How to securely send your personal information

This story originally ran on The Parallax and was updated on July 3, 2019.

A few months ago, my parents asked a great security question: How could they securely send their passport numbers to a travel agent? They knew email wasn’t safe on its own.

Standard email indeed isn’t safe for sending high-value personal information such as credit card or passport numbers, according to security experts such as Robert Hansen, CEO of intelligence and analysis firm OutsideIntel, now part of Bit Discovery.

“Email sometimes has good cryptography but often does not,” Hansen says. When sending between Gmail accounts or within a company, he adds, secure transport “probably isn’t an issue.” But people should ask themselves, “Can somebody steal the data when it’s at rest?”

There’s no 100 percent hack-proof way to send your personal information across the Internet. But thanks to the development of end-to-end encryption, which secures data from even the company providing the encryption, there are tools and techniques you can use to make the process safer for you and the identification numbers we use to rule our lives.

Here are three expert tips for securely sending someone your personal information when planning your summer vacation, buying your next house, or just sending documents to your doctor’s office (when they don’t have their own secure messaging system).

Tip 1: Use an app with end-to-end encryption

The use of encryption has been increasing “since the mid-1990s,” notes security expert Bruce Schneier, thanks to a seminal court case allowing companies to work on computer cryptography without having to first seek the government’s permission. 

Some phone apps protect your text messages using end-to-end encryption. We have highlighted several of the best in a guide to apps offering end-to-end encryption. Here are a few we find exceptionally useful for securely sending personal information.

WhatsApp, used by more than 1.5 billion people, is on every major and several minor platforms, including an easy-to-use desktop browser app, and it provides end-to-end encryption by default. If you use WhatsApp (acquired by Facebook in 2014), you use end-to-end encryption. It’s that simple, and its popularity means that you might not have to convince your intended recipient to install it.

WhatsApp’s encryption tech is actually provided by Open Whisper Systems, which makes its own end-to-end encrypted text and voice app, Signal. So which app should you use? Signal arguably has two advantages over WhatsApp, at least from a security perspective. First, Signal doesn’t store any metadata on its chats, while WhatsApp does. Metadata isn’t the content of messages, but it can help identify the type of content being sent. Second, Signal can be set to auto-delete messages, which is effective as long as the recipient hasn’t taken a screenshot or otherwise copied the content of the message.

Signal is also open-source, which means that the code on which it’s built is subject to independent reviews. WhatsApp’s development is closed, so nobody outside the company gets to poke around in its code. While Signal is only for iPhone and Android, both Signal and WhatsApp can comfortably exist on the same device—they don’t conflict with each other. (Sometimes, however, Signal struggles to let its users go.)

As of July 2019, WhatsApp and Signal are the only two end-to-end encrypted messaging apps for which the advocacy nonprofit Electronic Frontier Foundation offers installation instructions in its Surveillance Self-Defense Tool Guide. The organization elsewhere in its guide recommends the end-to-end encrypted messaging app Wire. Wire works on Android, iOS, and desktops. One of Wire’s benefits is that it doesn’t require you to share your phone number to use the service, instead relying on usernames. That can help minimize the ability of others to track you. But it also stores conversation threads in plaintext when you use it across multiple devices.

End-to-end encrypted Wickr also allows users to delete messages they’ve sent after they’ve been viewed. Once you’ve deleted a message you’ve sent, you don’t have to worry about the recipient’s device storing it. However, because Wickr runs only on iOS and Android, and it has no password recovery method, you might have a hard time convincing your recipient to use it. (Editor’s note: Since this story was originally published, Wickr is still available to all users but is focused on businesses, not consumers.)

Tip 2: If you must use email…

If you must use email—perhaps you’re sending the Panama Papers—strongly consider learning about Pretty Good Privacy. The challenge with PGP is that not only do you have to use it correctly, with different instructions for Windows, Mac, and Linux, but so does your recipient. You can also consider sending a password-protected ZIP file, as long as the password isn’t in the same email you send.

Electronic Frontier Foundation technologist Jeremy Gillula advises against creating a simple code for sending important numbers, such as changing all 1s to 2s. “If you’re using a simple cipher, might as well call up the recipient and tell them over the phone,” he says.

Some email networks are encrypted within their own systems. If you know that your recipient is using Gmail, and you’re using Gmail, the content of the messages will be protected from snooping while being sent, Gillula says. “It can thwart a passive eavesdropper, but you’re still susceptible to active attacks.”

Tip 3: Ask questions

If you’re not sure about your recipient’s computer security, ask him or her about it. Hansen tells a story about trying to get a mortgage, and the mortgage company wanted “unbelievable amounts of information. I took one look at their website and found a number of different flaws in it.” 

He ended up finding a larger, more computer-savvy mortgage company. Good starter questions include:

  • Are the data you transmit and the databases that store it encrypted on disk? 
  • Is access to your information systems handled on a per-user basis, or does everybody use the same username and password?

If the data isn’t encrypted on disk and at rest, and if there’s only one username and password for accessing customer data, keep looking for a different service provider, Hansen says. From there, the questions you ask depend on whether you’re working with a travel agent, a health care provider, or a mortgage firm.


The post How to securely send your personal information appeared first on Malwarebytes Labs.

A week in security (July 1 – 7)

Last week on Malwarebytes Labs, we explained what to do when you find stalkerware, how cooperating apps and automatic permissions are setting you up for failure, and why you should steer clear of Bitcoin Cash generators.

Other cybersecurity news:

  • A former Chief Information Officer (CIO) of Equifax has been issued a prison sentence for insider trading on the firm’s disastrous data breach before the incident became public knowledge. (Source: ZDNet)
  • A new Ryuk ransomware campaign is spreading globally, according to a warning issued by the UK’s National Cyber Security Centre (NCSC). (Source: DarkReading)
  • Orvibo smart home devices leaked billions of user records including logs that contained everything from usernames, email addresses, and passwords, to precise locations. (Source: VPNMentor)
  • Chinese authorities have decided to spy on foreigners crossing the border by installing spyware on Android phones. (Source: iPhoneHacks)
  • Germany‘s cybersecurity agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure. (Source: ZDNet)
  • An ongoing attack in the OpenPGP community makes users’ certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates. (Source: Duo Security)
  • Researchers have discovered the first known malware strain that uses the DNS over HTTPS protocol, dubbed Godlua. (Source: TechSpot)
  • IronPython, darkly: how researchers uncovered an attack on government entities in Europe. (Source: PT Security)
  • Attunity, a company that is currently working with at least half of all Fortune 100 companies, including Netflix, leaked both its clients’ and its own data. (Source: BleepingComputer)
  • The US Cyber Command has issued an alert that hackers have been actively going after CVE-2017-11774. The flaw is a sandbox escape bug in Outlook. (Source: The Register)

Stay safe, everyone!

The post A week in security (July 1 – 7) appeared first on Malwarebytes Labs.

Steer clear of Bitcoin Cash generators

Here’s an interesting evolution on a well-worn scam, taking one profit-generating fakeout and turning it into something else entirely.

For years, gamers have been stuck navigating the treacherous waters of fake video game giveaways. With so many genuine gaming giveaways around, you’re never quite sure if a site offering free Xbox points, Steam credits, or downloadable content is going to do what it claims.

Typically, the site will ask you to pick your reward then “verify you’re a human” or just help a fictitious process along by clicking an ad or filling in a survey or downloading a file and hoping it isn’t malware.

The gamer never gets their rewards. They may well end up with a few unexpected visitors on their desktops, though.

What’s the change here?

One enterprising individual has clearly had enough of the video game wilderness and decided to try and make money in a less explored realm.

Step up, Bitcoin—or to be more accurate, Bitcoin Cash. Bitcoin Cash is a form of cryptocurrency that went its own way in 2017, and then split again in what I can only call the great Bitcoin cash war of 2018 when two rival groups imagined vastly different directions for the fledgling currency.

The intention, with or without split, was supposed to be a digital coin that functioned more as a currency than a digital investment. It is this fertile ground that sets the scene for the site we’re about to look at: Bitcoin-cash-generator(dot)com.

[Image: Coin Generator]

Getting things started

The website claims to “inject exploits into Bitcoin Cash pools and blockchain.” They attempt to put pressure on visitors right from the start, claiming they limit use of the tool to 30 minutes per IP address, up to a maximum profit of 2.5BCH. That’s around £815/US$1,024, so it’s a tidy bit of profit for jumping some hoops. For reference, the minimum amount a visitor can ask for is 0.1 BCH, roughly £32/US$41.

Whatever slice of the pie a visitor picks, they’re going to get a little bit of money back… or are they?

What hoops do we have to jump through?

Unlike many similar gaming-themed scam sites, surprisingly little. With no social aspect, there’s no real reason to plaster share buttons all over the place or ask to send to friends. This is all about the site visitor only. They simply have to “Enter your Bitcoin cash address bellow [sic]” and move a slider to select their desired amount. (And really, who will pick anything less than the maximum?) Then, they hit the start button.

Pop-ups abound of other IP addresses receiving amounts. “People” in the chatroom confirm it works great. Any hesitation a user might have had is likely gone at this point.

[Image: Confirm amount]

After confirming the desired amount, we’re off to the “this website is doing nothing at all” races.

Constructing the lie

Those familiar with the fake game points/free gift card websites will know the drill. A collection of random boxes pops up, claiming to be hacking the Gibson. The more vaguely technical-sounding it all is, the better—anything that sells the vision of actual, honest-to-goodness exploits doing strange exploity things in the background.

[Image: Transfer requests]

“Injecting transfer requests into the blockchain.” I hate when that happens.

[Image: Tunnel time]

“Connecting to blockchain maintenance channel”

Well of course, it always helps when you connect to the old blockchain maintenance channel.

This one is a particular favourite of mine, as it’s every TV show’s attempt to show you some hacking on a screen in one hilarious image:

[Image: Seems legit]

It also comes in handy for digging out multiple similar websites apparently using aspects of the same “We’re definitely hacking a blockchain, honest” code.

Multiple claims are made during the supposed hacking process that various attempts have failed to grab the cash, but they continue to persevere with it. Whereas many survey scams are almost instantaneous, these things really stretch out the illusion and make visitors wait a good few minutes while the titanic (fictional) battle rages in the background.

Eventually: success!

Sadly, success comes with a price. At this point, ye olde survey scam would ask you to fill in some offers. The free video game points site would ask you to install a dubious game or spam links across social media.

Here?

They need you to make a small donation, because of course they do. The site reads as follows:

The BitcoinCash network requires a small fee to be paid for each transaction that goes to the miners, else a transaction might never be confirmed. To ensure your transaction confirms consistently and reliably, pay the miners fee of 0.00316 BCH for this transaction at: [wallet address]

The request for 0.00316 BCH (roughly £1/US$1.30) is made regardless of whether you ask for the minimum/maximum amount of free cash. It doesn’t scale upwards.

[Image: Donation required]

Does this work?

The only thing that does work in all this is website visitors sending small amounts of cash to the people behind the website(s). As mentioned earlier, we’ve seen a few other sites doing much the same thing, such as freebtc(dot)uw(dot)hu and smartcoingenerator(dot)com:

[Image: Generator bitcoin]

[Image: Additional generators]

Money trails

One interesting aspect of this type of scam branching out into digital coinland is increased visibility into site owner antics. You can only go so far with survey scams or random social media profiles sending out spam links. Here, however, much of what constitutes a digital transaction is out there in the ether as a matter of public record.

There are entire sub-industries devoted to analysis of Bitcoin transactions and how people make their digital cash flow down the money tubes. Generally, most folks’ experience of watching the Bitcoin wheels go ’round is focused on plain old Bitcoin. Bitcoin Cash is a little different, but you can still take a look behind the scenes.

The various sites we’ve seen offer up different addresses to send their “small transactions” to, and not all of them are focused on Bitcoin Cash. With reference to the one used on Bitcoin Cash Generator, they do appear to have made a little money so far. It seems doubtful anyone is going to retire from it, though.

Another scam bites the dust

These Bitcoin Cash Generator sites are yet another sub-genre of survey scams that need to be filed under the “Something for nothing” label. If getting your hands on digital currency was this easy, everybody would be doing it. Instead, it’s a unique selling point for a handful of websites lurking in the corners of the net.

The post Steer clear of Bitcoin Cash generators appeared first on Malwarebytes Labs.

Cooperating apps and automatic permissions are setting you up for failure

“Hey you. Someone from HR has invited you to a meeting on Thursday. Would you like me to add the appointment to the calendar?”

Receiving an email notification when someone has invited you to a meeting is a feature that many professionals would not like to miss. Being able to log in at certain sites with your Facebook profile might be less indispensable, but nevertheless, it’s a heavily used functionality. What do these two functions have in common? They both require an integration between different apps, and this opens up some security and privacy risks.

Some practical problems

Recently, we were reminded that the Google Calendar notifications in Gmail provided scammers with the option to spam users with phishing links to sites that are out to steal user credentials. Basically, scammers were able to craft the invitation so that it included a malicious link. Since this is a relatively unknown method, most people wouldn’t think twice before clicking.

Logging into sites with social media profiles more than doubles the privacy risks you run into by using either app separately. We say this because the data used by either app can easily be combined with those of the other app—therefore cybercriminals can come away with double the payday.

You may have seen these login options for Twitter, Google, and Facebook. And Facebook combines these risks with yet another problem. Many people that canceled their Facebook accounts (or thought they did) have found that coming back to a site where they used to log in with their Facebook account revives said Facebook profile and opens it up for the world to see again.

Seems easier to just choose Facebook or Google, right?

And we haven’t even touched upon the apps that grab the permission to post on these social media sites on your behalf.

Underlying problems

Before we can start to look for effective countermeasures, we need to understand the real foundation behind these security risks. The most common and well-known problems include:

  • Apps that refuse to work without permissions, even though they shouldn’t require integration with other apps at all.
  • Apps that grant other apps access to their data and settings.
  • Apps that are downloaded and installed by impulse. We tend to forget about them after we’ve stopped using them, but the data sharing goes on.
  • Jailbreaking, rooting, and sideloading apps. Apps outside the Google Play or App Store are not as secure. For example, popular games like Fortnite were not available in Google Play, basically forcing their fans to compromise their safety to install the game.
  • Lack of awareness of the implications of granting permissions. Even when the permissions are clearly communicated (the app will be able to post to your Twitter account, for example), users have the inclination to think it will be all right to allow “trusted apps” full permissions.

Even though not every app in the Play Store is 100 percent trustworthy, you can be assured that at least some security checks have been performed. Google does require developers to limit their device permission requests to what’s really necessary for the app. And they do block many apps from the Play Store because they may be harmful, but there are always those that manage to slither through.

These are just the measures taken against apps that are potentially harmful. We shouldn’t forget those that invade or risk your privacy. What’s important to remember here is that when you are installing apps from other unknown sources, they most likely didn’t have to pass any scrutiny at all—and are a likely security or privacy risk.

A regular check of your list of apps may result in some good device-cleaning, which not only reduces your attack surface, but also might improve your device’s performance and speed. While you’re at it, check the permissions on some of the apps that you decide to keep. They may not need all of them to do what you want or expect the app to do for you.

When an app asks for permissions, carefully read what it is asking for and let that sink in before you allow it. I know that these requests always seem to come at an inconvenient moment. You are in a hurry and you want that notification out of your way so you can carry on and use the app.

But consider why a gaming app is asking for access to GPS location. Or how come that financial app wants access to all of your contacts. Is the app really worth turning over that private information? Also note that these requests are not limited to the install process. They may come after an update or when you are trying a new feature.

Partial solutions

Right now, without more user awareness of the security risks of integration, and without the applications, software programs, or social media platforms narrowing down their permissions requests to only what’s necessary to make the program work, there are only partial solutions for those looking for convenient installation or login processes. However, these solutions do improve your overall security posture without sacrificing too many benefits.

When it comes to integrations, there are a few tips we are happy to share.

Facebook

If you decide to unpair your apps and websites from Facebook, follow the directions below:

  • Under the Facebook menu, go to Settings.
  • Under Security, select Apps and websites then click on the “Logged in with Facebook” section.
  • Select to remove all the entries that you will no longer be using. You can also see what information each app was able to retrieve from your Facebook profile. Quite an eye-opener.

[Image: Facebook login apps and sites]

Google

Google has an informative page in their Help Center about giving third-party apps access to your Google account. It reads:

“Depending on how you use Google products, some of the information in your account may be extra sensitive. When you give access to third-parties, they may be able to read, edit, delete, or share this private information.”

The integration between Gmail and Google calendar can be rendered less automated (and thus less of a security risk) by turning off the automatic calendar invitations feature. Here are the directions:

  • Go to the Event Settings menu in Google Calendar and disable the “Automatically add invitations” option.
  • Enable the “Only show invitations to which I’ve responded” option instead.
  • Also make sure that the “Show declined events” option in the “View Options” section is left unchecked.

Twitter

Twitter has a page similar to Google’s, called About third-party applications and log in sessions, which warns:

“You should be cautious before giving third-party applications access to use your account.”

The page also provides information on how to remove access for sites and apps. Have a look and check for any unexpected guests.

Cooperating apps

I realize that cooperating apps are designed to make our life easier. After all, it’s frustrating if the left hand doesn’t know what the right hand is doing. And when everything works seamlessly together, our online life has a natural flow. I’m just asking you to give it some thought before you blindly allow integrations and permissions.

It looks as though users have shifted mindsets from “I have nothing to hide” to “They already know everything anyway.” But in both cases, it is true that you don’t have to hand your personal data to “them” on a silver platter, no matter who they are. Your personal information is too valuable to just give away. After all, that’s why cybercriminals (and legitimate organizations) are after it to begin with.

Stay safe out there!

The post Cooperating apps and automatic permissions are setting you up for failure appeared first on Malwarebytes Labs.

A week in security (June 24 – 30)

Last week on Malwarebytes Labs, we peeled back the mystery on an elusive malware campaign that relied on blank JavaScript injections, detailed for readers our latest telemetry on the tricky GreenFlash Sundown exploit, and looked at one of the top campaigns directing traffic toward scareware pages for Microsoft’s Azure Cloud Services.

We also doubled down on our commitment—and significantly increased efforts—to detect stalkerware on victims’ devices.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (June 24 – 30) appeared first on Malwarebytes Labs.

Helping survivors of domestic abuse: What to do when you find stalkerware

We’re going to talk about something different today. We’re going to talk about domestic abuse.

Earlier this year, cybersecurity company Kaspersky Lab announced that the latest upgrade to its Android app would inform users about whether their devices were running stealthy, behind-the-scenes monitoring apps sometimes referred to as stalkerware.

This type of software can track unsuspecting victims’ locations, record phone calls, peer into text messages and emails, pry into locally-stored photos and videos, and rifle through web browsing activity, all while hidden from view.

Though often, and shamelessly, advertised as a tool for parents to track the activity of their children, these apps are commonly used against survivors of domestic abuse.

This is no surprise. Stalkerware coils around a victim’s digital life, giving abusive partners what they crave: control.

Electronic Frontier Foundation Cybersecurity Director Eva Galperin, who pushed Kaspersky Lab into improving its product, told Motherboard at the time of the company’s announcement:

“I would really like to see other [antivirus] companies follow suit, so that I can recommend them instead of just one company that has shown that they are committed to doing this… I’d like to see this be the industry standard so it doesn’t matter which product you’re downloading.”

Malwarebytes stands up to this commitment, as we have for years.

But starting today, we’re going to do more than improve our stalkerware detection capabilities. We’re going to help survivors understand this danger and know what to do if they’re being digitally tracked.

Finding proof of stalkerware

Stalkerware presents a unique detection problem for its victims—it often hides itself from public view, and any attempt to find it could be recorded by the stalkerware itself.

Further, the US government has done little to help. Despite a previous FBI investigation that led to the court-ordered shutdown of the stalkerware app StealthGenie, countless other stalkerware apps still operate today.

According to a new study by the University of Toronto’s research and public policy project CitizenLab, the most popular stalkerware apps today in the US, Canada, and Australia are FlexiSpy, Highster Mobile, Hoverwatch, Mobistealth, mSpy, TeenSafe, TheTruthSpy, and Cerberus.

Malwarebytes Labs has previously written about the technological signs of stalkerware—quickly-depleting battery life, increased data usage, and longer response times than usual—but we wanted to explore what stalkerware looks like from a behavioral aspect. We spoke to multiple domestic abuse networks and advocacy groups, and one troubling fact arose repeatedly:

Symptoms of stalkerware are not proof of stalkerware.

Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, said her organization consistently hears stories from domestic abuse survivors who are struggling to explain how their partners know about their phone calls, text message conversations, emails, and even visited locations.

“Survivors could come to law enforcement and say ‘My ex knows about the text messages I sent, and I don’t know how they know that,’” Olsen said. But, she said, the signs don’t always guarantee the use of stalkerware.

“Could the [recipient] have just told [the ex]?” Olsen said.

In determining the presence of stalkerware, Olsen said survivors should assess several factors:

  • Does their abusive partner have physical access to their device—a common situation for couples who live together?
  • Does their abusive partner know the passcode to unlock a device? This is another situation that depends on whether an abusive partner even allows for that level of agency and freedom for their victim.
  • Can their abusive partner view call logs on their device, learning who was called, how often, and for how long?
  • Does their abusive partner know the content of phone calls?
  • For domestic abuse survivors who have physically escaped their abuser, do their abusers still know about recently-taken photographs, locations visited, and any information that is typically locked behind an account or device passcode?

Further, Olsen said that domestic abuse survivors should study how the private information is being used by an abuser.

“Abusers will end up hinting at all the things they know that they shouldn’t know,” Olsen said. “That is the most frequent thing we hear from survivors, advocates, and law enforcement—the number one thing is identifying that an abuser knows way too much.”

Olsen continued: “They know text messages, emails, they have access to accounts logged into via [the survivor’s] phone. That’s when we immediately have to start talking to survivors about what they think is safe.”

While every safety plan is unique, and every domestic abuse situation nuanced, Olsen offered one top-level piece of advice that applies to all survivors: Trust yourself. You know the feeling of being watched and controlled—whether through physical, emotional, mental, or digital means. You should trust those feelings and never discount your own concerns. 

The following ideas do not present a catch-all “solution” to finding stalkerware on a device. Instead, they present information that will hopefully guide survivors toward safety.

Evaluate your own level of safety

Determining what is safe for you is crucial. What you discover in this process can impact what other steps you take after learning about or suspecting the presence of stalkerware on your device.

Ask yourself several questions about what steps you can reliably take.

  • Do you have people you can ask for support?
  • Can you communicate with those people from a safe, non-monitored device?
  • Can you change your social media account passwords?
  • Can you change your own device passcode?
  • Are you allowed to have a device passcode?
  • Can you install antivirus and anti-malware programs on your own device?
  • What would be the consequences of your abusive partner discovering that you are trying to get rid of stalkerware?
  • Do you want to bring in law enforcement?

If all this seems overwhelming, remember that the National Domestic Violence Hotline is there to help.

Your every move might be recorded

When determining your own level of safety, it’s important to remember that everything you do on your compromised device could be recorded and watched by an abusive partner. That means your web browsing activity, your text messages, your emails, and all of your written correspondence could be far from private.

Know what apps are on your phone and what permissions they’re allowed

Olsen advised that domestic abuse survivors know what apps are on their devices at any given moment. While this guideline does not reliably catch hidden stalkerware apps, it does give you an opportunity to understand what other apps might have been installed on your device in an attempt to surveil you.

Remember, abusive partners do not need stalkerware to victimize and control their partners. Instead, Olsen said, abusers can rely on technology misuse.

“The vast majority of our work is in looking at misuses of general technologies that have 100 different good uses, that are never intended to be misused,” Olsen said. “The ownership [of abuse] is always on the abuser for their behavior. If you remove technology, you’re still going to have an abusive person.”

Shaena Spoor, program assistant with W.O.M.A.N. Inc., offered a couple of examples of technology misuses that she has heard about.

“We had some concerns with Snap Maps,” Spoor said about the Snapchat feature rolled out in 2017 that let users find their friends’ locations. Every user that agreed to share their location had their locations updated with every app use.

“For some people, they didn’t realize that locations had been [turned] on,” Spoor said. “If you don’t use the app very often, you’re just sitting on a map, super findable.”

Spoor said she also heard of domestic abuse survivors whose locations were tracked through the use of the location-tracking product Tile. Though sold to legitimately track luggage, wallets, and purses, domestic abusers can also sneak the small plastic device into your jacket or work bag. When the abuser loads up the Tile app, they can then get a real-time result of that device, and thus, your location.

“People use Tile, for example, and hide them in survivor’s stuff,” Spoor said. “[Survivors] are showing up at domestic violence shelters and finding it hidden in a bag.”

Create new online account logins and passwords from a safe device

This one comes straight from the National Network to End Domestic Violence’s Technology Safety project. You should think about making new account logins and passwords.

As one of the Technology Safety project’s many resources says:

“If you suspect that anyone abusive can access your email or Instant Messaging (IM), consider creating additional email/IM accounts on a safer computer. Do not create or check new email/IM accounts from a computer that might be monitored.”

The Tech Safety resource also advises you to open new accounts with no identifying information, like real names or nicknames. This step should be considered for all important online accounts, including your banking and social media accounts.

Always remember to do this from a safe computer that is not being monitored.

Factory reset or toss your device

Multiple organizations recommended that any stalkerware victim take immediate steps to toss, or wipe clean, their current device. There are a few options:

  • Toss your device and buy a new one
  • Factory reset your device
  • Keep your compromised device, but purchase a new phone that you use for confidential conversations

Olsen advised that every situation has its own unique challenges, and she urged domestic abuse survivors to consider the potential outcomes of whatever option they choose. She said her organization works closely with domestic abuse survivors to come up with the best plan for them.

“We think about the abuser, who no longer has remote access to [the survivor]—they will try to get physical access, and that is a real concern which absolutely could happen,” Olsen said. “If the survivor thinks that [might happen], we try alternatives—buying a pay-as-you-go phone, use it to have critical conversations, private ones, but still keep the regular phone for silly things and to keep the [abuser] at bay.”

Chris Cox, founder of Operation Safe Escape, which works directly with domestic abuse networks and shelters and law enforcement to provide operational and cybersecurity support, echoed similar advice.

“What we always advise, consistently, if an abuser ever had access to the device, leave it behind. Never touch it. Get a burner,” Cox said, using the term “burner” to refer to a prepaid phone, purchased with cash. “You have to assume the device and the accounts are compromised.”

Further, Cox cautioned against survivors trying to wipe stalkerware from a device, as it could introduce a “new vulnerability” in which an abuser learns—through the stalkerware itself—that their victim is trying to thwart the abuser.

Instead, Cox said, “whenever possible, the device is left behind.”

Approach law enforcement

Working with the police is a step taken by survivors who want to take legal action, whether that means eventually obtaining a restraining order or bringing charges against their abuser.

Because this step is nuanced, proceed with caution.

Olsen said that, of the successful attempts she has learned of survivors working with local police, the survivors already have a firm safety plan in place, and they have built a relationship with domestic abuse shelters and advocates. She said that, together with their support network, survivors have managed to get confessions out of their abusers.

But, Olsen stressed, trying to get an abuser to admit to their abusive and potentially criminal behavior is not a step to be taken alone.

“I do not suggest doing this in isolation, but if they’re working with advocates, I have heard of some survivors strategically communicating with abusers,” Olsen said. “It is amazing how many times abusers admit to [using stalkerware].”

Also, survivors should be wary of how police can be used against them, said Cox.

“Abusers, as a whole, are adept at using the law as a weapon,” Cox said. “If a phone belongs to a victim, and it happens to be in the abuser’s name, if the victim leaves and the abuser reports it stolen, [law enforcement] are used as a weapon to track the victim down.”

Call the National Domestic Violence Hotline

If you find stalkerware on your device, or you have strong suspicions about an abusive partner knowing too much about your personal life—with details from text messages and knowledge of private photos—call the hotline from a safe device.

The number for the National Domestic Violence Hotline is 1-800-799-7233.

The hotline’s trained experts can help you find the safest path forward, all while maintaining your confidentiality.

Seek help from various online resources

If you want to find more information online, from a safe device, read through any of these resources about dealing with domestic abuse, stalkerware, and the misuse of technology:

Malwarebytes has also written a few articles on types of technology, malicious or not, that are often abused to their victims’ detriment. Awareness of what’s out there and how it can be used against you can help you stay safe:

And if you are able to install an anti-malware program on your mobile device, running a scan with Malwarebytes for Android can help you detect and remove stalkerware apps—as well as keep a log of which apps were installed on your phone, which is valuable information if you choose to work with law enforcement.

We’re here for you. We care. And we’ll always do what we can to help users have a safe online—and offline—experience with technology.

Stay tuned for our next article in our stalkerware series, which will explore which monitoring apps are safe for parents to use, and which should be avoided. Stay safe.

The post Helping survivors of domestic abuse: What to do when you find stalkerware appeared first on Malwarebytes Labs.

Fake jquery campaign leads to malvertising and ad fraud schemes

Recently we became aware of new domains used by an old malware campaign known as ‘fake jquery’, previously documented by web security firm Sucuri. Thousands of compromised websites are injected with a reference to an external JavaScript called jquery.js.

However, there is something quite elusive about this campaign with regards to its payload. Indeed, to many researchers the supposedly malicious JavaScript is always blank.

In this blog we share how we were able to identify the purpose of the fake jquery malware infection by looking for artifacts and employing a variety of User-Agent strings and geolocations.

Unsurprisingly, we found a web of malicious redirects via malvertising campaigns with a strong focus on mobile users who are tricked into installing rogue apps. The end goal is to monetize via fullscreen adverts that pop up on your phone at regular intervals.

Looking for a clue

Our search begins by looking up some of the domains mentioned on Twitter by @Placebo52510486. There are thousands of sites listed by PublicWWW that have been injected with malicious jquery lookalikes.

While we do not know the exact infection vector, many of these websites are running an outdated Content Management System (CMS).

Like other researchers before us, when we replayed the traffic the supposedly malicious JavaScript was once again empty.

However, with some persistence and luck, we were able to find an archive of this script when it was not empty.

We can see that it contains a redirect to financeleader[.]co. A cursory check on this domain confirms host pairs with those fake jquery domains. It’s worth noting that browsing to the root domain without the special identifier redirects to google.com.
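The injection this campaign relies on, a script tag pointing at an external jquery.js on a lookalike domain, can be hunted for in a page’s HTML. The scanner below is an added example, not the campaign’s code or Malwarebytes’ tooling; the lookalike domains are the ones listed in this article’s indicators, while the trusted-host allowlist and the sample HTML are constructed assumptions.

```python
"""Find <script src> references that claim to be jQuery but load from an
untrusted or known-bad host.  Added example; not the article's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a site legitimately loads jQuery from (extend for your own sites).
TRUSTED_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Lookalike domains from the article's indicators (defanging removed).
KNOWN_FAKE_JQUERY_HOSTS = {
    "12js.org", "16js.org", "22js.org", "lib0.org", "16lib.org", "12lib.org", "wp11.org",
}

# File names that look like a jQuery build: jquery.js, jquery-3.4.1.min.js, ...
JQUERY_NAME = re.compile(r"^jquery[\w.-]*\.js$", re.I)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _host_and_path(src, page_host):
    """Resolve a script src to (host, path); relative URLs belong to the page host."""
    if src.startswith("//"):
        src = "https:" + src
    parsed = urlparse(src)
    host = (parsed.hostname or page_host).lower()
    return host, parsed.path


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def find_suspicious_jquery_refs(html, page_host):
    """Return [(src, reason)] for jQuery-looking scripts served from outside the page."""
    page_host = _strip_www(page_host.lower())
    parser = _ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host, path = _host_and_path(src, page_host)
        filename = path.rsplit("/", 1)[-1]
        if not JQUERY_NAME.match(filename):
            continue  # not pretending to be jQuery, out of scope here
        host = _strip_www(host)
        if host in KNOWN_FAKE_JQUERY_HOSTS:
            findings.append((src, "known fake jquery domain"))
        elif host != page_host and host not in TRUSTED_JQUERY_HOSTS:
            findings.append((src, "jquery.js loaded from untrusted external host"))
    return findings


# Constructed sample page: one genuine CDN copy, one local copy, one injected
# lookalike from the article's list, one unknown external host, one unrelated script.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="https://12js.org/jquery.js"></script>
<script src="//cdn.example-unknown.net/jquery.js"></script>
<script src="/theme/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, reason in find_suspicious_jquery_refs(SAMPLE_HTML, "victim-site.example"):
        print(f"{reason}: {src}")
```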

Desktop web traffic

There is some geo-targeting involved in the redirections, and desktop users clearly do not appear to be the primary focus here. From a US IP address, you are presented with a bogus site where all items point to the same link, which redirects you to instantcheckmate[.]com.

Associated web traffic:

From a non US IP, you are redirected to a page that aggressively advertises VPNs:

Associated web traffic:

Mobile web traffic

Once we switch to a mobile User-Agent, and Android in particular, we can see a lot more activity and a variety of redirects. For example, in one case we were served a bogus adult site that requires users to download an app in order to play the videos:

Associated web traffic:

This app is malicious (detected as Android/Trojan.HiddenAds.xt by Malwarebytes) and will generate full screen ads at regular intervals.

Traffic monetization and ad fraud

While we encountered some desktop traffic, we believe the primary goal of the fake jquery campaign is to monetize from mobile users. This would explain the level of filtering involved to hide non-qualified traffic.

We weren’t able to get an idea of the scale at play, especially considering that the domain initiating the redirects really only became active in late May. However, given the number of websites that have been compromised, this campaign is quite likely funneling a significant amount of traffic leading to ad fraud.

Malwarebytes users are protected against this campaign both on desktop and mobile.

Indicators of Compromise

Fake jquery domains:

Redirects:
financeleader[.]co
afflink[.]org

Malicious APKs:
0e67fd9fc535e0f9cf955444d81b0e84882aa73a317d7c8b79af48d91b79ef19
a210c9960edc5362b23e0a73b92b4ce4597911b00e91e7d3ca82632485c5e68d

GreenFlash Sundown exploit kit expands via large malvertising campaign

Exploit kit activity has been relatively quiet for some time, with the occasional malvertising campaign reminding us that drive-by downloads are still a threat.

However, during the past few days we noticed a spike in our telemetry for what appeared to be a new exploit kit. Upon closer inspection we realized it was actually the very elusive GreenFlash Sundown EK.

The threat actors behind it have a unique modus operandi that consists of compromising ad servers that are run by website owners. In essence, they are able to poison the ads served by the affected publisher via this unique kind of malvertising.

In this blog, we review their latest compromise responsible for pushing ransomware, Pony and a coin miner onto a large number of victims.

Stealthy compromise

At first, we believed the attack originated from one ad network, but we were able to pinpoint where it came from by reviewing traffic captures. The affected publisher is onlinevideoconverter[.]com, one of the most popular sites to convert videos. According to SimilarWeb, it drives 200 million visitors per month:

People navigating to the page to convert YouTube videos into the MP4 format will be sent to the exploit kit, but only after some very careful fingerprinting. The full redirection sequence is shown below:

The redirection mechanism is cleverly hidden within a fake GIF image that actually contains a well obfuscated piece of JavaScript:

After some painful debugging, we can see that it links to fastimage[.]site:
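The fake-GIF trick above is catchable on the wire: a response whose Content-Type says image but whose body lacks the image format’s magic bytes deserves a look. The checker below is an added example, not the exploit kit’s code or Malwarebytes’ detection; the magic-byte table, the script heuristic and the sample responses are constructed assumptions.

```python
"""Flag HTTP responses whose declared image type contradicts the body's
magic bytes, e.g. JavaScript served as image/gif.  Added example."""

# Leading bytes for the image types verified here (assumption: only these three).
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Tokens common in (even obfuscated) JavaScript; a heuristic, not a parser.
JS_HINTS = (b"function", b"eval(", b"document.", b"window.", b"var ", b"String.fromCharCode")


def looks_like_script(body):
    """True when the body is mostly printable text and carries JavaScript tokens."""
    sample = body[:4096]
    if not sample:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    if printable / len(sample) < 0.9:
        return False
    return any(hint in sample for hint in JS_HINTS)


def check_image_response(content_type, body):
    """Return None when the body matches the declared image type, else a reason."""
    mime = content_type.split(";")[0].strip().lower()
    magics = IMAGE_MAGIC.get(mime)
    if magics is None:
        return None  # not an image type this check covers
    if any(body.startswith(m) for m in magics):
        return None
    if looks_like_script(body):
        return f"{mime} body contains script text, not an image"
    return f"{mime} body lacks {mime} magic bytes"


def scan_responses(responses):
    """Run the check over (url, content_type, body) tuples; return [(url, reason)]."""
    hits = []
    for url, ctype, body in responses:
        reason = check_image_response(ctype, body)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed responses: a real GIF, a "GIF" that is really obfuscated JS,
# a real JPEG, a PNG with a broken header, and a script served honestly.
SAMPLE_RESPONSES = [
    ("https://cdn.example/logo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ("https://ads.example/pixel.gif", "image/gif; charset=binary",
     b"var _0x1=String.fromCharCode(104,116);eval(function(p){return p}('x'));"),
    ("https://cdn.example/photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("https://cdn.example/icon.png", "image/png", b"\x00\x00\x00\x00not-a-png"),
    ("https://cdn.example/app.js", "application/javascript", b"console.log(1)"),
]

if __name__ == "__main__":
    for url, reason in scan_responses(SAMPLE_RESPONSES):
        print(f"{url}: {reason}")
```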

The next few sessions contain more interesting code including a file loaded from fastimage[.]site/uptime.js which is actually a Flash object.

This performs the redirection to adsfast[.]site which we recognize as being part of the GreenFlash Sundown exploit kit. It uses a Flash Exploit to deliver its encoded payload via PowerShell:

Leveraging PowerShell is interesting because it allows the attacker to run some pre-checks before deciding whether to drop the payload. For example, in this case it checks that the environment is not a virtual machine. If the environment is acceptable, it delivers a very visible payload: SEON ransomware.

The ransomware uses a batch script to perform some of its duties, such as deleting shadow copies:

GreenFlash Sundown EK will also drop Pony and a coin miner while victims struggle to decide the best course of action in order to recover their files.

Wider campaign

Our previous encounters with GreenFlash Sundown EK, for example during our winter 2019 exploit kits review, were always limited to South Korea. However, based on our telemetry this campaign is affecting people all over the globe, which is an interesting departure for this threat group.

Malwarebytes users were already protected against this drive-by attack and we have informed the publisher about the compromise so that they can take action.

Indicators of Compromise

GreenFlash Sundown infrastructure:

Seon ransomware:
a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b

Pony:
c772bdf4bd05ab63d90f4399e97a1d7eec2891c221739e3b843f9a8c9eddf4d3
9ff00b46b949bd76923137c0b0ed3cd4e252d6e88a55e9b4798525fa40164850

Coin miner:
58002d0b8acd1a539503d8ea02ff398e7ad079e0b856087f0ca30d767588be4e

Recipe for success: tech support scammers zero in via paid search

Tech support scammers are known for engaging in a game of whack-a-mole with defenders. Case in point, last month there were reports that crooks had invaded Microsoft Azure Cloud Services to host fake warning pages, also known as browser lockers. In this blog, we take a look at one of the top campaigns that is responsible for driving traffic to those Azure-hosted scareware pages.

We discovered that the scammers have been buying ads displayed on major Internet portals to target an older demographic. Indeed, they were using paid search results to drive traffic towards decoy blogs that would redirect victims to a browlock page.

This scheme has actually been going on for months and has intensified recently, all the while keeping the same modus operandi. Although not overly sophisticated, the threat actors behind it have been able to abuse major ad platforms and hosting providers for several months.

Leveraging paid search results

Tech support scams are typically distributed via malvertising campaigns. Cheap adult traffic is usually first on the list for many groups of scammers. Not only is it cost effective, but it also plays into the psychology of users believing they got infected after visiting a dodgy website.

Other times, we see scammers actively targeting brands by trying to impersonate them. The idea is to reel in victims looking for support with a particular product or service. However, in this particular campaign, the crooks are targeting folks looking up food recipes.

There are two types of results from a search engine results page (SERP):

  • Organic search results that match the user’s search query based on relevance. The top listed sites are usually those that have the best Search Engine Optimization (SEO).
  • Paid search results, which are basically ads relevant to the user’s query. They require a budget, and not all keywords cost the same.

Because paid search results are typically displayed at the top (often blending in with organic search results), they tend to generate more clicks.

We searched for various recipes on several different web portals (CenturyLink, Att.net, Yahoo! search and xfinity) and were able to easily find the ads bought by the scammers.

We do not have exact metrics on how many people clicked on those ads but we can infer that this campaign drew a significant amount of traffic based on two indicators: the first being our own telemetry and the second from a URL shortener used by one of the websites:

While those ads look typical and match our keyword search quite well, they actually redirect to websites created with malicious intent.

Decoy websites

To support their scheme, the scammers have created a number of food-related blogs. The content appears to be genuine, and there are even some comments on many of the articles.

However, upon closer inspection, we can see that those sites have basically taken content from various web developer sites offering paid or free HTML templates. “<!-- Mirrored from…” is an artifact left by the HTTrack website copier tool. Incidentally, this kind of mirroring is something we often witness when it comes to browser locker pages that have been copied from other sites.

During our testing, visiting those sites directly did not create any malicious redirection, and they seemed to be absolutely benign. With only circumstantial evidence and without the so-called smoking gun, a case could not be made just yet.

Full infection chain

After some trial and error that included swapping various User-Agent strings and avoiding using commercial VPNs, we eventually were able to replay a full infection chain, from the original advert to the browser locker page.

The blog’s URL is actually called three consecutive times, and the last one performs a POST request with the eventual conditional redirect to the browlock. In the screenshot below, you can see the difference between proper cloaking (no malicious behavior) and the redirect to a browlock page:

Browlock page

The fake warning page is fairly standard. It checks for the type of browser and operating system in order to display the appropriate template to Windows and Mac OS victims.

The scammers often register entire ranges of hostnames on Azure by iterating through numbers attached to random strings. While many of those pages are taken down quickly, new ones are constantly popping back up in order to keep the campaign running. Here are some URI patterns we observed:

10-server[.]azurewebsites[.]net/call-now1/
2securityxew-561error[.]azurewebsites[.]net/Call-Now1/
10serverloadingfailed-hgdfc777error[.]azurewebsites[.]net/chx/
11iohhwefuown[.]azurewebsites[.]net/Call-Support1/
11serversecurityjunkfile-65error[.]azurewebsites[.]net/Call-Mac-Support/
2serverdatacrash-de-12error[.]azurewebsites[.]net/macx/
2systemservertemporaryblockghjj-510error[.]azurewebsites[.]net/mac-support/

We believe the crooks may also be rotating the decoy site that performs the redirect in addition to the existing user filtering in order to evade detection from security scanners.
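The hostname and path shape described above (a number glued to a random string on azurewebsites.net, followed by one of a handful of “call now / support / chx / macx” paths) can be turned into a proxy-log check. The classifier below is an added example, not Malwarebytes’ detection and not the article’s own regex; the host pattern is generalised from the seven observed URIs, and the log lines are constructed.

```python
"""Classify URLs against the Azure browlock shape and run the check over
constructed proxy log lines.  Added example; patterns are assumptions
derived from the URIs the article lists."""
import re
from urllib.parse import urlparse

# Host: leading digits attached to an alphanumeric/hyphen string, on azurewebsites.net.
# "www" hosts cannot match because the first character must be a digit.
BROWLOCK_HOST = re.compile(r"^\d+[a-z0-9-]*\.azurewebsites\.net$", re.I)

# Path: one of the observed first segments, case-insensitive, optional trailing slash.
BROWLOCK_PATH = re.compile(r"^/(call-(now|support)1|chx|macx|(call-)?mac-support)/?$", re.I)


def classify_url(url):
    """'browlock' when host and path both match, 'host-only' when just the
    Azure hostname shape matches (worth a look), otherwise 'clean'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    host_hit = BROWLOCK_HOST.match(host) is not None
    path_hit = BROWLOCK_PATH.match(parsed.path) is not None
    if host_hit and path_hit:
        return "browlock"
    if host_hit:
        return "host-only"
    return "clean"


def scan_log(text):
    """Return [(client_ip, url, verdict)] for every non-clean line.

    Expected line format (constructed): <timestamp> <client_ip> <url> <status>."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        _ts, client, url, _status = parts[:4]
        verdict = classify_url(url)
        if verdict != "clean":
            hits.append((client, url, verdict))
    return hits


# Constructed proxy log: three browlock hits, a legitimate app on the same cloud,
# a browlock-style path on an unrelated host, and a digit-led host with a benign path.
SAMPLE_LOG = """\
2019-06-20T10:01:02Z 10.0.0.5 http://10-server.azurewebsites.net/call-now1/ 200
2019-06-20T10:01:03Z 10.0.0.5 https://2securityxew-561error.azurewebsites.net/Call-Now1/ 200
2019-06-20T10:02:10Z 10.0.0.9 https://myapp.azurewebsites.net/api/health 200
2019-06-20T10:03:44Z 10.0.0.7 https://2serverdatacrash-de-12error.azurewebsites.net/macx/ 200
2019-06-20T10:04:00Z 10.0.0.7 https://www.example.com/chx/ 200
2019-06-20T10:05:12Z 10.0.0.8 https://3rdparty-cdn.azurewebsites.net/static/app.js 200
"""

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {client} {url}")
```

A 'host-only' verdict is a triage hint, not a block decision: plenty of legitimate Azure apps have digit-led names.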

Finding the perpetrators

We do not condone interacting with scammers directly, but part of this investigation was about finding who was behind this campaign in order to take action and spare more victims.

Continuing the deception, the rogue technicians lied to us about the state of our computer and made up imaginary threats. The goal was to sell expensive support packages that actually add little value.

The company selling those services is A2Z Cleaner Pro (AKA Coretel Communications) and was previously identified by one victim in August 2018 in a blog comment on the FTC’s website.

Their website is hosted at 198.57.219.8, where we found two other interesting artifacts. The first is a company named CoreTel that the scammers also use as a kind of business entity. It appears to be a rip-off of another domain that pre-existed by several years and is also hosted on the same IP address:

And then, there are two new recipe sites that were both registered in June and, as with previous ones, they also use content copied from other places:

Mitigation and take down

Malwarebytes’ browser extension was already blocking the various browlock pages heuristically.

We immediately reported the fraudulent ads to Google and Microsoft (Bing), as well as the decoy blogs to GoDaddy. The majority of their domains have been taken down already and their ad campaigns banned.

This tech support scam campaign cleverly targeted an older segment of the population by using paid search results for food recipes via online portals used by many Internet Service Providers.

There is no doubt scammers will continue to abuse ad platforms and hosting providers to carry out their business. However, industry cooperation for takedowns can set them back and save thousands of victims from being defrauded.

Indicators of compromise

Decoy blogs


Regex to match browlock URIs on Azure

^http(s|):\/\/(?!www)^.{2}[a-z]{2,7}\/([cC]all-([nN]ow|Support)1|chx|macx|(Call-)?[mM]ac-[sS]upport)

A week in security (June 17 – 23)

Last week on the Malwarebytes Labs blog, we took a look at the growing pains of smart cities, took a deep dive into AI, jammed along to Radiohead, and looked at the lessons learned from Chernobyl in relation to critical infrastructure. We also explored a new Steam phish attack, and pulled apart a Mac cryptominer.

Other cybersecurity news

  • Florida City falls to ransomware: Riviera Beach City Council agrees to pay $600,000 to regain use of hijacked computers. (Source: Forbes)
  • Smart TV virus warning goes AWOL: A peculiar promotional message warning about the dangers posed to smart TVs goes missing. But why? (Source: The Register)
  • Used Nest cams allow continued cam access: This has been fixed, but read on for a look at what happens in the realm of IoT when old devices connect in ways you’d rather they didn’t. (Source: Wirecutter)
  • Fake profiles on LinkedIn go spying: An interesting tale of scammers making use of AI-generated profile pictures to make their bogus accounts look a little more believable. (Source: Naked Security)
  • Bella Thorne takes fight to extortionists: The actress decided to share stolen photographs of herself to teach a hacker a lesson. (Source: Hollywood Reporter)
  • This phish is a fan of encryption: A new scam claims an encrypted message is waiting, but you need to log in to view it. (Source: Bleeping Computer)
  • Mobile app concerns: High risk vulnerabilities abound in both iOS and Android apps. (Source: Help Net Security)
  • Twitter takes on state sponsored accounts: The social media platform took down around 5,000 accounts being used to push propaganda. (Source: Infosecurity Magazine)
  • Malware comes gunning for Google 2FA: A new attack tries its best to bypass additional security restrictions. (Source: We Live Security)
  • A security hole in one: Mobile malware attempts to swipe numerous pieces of personal information. (Source: SC Magazine)

Stay safe, everyone!