stalled.

When asked if federal legislation was the right path forward to solving the many issues in catching stalkerware abusers, cyberstalkers, and online harassers, Curtis said that new laws might help, but she had separate advice: Get the industry to do its part.

Years ago, Curtis’ office had an arrangement with Verizon, she said, in which Operation Safe Horizon could work with the phone provider to get a domestic abuse survivor’s phone number changed, free of charge. She also pointed to a free event at the New York City Family Justice Center, happening this year, in which Cornell University researchers are offering a “digital privacy check-up,” which includes a scan for “spyware.”

She said cybersecurity vendors could learn from that.

“I would imagine that, if there’s a way of putting malware onto a device, the people who really understand the tech can find it and get rid of it,” Curtis said.

She stressed that any company that wants to help must remember to provide its services for free, as many domestic violence survivors suffer from limited resources. The best part about companies getting involved, Curtis said, is that it provides an entirely new, separate avenue for relief:

“It will work whether you want to involve the criminal justice system or not.”

The post Stalkerware’s legal enforcement problem appeared first on Malwarebytes Labs.


Stealthy new Android malware poses as ad blocker, serves up ads instead

Thu, 11/14/2019 - 2:51pm

Since its discovery less than a month ago, a new Trojan malware for Android we detect as Android/Trojan.FakeAdsBlock has already been seen on over 500 devices, and it’s on the rise. This nasty piece of mobile malware cleverly hides itself on Android devices while serving up a host of advertisements: full-page ads, ads delivered when opening the default browser, ads in the notifications, and even ads via home screen widget. All while, ironically, posing as an ad blocker vaguely named Ads Blocker.

Upon installation: trouble

Diving right into this mobile threat, let’s look at its ease of infection. Immediately upon installation, it asks for Allow display over other apps rights.

This is, of course, so it can display all the ads it serves.

After that, the app opens and asks for a Connection request to “set up a VPN connection that allows it to monitor network traffic.” Establishing a VPN connection is not unusual for an ad blocker, so why wouldn’t you click OK?

To clarify, the app doesn’t actually connect to any VPN. Instead, by clicking OK, users actually allow the malware to run in the background at all times.

Next up is a request to add a home screen widget.

This is where things get suspicious. The added widget is nowhere to be found. On my test device, it added the widget to a new home screen page.  Good luck finding and/or clicking it though.

The fake ad blocker then outputs some jargon to make it look legit.

Take a good look, because this will most likely be the last time you’ll see this supposed ad blocker if you are one of the many unfortunate victims of its infection.

Extreme stealth

Ads Blocker is inordinately hard to find on the mobile device once installed. To start, there is no icon for Ads Blocker. However, there are some hints of its existence, for example, a small key icon in the status bar.

This key icon was created after accepting the fake VPN connection message, as shown above. As a result, this small key is proof that the malware is running in the background.

Although hard to spot, another clue is a blank white notification box hidden in plain sight.

Warning: If you happen to press this blank notification, it will ask permission to Install unknown apps with a toggle button to Allow from this source. In this case, the source is the malware, and clicking on it could allow for the capability to install even more malware.

If you try to find Ads Blocker on the App info page on your mobile device to remove manually, it once again hides itself with a blank white box.

Luckily, it can’t hide the app storage used, so the floating 6.57 MB figure shown above can assist in finding it. Unless you spot this app storage number and figure out which app it belongs to (by process of elimination), you won’t be able to remove Ads Blocker from your device.
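The traits described above (overlay permission, a fake VpnService, an app widget, no launcher icon, a blank label, and the "Install unknown apps" prompt) are all visible statically in an APK's manifest. The following triage helper is an added example, not Malwarebytes' code or anything from the sample; it assumes the manifest has already been decoded to XML (for instance with apktool), and the manifest it parses is constructed for illustration. A VpnService or overlay permission is legitimate in a real ad blocker, so treat the output as a triage signal to be weighed together, not a verdict.

```python
"""Static triage of a decoded AndroidManifest.xml for the hiding and
ad-serving traits described above. Added example; the sample manifest
is constructed, not taken from the Ads Blocker sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, name):
    """Read an android:-namespaced attribute (android:name, android:label, ...)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml):
    """Return a dict of the traits found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    f = {
        "package": root.get("package"),
        "requests_overlay": False,           # "Allow display over other apps"
        "requests_install_packages": False,  # "Install unknown apps" toggle
        "declares_vpn_service": False,       # the fake "VPN connection" prompt
        "declares_widget": False,            # invisible home-screen widget
        "has_launcher_activity": False,      # False => no icon in the app drawer
        "blank_literal_label": False,        # literal blank label; @string refs need resolving
    }
    for perm in root.findall("uses-permission"):
        name = _a(perm, "name")
        if name == "android.permission.SYSTEM_ALERT_WINDOW":
            f["requests_overlay"] = True
        elif name == "android.permission.REQUEST_INSTALL_PACKAGES":
            f["requests_install_packages"] = True
    if app is None:
        return f
    label = _a(app, "label")
    f["blank_literal_label"] = label is not None and not label.strip()
    for svc in app.findall("service"):
        # A VpnService is bound with BIND_VPN_SERVICE and filters android.net.VpnService.
        actions = {_a(x, "name") for x in svc.iter("action")}
        if (_a(svc, "permission") == "android.permission.BIND_VPN_SERVICE"
                or "android.net.VpnService" in actions):
            f["declares_vpn_service"] = True
    for rcv in app.findall("receiver"):
        # App widgets are receivers for APPWIDGET_UPDATE.
        if any(_a(x, "name") == "android.appwidget.action.APPWIDGET_UPDATE"
               for x in rcv.iter("action")):
            f["declares_widget"] = True
    # Launcher icons can hang off an activity or an activity-alias.
    for act in app.findall("activity") + app.findall("activity-alias"):
        if any(_a(x, "name") == "android.intent.category.LAUNCHER"
               for x in act.iter("category")):
            f["has_launcher_activity"] = True
    return f


def suspicious_traits(f):
    """Human-readable list of the traits matching the behaviour described above."""
    hits = []
    if f["requests_overlay"]:
        hits.append("overlay permission (full-page ads over other apps)")
    if f["declares_vpn_service"]:
        hits.append("VpnService (persistent background process, key icon in status bar)")
    if f["declares_widget"]:
        hits.append("app widget (ads via home-screen widget)")
    if not f["has_launcher_activity"]:
        hits.append("no launcher activity (no icon in the app drawer)")
    if f["blank_literal_label"]:
        hits.append("blank app label (blank entry in App info)")
    if f["requests_install_packages"]:
        hits.append("REQUEST_INSTALL_PACKAGES (can prompt to install more apps)")
    return hits


# Constructed sample manifest (hypothetical package name) showing every trait at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.adsblocker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label=" ">
    <activity android:name=".SetupActivity"/>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <receiver android:name=".AdWidget">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found["package"])
    for line in suspicious_traits(found):
        print(" -", line)
```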

Android malware digs in its fangs

This Android malware is absolutely relentless in its ad-serving capabilities and frequency. As a matter of fact, while writing this blog, it served up numerous ads on my test device at a frequency of about once every couple minutes. In addition, the ads were displayed using a variety of different methods.

For instance, it starts with the basic full-page ad:

In addition, it offers ads in the notifications:

Oh look, it wants to send ads through the default web browser:

Last, remember the request to add a widget to the home screen that seemed to be invisible? Invisible widget presents: even more ads.

The ads themselves cover a wide variety of content, and some are quite unsavory—certainly not what you want to see on your mobile device.

Infections on the rise

Needless to say, this stealthy Android malware that plasters users with vulgar ads is not what folks are looking for when they download an ad blocker. Unfortunately, we have already counted over 500 detections of Android/Trojan.FakeAdsBlock. Moreover, we collected over 1,800 samples in our Mobile Intelligence System of FakeAdsBlock, leading us to believe that infection rates are quite high. On the positive side, Malwarebytes for Android removed more than 500 infections that are otherwise exceedingly difficult to remove manually.

Source of infection

It is unclear exactly where this Android malware is coming from. The most compelling evidence we have is based on VirusTotal submission data, which suggests the infection is spreading in the United States. Most likely, users are downloading the app from third-party app store(s) looking for a legitimate ad blocker, but are unknowingly installing this malware instead.

Moreover, from the filenames of several submissions, such as Hulk (2003).apk, Guardians of the Galaxy.apk, and Joker (2019).apk, there’s also a connection with a bogus movie app store as another possible source of infection.

Additional evidence demonstrates the Android malware might also be spreading in European countries such as France and Germany. A forum post was created on the French version of regarding Ads Blocker, and a German filename was submitted to VirusTotal.

A new breed of mobile malware

A new breed of stealthy mobile malware is clearly on the uptick. Back in August, we wrote about the hidden mobile malware xHelper, which we detect as Android/Trojan.Dropper.xHelper. At that time, xHelper had already been removed from 33,000 mobile devices—and the numbers continue to grow. Ads Blocker is even more stealthy and could easily reach the same rate of infection.

You can call it shameless plugging if you like, but this trend of stealthy Android malware highlights the necessity of a good mobile anti-malware scanner, like Malwarebytes. With more and more users turning to their mobile phones for banking, shopping, storing health data, emailing, and other sensitive, yet important functions, protecting against mobile malware has become paramount. Beware of third-party app stores, yes, but have backup in case apps like Ads Blocker have you fooled.

Stay safe out there!

The post Stealthy new Android malware poses as ad blocker, serves up ads instead appeared first on Malwarebytes Labs.


Labs report finds cyberthreats against healthcare increasing while security circles the drain

Wed, 11/13/2019 - 8:00am

The team at Malwarebytes Labs is at it again, this time with a special edition of our quarterly CTNT report—Cybercrime tactics and techniques: the 2019 state of healthcare. Over the last year, we gathered global data from our product telemetry, honeypots, threat intelligence, and research efforts, focusing on the top threat categories and families that plagued the medical industry, as well as the most common attack vectors used by cybercriminals to penetrate healthcare defenses.

What we found is that healthcare-targeted cybercrime is a growing sector, with threats increasing in volume and severity while highly-valuable patient data remains unguarded. With a combination of unsecured electronic healthcare records (EHR) spread over a broad attack surface, cybercriminals are cashing in on industry negligence, exploiting vulnerabilities in unpatched legacy software and social engineering unaware hospital staff into opening malicious emails—inviting infections into the very halls constructed to beat them.

Our report explores the security challenges inherent to all healthcare organizations, from small private practices to enterprise HMOs, as well as the devastating consequences of criminal infiltration on patient care. Finally, we look ahead to innovations in biotech and the need to consider security in their design and implementation.

Key takeaways: the 2019 state of healthcare

Some of the key takeaways from our report:

  • The medical sector is currently ranked as the seventh-most targeted global industry according to Malwarebytes telemetry gathered from October 2018 through September 2019.
  • Threat detections have increased for this vertical from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45 percent.
  • The medical industry is overwhelmingly targeted by Trojan malware, which increased by 82 percent in Q3 2019 over the previous quarter.
  • While Emotet detections surged at the beginning of 2019, TrickBot took over in the second half as the number one threat to healthcare today.
  • The healthcare industry is a target for cybercriminals for several reasons, including their large databases of EHRs, lack of sophisticated security model, and high number of endpoints and other devices connected to the network.
  • Consequences of a breach for the medical industry far outweigh any other organization, as stolen or modified patient data can put a stop to critical procedures, and devices locked out due to ransomware attack can result in halted operations—and sometimes even patient death.
  • New innovations in biotech, including cloud-based biometrics, genetic research, and even advances in prosthetics could broaden the attack surface on healthcare and result in far-reaching, dire outcomes if security isn’t baked into their design and implementation.

To learn more about the cyberthreats facing healthcare and our recommendations for improving the industry’s security posture, read the full report:

Cybercrime tactics and techniques: the 2019 state of healthcare

The post Labs report finds cyberthreats against healthcare increasing while security circles the drain appeared first on Malwarebytes Labs.


Vital infrastructure: securing our food and agriculture

Tue, 11/12/2019 - 3:06pm

I don’t expect to hear any arguments on whether the production of our food is important or not. So why do we hardly ever hear anything about the cybersecurity in the food and agriculture sector?

Depending on the country, agriculture makes up about 5 percent of the gross domestic product. That percentage is even bigger in less industrial countries. That amounts to a lot of money. And that’s just agriculture. For every farmer, 10 others are employed in related food businesses.

In fact, the food and agriculture sector is made up of many different contributors—from farmers to restaurants to supermarkets and almost every imaginable step in between. They range in size from a single sheepherder to multinational corporations like Bayer and Monsanto.

With a growing population and a diminishing amount of space for agriculture, the sector has grown to rely on more advanced techniques to meet the growing demands for agricultural products. And these techniques rely on secure technology to function.

Precision agriculture

Precision agriculture is an advanced form of agriculture, and as such, it uses a lot of connected technology. This basically puts it in the same risk category as household IoT devices. When looking at these devices from a security standpoint, it doesn’t matter a whole lot whether you are dealing with a web printer or a milking machine.

The connected technologies that are in use in agriculture mostly rely on remote sensing, global positioning systems, and communication systems to generate big data, analytics, and machine learning.

The main threats to this type of technology are denial-of-service attacks and data theft. With limited availability of bandwidth in some rural areas, communication loss may be caused by factors other than a cyberattack, which makes it all the more important to have something to fall back on.

Data protection and data recovery are different entities but so closely related that solutions need to account for both. Data protection mostly comes down to management tools, encryption, and access control. Recovery requires backups or roll-back technology; backups are easy to deploy, but they require the same protection as the original data.

Supply chain

The supply chain for our food is variable, ranging from farmer’s supplies to the supermarket where we buy our food. Depending on the type of food, the chain can be extremely short (farm-to-table) or quite long. You may find a pharmaceutical giant like Bayer as a supplier for a farmer, but also as a manufacturer that gets its raw materials from farmers. Recently, Bayer was the victim of a cyberattack, which was likely aimed at industrial espionage.

Given the sensitive nature of the food supply chain which directly influences our health and happiness, it is only natural that we want to control the security of every step in the process. In order to do so, we look at suppliers other than those of physical goods and systems.

Financial institutions, for example, are heavily invested in agriculture, since it is one of the largest verticals. Back in 2012, a hacking group installed a Remote Access Trojan (RAT) on the computer of an insurance agent and used it to gain access to and steal reports and documents related to sales agents, as well as thousands of sent and received emails and passwords from Farmers Insurance.

Traceability across the supply chain is increasingly in demand by the public and sellers of the end-products. They want to know not only where the ingredients or produce came from, but when the crop was harvested and how they were grown and treated before they ended up on stores’ shelves.

Physical protection

Besides disrupting the industry supply chain, cyberattacks could potentially be used to harm consumers or the environment. An outbreak of a disease and the consequent fear of contamination could devastate a food processor or distributor.

Given the number of producers and their spread across the country, a nationwide attack as an act of war or terrorism seems farfetched. But sometimes undermining the trust of the population in the quality of certain products can serve as a method to spread unrest and insecurity.

We have seen such attacks against supermarkets where a threat actor threatens to poison a product unless the owner pays up. In Germany, for example, a man slipped a potentially lethal poison into baby food on sale in some German supermarkets in an extortion scheme aimed at raising millions of Euros.

In Mexico, a drug cartel used government information about one of the most lucrative crops, avocado, to calculate how much “protection money” they could ask of its farmers, implying they would kidnap family members if they didn’t pay.

Cybersecurity for food

In the food and agriculture sector, cybersecurity has never been a prominent point of attention. But you can expect the technology used in precision agriculture to become a target of cybercriminals, especially if resources become more precious. Whether they would hold a system hostage until the farmer pays or whether they would abuse connected devices in a DDoS attack, cybercriminals could take advantage of lax security measures if the industry doesn’t sit up and take notice.

The use of big data to enhance production and revenue makes sense, but with the use of big data comes the risk of data corruption or theft.

Meanwhile, the food and agriculture sector operates in chains and is dependent on other organizations in the chain or on third parties. What is true for any chain is that it is only as strong as its weakest link, which in this case tends to be single farmers or small businesses. And as in most sectors, budgets of small businesses are tight, and cybersecurity is somewhere near the bottom of the list in spending, even though an attack on expensive farming equipment could be costly, not to mention shutting a company down for a while in a ransomware-type attack.

You’ve got that backwards

As the farming equipment industry has no problem forcing farmers to have their maintenance done by authorized dealers, farmers have resorted to installing firmware of questionable origin on their tractors to avoid paying top dollar for repairs and maintenance. This opens up a whole new avenue for cybercriminals to get their malware installed by the victims themselves. Apparently, all you have to do is offer it up as John Deere firmware on an online forum. You can even get paid for selling the software and then collect a ransom to get the tractor operational again as a bonus.


While farmers are renowned for cooperating when buying and selling goods, and for exchanging information about illnesses and diseases, there is no such initiative when it comes to sharing information about cyberthreats and how to thwart them. Setting up such an initiative might be a first step in the right direction.

In our society, being able to trace where a product or its ingredients came from is becoming more important. Implementing that traceability could be an ideal moment to couple it with data security.

For the same reason as with household IoT devices, manufacturers should be held accountable for providing an acceptable level of security, or the possibility to apply such a level, in their products: no hardcoded credentials, hard-to-change passwords, or weak default security settings.

Stay safe everyone!



Facebook scams: Bad ads, bogus grants, and fake tickets lurk on social media giant

Mon, 11/11/2019 - 1:27pm

We recently highlighted new steps Instagram is taking to try and clamp down on scammers sending fake messages on their platform. It turns out, other social media giants are walking a similar path for a variety of bogus ads and other attacks. Facebook scams in particular have taken off, despite the company’s efforts to stamp them out.

Facebook is now extending a rollout of their bogus ad reporting tool to Australia, after a variety of popular Australian celebrities kept appearing in fake ads. Regular readers may remember the genesis of this reporting tool being a similar incident in the UK involving popular consumer advice expert Martin Lewis.

Facebook’s ad reporting tool will allow Australian users to flag dodgy investment schemes or hard-to-cancel product trials—this alongside the corporation’s claims to have already shut down some 2.2 billion fake accounts worldwide.

While this is certainly welcome news for users of the social media platform, there’s still an awful lot of bad ads currently in circulation outside of these fake offers and adverts. Below, we’ll lead you through some of the more popular and current Facebook scams, such as efforts to hijack your social media account, swipe personal information, and of course, part you from your money.

Rogue ad campaigns

Scammers will happily compromise social media accounts, and then use them to purchase thousands of dollars of ad space before they can be shut down. In the examples given, one victim only had the ad campaign shut down because his credit card expired—else he feared he’d have been hit by $10,000 in credit card debt. Another had adverts running for about $1,550 per day until notified by PayPal. Ironically, one of the victims runs a business focused on privacy-themed adverts.

Some of the bogus ads listed certain items at such a cheap price that it looked as though there had to be a pricing error of some sort. This is a common tactic going back many years, but the twist here is that the landing pages contained credit card skimmers, so anyone paying up for a bargain had their payment details swiped instead.

Concert ticket fakeouts

Facebook is a popular place for some social event wheeling and dealing, especially in dedicated groups and fan pages. It turns out fake messages advertising non-existent tickets are also, sadly, quite popular.

Here’s how it works: Facebook scammers wait for an event coming up, the smaller the better to fly under the radar. At this point, they cut and paste the same bogus “I have free tickets but I can’t make it” message and wait for the replies to come flooding in. They’ll list the typical reasons why they can’t go: “I’m out of town”, “I’m undergoing surgery”, or “there’s a family emergency.”

If you spend enough time digging around, you’ll likely see the same cut and paste missive posted by multiple, supposedly independent accounts. One quick dubious money transfer later and you’ll be out of pocket with no tickets to show for it. Keeping track of event organiser pages when looking for tickets is a must to ensure you don’t fall for the same scam.

Clones, messenger grant scams, and lottery shenanigans

The old problem of “cloned” accounts rears its ugly head once more. Cloning happens when a scammer can’t gain control of a genuine social media account, so they do the next best thing—steal the photo, the bio, and any other pertinent information to replicate the real thing. From there, they try to social engineer their way into the victim’s bank balance.

The smartest part about these Facebook scams is the cloning and mapping out of potential contacts to try and trick. After that, tactics fall back to the more mundane. Scammers will message contacts with “I’ve been in an accident and need help” or “I’m overseas and have lost my wallet” pleas for help. In this case, “A grant is available” is a commonplace and quite an old technique. The current keywords to set off alarm bells include gift cards, world bank, and grants. If you see any of those suddenly dropped into a conversation, it’s almost certainly going to be a scam.

If in doubt, check that the person talking to you is actually in your friends list—clones won’t be. Additionally, if it is genuinely your friend that doesn’t mean the danger is over. What it actually means is that they were probably compromised and don’t know about it. In both cases, find an alternate means to get in touch and verify the who, what, when, where, and why.

Lottery messenger scams work along similar lines. They claim you’ve won a prize, but once you’ve contacted a third party to claim your winnings, you’ll find you need to send them money for a variety of not quite plausible reasons. Often, the profiles telling you that you’ve won will imitate Mark Zuckerberg.

Don’t get fooled on Facebook

Looping back around to our initial fake Facebook ad problem, you can read a little more about how they operate under the hood over on BuzzFeed. We’ve covered many Facebook fakeouts down the years, our most recent being the wave of bogus Ellen profiles pushing movie streaming services.

The good news is that most, if not all, of these Facebook scams have been done before. If you’re not sure, a quick search will reveal prior examples covered on news sites, security blogs, or forum posts.

Always be cautious, remember the old “if it’s too good to be true, it probably is” routine, and keep yourself scam free on social media.



A week in security (November 4 – November 10)

Mon, 11/11/2019 - 11:38am

Last week on Malwarebytes Labs, we announced the launch of Malwarebytes 4.0, tackled data privacy legislation, and explored some of the ways robocalls come gunning for your data and your money. We also laid out the steps involved in popular vendor email compromise attacks.

Other cybersecurity news
  • Bug bounty bonanza: Rockstar Games open up their bounty program to include the newly-released Red Dead Redemption 2 on PC. (Source: The Daily Swig)
  • The fake news problem: A study shows it’s bad news for people thinking they can avoid bogus information on social networking portals. (Source: Help Net Security)
  • On trial for hacking…yourself? A very confusing story involving a judge, their office computer, and a lesson learned in workplace computer forensics. (Source: The Register)
  • Who’s there? A security flaw: an Internet-connected doorbell causes headaches for owners. (Source: CyberScoop)
  • More fake ads on Facebook: An old scam returns to imitate the BBC and fool eager clickers. (Source: Naked Security)
  • Social media spy games: An ex-Twitter employee stands accused of spying for Saudi Arabia. (Source: Reuters)
  • Cities power down: Johannesburg up and running after a cyberattack. (Source: BusinessTech)
  • Sextortion attacks still causing trouble: A new report claims these insidious scams are still bringing grief to the masses. (Source: Tricity news)
  • Space-based infosec: If you were wondering how space factors into the US national cyber strategy, then this article will probably be helpful. (Source: Fifth Domain)

Stay safe, everyone!



Not us, YOU: vendor email compromise explained

Thu, 11/07/2019 - 4:49pm

Silent Starling, an online organized criminal group hailing from West Africa, seems to have reminded SMBs and enterprises alike of the perils of business email compromise (BEC) scams once more. This time, they’ve advanced BEC into a more potent modality by widening the scope of its potential targets and methodically preparing for the attack, from timing to execution. Thus, vendor email compromise (VEC) is born.

As you may recall, BEC is a form of targeted social engineering attack against institutions that baits certain staff members—usually a CFO or those in the finance, payroll, and human resources departments—who either have access to company monetary accounts or the power to make financial decisions.

A BEC campaign always starts off with an email, either a phishing email or a spoofed one. Some BEC scams want money from the get-go, while others are more interested in sensitive information, such as W-2 forms.

BEC is remarkably effective at ensnaring victims. Although it may seem like mere trickery, an impressive level of sophistication is actually put into these campaigns to succeed. In fact, a typical BEC campaign so closely follows the kill chain framework used by advanced persistent threats (APTs) that it is deemed APT-like. As such, BEC deserves attention worthy of an APT attack.

So if BEC is already sophisticated enough to warrant APT-level protection, where does that leave businesses hit by vendor email compromise?

BEC changes targets and gets a new name?

Before we launch into the logistics of how to protect against VEC, let’s rewind and unpack naming conventions.

It’s true that scam campaigns change targets all the time and, on occasion, in a heartbeat. But this particular scam evolution is quite unconventional, because the amount of resources required to pull off a highly successful VEC attack is easily quadruple that of a traditional BEC scam. To look at it another way, threat actors have introduced more friction into their operation instead of removing or minimizing it. However, they’ve also opened up the capacity to inflict far more damage to the target organization and to businesses worldwide.

While a typical BEC campaign baits one staff member at-a-time to extract money from a targeted organization, a VEC scam doesn’t go after a company for their money. Instead, VEC scammers look to leverage organizations against their own suppliers.

It’s typical for global brands to have hundreds of thousands of suppliers around the world. Procter & Gamble, for example, has at least 50,000 company partners. This translates to at least 50,000 potential victims if VEC scammers can get a foothold in Procter & Gamble’s systems. And these aren’t 50,000 individuals—it’s 50,000 organizations open to compromise.

This seems like a surefire money-making scheme, but it costs VEC scam operatives much more time and effort to sift through and study communication patterns based on thousands of current and archived email correspondences between the target business and their supply chain.

Okay, now I’m listening. How does VEC work?

According to the Agari Cyber Intelligence Division (ACID), the cybersecurity body that has been engaging with Silent Starling for some time and recently put out a dossier about the group, the VEC attack chain this scam group follows is made up of three key phases.

  • Intrusion. This is where scammers attempt to compromise business email accounts of vendors in a variety of ways, such as phishing. Once successful, scammers move to phase two.
  • Reconnaissance. This is where scammers sit tight and go on “active waiting” mode. While doing so, they gather intel by sifting through archived emails, which may number in the thousands, and create email forwarding and/or redirect rules on the compromised accounts to have copies sent to email accounts the scammers control. They take note of dates so they know the timing, billing practices, the look of recognized official documents, or other information they can use for the success of the attack.
  • Actions on objectives. This is where they launch the VEC attack. The scammer/impersonator makes sure that they are contacting the right person in the targeted supplier company; the email content they create has high fidelity, meaning that it closely resembles typical vendor wording and communication style; and the timing is as consistent as possible with previous correspondence. Doing these checks and balances makes VEC exceedingly difficult to detect.

We’d like to add that reconnaissance also happens before the intrusion phase, in which VEC scammers gather intel on companies they want to target, particularly those whose accounts they can attempt to compromise.
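The reconnaissance phase above hinges on forwarding or redirect rules planted in the compromised vendor mailbox, which is also where a defender can catch it: those rules are visible in the mail platform’s rule inventory long before the fraudulent invoice is ever sent. The Python below is an added example, not code from Malwarebytes or Agari, that reviews a list of mailbox rules and flags any that copy mail to an address outside the organization’s own domains. The record field names, the domains, and the sample rules are all constructed for the example rather than taken from any vendor’s audit-log format.

```python
# Added example: flag mailbox rules that quietly copy mail to outside addresses,
# the reconnaissance foothold described above. Record fields and sample values
# are constructed for this example; they are not any vendor's audit-log schema.

ORG_DOMAINS = {"acme-supplier.example"}          # assumed organisation domains
FORWARDING_ACTIONS = {"forward", "redirect", "forward_as_attachment"}

# Constructed rule records, as a mail platform's rule export might list them.
SAMPLE_RULES = [
    {"mailbox": "ap@acme-supplier.example", "rule": "Invoices to folder",
     "action": "move", "target": "Invoices"},
    {"mailbox": "ap@acme-supplier.example", "rule": ".",
     "action": "forward", "target": "billing.acme@freemail.example"},
    {"mailbox": "sales@acme-supplier.example", "rule": "Copy to team",
     "action": "forward", "target": "sales-team@acme-supplier.example"},
    {"mailbox": "cfo@acme-supplier.example", "rule": "Archive",
     "action": "redirect", "target": "cfo@acme-supplier-example.com"},
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, org_domains: set) -> bool:
    """True when the address is neither an org domain nor a subdomain of one."""
    dom = domain_of(address)
    return not any(dom == od or dom.endswith("." + od) for od in org_domains)


def resembles_org_domain(address: str, org_domains: set) -> bool:
    """Crude lookalike check: the org's first label appears inside the target domain."""
    dom = domain_of(address)
    return any(od.split(".")[0] in dom for od in org_domains)


def suspicious_rules(rules, org_domains):
    """Return one finding per rule that copies mail outside the organisation."""
    findings = []
    for rule in rules:
        if rule["action"] not in FORWARDING_ACTIONS:
            continue                      # moves and deletes are out of scope here
        reasons = []
        if is_external(rule["target"], org_domains):
            reasons.append("forwards to an address outside the organisation")
            if resembles_org_domain(rule["target"], org_domains):
                reasons.append("target domain resembles the organisation's own")
        if len(rule["rule"].strip()) <= 1:
            # Heuristic: takeover rules are often given a throwaway one-character name
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["rule"],
                             "target": rule["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES, ORG_DOMAINS):
        print(f"{f['mailbox']}: rule {f['rule']!r} -> {f['target']}: "
              + "; ".join(f["reasons"]))
```

Run against the constructed rules, the internal copy to the sales team is left alone, while the forward to a free-mail address and the redirect to a lookalike domain are both reported. In practice the input would be the rule export from the mail platform, reviewed on a schedule and every time a new forwarding rule is created, since the rule itself is the earliest durable artifact of the takeover.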

How can business owners protect against VEC and BEC?

Business owners should address these types of online threats before they happen, while they are happening, and after they happen.


Remember that scams—these included—target people. In particular, they take advantage of what your people don’t know. That said, awareness of the existence of VEC, BEC, and other account takeover campaigns should be the first order of business.

Organizations must ensure that all members of staff, from newly hired and contract employees to the CEO, have at least background knowledge of what these scams are, how they work, what the scam emails look like, who the key persons in the company are that threat actors would target, and what those key persons can do if or when they receive a suspicious email.

Furthermore, it pays to familiarize employees with proper business procedures on how funds and/or sensitive information should be requested.

Policies and procedures for business conducted over email should be in place, if they aren’t already. Organizations can build these around the assumption that the requesting party is not who they claim to be until they have been verified. Think of it as an internal two-step verification process. This can be as simple as calling the boss or supplier using the contact number on record, or requiring another person to authorize the request.

Also consider including a “no last-minute urgent fund request” from higher ups. If this is unavoidable for some reason, a rigorous verification process must be in place and upheld in the event of such a request. The higher up making the request must know the process and expect to undergo it.


It’s possible for highly-sophisticated scams to tick all the verification boxes—until they don’t. Remember that in these particular scams, there will always be something different that will stand out. It could be the sender’s name, signature, or the email address itself, but usually it’s the sudden change in account details that raises the alarm. Heed this alarm and call the supplier or vendor making the financial request—a video call would be ideal if possible—to confirm once more if they have submitted the request.


In the event that fraud is discovered after the financial request is fulfilled, begin the recovery process right away. Call your bank and request that they talk to the bank where the transfer was sent. If your business is insured, call your insurers and company shareholders. Lastly, reach out to local law enforcement and the FBI.

While things may be chaotic at this point, organizations must remember to document everything that has happened while gathering evidence. This is information that is not only essential during investigations but can also be used as material for training employees. It may not seem like it, but successful cyber and scam attacks are invaluable experiences organizations can learn from.

Furthermore, assess if sensitive information has been stolen as well. If so, mitigate according to the type of information stolen so that it can never be used to harm the company, its assets, and its people.

Lastly, if your company is not using one (or some) already, consider investing in security tools with advanced configuration options that could detect and nip BEC and VEC scams in the bud. Such technologies include email authentication technologies, like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC).
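Of the three technologies named above, SPF and DMARC are published as DNS TXT records that anyone can inspect, and a weak record is about as common as a missing one. The Python below is an added example, not Malwarebytes’ code, that checks constructed records for the settings that most often make them ineffective: a permissive or neutral SPF ending, too many DNS lookups, a monitor-only DMARC policy, a partial pct, and no reporting address. The record contents and the example.net/example.org names are assumptions; a real check would first fetch the TXT records for the domain.

```python
# Added example: sanity-check the SPF and DMARC records a domain publishes.
# The records below are constructed for the example, not real DNS data.

# Constructed records: a weak pair and a stronger pair.
WEAK_SPF = "v=spf1 include:_spf.example.net mx ?all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s"

# SPF terms that each consume one of the 10 permitted DNS lookups (RFC 7208, 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: str):
    """Return a list of weaknesses found in an SPF TXT record (empty = no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        issues.append("+all authorises any sender; the record is useless")
    elif last == "?all":
        issues.append("?all is neutral; receivers treat it like no policy")
    elif last == "~all":
        issues.append("~all is softfail; only DMARC turns it into a rejection")
    elif last != "-all":
        issues.append("record does not end in an 'all' mechanism")
    lookups = 0
    for term in terms[1:]:
        # strip qualifier, then the argument after ':' or '=' and any CIDR suffix
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10; SPF evaluates to permerror")
    return issues


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' DMARC syntax into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str):
    """Return a list of weaknesses in a DMARC TXT record (empty = no findings)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required p= tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address; you will not see who is spoofing the domain")
    return issues


if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(f"{label}: {check(record) or ['no findings']}")
```

One caveat belongs next to these records: SPF, DKIM, and DMARC authenticate the sending domain, so they stop a scammer from spoofing a vendor’s domain or sneaking in a lookalike, but a request sent from a genuinely compromised vendor mailbox, which is exactly the VEC case, passes all three checks. That is why the out-of-band verification steps above still apply even with a strict p=reject policy in place.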

Stay safe!



Here are the most popular robocall scams and how to avoid them

Wed, 11/06/2019 - 1:52pm

We recently examined how robocall scams are a serious threat to privacy, alongside the astonishing rate at which their volume continues to increase. Forty-three billion calls in 2019 with an average of 131 calls per person in the US alone is not something to be sniffed at. No matter how careful you are with your number, no matter which security measures you take, it can all be undone with one leaked database—then you’re on another list, forever.

Despite all precautions, it’s sadly inevitable that you’ll eventually wind up on a robocalling list or two. Then it’s a case of limiting damage and endless number blocking. Automated dialing ensures they’ll never, ever get tired of calling you unless you take some preventative action.

This week, we’re going to look at some specific examples of robocalls, the types of threats they present, and what’s at stake, including loss of privacy, finances, or even both simultaneously.

Can we listen to some robocall recordings?

You sure can.

A writer for Marketplace decided to take some of these robocalls instead of simply hanging up to see what kind of scam was on offer, and recorded portions of the calls. If you ever wanted to hear an authentic Chinese robocall scam in action, then today’s your lucky day.

Some of the call introductions are quite inventive. As always, there’s the faintest whiff that you may have done something wrong…maybe…and even if you didn’t, your details may be in the hands of criminals. You’d want to get that sorted out as soon as possible, especially if the nice person at the bank is telling you to do so. Right?

As far as specifics go, tactics involve:

  • Claiming your information was on debit cards sold illegally
  • Claiming your identity has been stolen
  • Claiming irregular activity has been flagged on your bank account

As with many similar scams, fraudsters are hoping potential victims are so rattled by these claims that they won’t notice they’re being primed for information. Why would a bank or similar institution ask you to confirm your name without volunteering it themselves? The answer, of course, is that they don’t have it and can’t address you unless you tell them first.

It’s a basic slice of cold reading, frequently deployed by con artists and tricksters who’d rather you just hand over what they need so they can turn it back on you.

Robocall scams targeting Chinese students

As demonstrated in the Marketplace article, there’s a solid wave of Chinese language robocalls right now, something which seems to have begun in earnest around two years ago. While the calls emulate the most common robocall tactics—fake caller ID, spoofing a trusted business entity, leaving a short automated message hoping you’ll press a specific number on your phone—they deploy some additional measures designed to bait, harass, and worry Chinese targets as much as possible. 

Last month, I looked at how mainland China–based scammers are targeting Chinese students in the UK with threats of deportation. Focusing on immigration status, alongside mentions of embassies and potential legal trouble all make an unwelcome reappearance in US robocalls. Students once again have become popular targets, whether resident in the United States or simply visiting. Fraudsters even make use of text and send potential victims sensitive information about themselves, such as passport scans—just like the international student attacks in the UK.

It’s not just happening in the US; the same tactics exploded into life in Australia in May 2018, with threatening calls supposedly coming from the Chinese embassy in Canberra.

Press 1 to perform a fake kidnapping

Possibly the most extreme version of robocall scams involves staged kidnappings. After the standard “You’re in trouble” robocall messages, things take a sharp turn into the surreal as scammers convince people to take photos of themselves as if they’ve been kidnapped, before sending said imagery to other relatives who’ll be told they need to pay a ransom. People don’t want their relatives falling foul to terrible kidnappers, so of course it’s pretty much game over in the “will they, won’t they” pay up stakes.

Is that really Apple robocalling you?

Another popular robocall tactic involves spoofing the geniuses at Apple. On October 31, Missouri Attorney General Eric Schmitt put out an alert regarding robocalls where the scammers pretend to be Apple support. You know all those endless, awful fake Apple emails clogging up your inbox on a daily basis? They’re down the other end of your telephone now, hunting for personal information and money.

The recorded message plays out like this:

This is Molly from Apple Support. We have found some suspicious activity in your iCloud account, that your iCloud account has been breached. Before using any Apple device please contact an apple support advisor

They even leave a phone number you can dial later if you don’t have time to process the robocall when they ring you.

Robocall SSN scams

It seems there’s something in the air at the moment, because the IRS warned of Social Security Number robocall scams making the rounds on October 24. These aren’t people pretending to be embassies; they’re more akin to those Facebook viral chain hoaxes where talented hackers will delete your profile by a certain date unless you repost their message.

Here, they’re threatening to wipe your SSN unless you address a fictitious unpaid tax bill. As per their own advice, neither the IRS nor their collection agencies will ever:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, iTunes gift card or wire transfer. The IRS does not use these methods for tax payments.

  • Ask a taxpayer to make a payment to a person or organization other than the U.S. Treasury.

  • Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.

  • Demand taxes be paid without giving the taxpayer the opportunity to question or appeal the amount owed.

Internet and offline scams have a long history of flagging themselves as fake by throwing decidedly unofficial payment methods (iTunes vouchers, Steam gift cards) into supposedly official routines. These would appear to be no different.

The other social security scam

The Social Security Administration (SSA) scam became prominent in September 2019, but hasn’t really gone away. The pattern is familiar: There are claims of benefits being suspended, with the only way out being money wires, or cash being placed onto gift cards.

Attacks along these lines can take terrifying amounts of money away from their victims. And they don’t just focus on the elderly: Anyone and everyone, including millennials, can be a target as far as robocallers are concerned.

A problem for everybody

While the majority of robocall articles focus on calls coming from China, the problem isn’t confined to that region. Indeed, the US has more than its fair share of robocall-related issues, with five US states contributing to the top locations for robocall origination. Mexico, the Philippines, Costa Rica, Guatemala, and India complete the list, according to the Federal Trade Commission (FTC).

Alex Quilici, CEO of robocall-blocking app YouMail, told USA Today that he estimates “hundreds of millions” of calls originated from inside the US. In June 2019, the FTC cracked down on US-based robocalls, and reported that the majority of scams they shut down were based in California and Florida.

What can we do about it?

As robocalling has been such a common problem over the years, we already have a full rundown on what you can do to avoid these attacks as best as possible. The people behind them will continue to slather us with their nonsense pressure, fictitious time limits, and bizarre fake kidnapping requests. But there’s one simple way to ensure they never win: Just don’t pick up the phone.

Avoid all that chaos by resisting the temptation to press buttons or pick up and yell. Robocall scammers have been known to ensnare even the most savvy users. Simply let unknown numbers ring into the void forevermore. When your identity and bank account are safe and sound, you’ll be glad you did.



ACCESS Act might improve data privacy through interoperability

Wed, 11/06/2019 - 11:00am

Data privacy is back in Congressional lawmakers’ sights, as a new legislative proposal focuses not on data collection, storage, and selling, but on the idea that Americans should be able to more easily pack up their user data and take it to a competing service—perhaps one that better respects their data privacy.

The new bill would also require certain tech companies, including Facebook, Google, and Twitter, to introduce “interoperability” into their products, allowing users to interact across different platforms of direct competitors.

These rules, referred to in the bill as data portability and interoperability, would presumably allow Americans to, for example, download all their data from Facebook and move it to privacy-focused social network Ello. Or talk directly to Twitter users while using the San Francisco-based company’s smaller, decentralized competitor, Mastodon. Or even, perhaps, log into their Vimeo account to comment on YouTube videos.

Data portability and interoperability are nothing new: Mobile phone users can keep their phone number when switching wireless providers; enterprise software can today read the files made on competitor programs, like the various documents made by Apple Pages, Microsoft Word, and Google Docs.

But few, if any, notable examples of data portability and interoperability came at the behest of federal legislation. Whether this new bill will succeed—in passage, in improving data portability and interoperability, and in its stated purpose of improving data security—remains to be seen.

Avery Gardiner, senior fellow of competition, data, and power for the Center for Democracy and Technology, said that the bill has a few good ideas, but in trying to improve data privacy, it strangely does not focus on the issue itself.

“If we have a privacy problem, which we do have in America, let’s fix that with privacy legislation,” Gardiner said.

Cory Doctorow, a writer, activist, and research affiliate with MIT Media Lab, appreciated the bill’s focus on interoperability—a topic that could use smart rule-making and which is getting little attention in Congress, as opposed to the constant, possibly futile attempts to strictly regulate Big Tech offenders, like Facebook.

“This aims to fix the Internet,” Doctorow said, “so that Facebook’s behavior is no longer so standard.”


On October 22, US Senators Mark Warner (D-VA), Josh Hawley (R-MO), and Richard Blumenthal (D-CT) introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act, or ACCESS Act.

The bill would regulate what it calls “large communications platforms,” which are online products and services that make money from the collection, processing, sale, or sharing of user data, and that have more than 100 million monthly active users in the United States. The bill calls the owners of these products “communications providers.”

Plainly, the bill applies to both Big Tech companies and the platforms they own and operate, including Facebook and its Messenger, WhatsApp, and Instagram platforms, Google and its YouTube platform, and the primary products of LinkedIn and Pinterest.

But rather than placing new rules on these tech giants in an effort to break them up—a rallying cry for some Democratic presidential candidates—the bill instead aims to open up competition against them, potentially creating a level playing field where users can easily leave a platform that betrays their trust, runs afoul of federal agreements, or simply stops providing an enjoyable experience.

“The exclusive dominance of Facebook and Google have crowded out the meaningful competition that is needed to protect online privacy and promote technological innovation,” said Sen. Blumenthal, who helped introduce the bill, in a prepared statement. “The bipartisan ACCESS Act would empower consumers to finally stand up to Big Tech and move their data to services that respect their rights.”

The ACCESS Act has three prongs—data portability, interoperability, and “delegability,” which we’ll discuss below.

First, on data portability, any company that operates a large communications platform would need to develop a way for users to grab their user data and move it over to a competitor in a secure, “structured, commonly used, and machine-readable format.”

While some companies already provide a way for users to download their data—one Verge reporter downloaded 138 GB of their own data following the passage of the European Union’s General Data Protection Regulation—the potential to seamlessly port it over to a competitor could lower barriers to leaving behind Big Tech companies that dominate today’s social media ecosystem.

CDT’s Gardiner said that the bill’s attempt to introduce data portability is good, but whether it will be effective depends on a robust, competitive landscape where upstarts can actually accept a user’s data in a meaningful way. Right now, she said, that landscape does not exist.

“The way that your data would be useful is pretty specific to the way it is already in someone’s platform,” Gardiner said. “You’re not going to port your Facebook data into Twitter because it wouldn’t help you do anything, as a user.”

Gardiner said she understood what the bill is trying to accomplish, but she questioned whether it was the most effective route.

“When I read the press statements, I think part of what they’re saying is that privacy failures by some of the Big Tech companies are, in part, due to the lack of competition, so we should facilitate competition for communications platforms,” Gardiner said. “I have a simpler approach to solve that problem, and that’s to pass privacy legislation.”

On the bill’s demands of interoperability, companies must develop an “interoperability interface” for every large communications platform they own. For a company like Facebook, that would mean allowing interoperability with its Messenger, WhatsApp, and Instagram platforms, as CEO Mark Zuckerberg promised earlier this year, as well as with outside competitors that want to enter the field.

Finally, on “delegability,” the bill asks that Americans be given the opportunity to select a third party to manage their privacy and account settings across the various platforms they use. Those third parties, which the bill calls “custodial third-party agents,” must register with the US Federal Trade Commission and abide by rules that the Commission would need to issue after the bill’s passage.

Custodial third-party agents could charge a fee for their services, the bill says, and must protect the privacy and security of their users’ data.  

Interoperability’s importance

The ACCESS Act seeks a type of interoperability in which competitors can attract new users to their platforms by making their services compatible with a dominant player in the market. If users don’t need to use Facebook’s Messenger to stay in touch with their friends, for instance, they may find it easier to leave Messenger behind altogether, loosening Facebook’s hold on users today.

This type of interoperability has already helped dislodge the near-monopolies of Microsoft and IBM in their respective markets—the enterprise software applications Word, Excel, and PowerPoint; and the PC itself.

But interoperability could do more than put large tech companies on watch. It could actually lead to a safer Internet for users, Doctorow said.

Doctorow told an anecdote about his friend, a comic book writer who receives targeted harassment from a group of predominantly male Twitter users. The users, angered by the writer’s feminist views, send threatening direct messages to her. But, after she reads the direct messages, they delete them.

This is for two reasons, Doctorow said. One, users cannot report a direct message to Twitter unless that direct message is still available and not deleted. Twitter does not accept screenshots in harassment reports because of the potential for faked claims.

Two, once the direct message has been deleted, the same harassers will comment publicly on the comic writer’s Twitter feed, and to several other women in her online community. These public comments, Doctorow said, reference the same content of the threatening direct messages, re-traumatizing the writer.

This is a cycle of harassment in which direct threats skirt consequences, only to reappear in similar content, increasing the feeling of powerlessness for the victim.

Interestingly, Doctorow said, there might be an opportunity for interoperability to help.

The comic writer and her small community of friends could use an outside competitor (or develop one themselves) to continue their discussions—which typically take place on Twitter—while setting up rules that would prevent the harassers’ direct messages and Tweets from showing up in their feeds and inboxes.

It’s more than a blocklist, Doctorow said. It’s giving power to users to engage with meaningful, online communities that already exist in a way that supports and protects them.

Interoperability, then, might offer a potential solution for users to avoid online harassment—until aggressors find them on a new platform. But will interoperability actually serve the ACCESS Act’s stated goal of improving data privacy?

How to regulate data privacy

The ACCESS Act is at least the sixth federal bill proposed in the past year that aims to improve Americans’ data privacy.

As Malwarebytes Labs has reported, each federal bill seeks to improve data privacy through various means. One Senator’s bill would enforce a “Do Not Track” list, another would create a “duty to care” for user data, and another would require clear and concise terms of service agreements.

The ACCESS Act, on the other hand, is the first data privacy bill to focus on data portability and interoperability. Both concepts have provided proven, better experiences for technology users across multiple sectors. College students can take their transcripts to a new university when they wish to transfer schools. Healthcare patients can take their records to a new provider.

But with Congress taking a winter recess in just six weeks, there is essentially zero chance that any of these data privacy bills will pass in 2019.

Maybe 2020 will be better for users and their data privacy.

Announcing Malwarebytes 4.0: smarter, faster, and lighter

Tue, 11/05/2019 - 3:01am

Malwarebytes was founded on the belief that everyone has a fundamental right to a malware-free existence. Every product we make is built on that premise. That’s why we’ve been hard at work on the latest version of Malwarebytes for Windows that not only sports a whole new look, but packs cutting-edge detection methods into a lightweight, lightning-fast program.

We proudly present: Malwarebytes 4.0.

Malwarebytes 4.0 signifies a big step forward in the fight against online crime. It uses smarter technologies to quickly identify stealthy malware and scan faster than ever—all with 50 percent less impact on CPU during scans.

Malwarebytes 4.0: What’s improved

Our first step in taking malware defense to the next level was making important improvements to our existing Malwarebytes for Windows technologies. They include:

  • Improved zero-hour detection that pinpoints new threats as they arise
  • Upgraded behavioral detection capabilities that catch more diverse threats—even those that use signature evasion
  • Improved overall performance and scan speed
  • Redesigned User Interface (UI) for easier, more intuitive functionality
  • Simplified Windows Security Center integration settings
  • Enhanced web protection technology

Malwarebytes 4.0: What’s new

Malwarebytes 4.0 introduces Katana, our brand-new detection engine that uses patented, dynamic methods to recognize zero-hour, often polymorphic malware even before it’s released in the wild. These same methods have been optimized with a faster threat definition process, so they’re not only smarter and more accurate, but using them results in faster scans while taking up less CPU.

“Polymorphic threats have changed the game in cybersecurity. By the time traditional antivirus creates a signature for these threats, it can be too late. Cybersecurity providers need to stay ahead of the game by recognizing potential threats before they can cause damage,” said Akshay Bhargava, Chief Product Officer at Malwarebytes.

“Malwarebytes 4.0 is designed to block these evolving threats in record time using innovative detection technology. Our new intuitive user interface helps customers more easily engage with their cybersecurity. Furthermore, the new engine is optimized and requires 50 percent less of the CPU while scanning.”

A new look and more integrations

The redesigned UI of Malwarebytes 4.0 is more informative, intuitive, and simple to navigate. Increased automation means users receive the latest updates to the product with less effort on their part. A threat statistics dashboard allows users to see which threats are blocked by Malwarebytes in real time—both on their own device and on machines throughout the world. The new UI also features dynamic integration with the Malwarebytes Labs blog, keeping customers informed on the latest cyberthreats, trends, and protection advice.

Each time Malwarebytes Labs posts a new blog, it will appear in the “Security news” section.

In addition, threats blocked or quarantined by Malwarebytes 4.0 are now linked directly to our Threat Center, so you can read up on each threat’s profile, including symptoms of infection, attack methods, and ways to remediate or protect against it.

Threat profile of Trojan.Emotet, one of the most prevalent threats detected today.

Where to find support

For instructions on how to install Malwarebytes 4.0, including the latest version of Malwarebytes for Mac, check out the following knowledge-base articles:

Malwarebytes for Windows

Malwarebytes for Mac

Should you run into any problems or have any questions that remain unanswered, please reach out to our Customer Success team. You can find information, FAQs, and several support options through our support portal.

Let us know how you like the new version in the comments or through our social media channels.

Stay safe, everyone!

A week in security (October 28 – November 3)

Mon, 11/04/2019 - 11:37am

Last week on Malwarebytes Labs, we celebrated the birth of the Internet 50 years ago, highlighted reports about the US Federal Trade Commission (FTC) filing a case against stalkerware developer Retina-X, issued a PSA on disaster donation scams, looked at the top cybersecurity challenges SMBs face, and provided guidance to journalists on how they can defend themselves against threat actors.

Other cybersecurity news
  • A new infostealer called Raccoon emerged as the new malware-as-a-service (MaaS) that is causing a lot of buzz in the underground. (Source: SecurityWeek)
  • Notorious Russian APT, Fancy Bear, was found targeting sporting and anti-doping organizations worldwide. (Source: Microsoft)
  • Millions of Adobe Creative Cloud users exposed due to a misconfiguration. (Source: Sophos’s Naked Security Blog)
  • The online store of the American Cancer Society was found infected with malware by Magecart. (Source: TechCrunch)
  • According to a report from the FTC, younger adults are more susceptible to fraud compared to senior adults. (Source: The Washington Post)
  • Systems used in the state-run Nuclear Power Corp of India were found to contain malware. (Source: Reuters)
  • Sextortion scammers began hacking Blogger and WordPress sites to make threats more believable, which leads to a higher likelihood of paying up. (Source: Bleeping Computer)
  • MessageTap, a malware strain developed by Chinese APT threat actors, is capable of monitoring SMS traffic and other mobile information to target individuals. (Source: SC Magazine UK)
  • Threat actors have their eyes set on esports tournaments. (Source: TechRadar)
  • Highly popular Android emoji app racks up millions of unauthorized purchases. (Source: The Register)
  • Gafgyt, an aggressive IoT malware, was found to force affected systems to join its botnet. (Source: ZDNet)

Stay safe!

Cybersecurity for journalists: How to defeat threat actors and defend freedom of the press

Fri, 11/01/2019 - 4:26pm

When you’re a journalist or work for the press, there may be times when you need to take extra cybersecurity precautions—more so than your Average Joe. Whether a reporter is trying to crowd-source information without revealing their story or operating in a country where freedom of the press is a pipe dream, cybersecurity plays an important role for any journalist producing work online—which is essentially every journalist today.

While the stakes may be a little higher for reporters in war zones, on crime beats, or in political journalism, all writers with public bylines, newscasters, press agents, photographers, and other journalism staff need to consider cybersecurity best practices a priority. Protecting personally identifiable information, online accounts, and proprietary data is not just a nice-to-have for journalists. It’s fundamental to the integrity of their professional reputation—and trust in the press in and of itself.

What happens if a hacker “outs” a source whom a journalist promised anonymity? Could that source experience retribution or physical harm? What if a cybercriminal could access national stories and change content to be untrue? Already, misinformation is rampant on the Internet.

If Facebook won’t ban all-out lies in political ads, it’s up to our newspapers and publishing outlets to defend the truth. And one way they can better do so is by increasing cybersecurity defenses and awareness.

Why journalists need cybersecurity

There are many valid reasons for journalists to better educate themselves on cybersecurity and consider investing in some security tools, but some of the most important are:

  • Protecting sources’ PII, especially locations, identities, and titles
  • Hiding from authorities who might be trying to kill a story or force you to reveal a source under penalty of law
  • Keeping data secure and private if you are asked to turn over a device
  • Securing communication when you fear eavesdropping, bugging, or other forms of online surveillance
  • If writing under a pen name or pseudonym, preventing online harassment or doxing

As any journalist worth her salt knows, if your anonymous sources become public knowledge, no one will want to talk to you, much less reveal confidential information to you, again. There goes your livelihood.

In some countries and under some circumstances, journalists may not want to reveal what they are working on or where they are working on it. Being able to conduct investigations “off the grid” is key in these conditions, as is making sure your best-kept secrets and tomorrow’s scoop aren’t revealed in data leaked online or easily scraped from an unlocked device.

Communications can be intercepted, no matter which type. Even face-to-face conversations can be overheard or eavesdropped on. But reporters’ juicy interviews may be of particular interest to cybercriminals, especially nation-state actors conducting longtail reconnaissance on high-profile targets. Whether you’re talking to the local baker for a human interest story or sitting down with the Director of National Security, it is wise to assume you are under surveillance—or could be if you don’t take precautions.

Unfortunately, many journalists know first-hand how publishing online can invoke Internet ire via commenting trolls and rage-filled Tweetstorms. A thick coat of armor is necessary to withstand the sometimes needlessly cruel and personal feedback; many an online reporter has booked therapist appointments accordingly. But additional cyber defense is necessary to ensure physical protection from harm, as well as to shield against harassment and doxing attempts.

Cybersecurity methods and tools

Not every journalist needs all of the cybersecurity methods and tools listed below, but they should at least have a basic understanding of what these methods can do for them, and how to apply them when necessary.

  • Data encryption
  • End-to-end encrypted communication (email, chat, videoconferencing)
  • Deleting metadata
  • Disabling location services when necessary
  • Creating secure backups, either to the cloud or to external hard drives
  • Private browsing and other online activities
  • Deleting navigation history and cookies
  • Using caution when activating IoT devices that may be vulnerable or insecure; for example, don’t use Alexa to dial an anonymous source
  • Using a VPN to anonymize Internet traffic
  • Educating yourself on basic cybersecurity hygiene and implementing a few technology solutions, including anti-malware software, a firewall, a password manager, and 2FA, and updating your software as soon as patches are available

Data encryption and creating secure backups are closely related. When your device falls into the wrong hands, you don’t want a criminal to be able to simply exfiltrate all the data you have gathered on it. Encryption makes that data unreadable to anyone who doesn’t have the key. And if you do lose a device, its securely backed-up data can be accessed elsewhere.

Encrypted communication is a bit more challenging. The more sophisticated the method of communication, the harder it seems to render it secure.

Encrypting email is fairly easy. Many have done it before you, and how-to guides are readily available. Using end-to-end encrypted chat is a matter of choosing the right software. Real end-to-end encryption means messages are encrypted with keys held only by the communicating parties, so the service relaying them never handles them in plain text. All you need to do is find a trustworthy app that both parties can use. The same is true for video conferencing software, though it may be harder to find familiar names that also offer end-to-end encryption.

Your location can be given away in more ways than you may realize. It is not only a matter of turning off location access completely. Your local time, IP address, and the list of Wi-Fi networks you have used can also give someone at least a crude idea of where you are or have been.

When it comes to keeping your location a secret, also remember to delete the navigation history of your car, browser, or other device used to find a physical address. Also make sure that a rental “connected vehicle” has been reset, so the previous user can’t keep track of you from their phone.

For photographers, it’s also relevant to delete metadata, as it doesn’t always just include technical and descriptive data, but can also contain a GPS location.
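The GPS location mentioned above lives in the Exif block that cameras write into a JPEG’s APP1 segment. The following is an added example, not code from the original post or from Malwarebytes: it walks the JPEG marker segments, reports whether the Exif IFD0 carries a GPS IFD pointer (tag 0x8825), and strips every APP1 segment (which also carries XMP, another place location data can sit) while leaving the compressed image data untouched. The sample JPEG it builds is constructed for the demonstration and is not a real photo.

```python
import struct

# JPEG marker values (big-endian 16-bit)
SOS, APP0, APP1 = 0xFFDA, 0xFFE0, 0xFFE1
GPS_IFD_TAG = 0x8825  # Exif tag "GPS Info IFD Pointer"


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment.

    `end` is the offset just past the segment. The SOS segment is yielded
    once with end = len(data), because entropy-coded scan data follows it
    and runs to EOI; we never need to look inside it.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, end
        pos = end


def exif_has_gps(payload):
    """True if an APP1 Exif payload's IFD0 contains a GPS IFD pointer."""
    if not payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = payload[6:]
    endian = {b"MM": ">", b"II": "<"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break
        if struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def jpeg_has_gps(data):
    """True if any APP1 Exif segment in the file points to a GPS IFD."""
    return any(marker == APP1 and exif_has_gps(data[start + 4:end])
               for marker, start, end in iter_segments(data))


def strip_exif(data):
    """Return a copy with every APP1 segment removed; pixels are untouched."""
    out = bytearray(data[:2])  # keep SOI
    for marker, start, end in iter_segments(data):
        if marker != APP1:
            out += data[start:end]
    return bytes(out)


def _segment(marker, payload):
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg(with_gps=True):
    """Constructed stand-in for a camera JPEG: JFIF header, Exif, tiny scan."""
    if with_gps:
        # IFD0 (at TIFF offset 8) has one entry: GPS IFD pointer -> offset 26
        ifd0 = (struct.pack(">H", 1)
                + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26)
                + struct.pack(">I", 0))
        # GPS IFD with one ASCII entry: GPSLatitudeRef = "N"
        gps = (struct.pack(">H", 1)
               + struct.pack(">HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")
               + struct.pack(">I", 0))
        tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
    else:
        # Same layout, but IFD0 only carries an ImageDescription string
        ifd0 = (struct.pack(">H", 1)
                + struct.pack(">HHI4s", 0x010E, 2, 4, b"cam\x00")
                + struct.pack(">I", 0))
        tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = _segment(APP1, b"Exif\x00\x00" + tiff)
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + jfif + exif + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS present before:", jpeg_has_gps(photo))
    print("GPS present after: ", jpeg_has_gps(strip_exif(photo)))
```

Check a file with `jpeg_has_gps(open(path, "rb").read())` before publishing it; note that re-encoding a photo through an image editor does not reliably remove Exif, so strip the segment explicitly and verify the result.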

While browsing, it pays off to use a browser that was developed with your privacy in mind, or to use a well-vetted plugin or extension that protects privacy. Add a VPN to your toolset to hide your true IP. Using a VPN may draw attention to the fact that you are up to something, and not every VPN provider will treat your data with the same respect, so do some digging into their background and track record before you decide which one to use.

Recent articles have made us aware of the fact that some of our IoT devices are eavesdropping on us. So, when you are having a private conversation that needs to stay private, check your surroundings for devices that could be listening and make sure they can’t hear or relay your talk.

With all this in mind, don’t forget about basic cybersecurity hygiene and awareness. We can’t say this enough: Keep your software up-to-date, patched, and properly configured. Use an anti-malware solution and at least a basic firewall. Use two-factor authentication (2FA) where possible, and password lock all your devices. Clear your browser cache and search history.

Another basic principle when you are a public figure and don’t want to be doxed or harassed is a strict social media regime. Consider everything you post to be public to the world, even if you have a private account, and separate your journalist account from your personal one, with zero links between the two.

Recommended reading: Cybersecurity basics

If you are not skilled in cybersecurity, do not be ashamed to ask for help setting up your defenses. And know who to contact if anything goes south, even after all your efforts. Also do not assume that your employer is on top of your secure communications: Ask about it.

Resources for journalists

This list is not exhaustive, but it gives you an idea of what’s available:

The Assistance Desk of Reporters Without Borders (RSF) provides financial and administrative assistance to professional journalists and citizen-journalists who have been the victims of reprisals because of their reporting.

To report a press freedom violation, you can contact the appropriate Committee to Protect Journalists (CPJ) regional staff. All information is confidential. Contact details per region can be found on the CPJ website.

Totem offers digital security training specifically for activists and journalists. It helps them use digital security and privacy tools and tactics more effectively in their work.

Citizen Lab’s Security Planner aims to improve your online safety with advice from experts. All you need to do is answer a few questions and get personalized online safety recommendations.

SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath

Thu, 10/31/2019 - 5:41pm

Cyberattacks, many have noted, are the fastest growing economic crime not only in the United States, but also around the world. This upward trend has been observed since 2014, according to PricewaterhouseCoopers (PwC), and won’t likely be slowing down anytime soon.

Cyberattacks—much like the advancement of technology, the interweaving of digital lives among familiars and strangers via social networks, and the broadening adoption of the Internet—are here to stay.

As much as the Internet has changed individual lives on the planet—for better or for worse—it’s changed the way people do business even more. The current reality is that a business is not much of a business if it’s not online. Even local small businesses, such as restaurants, home renovation companies, or dance studios, require some kind of Internet presence to flourish.

However, stepping into the online realm as a business is, in itself, a double-edged sword. While the visibility the Internet affords entrepreneurs almost guarantees growth, on the flip side, organizations also put themselves at risk of Internet-borne threats. Online retailers may run afoul of web skimming tactics. Online publishers and bloggers using content management systems can be hacked, or their advertisements poisoned via malvertising. Even simply opening emails can put an enterprise at risk.

Organizations of all sizes must understand that in today’s world, cyberattacks are an inevitability.

Unfortunately, a majority of small- to medium-sized businesses (SMBs) are unprepared for any form of digital assault, much less aware of its inevitability. In the end, some affected organizations emerge from an attack with such excessive losses that they are put out of business—permanently.

So exactly how unprepared are SMBs for an eventual cyberattack? To help paint a picture of their current cybersecurity posture, we gathered a few noteworthy statistics. Suffice to say, they aren’t good.

Cybersecurity posture of SMBs

We took a look at several factors impacting SMB cybersecurity, from rate of incidents and staff shortages to costs shouldered after an attack. Here’s how they pan out:

Cyber incidents

Non-enterprise businesses reported more cyber incidents in 2019 compared to the previous year, according to the Hiscox Cyber Readiness Report.

  • For small businesses reporting at least one cyber incident, the proportion has increased from 33 percent of respondents to 47 percent.
  • For medium-sized businesses, the increase is even greater, moving from 36 percent in 2018 to 63 percent in 2019.
  • Verizon’s 2019 Data Breach Investigations Report found that 43 percent of all breach victims were small businesses.

Lack of resources

SMBs typically have fewer resources for cybersecurity protection, whether that’s a smaller budget for software solutions or overtaxed or undertrained IT staff. This can result in negligence that ultimately leads to breach.

  • On average, an SMB can face up to 5,000 security alerts per day, yet only 55.6 percent of them investigate these alerts, according to Cisco.
  • According to the aforementioned Keeper Security-Ponemon Institute report, 6 out of 10 SMBs report that attacks against them are more targeted, sophisticated, and damaging; yet 47 percent of them have no idea how to protect their companies from cyberattack.
  • 52 percent of SMBs claim they don’t have an in-house IT professional on staff, according to Untangle’s 2019 SMB IT Security Report.
  • Untangle also found that 48 percent of organizations claim that limited budget is one of a handful of barriers they face when it comes to IT security.

Cost of an attack

  • SMBs shoulder a heftier cost relative to their size compared to larger organizations, per IBM’s Cost of a Data Breach Report.
  • Organizations with a headcount between 500 and 1,000 shelled out an average of US$2.65 million in total data breach costs.
  • The total cost for organizations with more than 25,000 employees averaged $204 per employee, whereas organizations with between 500 and 1,000 employees had an average cost of $3,533 per employee.

Interestingly, two independently published reports, namely Cisco’s Small and Mighty special report [PDF] on small and mid-market businesses and Keeper Security and the Ponemon Institute’s State of Cybersecurity in Small & Medium Size Businesses, reflected a similar range of costs.

In the same Small and Mighty report, Cisco also reveals that SMBs are more likely to give in to paying threat actors their ransom demands as they cannot operate without access to critical data and cannot afford the usual 8+ hours of downtime.

Top SMB threats and ways to fight them

Does this mean SMBs should stay away from the Internet? Clearly, that’s not the answer. However, if organizations large and small don’t take steps to secure their businesses against cyberattacks, they’re not only putting themselves at risk for profit loss, but may be stunting global economic growth. According to Accenture, a trusted digital economy could stimulate an additional 2.8 percent growth in organizations over the next five years, translating into $5.2 trillion in value creation opportunities for society as a whole.

Yet SMBs face sophisticated cyberattack methods with far fewer resources than large enterprise organizations to fight them. We list a few of the top SMB threats below, as well as our recommendations for the best ways to combat them—keeping in mind budget and staff constraints.


When it comes to online threats, malicious attacks by cybercriminals via malware still rank as the top challenge for SMBs in several reports. In most cases, not only is malware difficult to detect, but it’s also costly to remediate and mitigate. Whatever the threat is, let’s not forget that potential threat actors are motivated toward financial gain via extortion, coercion, fraud, or stealing sensitive and classified information that can be sold to the highest bidder.

In 2019, SMBs have been especially impacted by ransomware and Trojans, such as Emotet and TrickBot, according to our product telemetry.

Recommendations: To address the challenge of sophisticated malware attacks, SMBs should first and foremost create a backup plan so that they won’t lose critical data in the event of a ransomware attack. Data can be safely stored to the cloud and accessed anywhere, should machines be frozen out in an attack. In addition, purchasing a budget-friendly endpoint protection solution that blocks sophisticated attacks can help carry some of the load in place of a highly trained IT staff.

Web-based attacks

Based on Accenture’s The Cost of Cybercrime report, web-based attacks are among the top reasons why businesses lose revenue. Such attacks normally make use of an Internet browser and an SMB’s official website as the attack launchpad to perform criminal acts, such as accessing and stealing confidential client information or compromising the site to make it infect visitors. Examples of web-based attacks are cross-site scripting (XSS), drive-by downloads, and SQL injection (SQLi).

Recommendations: The majority of web-based attacks start off when threat actors attempt to manipulate or tamper with a website’s functionality by submitting code as input to entry fields. Preventing such code from being interpreted or rendered is a general security measure that SMBs can begin adopting. This way, businesses have better control over the types of user input their websites accept and render when someone interacts with them.

For SMBs, mitigating web-based attacks and threats may involve inviting a security professional to audit their website’s code for potential gaps that miscreants can exploit, and advising on how best to address them. While we’re on the subject of coding, SMBs such as app developers or others with programming staffs will want to make it a priority to train on how to code well with security in mind.
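As an added example (not code from the Malwarebytes post), the two attack classes named above, XSS and SQLi, shown as a vulnerable entry-field handler beside its hardened form. The comment and customer-lookup features, the table layout, and the sample inputs are all constructed for illustration.

```python
import html
import re
import sqlite3

# Constructed inputs: one ordinary value per field and one carrying code,
# which is what the post means by "code as input to entry fields".
BENIGN_COMMENT = "Great service, 5 stars"
INJECTED_COMMENT = "<script>alert('xss')</script>"
BENIGN_EMAIL = "alice@example.com"
INJECTED_EMAIL = "' OR '1'='1"


def render_comment_vulnerable(comment: str) -> str:
    """'Before' form: user input is pasted straight into the page, so any
    <script> element in the comment is rendered and runs in visitors' browsers."""
    return f"<li class='comment'>{comment}</li>"


def render_comment_safe(comment: str) -> str:
    """Hardened form: HTML-escape the input so the browser displays the
    characters instead of interpreting them as markup."""
    return f"<li class='comment'>{html.escape(comment, quote=True)}</li>"


def contains_script_tag(rendered: str) -> bool:
    """Check used below: did a raw <script> tag survive into the output?"""
    return re.search(r"<\s*script", rendered, re.IGNORECASE) is not None


def _customer_db() -> sqlite3.Connection:
    """In-memory table of constructed (hypothetical) customer records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    con.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, email: str) -> list:
    """'Before' form: string concatenation lets the input rewrite the query,
    so a crafted value returns every customer's record instead of one."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, email: str) -> list:
    """Hardened form: validate the field's expected shape, then bind the value
    as a query parameter so the database never treats it as SQL."""
    if not re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", email):
        return []  # reject anything that is not shaped like an email address
    return con.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo() -> dict:
    """Run both field handlers against the constructed inputs and report
    whether the injected code had any effect in each form."""
    con = _customer_db()
    return {
        "xss_vuln_tag_rendered": contains_script_tag(render_comment_vulnerable(INJECTED_COMMENT)),
        "xss_safe_tag_rendered": contains_script_tag(render_comment_safe(INJECTED_COMMENT)),
        "sqli_vuln_rows": len(lookup_vulnerable(con, INJECTED_EMAIL)),
        "sqli_safe_rows": len(lookup_safe(con, INJECTED_EMAIL)),
        "benign_lookup_rows": len(lookup_safe(con, BENIGN_EMAIL)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable query returns every row for the injected value while the parameterized one returns none, and the escaped comment reaches the page as visible text rather than a tag.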

Distributed denial of service (DDoS) attacks

DDoS attacks often result in extended downtime for business websites, and that’s never good for the targeted organization. This means clients are denied access to the site, which stops them from transacting with the business, and the business loses precious opportunity, money, and productivity.

Recommendations: Perhaps the easiest way a business can ward off DDoS attacks is to use the services of a good content delivery network (CDN). However, prevention can also be done in-house without breaking the bank. Expect a DDoS attack to happen in the future and plan ahead for it. Establish workplace protocols on what to do in the event of a DDoS attack on your company’s website. If you can, include in the planning phase what, how, and when you would communicate with your clients about a website outage caused by such an attack.

Phishing and social engineering attacks

A whopping 85 percent of organizations experience this type of attack, especially now that the top threats to businesses, Emotet, Trickbot, and various ransomware families, are often delivered via phishing email. With fraudsters and social engineers getting wilier, their tactics are getting more sophisticated and polished. And we can expect this to increase unless businesses start taking these threats seriously.

Recommendations: Train all members of staff. There are some simple methods you can use to help employees identify phishing emails vs. legitimate ones. Many examples of phishing emails and current scams exist online. Make cybersecurity awareness a top priority. Step it up by creating an intentional culture of security within the company.

Insider threats

Dangers posed by current and former employees with malicious intent will always loom over SMB executives. However, insider threats are not limited to the obvious. Often, it’s staff who are negligent, inattentive, or abuse their privileges who become accidental insiders and trigger a data breach.

Recommendations: The topic of insider threats must be included in every cybersecurity training staff undergoes. Doing so likely decreases the likelihood of accidental insiders, but it does not address deliberately lax or professional insiders. In those cases, implementing controls can further minimize insider threat incidents.

Remote workers

Whether remote workers like it or not, they are a risk to their organizations. Sadly, many organizations are unaware of this and do not realize the magnitude of the risk remote workers pose to company assets, including intellectual property, as well as customer, staff, and vendor information. As a result, they fail to conform to best practices set by the US Small Business Administration, and they fail to implement the most basic cybersecurity measures.

Recommendations: Education and policies, once again, play a role in securing an SMB’s remote workers.

Long term effects of cyberattacks

Many from the outside looking in may assume that once organizations are back up and running after a data breach, apart from a few hiccups, business will continue as normal. Nothing could be further from the truth.

Depending on how much damage a data breach has caused a business in total, it may take a while to regain what was lost and become profitable again. Sometimes, SMBs feel the consequences of a breach for years. These include damage to the business’s reputation and loss of trust from current and potential clients.

The best course of action SMBs can take after a cyberattack is to learn from their experience by improving their overall cybersecurity posture and state of cyber readiness going forward. Make cybersecurity and privacy a priority. Create multiple backups of your most sensitive data. Regularly monitor and conduct risk assessments. Educate workers. Lastly, make sure that all devices connecting to your network are properly configured and protected with anti-malware software and strong encryption protocols.

Stay safe!

The post SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath appeared first on Malwarebytes Labs.

Categories: Malware Bytes

Help prevent disaster donation scams from causing more misery

Wed, 10/30/2019 - 4:36pm

It’s a sad day when we have to warn people about medical charity scams, or tax fakeouts, or even have a week dedicated to foiling charity fraud—but here we are. With so many natural disasters occurring, from wildfires in California to tornadoes in Dallas, disaster donation scams remain a top resource for scammers looking for free cash.

Unfortunately, disaster donation scams are nothing new. Back in 2013, I spent many hours tracking and shutting down fake charity scams focused on Typhoon Haiyan and many more. Some of those tricks from way back when are still in use, and we need to do what we can to inform and ward off potential attacks.

Avoiding fake disaster donation scams: part 1

A handy list of tips has been posted to KQED, detailing all the ways you can steer clear of these scams. While many of them may seem obvious to regular readers of this blog, there are always folks out there who haven’t heard of these, much less realize that people are actively trying to rip them off through charitable causes.

If you have relatives who donate after a disaster (or just donate generally), feel free to send this post their way. To summarize the tips quickly, and of particular note:

  • Keep track of payments to charitable organizations
  • Watch your payment method: don’t make donations via cash, gift card, or by wiring money
  • Steer clear of pressure—especially in relation to paying “as soon as possible”

Avoiding fake disaster donation scams: part 2

I’d also like to add some of my own suggestions, based on things I’ve experienced while tackling these scams and talking about them at events through the years.

  1. Door-to-door visits should always be treated with caution. At the bare minimum, they should have a recognisable badge, and a way to verify they are who they say they are. I don’t think I’ve ever run into a house call where you couldn’t take a leaflet or web address and go make the donation in your own time. If they really, desperately need the money now? Ask yourself why and then do some digging once they’ve gone. If you think it’s all a bit suspicious after that, report it to the most appropriate contact point.
  2. Cold calling is a popular pastime of donation scammers. It’s easier than ever to spoof caller ID, so simply matching numbers to legitimate sources on official websites is not 100 percent foolproof. I’ve mentioned the infamous FEMA cleanup crews in the past, and they’re often one of the first scams to hit the ground running. Be on the lookout for similar fakeouts involving Red Cross, United Nations, UNICEF, and more. If it’s a big name, it’s a potential target. Again: don’t be pressured into handing over payment details to cold callers. It’s worth noting that fake websites abound, both on free and paid hosting.
  3. Scammers will often pretend to be a charity organisation, sending missives claiming to be Red Cross or Salvation Army, or pretty much anyone else they think may be relevant to a disaster. Nothing odd there. However, what they will do is frequently include a real email address in their request for money. Why? To keep things looking as real as possible. The sting in the tail is where they also insist you CC an email address belonging to the scammer when you send bank details, because “high server load” may mean the real address never gets the reply. They’ll also request you give them a week or two to reply as they’re experiencing a high volume of mail. This is also just a way to get you to leave them alone for a week as they happily plunder your bank account without question.
  4. Scammers will exploit the fear of lost/missing relatives to make more money. They’ll post up pictures of missing people culled from news services and ask for money to “help find them.” They’ll make use of those fun automatic newspaper headline generators to present you with fake headlines about rewards if only you send X amount of cash to Y (also a tactic used by 419 scammers). Relatives will naturally post lots of personal information to social media, and scammers will happily use that, too, in their social engineering exploits. I saw this a lot during Typhoon Haiyan, a problem exacerbated by people not really being familiar with genuine ways to locate missing people. Myself and others made extensive use of Google’s crisis map and their person finder to help steer people away from fakes. Note that these services are still operational whenever they may be needed, and there are many other ways to attempt reunification without being ripped off.
  5. Finally, never underestimate how weird the scams may be in their attempt to pull the rug from under you. “Whale crashes into building” was a popular social media scam back in 2011, because the more sensational-sounding a viral video you have, the better. “Earthquake relief” via the promise of a few clicks went a long way to making someone money and not much else. There’s “miracle escapes” which often aren’t, rogue installs, and even Twitter spambots firing out links to expensive “radiation health” ebooks. They’ll do whatever it takes.

Report scammers

I’ll leave you with a few more links, so you can report anything suspicious that comes your way, or at least use the below as a way to get your information where it needs to be:

Scammers hope a combination of tragedy and your sympathy will provide them with the keys to your bank account. Any and all donations given to criminals are potentially causing misery and loss of life where the money is actually needed, so it’s down to all of us to step up and tackle this scourge head on.

The post Help prevent disaster donation scams from causing more misery appeared first on Malwarebytes Labs.


Stalkerware developer dealt new blow by FTC

Tue, 10/29/2019 - 11:56am

Last week, the US Federal Trade Commission (FTC) interpreted its broad consumer protection mandate to file a first-of-its-kind enforcement action against the developer of three mobile stalkerware applications. The developer was banned from further selling the apps unless significant changes were made in design and functionality.

The FTC’s required changes address notification procedures and language, built-in mobile device security, written consent, and proper cybersecurity documentation and policies.

Together, the requirements potentially create the first set of “standards” for what an app must include if it has features that can monitor another user’s device. However, the potential impact of those requirements—which do not apply to any other current stalkerware developers—remains in question.

Two anti-stalker advocates—Erica Olsen, who leads the National Network to End Domestic Violence’s Safety Net program, and Eva Galperin, cybersecurity director at Electronic Frontier Foundation—welcomed news of the FTC case, though to varying degrees.

“I absolutely think this is exciting, and it’s needed, and it’s an important precedent to set,” Olsen said, adding that the FTC’s case is just a first step, and that extra work is needed to hold stalkerware makers and abusers fully accountable.

In speaking with Business Insider, Galperin worried about what the FTC actually targeted.

“I’ll take what I can get,” Galperin said. “The basis of the [FTC’s] action is not that [the stalkerware developer] is making stalkerware, it’s that they’re not making secure stalkerware.”

The FTC investigation

On October 22, the FTC announced that an investigation into the Florida-based company Retina-X Studios LLC and its owner, James N. Johns Jr., produced several alleged violations of both the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act (FTCA), which prohibits companies from deceiving their customers.

In comments at a media briefing the same day, FTC Bureau of Consumer Protection Director Andrew Smith said that Retina-X’s three apps—MobileSpy, Phone Sheriff, and TeenSafe—“allowed purchasers to surreptitiously monitor almost everything on the mobile devices on which they were installed, all without the knowledge or permission of the mobile device’s user.”

The three apps, which have been featured in Motherboard’s series “When Spies Come Home” and in Malwarebytes Labs’ own reporting, allowed users to spy on another user’s device, granting them access to text messages, emails, phone calls and logs, GPS location data, and web browser activity. These apps, and others with similar features, have become a prominent hallmark in domestic abuse relationships. They are a serious threat to users everywhere.

According to an FTC spokesperson, the Commission recognized this threat.

“The FTC is always looking to protect consumers, and most especially vulnerable populations,” the spokesperson said. “We understand that consumers have a growing reliance on technology, and its misuse can cause new forms of abuse and be used as a tool to amplify harms, including in domestic violence situations.”

The FTC alleged that Retina-X and Johns Jr. failed users in several ways.

Retina-X allegedly failed to protect the data it was collecting, which included “GPS locations, text messages and other personal information from children.” Retina-X also allegedly allowed app purchasers to “access sensitive information about device users, including the user’s physical movements and online activities.”

The FTC also criticized Retina-X because, for its apps to be installed on a device, that device first had to be jailbroken or rooted, a process which the FTC said “exposed the devices to security vulnerabilities and likely invalidated manufacturer warranties.”

Further, the FTC called out Retina-X for its supposed privacy promise to users. Though the company told app purchasers that their “private information is safe with us,” Retina-X actually suffered two data breaches. Worse, the FTC said that Retina-X did not learn about the 2017 breach until a journalist with Vice contacted the company, having received a tip from the hacker themselves.

In 2018, nearly the exact same scenario happened again. Following the second breach, Retina-X shut down its apps “indefinitely.”

According to the FTC and Vice, the hacker accessed login names, encrypted login passwords, text messages, GPS locations, contacts, and photos.

In recent years, the FTC has shown large interest in trying to protect consumers harmed by company data breaches.

In 2017, the FTC reached a settlement with Uber, after an investigation found that the ride-hailing company failed to prevent unauthorized access to a cloud server storing sensitive consumer data. This year, the Commission reached a settlement with Equifax over the credit reporting agency’s 2017 data breach that affected 147 million Americans.

Along the way, the FTC has also provided guidance to consumers affected by the Marriot data breach and the more recent Capital One data breach.

An FTC spokesperson declined to comment on the origins of the investigation.

“FTC investigations are nonpublic so we don’t discuss why we started a particular investigation,” the spokesperson said.

The Retina-X consent order

Though the FTC cannot issue monetary fees for first-time offenders of the Federal Trade Commission Act, it can try to curb deceptive and dangerous behavior by getting companies and individuals to sign “consent orders.” If any party that has signed a consent order then violates that order in the future, the FTC can then issue monetary penalties.

The consent order presented to Retina-X and Johns Jr. has already been signed. It includes permanent rules that Retina-X and Johns Jr. must comply with should they ever try to engage in “promoting, selling, or distributing” any software application, program, or code that can be installed by one user onto another user’s device to track their activity.

To start, Retina-X and Johns Jr. cannot work on any monitoring app that would require a user to jailbreak or root or otherwise circumvent the built-in security of an end-user’s device. Retina-X and Johns Jr. also must ensure that any monitoring app they work on requires “written attestation” from its users that they will use the app for “legitimate and lawful” purposes.

According to the FTC, “legitimate and lawful” purposes for a monitoring app include only the following:

  • Parent monitoring a minor child
  • Employer monitoring an employee who has provided express written consent to being monitored
  • Adult monitoring another adult who has provided express written consent to being monitored

Further, any app that Retina-X and Johns Jr. work on cannot give users the option to hide the app’s icon from an end-user’s device screen.

The FTC further stated that end-users should be able to “click” an app icon to reach a page that clearly and conspicuously tells the user the name of the app, its functions, that it is present and running on the end-user’s device, and information on how to contact the apps’ representatives in case of wrongful installation.

NNEDV’s Olsen spoke positively about the new notification requirements.

“We’re big on notifications,” Olsen said. “It’s not that there’s not a time and a place and use for certain types of monitoring apps, but the way these (MobileSpy, Phone Sheriff, TeenSafe) were obviously developed were clearly for a misuse, so, I think this is a great precedent.”

Olsen said that the FTC contacted NNEDV weeks before its public announcement, and that the commission and the organization worked together to develop shared images and language.

Olsen also said that, following communication with the FTC, NNEDV updated its own pages on stalkerware and spyware, including one resource on “Phone Surveillance & Safety for Survivors,” and another on “Computer Surveillance & Safety for Survivors.”

“This space is always changing a bit,” Olsen said, “so we tried to make sure that, when we’re connecting with people, we’re verifying and understanding the tech as much as possible.”

Data destruction and reporting requirements

The majority of the FTC’s remaining rules in its consent order focus on data collection, cybersecurity, and reporting protocols.

Should any monitoring app that Retina-X and Johns Jr. work on have an associated website, that website must have a home page that clearly states that the app can only be used for “legitimate and lawful” purposes. An additional, similar notice must be provided on any “purchase page” for users who buy any such monitoring app, otherwise the purchase cannot be allowed.

Further, Retina-X and Johns Jr. must, within 120 days, “destroy all Personal Information collected from a Monitoring Product or Service prior to entry” of the consent order.

Retina-X and Johns Jr. must also implement an information security program and obtain third party assessments every two years of that information security program. Retina-X and Johns Jr. must also provide annual certifications to the FTC that show whatever monitoring product they work on is in compliance with the consent order. Also, the two must report to the FTC “covered incidents,” like data breaches that already have notification requirements for every state, within 10 days of discovery.

Finally, if Retina-X and Johns Jr. decide to continue their business, or start a new one, a “compliance report” must be submitted to the FTC in one year detailing the primary physical, postal, and email addresses, and telephone numbers, of any business operations. For the next 10 years, Retina-X and Johns Jr. must report to the FTC, within 14 days, any changes to business names and residence address, any creation, merger, or sale of the business or its subsidiaries, and, for Johns Jr. specifically, any changes to his title or role.

A new front against stalkerware?

Not since 2014 has a stalkerware developer faced federal enforcement against their actions. That year, the FBI indicted a man for allegedly conspiring to sell and advertise the stalkerware app “Stealth Genie.” Months later, a US District judge ordered the permanent stop to the advertising, marketing, or sale of the app.

At last week’s media briefing, FTC Bureau of Consumer Protection Director Smith said that, though the Commission’s actions against Retina-X were the first against a stalking app developer, they may not be the last.

“Although there may be legitimate reasons to track a phone, [Retina-X’s] apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,” Smith said. “Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”

Olsen said that the FTC’s work in this area is just one piece of a much larger puzzle.

“What needs to happen is, there needs to be continued conversation on whether there are gaps in federal law and state law that would prevent these apps from being developed in the first place, or to hold people accountable after,” Olsen said. “There is still a lack of civil remedies for people to go after companies on these things.”

Moreover, Olsen explained that a multi-pronged approach is required to better stop stalkerware. That includes better educating and equipping local law enforcement to find and detect stalkerware on mobile devices, she said.

Overall, the FTC’s new front appears to be a welcome one. However, the effort against stalkerware continues.

“It’s three apps, and there are hundreds more,” Olsen said. “There’s still a lot of work that needs to be done.”

If you or a loved one are the victim of domestic abuse, remember that you can call the National Domestic Violence Hotline at 1-800-799-7233, or can visit their website from a safe device at

The post Stalkerware developer dealt new blow by FTC appeared first on Malwarebytes Labs.


As Internet turns 50, more risks and possibilities emerge

Tue, 10/29/2019 - 11:00am

This op-ed originally appeared in the San Francisco Chronicle on October 28, 2019.

We occupy a richly-connected world. On the Internet, we collapse distance and shift time. But this Internet that delivers mail, connects us with friends, lets us work anywhere, and shop from the palm of the hand, is a mere 50 years old, slightly younger than Jennifer Aniston and Matt Perry.

On October 29, 1969, UCLA computer science professor Leonard Kleinrock was supervising programming student Charley Kline, who sent a message from his school’s computer to a computer in Douglas Engelbart’s laboratory at Stanford Research Institute in Menlo Park, CA.

Attempting to log onto the SRI computer, Kleinrock was able to transmit just two characters—LO—before the connection failed. Thus, the first transmission had a security problem: lack of availability.

From this inauspicious beginning, the Internet was born because this was the first connection on a wide area network using a new technology called packet switching.

In the 1960s, computers were common in universities, big businesses, and government research operations, but every computer was a closed system.

Imagine integrating them into a network of networks, enabling collaboration among researchers worldwide. That was the vision behind the Arpanet, the system Kleinrock developed. Though its demonstration ran afoul of connectivity issues, it was designed to be resilient to the unreliability of network connections.

During the 1950s Cold War, the Air Force wanted to harden its radar system to survive a nuclear attack and respond, making a crippling first strike by an enemy less appealing. The solution, developed by Paul Baran and Donald Davies, encompassed a decentralized network, packaging data into small chunks. This packet-switching technology was at the Arpanet’s core.

The Arpanet was designed for resilience but not security. That became a problem. With hundreds of hosts, each with their own ideas about networking, managing communication was challenging.

In 1973, Robert Kahn and Vinton Cerf developed a new approach. The differences among local network protocols would be masked by a common internetwork protocol, relegating details to the host networks.

It took a decade to re-engineer this core technology of the network of networks. Kahn and Cerf’s TCP/IP protocols were implemented on January 1, 1983. The next year, the number of nodes surpassed 1,000, and it was soon renamed the Internet.

Other developments in the 1980s began to transform the Internet into a place for the general public, including the introduction of Domain Name Servers turning cryptic numerical Internet addresses into readable names like and In 1989 at CERN, Tim Berners-Lee created the World Wide Web and the first web browser, transforming the Internet into a virtual world. The dedicated public information services turned into websites, as did libraries and stores, and seemingly everything.

But this public use made the Internet attractive to bad actors. A year before the web, the world got a wake-up call when the Morris worm largely brought down the Internet. The malicious software infected an estimated 10 percent of servers on the net and it took days to remove the worm. Robert Morris, its creator, was convicted under the Computer Fraud and Abuse Act and was sentenced to probation, community service, and a fine.

The Internet’s carefree days were over. New attacks occurred, each one generating a news story. But before long, there were too many to count.

The Internet has become, in the words of Kleinrock, who sent that first message with his student, “a pervasive global nervous system.” But at the core it is still the same Arpanet created 50 years ago, and this is a mixed blessing. The Internet is rugged, but motivated actors can cause trouble, and risks are outpacing advances.

Online banking and shopping are convenient, until someone steals your password or identity. You enjoy the benefits of the richly connected life, so long as you are vigilant about spam, adware, Trojans, viruses, worms, phishing, spyware, and keyloggers. System admins fight attacks, but a lot of it comes down to you, the user.

After 50 years, we are still in the early days of this transformation in our society. But we can see the future in tech labs and startups today.

As we move into virtual worlds, the Internet is also going to be moving into us. Going to the doctor will be less necessary as implanted sensors feed and read from cloud-based medical diagnostic software. Your emotional reaction to a commercial is of value: Advertisers will be willing to pay to understand those reactions in real time.

Add your own scenarios. The richly connected future is bright and strange. The Arpanet’s prescient foundation will enable unimagined uses beyond the present-day Internet. But the urgency of protecting the Internet from bad actors is also increasing, and the stakes will get higher.

The security of the Internet could be the determining factor of it reaching the next phase of its potential.

The post As Internet turns 50, more risks and possibilities emerge appeared first on Malwarebytes Labs.


A week in security (October 21 – 27)

Mon, 10/28/2019 - 12:05pm

Last week on Malwarebytes Labs, we explored a link between Magecart Group 5 and the Carbanak APT, we discussed the growing rate of robocalls threatening user privacy, and we tipped you off on how to protect yourself from doxing.

We were glad to see the BBC raise awareness about stalkerware, much like we did a few weeks ago.

Other cybersecurity news

  • NordVPN, a popular virtual private network, confirmed it was the victim of a data center breach in 2018 with reportedly only a minor impact. (Source: CNet)
  • The European Data Protection Supervisor says it has “serious concerns” over Microsoft‘s contracts with European Union institutions. (Source: ZDNet)
  • Avast has become the victim of a cyberespionage campaign that saw hackers gain deep access to its network. (Source: Forbes)
  • A new ransomware has been discovered called FuxSocy that borrows much of its behavior from the notorious and now-defunct Cerber Ransomware. (Source: BleepingComputer)
  • Researchers have uncovered malware in 17 iOS apps that were removed from Apple’s official App Store. (Source: ThreatPost)
  • Latest Firefox brings privacy protections front and center letting you track the trackers. (Source: The Mozilla blog)
  • A stealthy Microsoft SQL server backdoor malware was spotted in the wild that could allow a remote attacker to control an already compromised system stealthily. (Source: The Hacker News)
  • Performing searches on some celebrities comes with a higher risk of being hacked. (Source: TechSpot)
  • Research linked ransomware and data breaches to an uptick in fatal heart attacks. (Source: PBS)
  • Cybercrime reports filed by UK citizens have sat inside a police database without being investigated after being placed in quarantine by security software. (Source: ZDNet)

Stay safe, everyone!

The post A week in security (October 21 – 27) appeared first on Malwarebytes Labs.


How to protect yourself from doxing

Fri, 10/25/2019 - 11:37am

“Abandon hope all ye who enter.”

This ominous inscription affixed atop the gates to Hell in Dante’s Divine Comedy applies peculiarly well to describe the state of the Internet today.

It’s hard to draw a parallel to the utility that the Internet has offered to modern civilization—perhaps no other technological innovation has brought about greater change. Yet, one of its many consequences is the steady erosion of individual privacy, as cybercriminals (and even regular users) become more creative with malicious activities perpetrated against others online.

Among the many harmful techniques of threatening a user’s online privacy is doxing. Doxing refers to the collection of a user’s private information, which is inevitably spread across multiple platforms (including social media), and publishing it publicly. Doxing may be conducted by researching public databases, hacking, or through social engineering. While there are some legitimate reasons for doxing, such as risk analysis or to aid in law enforcement investigations, it’s mostly used to shame, extort, or enact vigilante justice.

The act of doxing poses serious dangers not only to the privacy of an Internet user, but also to their physical safety. It’s not uncommon for a doxing victim to be harassed in person or be targeted for swatting spoofs. Nonetheless, you can take some effective measures to prevent becoming a potential victim of a doxing attempt.

1. Make all social media handles/usernames private

It is a fairly simple matter for anyone stalking you online to cross-reference your multiple online personalities (read usernames/handles) from different social media platforms. If all your profiles are visible at a single click to any random Tom, Dick, or Harry with a working Internet connection, you may be leaving yourself open to doxing.

The good news is that most popular social media platforms have considerably improved their privacy controls. It is advisable to explore the privacy settings for all your profiles, and to revisit them after platform updates since defaults change, keeping personally identifiable information such as your phone number, addresses, and other sensitive data invisible to anyone you don’t know.

2. Use unique usernames for each platform

The easiest way to make yourself target practice for someone learning the art of doxing is to use the same username for every online message board, social media, and service you are using. Avoid this at all costs—unless you are developing an online persona or influencer program. If so, hiding personal details associated with those profiles becomes even more imperative.

For the rest of us, it’s wise to have a unique username for different situations and to compartmentalize usernames on the basis of purpose. For instance, if you use Instagram, comment on an online gaming forum, and participate in a community for political discussions, use a different username for each of these purposes, with no obvious connection between them. For the same reason, we don’t recommend using social media profiles to sign in to other services (e.g., “Sign in with Facebook” or “Sign in with Twitter”): social login ties the new account to the real-name identity you hold at the provider, which undoes the compartmentalization.

Separating online account identities makes it quite difficult for anyone who might take an interest in launching a doxing attack against you to collect all the pieces needed to assemble a true identity. And while it can be frustrating to manage so many different usernames and passwords, a password manager can assist in the juggling act.
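To show why a reused handle is so useful to a doxer, here is an added illustration that is not part of the original post: a short Python script that does the cross-referencing described above. It collapses the cosmetic variation people add to a handle when it is already taken on a new platform (capitalization, separators, a birth year tacked on the end) and groups accounts that normalize to the same string. The profile list, platform names, and handles are constructed for the example and are not real accounts.

```python
import re
from collections import defaultdict

# Constructed sample of (platform, handle) pairs, the kind of list a doxer
# assembles from search results and profile pages. Not real accounts.
SAMPLE_PROFILES = [
    ("instagram", "Dave_Smith92"),
    ("gaming-forum", "davesmith"),
    ("politics-board", "Dave.Smith"),
    ("twitter", "DSmith_1992"),
    ("reddit", "quietotter"),
]


def normalize(handle):
    """Strip the cosmetic variation a doxer looks straight through.

    Case, separators (_ . -) and trailing digits are the usual ways people
    make a reused handle fit a new platform; all three collapse away here.
    """
    h = handle.lower()
    h = re.sub(r"[^a-z0-9]", "", h)   # drop separators and punctuation
    h = re.sub(r"\d+$", "", h)        # drop a trailing year or counter
    return h


def link_profiles(profiles):
    """Group profiles whose handles normalize to the same string.

    Only groups spanning more than one account are returned, because those
    are the ones that let a doxer chain identities together.
    """
    clusters = defaultdict(list)
    for platform, handle in profiles:
        clusters[normalize(handle)].append((platform, handle))
    return {key: group for key, group in clusters.items() if len(group) > 1}


if __name__ == "__main__":
    for key, group in link_profiles(SAMPLE_PROFILES).items():
        platforms = ", ".join(platform for platform, _ in group)
        print(f"{key!r} links {len(group)} accounts: {platforms}")
```

Run against the sample, the Instagram, gaming forum, and politics board accounts all collapse to the same key and are linked in one step; the Twitter handle (a different abbreviation) and the unrelated Reddit handle stay separate. That is exactly the gap you want between every account you hold.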

3. Be wary of online quizzes and app permissions

The philosophy of maintaining online privacy is simple: limit sharing of personal information online unless absolutely necessary. Online quizzes and needless mobile app permissions are the antitheses to this philosophy.

Online quizzes seem completely innocent, but they are often goldmines of personal information that you hand over without thinking twice. The facts a quiz asks for (your first pet, the street you grew up on, your mother’s maiden name) are frequently the same facts used as password-reset security questions. And since many quizzes ask for permission to see your social media information or your email address before revealing your spirit animal, they can easily associate those answers with your real identity.

As we saw with Facebook’s Cambridge Analytica fiasco, those online quizzes aren’t always as innocent as they seem. Without much context on who is launching the quiz and why, it’s best to avoid taking them altogether.

Mobile apps are also rich sources of personal data. Many apps ask for access permissions to your data or device that the app has no business needing. For instance, an image editing app has no logical use for your contacts. If it asks to access your camera or photos, that makes sense. But if it also wants to read your contacts, GPS location, and social media profiles, you should ask what that data is for.

So while we can’t say “avoid downloading apps that request permissions” altogether, we do recommend you take a good look at which permissions are being requested and consider whether they’re necessary for the app to function.
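To make that check concrete, here is an added example that is not part of the original post: a Python script that pulls the permission list out of an Android app manifest and flags the runtime (“dangerous”) permissions that an image editor has no plausible use for. The sample manifest, the package name com.example.photofun, and the allow-list of what an image editor should need are constructed assumptions for the illustration; the permission names themselves are Android’s own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android runtime ("dangerous") permissions: the ones that gate user data
# or sensors and require the user's explicit approval.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.BODY_SENSORS",
}

# Hypothetical allow-list: the dangerous permissions an app of this kind
# can justify. Extend with other app kinds as needed.
EXPECTED_FOR = {
    "image_editor": {
        "android.permission.CAMERA",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Constructed manifest for a fictional photo app that over-asks.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photofun">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit(manifest_xml, app_kind):
    """Split requested permissions into justified, suspicious and normal.

    'suspicious' is the set to ask questions about: dangerous permissions
    that an app of this kind has no plausible need for.
    """
    requested = set(requested_permissions(manifest_xml))
    expected = EXPECTED_FOR[app_kind]
    dangerous = requested & DANGEROUS
    return {
        "justified": sorted(dangerous & expected),
        "suspicious": sorted(dangerous - expected),
        "normal": sorted(requested - DANGEROUS),
    }


if __name__ == "__main__":
    for bucket, perms in audit(SAMPLE_MANIFEST, "image_editor").items():
        print(f"{bucket}:")
        for perm in perms:
            print(f"  {perm}")
```

For a real APK, `aapt dump permissions app.apk` lists the same declarations, and the per-app permissions screen in Android Settings shows which ones have actually been granted. In the sample, camera and storage land in the justified bucket, while contacts, precise location, and account enumeration are flagged as suspicious for an image editor.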

4. Use VPNs

A VPN (virtual private network) routes your traffic through the provider’s server, so the websites you visit see the VPN server’s IP address instead of yours. Normally every website you access can see your IP address, which reveals your ISP and approximate location (typically the city) and which can be tied back to you through your ISP’s records or other data. Borrowing the VPN server’s address, associated with a different location, can throw off a doxer trying to follow your trail. Keep in mind that a VPN does nothing for accounts you log in to under your own name, and that the VPN provider itself still sees your real IP address, so its logging policy matters.

The only problem is that there are a lot of VPNs out there, and not all of them are trustworthy. Choosing one that suits your needs can be made easier with VPN comparison resources such as this one, as well as our article on mobile VPNs.


5. Hide domain registration information from WHOIS

WHOIS is the lookup service that returns the registration records kept by domain registries and registrars. A query for a domain can return the name of the person or organization that registered it, their postal address, phone number, and email address, all the stuff doxers would love to get their hands on.

If you plan to run a website (domain) without giving your real identity away, make sure your personal information is not published in WHOIS. Most registrars offer a WHOIS privacy or proxy service that substitutes the registrar’s contact details for yours; enable it when you register the domain rather than afterwards, because third-party services archive historical WHOIS records, and an address that was public for even a short time can be looked up later. Many registrars now redact contact fields by default, but don’t assume yours does: query your own domain and check.
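Here is an added example, not part of the original post, of that check: a Python script that parses a WHOIS record in the key/value layout most registrars return and reports which registrant, admin, or tech contact fields are still exposed rather than redacted. The two records below are constructed for the illustration (the domain, the registrar name, and the contact details are invented), and the list of redaction phrases is a heuristic based on the wording registrars commonly use.

```python
# Constructed sample records. Neither the domain nor the contact data is real.
EXPOSED_RECORD = """\
Domain Name: EXAMPLE-PERSONAL-SITE.COM
Registrar: Example Registrar, LLC
Registrant Name: Jane Q. Public
Registrant Organization:
Registrant Street: 123 Main Street
Registrant City: Springfield
Registrant Phone: +1.5555550123
Registrant Email: jane@example-personal-site.com
Name Server: NS1.EXAMPLE-DNS.NET
"""

REDACTED_RECORD = """\
Domain Name: EXAMPLE-PERSONAL-SITE.COM
Registrar: Example Registrar, LLC
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service customer
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-DNS.NET
"""

# Contact roles and the fields within each that identify a person.
CONTACTS = ("Registrant", "Admin", "Tech")
PII_FIELDS = ("Name", "Street", "City", "Phone", "Email")

# Heuristic markers (assumption): phrases registrars use in place of real data.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "query the rdds", "withheld")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; lines without a colon are ignored."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record


def is_redacted(value):
    """An empty field or one carrying a known redaction phrase counts as hidden."""
    v = value.lower()
    return v == "" or any(marker in v for marker in REDACTION_MARKERS)


def exposed_pii(text):
    """Return the contact fields that still show real-looking data."""
    record = parse_whois(text)
    leaks = []
    for contact in CONTACTS:
        for field in PII_FIELDS:
            key = f"{contact} {field}"
            if key in record and not is_redacted(record[key]):
                leaks.append(key)
    return leaks


if __name__ == "__main__":
    for label, record in (("exposed", EXPOSED_RECORD), ("redacted", REDACTED_RECORD)):
        leaks = exposed_pii(record)
        print(f"{label}: {len(leaks)} exposed field(s) {leaks}")
```

On most Unix-like systems `whois yourdomain.example` prints a record in this layout, so you can feed its output straight into exposed_pii(). An empty result means the current record is clean; it says nothing about copies archived before you enabled privacy, which is why the setting belongs at registration time.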

Final thoughts

Online privacy is becoming harder and harder to preserve as our connectedness expands, courtesy of the Internet. Organizations look for personal details of their customers for more successful, targeted marketing opportunities. Applications request private information to support functionality—and sometimes ask for too much. Social media networks and search engines mine personal data for advertising profits. At this point, simply having an online presence is enough to put your privacy at risk.

At the same time, remember that in the great majority of cases, taking a few extra steps to hide, scatter, or otherwise make personal information harder to find can throw doxers off your scent and protect your privacy. This strategy turns away all but the most persistent doxers before they can gather pieces of information about you and publish them on the Internet. As an added bonus, protecting your PII from doxers also makes it more difficult for cybercriminals to scoop up your details for use in a social engineering attack.

Perhaps we needn’t abandon all hope online after all.

The post How to protect yourself from doxing appeared first on Malwarebytes Labs.

Categories: Malware Bytes