Cybersecurity for journalists: How to defeat threat actors and defend freedom of the press

When you’re a journalist or work for the press, there may be times when you need to take extra cybersecurity precautions—more so than your Average Joe. Whether a reporter is trying to crowd-source information without revealing their story or operating in a country where freedom of the press is a pipe dream, cybersecurity plays an important role for any journalist producing work online—which is essentially every journalist today.

While the stakes may be a little higher for reporters in war zones, on crime beats, or in political journalism, all writers with public bylines, newscasters, press agents, photographers, and other journalism staff need to consider cybersecurity best practices a priority. Protecting personally identifiable information, online accounts, and proprietary data is not just a nice-to-have for journalists. It’s fundamental to the integrity of their professional reputation—and trust in the press in and of itself.

What happens if a hacker “outs” a source whom a journalist promised anonymity? Could that source experience retribution or physical harm? What if a cybercriminal could access national stories and change content to be untrue? Already, misinformation is rampant on the Internet.

If Facebook won’t ban all-out lies in political ads, it’s up to our newspapers and publishing outlets to defend the truth. And one way they can better do so is by increasing cybersecurity defenses and awareness.

Why journalists need cybersecurity

There are many valid reasons for journalists to better educate themselves on cybersecurity and consider investing in some security tools, but some of the most important are:

  • Protecting sources’ PII, especially locations, identities, and titles
  • Hiding from authorities who might be trying to kill a story or force you to reveal a source under penalty of law
  • Keeping data secure and private if you are asked to turn over a device
  • Securing communication when you fear eavesdropping, bugging, or other forms of online surveillance
  • If writing under a pen name or pseudonym, preventing online harassment or doxing

As any journalist worth her salt knows, if your anonymous sources become public knowledge, no one will want to talk to you, much less reveal confidential information to you, again. There goes your livelihood.

In some countries and under some circumstances, journalists may not want to reveal what they are working on or where they are working on it. Being able to conduct investigations “off the grid” is key in these conditions, as is making sure your best-kept secrets and tomorrow’s scoop aren’t revealed in data leaked online or easily scraped from an unlocked device.

Communications can be intercepted, no matter which type. Even face-to-face conversations can be overheard. But reporters’ juicy interviews may be of particular interest to cybercriminals, especially nation-state actors conducting long-term reconnaissance on high-profile targets. Whether you’re talking to the local baker for a human interest story or sitting down with the Director of National Security, it is wise to assume you are under surveillance—or could be if you don’t take precautions.

Unfortunately, many journalists know first-hand how publishing online can invoke Internet ire via commenting trolls and rage-filled Tweetstorms. A thick coat of armor is necessary to withstand the sometimes needlessly cruel and personal feedback; many an online reporter has booked therapist appointments accordingly. But additional cyber defense is necessary to ensure physical protection from harm, as well as to shield against harassment and doxing attempts.

Cybersecurity methods and tools

Not every journalist needs all of the cybersecurity methods and tools listed below, but they should at least have a basic understanding of what these methods can do for them, and how to apply them when necessary.

  • Data encryption
  • End-to-end encrypted communication (email, chat, videoconferencing)
  • Deleting metadata
  • Disabling location services when necessary
  • Creating secure backups, either to the cloud or to external hard drives
  • Private browsing and other online activities
  • Deleting navigation history and cookies
  • Using caution when activating IoT devices that may be vulnerable or insecure; for example, don’t use Alexa to dial an anonymous source
  • Using a VPN to anonymize Internet traffic
  • Educating yourself on basic cybersecurity hygiene, and implementing a few technology solutions, including an AV/anti-malware, firewall, password manager, 2FA, and updating any software when patches are ready

Data encryption and creating secure backups are closely related. When your device falls into the wrong hands, you don’t want a criminal to be able to simply exfiltrate all the data you have gathered on it. Encryption can make finding the data hard, or impossible, for those who don’t have the key. And if you do lose a device, its securely backed-up data can be accessed elsewhere.

Encrypted communication is a bit more challenging. The more sophisticated the method of communication, the harder it seems to render it secure.

Encrypting email is fairly easy. Many have done it before you and how-to guides are readily available. Using end-to-end encrypted chat is a matter of choosing the right software. Real end-to-end encryption means messages are encrypted with a secret key held only by the two parties, rather than being transmitted in plain text where the service relaying them can read them. All you need to do is find a trustworthy app that both parties can use. The same is true for video conferencing software, though it may be harder to find familiar names that also offer end-to-end encryption.

Your location can be given away in more ways than you may realize. It is not only a matter of turning off location access completely. Your local time, IP address, and the list of Wi-Fi networks you have used can also give someone at least a crude idea of where you are or have been.

When it comes to keeping your location a secret, also remember to delete the navigation history of your car, browser, or any other device used to find a physical address. Also make sure that a rental “connected vehicle” has been reset, so the previous user can’t keep track of you on their phone.

For photographers, it’s also relevant to delete metadata: it doesn’t just include technical and descriptive data, but can also contain the GPS location where the photo was taken.
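As an added example (not code from the original post), the following Python script shows how that leak can be checked for and removed: it walks a JPEG’s marker segments, reads the GPS IFD out of the Exif APP1 block, decodes the coordinates, and then strips the Exif and XMP segments while leaving the image data untouched. The sample JPEG it builds is a constructed fixture, not a real photo.

```python
"""Check a JPEG for GPS coordinates in its Exif metadata, and strip that metadata."""
import struct

APP1, SOS = 0xE1, 0xDA
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"     # XMP packets can carry location too
GPS_IFD_POINTER = 0x8825                              # IFD0 tag pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004   # GPS IFD tags

def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before the image data (SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, offset, fmt):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at offset."""
    (n,) = struct.unpack(fmt + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries

def _dms_to_degrees(tiff, raw, count, fmt):
    """Decode a degrees/minutes/seconds RATIONAL triple (stored at an offset) to decimal degrees."""
    (off,) = struct.unpack(fmt + "I", raw)
    vals = []
    for i in range(count):
        num, den = struct.unpack(fmt + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    d, m, s = (vals + [0.0, 0.0, 0.0])[:3]
    return d + m / 60 + s / 3600

def extract_gps(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS Exif tags, else None."""
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        fmt = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order
        (ifd0_off,) = struct.unpack(fmt + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, fmt)
        if GPS_IFD_POINTER not in ifd0:
            continue
        (gps_off,) = struct.unpack(fmt + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_off, fmt)
        if LAT not in gps or LON not in gps:
            continue
        lat = _dms_to_degrees(tiff, gps[LAT][2], gps[LAT][1], fmt)
        lon = _dms_to_degrees(tiff, gps[LON][2], gps[LON][1], fmt)
        if gps.get(LAT_REF, (0, 0, b"N"))[2][:1] == b"S":   # short ASCII values sit inline
            lat = -lat
        if gps.get(LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None

def strip_metadata(data):
    """Return a copy of the JPEG with Exif and XMP APP1 segments removed; pixels untouched."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if not (marker == APP1 and payload.startswith((EXIF_HEADER, XMP_HEADER))):
            out += data[start:end]
        pos = end
    out += data[pos:]   # SOS, entropy-coded image data and EOI are copied as-is
    return bytes(out)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a minimal JPEG whose Exif block holds only a GPS IFD (not a real photo)."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value
    # Layout (offsets from TIFF header): IFD0 at 8, GPS IFD at 26, lat rationals at 80, lon at 104
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack("<I", 26)) + b"\0" * 4
    gps = (struct.pack("<H", 4)
           + entry(LAT_REF, 2, 2, lat_ref + b"\0" * 3)
           + entry(LAT, 5, 3, struct.pack("<I", 80))
           + entry(LON_REF, 2, 2, lon_ref + b"\0" * 3)
           + entry(LON, 5, 3, struct.pack("<I", 104))
           + b"\0" * 4)
    rationals = b"".join(struct.pack("<II", n, d) for n, d in lat_dms + lon_dms)
    app1 = EXIF_HEADER + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\x12\x34\xff\xd9")     # fake SOS + scan data + EOI

if __name__ == "__main__":
    photo = build_sample_jpeg(((33, 1), (52, 1), (0, 1)), b"S",
                              ((151, 1), (12, 1), (0, 1)), b"E")
    print("GPS in original:", extract_gps(photo))                    # (-33.866667, 151.2)
    print("GPS after strip:", extract_gps(strip_metadata(photo)))    # None
```

Location can also hide in IPTC (APP13) segments and in sidecar files, which this script does not touch; check those separately before publishing.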

While browsing, it pays to use a browser that was developed with your privacy in mind, or to use a well-vetted plugin or extension that protects privacy. Add a VPN to your toolset to hide your true IP address. Bear in mind that using a VPN may itself draw attention, and not every VPN provider will treat your data with the same respect, so do some digging into their background and track record before you decide which one to use.

Recent articles have made us aware of the fact that some of our IoT devices are eavesdropping on us. So, when you are having a private conversation that needs to stay private, check your surroundings for devices that could be listening and make sure they can’t hear or relay your talk.

With all this in mind, don’t forget about basic cybersecurity hygiene and awareness. We can’t say this enough: Keep your software up-to-date, patched, and properly configured. Use an anti-malware solution and at least a basic firewall. Use two-factor authentication (2FA) where possible, and password-lock all your devices. Clear your browser cache and search history.

Another basic principle when you are a public figure and don’t want to be doxed or harassed is a strict social media regime. Consider everything you post to be public to the world, even if you have a private account, or separate your journalist account from your personal one, with zero links between the two.

Recommended reading: Cybersecurity basics

If you are not skilled in cybersecurity, do not be ashamed to ask for help setting up your defenses. And know who to contact if anything goes south, even after all your efforts. Also do not assume that your employer is on top of your secure communications: Ask about it.

Resources for journalists

This list is not exhaustive, but it gives you an idea of what’s available:

The Assistance Desk of Reporters Without Borders (RSF) provides financial and administrative assistance to professional journalists and citizen-journalists who have been the victims of reprisals because of their reporting.

To report a press freedom violation, you can contact the appropriate Committee to Protect Journalists (CPJ) regional staff. All information is confidential. Contact details per region can be found on the CPJ website.

Totem offers digital security training specifically for activists and journalists. It helps them use digital security and privacy tools and tactics more effectively in their work.

Citizen Lab’s Security Planner aims to improve your online safety with advice from experts. All you need to do is answer a few questions and get personalized online safety recommendations.

The post Cybersecurity for journalists: How to defeat threat actors and defend freedom of the press appeared first on Malwarebytes Labs.

SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath

Cyberattacks, many have noted, are the fastest growing economic crime not only in the United States, but also around the world. This upward trend has been observed since 2014, according to PricewaterhouseCoopers (PwC), and isn’t likely to slow down anytime soon.

Cyberattacks—much like the advancement of technology, the interweaving of digital lives among familiars and strangers via social networks, and the broadening adoption of the Internet—are here to stay.

As much as the Internet has changed individual lives on the planet—for better or for worse—it’s changed the way people do business even more. The current reality is that a business is not much of a business if it’s not online. Even local small businesses, such as restaurants, home renovation companies, or dance studios, require some kind of Internet presence to flourish.

However, stepping into the online realm as a business is, in itself, a double-edged sword. While the visibility the Internet affords entrepreneurs almost guarantees growth, on the flip side, organizations also put themselves at risk of Internet-borne threats. Online retailers may run afoul of web skimming tactics. Online publishers and bloggers using content management systems can be hacked, or their advertisements poisoned via malvertising. Even simply opening emails can put an enterprise at risk.

Organizations of all sizes must understand that in today’s world, cyberattacks are an inevitability.

Unfortunately, a majority of small- to medium-sized businesses (SMBs) are unprepared for any form of digital assault, much less aware of its inevitability. In the end, some affected organizations emerge from an attack with such excessive losses that they are put out of business—permanently.

So exactly how unprepared are SMBs for an eventual cyberattack? To help paint a picture of their current cybersecurity posture, we gathered a few noteworthy statistics. Suffice to say, they aren’t good.

Cybersecurity posture of SMBs

We took a look at several factors impacting SMB cybersecurity, from rate of incidents and staff shortages to costs shouldered after an attack. Here’s how they pan out:

Cyber incidents

Non-enterprise businesses reported more cyber incidents in 2019 compared to the previous year, according to the Hiscox Cyber Readiness Report.

  • For small businesses reporting one or more cyber incidents, the proportion has increased from 33 percent of respondents to 47 percent.
  • For medium-sized businesses, the increase is even greater, moving from 36 percent in 2018 to 63 percent in 2019.
  • Verizon’s 2019 Data Breach Investigations Report found that 43 percent of all breach victims were small businesses.

Lack of resources

SMBs typically have fewer resources for cybersecurity protection, whether that’s a smaller budget for software solutions or overtaxed or undertrained IT staff. This can result in negligence that ultimately leads to breach.

  • On average, an SMB can face up to 5,000 security alerts per day, yet only 55.6 percent of them investigate these alerts, according to Cisco.
  • According to the Keeper Security-Ponemon Institute report, 6 out of 10 SMBs report that attacks against them are more targeted, sophisticated, and damaging; yet 47 percent of them have no idea how to protect their companies from cyberattack.
  • 52 percent of SMBs claim they don’t have an in-house IT professional on staff, according to Untangle’s 2019 SMB IT Security Report.
  • Untangle also found that 48 percent of organizations claim that limited budget is one of a handful of barriers they face when it comes to IT security.

Cost of an attack

  • SMBs shoulder a heftier cost relative to their size compared to larger organizations, per IBM’s Cost of a Data Breach Report.
  • Organizations with a headcount between 500 and 1,000 shelled out an average of US$2.65 million in total data breach costs.
  • The total cost for organizations with more than 25,000 employees averaged $204 per employee, whereas organizations with between 500 and 1,000 employees had an average cost of $3,533 per employee.

Interestingly, two independently published reports, namely Cisco’s Small and Mighty special report [PDF] on small and mid-market businesses and Keeper Security and the Ponemon Institute’s State of Cybersecurity in Small & Medium Size Businesses reflected a similar range of costs.

In the same Small and Mighty report, Cisco also reveals that SMBs are more likely to give in to paying threat actors their ransom demands as they cannot operate without access to critical data and cannot afford the usual 8+ hours of downtime.

Top SMB threats and ways to fight them

Does this mean SMBs should stay away from the Internet? Clearly, that’s not the answer. However, if organizations large and small don’t take steps to secure their businesses against cyberattacks, they’re not only putting themselves at risk for profit loss, but may be stunting global economic growth. According to Accenture, a trusted digital economy could stimulate an additional 2.8 percent growth in organizations over the next five years, translating into $5.2 trillion in value creation opportunities for society as a whole.

Yet SMBs face sophisticated cyberattack methods with far fewer resources than large enterprise organizations to fight them. We list a few of the top SMB threats below, as well as our recommendations for the best ways to combat them—keeping in mind budget and staff constraints.

Malware

When it comes to online threats, malicious attacks by cybercriminals via malware still rank as the top challenge for SMBs in several reports. In most cases, not only is malware difficult to detect, but it’s also costly to remediate and mitigate. Whatever the threat, let’s not forget that threat actors are motivated by financial gain via extortion, coercion, fraud, or stealing sensitive and classified information that can be sold to the highest bidder.

In 2019, SMBs have been especially impacted by ransomware and Trojans, such as Emotet and TrickBot, according to our product telemetry.

Recommendations: To address the challenge of sophisticated malware attacks, SMBs should first and foremost create a backup plan so that they won’t lose critical data in the event of a ransomware attack. Data can be safely stored to the cloud and accessed anywhere, should machines be frozen out in an attack. In addition, purchasing a budget-friendly endpoint protection solution that blocks sophisticated attacks can help carry some of the load in place of a highly-trained IT staff.

Web-based attacks

Based on Accenture’s The Cost of Cybercrime report, web-based attacks are among the top reasons why businesses lose revenue. Such attacks normally make use of an Internet browser and an SMB’s official website as the attack launchpad to perform criminal acts, such as accessing and stealing confidential client information or compromising the site to make it infect visitors. Examples of web-based attacks are cross-site scripting (XSS), drive-by downloads, and SQL injection (SQLi).

Recommendations: The majority of web-based attacks start off when threat actors attempt to manipulate or tamper with a website’s functionality by submitting code as input to entry fields. Preventing such code from being rendered or executed, by validating input and treating it as data rather than markup or queries, is a general security measure that SMBs could begin adopting. This way, businesses have better control over the types of user input their websites accept and render when someone interacts with them.

For SMBs, mitigating web-based attacks and threats may involve inviting a security professional to audit their website’s code for potential gaps that miscreants can exploit, and advising on how best to address them. While we’re on the subject of coding, SMBs such as app developers or others with programming staff will want to make it a priority to train on how to code with security in mind.

Distributed denial of service (DDoS) attacks

DDoS attacks often result in extended downtime for business websites, and that’s never good for the targeted organization. This means clients are denied access to the site, which stops them from transacting with the business, and the business loses precious opportunity, money, and productivity.

Recommendations: Perhaps the easiest way a business can fend off DDoS attacks is to use the services of a good content delivery network (CDN). However, prevention can also be done in-house without breaking the bank. Expect a DDoS to happen in the future and plan ahead for it. Establish workplace protocols on what to do in the event of a DDoS attack on your company’s website. If you can, include in the planning phase what, how, and when you would communicate with your clients about a website outage caused by such an attack.

Phishing and social engineering attacks

A whopping 85 percent of organizations experience this type of attack, especially now that the top threats to businesses, Emotet, TrickBot, and various ransomware families, are often delivered via phishing email. With fraudsters and social engineers getting wilier, their tactics are getting more sophisticated and polished. And we can expect this to increase unless businesses start taking these threats seriously.

Recommendations: Train all members of staff. There are some simple methods you can use to help employees identify phishing emails vs. legitimate ones. Many examples of phishing emails and current scams exist online. Make cybersecurity awareness a top priority. Step it up by creating an intentional culture of security within the company.

Insider threats

Dangers posed by current and former employees with malicious intent will always loom over SMB executives. However, insider threats are not limited to the obvious. Often, it’s staff who are negligent, inattentive, or abuse their privileges who become accidental insiders and trigger a data breach.

Recommendations: The topic of insider threats must be included in every cybersecurity training staff undergoes. Doing so likely decreases the likelihood of accidental insiders, but it does not address deliberately lax or professional insiders. For those, implementing technical controls can further minimize insider threat incidents.

Remote workers

Whether remote workers like it or not, they are a risk to their organizations. Sadly, many organizations are unaware of this, and they do not realize the magnitude of the risk remote workers pose to company assets, including intellectual property, as well as customer, staff, and vendor information. As such, they fail to conform to best practices set by the US Small Business Administration, and they fail to implement the most basic of cybersecurity measures.

Recommendations: Education and policies, once again, play a role in securing an SMB’s remote workers.

Long term effects of cyberattacks

Many from the outside looking in may assume that once organizations are back up and running after a data breach, apart from a few hiccups, business will continue as normal. Nothing could be further from the truth.

Depending on how much damage a data breach has caused a business in total, it may take a while for them to regain what they lost and become profitable again. Sometimes, SMBs feel the consequences of a breach for years. This includes damage to the business’s reputation and loss of trust from current and potential clients.

The best course of action SMBs can take after a cyberattack is to learn from their experience by improving their overall cybersecurity posture and state of cyber readiness going forward. Make cybersecurity and privacy a priority. Create multiple backups of your most sensitive data. Regularly monitor and conduct risk assessments. Educate workers. Lastly, make sure that all devices connecting to your network are properly configured and protected with anti-malware software and strong encryption protocols.

Stay safe!

The post SMBs lack resources to defend against cyberattacks, plus pay more in the aftermath appeared first on Malwarebytes Labs.

Help prevent disaster donation scams from causing more misery

It’s a sad day when we have to warn people about medical charity scams, or tax fakeouts, or even have a week dedicated to foiling charity fraud—but here we are. With so many natural disasters occurring, from wildfires in California to tornadoes in Dallas, disaster donation scams remain a top resource for scammers looking for free cash.

Unfortunately, disaster donation scams are nothing new. Back in 2013, I spent many hours tracking and shutting down fake charity scams focused on Typhoon Haiyan and many more. Some of those tricks from way back when are still in use, and we need to do what we can to inform and ward off potential attacks.

Avoiding fake disaster donation scams: part 1

A handy list of tips has been posted to KQED, detailing all the ways you can steer clear of these scams. While many of them may seem obvious to regular readers of this blog, there are always folks out there who haven’t heard of these, much less realize that people are actively trying to rip them off through charitable causes.

If you have relatives who donate after a disaster (or just donate generally), feel free to send this post their way. To summarize the tips quickly, and of particular note:

  • Keep track of payments to charitable organizations
  • Watch your payment method: don’t make donations via cash, gift card, or by wiring money
  • Steer clear of pressure—especially in relation to paying “as soon as possible”

Avoiding fake disaster donation scams: part 2

I’d also like to add some of my own suggestions, based on things I’ve experienced while tackling these scams and talking about them at events through the years.

  1. Door-to-door visits should always be treated with caution. At the bare minimum, they should have a recognisable badge, and a way to verify they are who they say they are. I don’t think I’ve ever run into a house call where you couldn’t take a leaflet or web address and go make the donation in your own time. If they really, desperately need the money now? Ask yourself why and then do some digging once they’ve gone. If you think it’s all a bit suspicious after that, report it to the most appropriate contact point.
  2. Cold calling is a popular pastime of donation scammers. It’s easier than ever to spoof caller ID, so simply matching numbers to legitimate sources on official websites is not 100 percent foolproof. I’ve mentioned the infamous FEMA cleanup crews in the past, and they’re often one of the first scams to hit the ground running. Be on the lookout for similar fakeouts involving Red Cross, United Nations, UNICEF, and more. If it’s a big name, it’s a potential target. Again: don’t be pressured into handing over payment details to cold callers. It’s worth noting that fake websites abound, both on free and paid hosting.
  3. Scammers will often pretend to be a charity organisation, sending missives claiming to be Red Cross or Salvation Army, or pretty much anyone else they think may be relevant to a disaster. Nothing odd there. However, what they will do is frequently include a real email address in their request for money. Why? To keep things looking as real as possible. The sting in the tail is where they also insist you CC an email address belonging to the scammer when you send bank details, because “high server load” may mean the real address never gets the reply. They’ll also request you give them a week or two to reply as they’re experiencing a high volume of mail. This is also just a way to get you to leave them alone for a week as they happily plunder your bank account without question.
  4. Scammers will exploit the fear of lost/missing relatives to make more money. They’ll post up pictures of missing people culled from news services and ask for money to “help find them.” They’ll make use of those fun automatic newspaper headline generators to present you with fake headlines about rewards if only you send X amount of cash to Y (also a tactic used by 419 scammers). Relatives will naturally post lots of personal information to social media, and scammers will happily use that, too, in their social engineering exploits. I saw this a lot during Typhoon Haiyan, a problem exacerbated by people not really being familiar with genuine ways to locate missing people. Myself and others made extensive use of Google’s crisis map and their person finder to help steer people away from fakes. Note that these services are still operational whenever they may be needed, and there are many other ways to attempt reunification without being ripped off.
  5. Finally, never underestimate how weird the scams may be in their attempt to pull the rug from under you. “Whale crashes into building” was a popular social media scam back in 2011, because the more sensational-sounding a viral video is, the better. “Earthquake relief” via the promise of a few clicks went a long way to making someone money and not much else. There are “miracle escapes” which often aren’t, rogue installs, and even Twitter spambots firing out links to expensive “radiation health” ebooks. They’ll do whatever it takes.

Report scammers

I’ll leave you with a few more links, so you can report anything suspicious that comes your way, or at least use the below as a way to get your information where it needs to be:

Scammers hope a combination of tragedy and your sympathy will provide them with the keys to your bank account. Any and all donations given to criminals are potentially causing misery and loss of life where the money is actually needed, so it’s down to all of us to step up and tackle this scourge head on.

The post Help prevent disaster donation scams from causing more misery appeared first on Malwarebytes Labs.

Stalkerware developer dealt new blow by FTC

Last week, the US Federal Trade Commission (FTC) interpreted its broad consumer protection mandate to file a first-of-its-kind enforcement action against the developer of three mobile stalkerware applications. The developer was banned from further selling the apps unless significant changes were made in design and functionality.

The FTC’s required changes address notification procedures and language, built-in mobile device security, written consent, and proper cybersecurity documentation and policies.

Together, the requirements potentially create the first set of “standards” for what an app must include if it has features that can monitor another user’s device. However, the potential impact of those requirements—which do not apply to any other current stalkerware developers—remains in question.

Two anti-stalker advocates—Erica Olsen, who leads the National Network to End Domestic Violence’s Safety Net program, and Eva Galperin, cybersecurity director at Electronic Frontier Foundation—welcomed news of the FTC case, though to varying degrees.

“I absolutely think this is exciting, and it’s needed, and it’s an important precedent to set,” Olsen said, adding that the FTC’s case is just a first step, and that extra work is needed to hold stalkerware makers and abusers fully accountable.

In speaking with Business Insider, Galperin worried about what the FTC actually targeted.

“I’ll take what I can get,” Galperin said. “The basis of the [FTC’s] action is not that [the stalkerware developer] is making stalkerware, it’s that they’re not making secure stalkerware.”

The FTC investigation

On October 22, the FTC announced that an investigation into the Florida-based company Retina-X Studios LLC and its owner, James N. Johns Jr., produced several alleged violations of both the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act (FTCA), which prohibits companies from deceiving their customers.

In comments at a media briefing the same day, FTC Bureau of Consumer Protection Director Andrew Smith said that Retina-X’s three apps—MobileSpy, Phone Sheriff, and TeenSafe—“allowed purchasers to surreptitiously monitor almost everything on the mobile devices on which they were installed, all without the knowledge or permission of the mobile device’s user.”

The three apps, which have been featured in Motherboard’s series “When Spies Come Home” and in Malwarebytes Labs’ own reporting, allowed users to spy on another user’s device, granting them access to text messages, emails, phone calls and logs, GPS location data, and web browser activity. These apps, and others with similar features, have become a prominent hallmark in domestic abuse relationships. They are a serious threat to users everywhere.

According to an FTC spokesperson, the Commission recognized this threat.

“The FTC is always looking to protect consumers, and most especially vulnerable populations,” the spokesperson said. “We understand that consumers have a growing reliance on technology, and its misuse can cause new forms of abuse and be used as a tool to amplify harms, including in domestic violence situations.”

The FTC alleged that Retina-X and Johns Jr. failed users in several ways.

Retina-X allegedly failed to protect the data it was collecting, which included “GPS locations, text messages and other personal information from children.” Retina-X also allegedly allowed app purchasers to “access sensitive information about device users, including the user’s physical movements and online activities.”

The FTC also criticized Retina-X because, for its apps to be installed on a device, that device first had to be jailbroken or rooted, a process which the FTC said “exposed the devices to security vulnerabilities and likely invalidated manufacturer warranties.”

Further, the FTC called out Retina-X for its supposed privacy promise to users. Though the company told app purchasers that their “private information is safe with us,” Retina-X actually suffered two data breaches. Worse, the FTC said that Retina-X did not learn about the 2017 breach until a journalist with Vice contacted the company, having received a tip from the hacker themselves.

In 2018, nearly the exact same scenario happened again. Following the second breach, Retina-X shut down its apps “indefinitely.”

According to the FTC and Vice, the hacker accessed login names, encrypted login passwords, text messages, GPS locations, contacts, and photos.

In recent years, the FTC has shown large interest in trying to protect consumers harmed by company data breaches.

In 2017, the FTC reached a settlement with Uber, after an investigation found that the ride-hailing company failed to prevent unauthorized access to a cloud server storing sensitive consumer data. This year, the Commission reached a settlement with Equifax over the credit reporting agency’s 2017 data breach that affected 147 million Americans.

Along the way, the FTC has also provided guidance to consumers affected by the Marriott data breach and the more recent Capital One data breach.

An FTC spokesperson declined to comment on the origins of the investigation.

“FTC investigations are nonpublic so we don’t discuss why we started a particular investigation,” the spokesperson said.

The Retina-X consent order

Though the FTC cannot issue monetary fees for first-time offenders of the Federal Trade Commission Act, it can try to curb deceptive and dangerous behavior by getting companies and individuals to sign “consent orders.” If any party that has signed a consent order then violates that order in the future, the FTC can then issue monetary penalties.

The consent order presented to Retina-X and Johns Jr. has already been signed. It includes permanent rules that Retina-X and Johns Jr. must comply with should they ever try to engage in “promoting, selling, or distributing” any software application, program, or code that can be installed by one user onto another user’s device to track their activity.

To start, Retina-X and Johns Jr. cannot work on any monitoring app that would require a user to jailbreak or root or otherwise circumvent the built-in security of an end-user’s device. Retina-X and Johns Jr. also must ensure that any monitoring app they work on requires “written attestation” from its users that they will use the app for “legitimate and lawful” purposes.

According to the FTC, “legitimate and lawful” purposes for a monitoring app include only the following:

  • Parent monitoring a minor child
  • Employer monitoring an employee who has provided express written consent to being monitored
  • Adult monitoring another adult who has provided express written consent to being monitored

Further, any app that Retina-X and Johns Jr. work on cannot give users the option to hide the app’s icon from an end-user’s device screen.

The FTC further stated that end-users should be able to “click” an app icon to reach a page that clearly and conspicuously tells the user the name of the app, its functions, that it is present and running on the end-user’s device, and information on how to contact the app’s representatives in case of wrongful installation.

NNEDV’s Olsen spoke positively about the new notification requirements.

“We’re big on notifications,” Olsen said. “It’s not that there’s not a time and a place and use for certain types of monitoring apps, but the way these (MobileSpy, Phone Sheriff, TeenSafe) were obviously developed were clearly for a misuse, so, I think this is a great precedent.”

Olsen said that the FTC contacted NNEDV weeks before its public announcement, and that the commission and the organization worked together to develop shared images and language.

Olsen also said that, following communication with the FTC, NNEDV updated its own pages on stalkerware and spyware, including one resource on “Phone Surveillance & Safety for Survivors,” and another on “Computer Surveillance & Safety for Survivors.”

“This space is always changing a bit,” Olsen said, “so we tried to make sure that, when we’re connecting with people, we’re verifying and understanding the tech as much as possible.”

Data destruction and reporting requirements

The majority of the FTC’s remaining rules in its consent order focus on data collection, cybersecurity, and reporting protocols.

Should any monitoring app that Retina-X and Johns Jr. work on have an associated website, that website must have a home page that clearly states that the app can only be used for “legitimate and lawful” purposes. An additional, similar notice must be provided on any “purchase page” for users who buy any such monitoring app, otherwise the purchase cannot be allowed.

Further, Retina-X and Johns Jr. must, within 120 days, “destroy all Personal Information collected from a Monitoring Product or Service prior to entry” of the consent order.

Retina-X and Johns Jr. must also implement an information security program and obtain third-party assessments of that information security program every two years. Retina-X and Johns Jr. must also provide annual certifications to the FTC showing that whatever monitoring product they work on is in compliance with the consent order. Also, the two must report “covered incidents” to the FTC, such as data breaches that already carry notification requirements in every state, within 10 days of discovery.

Finally, if Retina-X and Johns Jr. decide to continue their business, or start a new one, a “compliance report” must be submitted to the FTC in one year detailing the primary physical, postal, and email addresses, and telephone numbers, of any business operations. For the next 10 years, Retina-X and Johns Jr. must report to the FTC, within 14 days, any changes to business names and residence address, any creation, merger, or sale of the business or its subsidiaries, and, for Johns Jr. specifically, any changes to his title or role.

A new front against stalkerware?

Not since 2014 has a stalkerware developer faced federal enforcement against their actions. That year, the FBI indicted a man for allegedly conspiring to sell and advertise the stalkerware app “Stealth Genie.” Months later, a US District judge ordered a permanent stop to the advertising, marketing, or sale of the app.

At last week’s media briefing, FTC Bureau of Consumer Protection Director Smith said that, though the Commission’s actions against Retina-X were the first against a stalking app developer, they may not be the last.

“Although there may be legitimate reasons to track a phone, [Retina-X’s] apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,” Smith said. “Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”

Olsen said that the FTC’s work in this area is just one piece of a much larger puzzle.

“What needs to happen is, there needs to be continued conversation on whether there are gaps in federal law and state law that would prevent these apps from being developed in the first place, or to hold people accountable after,” Olsen said. “There is still a lack of civil remedies for people to go after companies on these things.”

Moreover, Olsen explained that a multi-pronged approach is required to better stop stalkerware. That includes better educating and equipping local law enforcement to find and detect stalkerware on mobile devices, she said.

Overall, the FTC’s new front appears to be a welcome one. However, the effort against stalkerware continues.

“It’s three apps, and there are hundreds more,” Olsen said. “There’s still a lot of work that needs to be done.”

If you or a loved one are the victim of domestic abuse, remember that you can call the National Domestic Violence Hotline at 1-800-799-7233, or visit their website from a safe device at

The post Stalkerware developer dealt new blow by FTC appeared first on Malwarebytes Labs.

As Internet turns 50, more risks and possibilities emerge

This op-ed originally appeared in the San Francisco Chronicle on October 28, 2019.

We occupy a richly connected world. On the Internet, we collapse distance and shift time. But this Internet that delivers mail, connects us with friends, lets us work anywhere, and shop from the palm of the hand, is a mere 50 years old, slightly younger than Jennifer Aniston and Matt Perry.

On October 29, 1969, UCLA computer science professor Leonard Kleinrock was supervising programming student Charley Kline, who sent a message from his school’s computer to a computer in Douglas Engelbart’s laboratory at Stanford Research Institute in Menlo Park, CA.

Attempting to log onto the SRI computer, Kleinrock was able to transmit just two characters—LO—before the connection failed. Thus, the first transmission had a security problem: lack of availability.

From this inauspicious beginning, the Internet was born because this was the first connection on a wide area network using a new technology called packet switching.

In the 1960s, computers were common in universities, big businesses, and government research operations, but every computer was a closed system.

Imagine integrating them into a network of networks, enabling collaboration among researchers worldwide. That was the vision behind the Arpanet, the system Kleinrock developed. Though its demonstration ran afoul of connectivity issues, it was designed to be resilient to the unreliability of network connections.

During the 1950s Cold War, the Air Force wanted to harden its radar system to survive a nuclear attack and respond, making a crippling first strike by an enemy less appealing. The solution, developed by Paul Baran and Donald Davies, encompassed a decentralized network, packaging data into small chunks. This packet-switching technology was at the Arpanet’s core.

The Arpanet was designed for resilience but not security. That became a problem. With hundreds of hosts, each with their own ideas about networking, managing communication was challenging.

In 1973, Robert Kahn and Vinton Cerf developed a new approach. The differences among local network protocols would be masked by a common internetwork protocol, relegating details to the host networks.

It took a decade to re-engineer this core technology of the network of networks. Kahn and Cerf’s TCP/IP protocols were implemented on January 1, 1983. The next year, the number of nodes surpassed 1,000, and it was soon renamed the Internet.

Other developments in the 1980s began to transform the Internet into a place for the general public, including the introduction of Domain Name Servers turning cryptic numerical Internet addresses into readable names like and In 1989 at CERN, Tim Berners-Lee created the World Wide Web and the first web browser, transforming the Internet into a virtual world. The dedicated public information services turned into websites, as did libraries and stores, and seemingly everything.

But this public use made the Internet attractive to bad actors. A year before the web, the world got a wake-up call when the Morris worm largely brought down the Internet. The malicious software infected an estimated 10 percent of servers on the net and it took days to remove the worm. Robert Morris, its creator, was convicted under the Computer Fraud and Abuse Act and was sentenced to probation, community service, and a fine.

The Internet’s carefree days were over. New attacks occurred, each one generating a news story. But before long, there were too many to count.

The Internet has become, in the words of Kleinrock, who sent that first message with his student, “a pervasive global nervous system.” But at the core it is still the same Arpanet created 50 years ago, and this is a mixed blessing. The Internet is rugged, but motivated actors can cause trouble, and risks are outpacing advances.

Online banking and shopping are convenient, until someone steals your password or identity. You enjoy the benefits of the richly connected life, so long as you are vigilant about spam, adware, Trojans, viruses, worms, phishing, spyware, and keyloggers. System admins fight attacks, but a lot of it comes down to you, the user.

After 50 years, we are still in the early days of this transformation in our society. But we can see the future in tech labs and startups today.

As we move into virtual worlds, the Internet is also going to be moving into us. Going to the doctor will be less necessary as implanted sensors feed and read from cloud-based medical diagnostic software. Your emotional reaction to a commercial is of value: Advertisers will be willing to pay to understand those reactions in real time.

Add your own scenarios. The richly connected future is bright and strange. The Arpanet’s prescient foundation will enable unimagined uses beyond the present-day Internet. But the urgency of protecting the Internet from bad actors is also increasing, and the stakes will get higher.

The security of the Internet could be the determining factor of it reaching the next phase of its potential.

The post As Internet turns 50, more risks and possibilities emerge appeared first on Malwarebytes Labs.

A week in security (October 21 – 27)

Last week on Malwarebytes Labs, we explored a link between Magecart Group 5 and the Carbanak APT, we discussed the growing rate of robocalls threatening user privacy, and we tipped you off on how to protect yourself from doxing.

We were glad to see the BBC raise awareness about stalkerware, much like we did a few weeks ago.

Other cybersecurity news

  • NordVPN, a popular virtual private network, confirmed it was the victim of a data center breach in 2018 with reportedly only a minor impact. (Source: CNet)
  • The European Data Protection Supervisor says it has “serious concerns” over Microsoft‘s contracts with European Union institutions. (Source: ZDNet)
  • Avast has become the victim of a cyberespionage campaign that saw hackers gain deep access to its network. (Source: Forbes)
  • A new ransomware has been discovered called FuxSocy that borrows much of its behavior from the notorious and now-defunct Cerber Ransomware. (Source: BleepingComputer)
  • Researchers have uncovered malware in 17 iOS apps that were removed from Apple’s official App Store. (Source: ThreatPost)
  • The latest Firefox brings privacy protections front and center, letting you track the trackers. (Source: The Mozilla blog)
  • A stealthy Microsoft SQL server backdoor malware was spotted in the wild that could allow a remote attacker to control an already compromised system stealthily. (Source: The Hacker News)
  • Performing searches on some celebrities comes with a higher risk of being hacked. (Source: TechSpot)
  • Research linked ransomware and data breaches to an uptick in fatal heart attacks. (Source: PBS)
  • Cybercrime reports filed by UK citizens have sat inside a police database without being investigated after being placed in quarantine by security software. (Source: ZDNet)

Stay safe, everyone!

The post A week in security (October 21 – 27) appeared first on Malwarebytes Labs.

How to protect yourself from doxing

“Abandon hope all ye who enter.”

This ominous inscription, affixed atop the gates of Hell in Dante’s Divine Comedy, describes the state of the Internet today peculiarly well.

It’s hard to draw a parallel to the utility that the Internet has offered to modern civilization—perhaps no other technological innovation has brought about greater change. Yet, one of its many consequences is the steady erosion of individual privacy, as cybercriminals (and even regular users) become more creative with malicious activities perpetrated against others online.

Among the many harmful techniques that threaten a user’s online privacy is doxing. Doxing refers to collecting a user’s private information, which is inevitably scattered across multiple platforms (including social media), and publishing it publicly. Doxing may be conducted by researching public databases, hacking, or through social engineering. While there are some legitimate reasons for doxing, such as risk analysis or to aid in law enforcement investigations, it’s mostly used to shame, extort, or enact vigilante justice.

The act of doxing poses serious dangers not only to the privacy of an Internet user, but also to their physical safety. It’s not uncommon for a doxing victim to be harassed in person or be targeted for swatting spoofs. Nonetheless, you can take some effective measures to prevent becoming a potential victim of a doxing attempt.

1. Make all social media handles/usernames private

It is a fairly simple matter for anyone stalking you online to cross-reference your multiple online personalities (read usernames/handles) from different social media platforms. If all your profiles are visible at a single click to any random Tom, Dick, or Harry with a working Internet connection, you may be leaving yourself open to doxing.

The good news is that most popular social media platforms have considerably improved their privacy controls. It is advisable to explore privacy settings for all your profiles, and keep personally identifiable information, such as your phone number, addresses, and other sensitive data invisible to anyone you don’t know.

2. Use unique usernames for each platform

The easiest way to make yourself target practice for someone learning the art of doxing is to use the same username for every online message board, social media, and service you are using. Avoid this at all costs—unless you are developing an online persona or influencer program. If so, hiding personal details associated with those profiles becomes even more imperative.

For the rest of us, it’s wise to have a unique username for different situations and compartmentalize usernames on the basis of purpose. For instance, if you use Instagram, comment on an online gaming forum, and participate in a community for political discussions, use a different username for each of these purposes, with no obvious connection between them. For this reason, we don’t recommend using social media profiles to sign in to other services (e.g., signing in with Facebook or Twitter).

Separating online account identities makes it quite difficult for anyone who might take an interest in launching a doxing attack against you to collect all the necessary pieces to form a true identity. And while it can be frustrating to manage so many different usernames and passwords, software such as password managers can assist in the juggling act.

3. Be wary of online quizzes and app permissions

The philosophy of maintaining online privacy is simple: limit sharing of personal information online unless absolutely necessary. Online quizzes and needless mobile app permissions are the antithesis of this philosophy.

Online quizzes seem completely innocent, but they are often goldmines of personal information that you happily provide without thinking twice. For example, some parts of a quiz may even serve as security questions to your passwords. Since many quizzes ask for permission to see your social media information or your email address before showing who your spirit animal is, they can easily associate this information with your real identity.

As we saw with Facebook’s Cambridge Analytica fiasco, those online quizzes aren’t always as innocent as they seem. Without much context on who is launching the quiz and why, it’s best to avoid taking them altogether.

Mobile apps are also rich sources of personal data. Many apps ask for access permissions to your data or device that shouldn’t concern the app software at all. For instance, an image editing app has no logical use for your contacts. If it’s asking to access your camera or photos, that makes sense. But if it also wants to look at your contacts, GPS location, and social media profiles, there’s definitely something fishy going on.

So while we can’t say “avoid downloading apps that request permissions” altogether, we do recommend you take a good look at which permissions are being requested and consider whether they’re necessary for the app to function.

4. Use VPNs

VPNs (virtual private networks) hide your IP address from third parties on the web. Normally, every website that you access can see your IP, which can reveal a lot about you, such as the city you are located in and even your real identity. VPNs boost your online privacy by presenting a substitute IP address associated with a different location, which can easily throw off a doxer trying to track your trail.

The only problem is that there are a lot of VPNs out there, and not all of them are secure. The task of choosing one that suits your needs can be made easier with VPN comparison resources such as this, as well as our article on mobile VPNs.

Learn how to configure your VPN to support all devices in your home network. Read more: One VPN to rule them all

5. Hide domain registration information from WHOIS

WHOIS is a database of all registered domain names on the web. This public register can be used to find out details about the person/organization that owns a given domain, their physical address, and other contact information—all the stuff doxers would love to get their hands on.

If you are planning to run a website (domain) anonymously without giving your real identity away, don’t forget to make your personal information private and hidden from the WHOIS database. Domain registrars have controls over these privacy settings, so you’ll have to ask your domain registration company about how to do so.

Final thoughts

Online privacy is becoming harder and harder to preserve as our connectedness expands, courtesy of the Internet. Organizations look for personal details of their customers for more successful, targeted marketing opportunities. Applications request private information to support functionality—and sometimes ask for too much. Social media networks and search engines mine personal data for advertising profits. At this point, simply having an online presence is enough to put your privacy at risk.

At the same time, remember that in the great majority of cases, taking a few extra steps to hide, scatter, or make personal information harder to access online can throw doxers off your scent and protect your privacy. This strategy is effective in turning away all but the most persistent doxers from gathering pieces of information about you and publishing it on the Internet. As an added bonus, protecting your PII from doxers also makes it more difficult for cybercriminals to scoop up your details to use in a social engineering attack.

Perhaps we needn’t abandon all hope online after all.

The post How to protect yourself from doxing appeared first on Malwarebytes Labs.

Growing rate of robocalls threatens user privacy

When a person sees a call from an unknown number and picks up to hear a recorded voice on the other end, they’ve received a robocall. Some are helpful, such as reminders of upcoming doctor’s appointments or school announcements.

However, the vast majority are from unsolicited parties trying to convince people to purchase products or services, or to disclose personal information.

Robocalls are undoubtedly annoying, especially when they disrupt meetings, meals, or quality time with loved ones. But these intrusive calls pose serious threats to data privacy, too. And they’re on the rise.

How common are robocalls in the US?

The problem of increasing numbers of robocalls in the United States is well documented. The Federal Communications Commission (FCC) receives over 200,000 complaints about robocalls each year, representing about 60 percent of its total complaint volume.

According to the YouMail Robocall Index, which measures robocalls placed and received nationwide, 43.3 billion robocalls were placed so far in 2019, with an average of 131.9 calls received per person. For comparison, YouMail’s data shows more than 48 billion robocalls for 2018—about 18 billion more than the 2017 total. If 2019 numbers hold, we’ll likely see at least 10 billion more robocalls than we did last year.

The YouMail Index also shows that each US person received an average of about 14 robocalls last month. However, the calls come much more frequently in some area codes. Households in the 404 area code of Atlanta, Georgia, and its surrounding suburbs, for example, received more than 60 calls in September 2019.

Robocalls are particularly unceasing for some high-profile people. One opinion writer for The Washington Post stated that she received more than 14 robocalls in a single day—by 10 a.m. Not surprisingly, 52 percent of people who responded to a survey carried out by B2B research firm Clutch said they received at least one robocall per day, and 40 percent got multiple calls.

Court rulings and formal complaints

Some people find their lives so disrupted by robocalls that they file formal complaints or take legal action. In 1991, the Telephone Consumer Protection Act (TCPA) was signed into law prohibiting all pre-recorded or auto-dialed calls and texts to cell phones without explicit consent. In addition, the National Do Not Call Registry (DNC) was formed, allowing users to explicitly opt out of telemarketing calls.

Since 2017, the Federal Trade Commission (FTC) has found that 66.8 percent of complaints filed to the DNC registry relate to robocalls—totaling a little more than 12 million. Of all complaints filed, the most popular call topic was about reducing debt, while “imposters” ranked second.

While the TCPA states that consumers may receive monetary payout for individual violations, including robocalls, court cases haven’t always supported this literal translation. An August 2019 ruling on Salcedo v. Hanna, a TCPA-related case, stated a single unsolicited text message was not injurious enough to proceed with a lawsuit.

Nuisance calls vs. high-risk

While users might be tempted to deduce they needn’t worry about data privacy with robocalls, a high number of imposters, fraud, scams, and spoofing activities associated with robocalls indicates otherwise.

Transaction Network Survey looked at robocalls in a 2019 report and split them into two categories: nuisance and high-risk. Nuisance calls are not considered malicious and are often based on non-compliance, while high-risk calls center on fraudulent activity, such as scams delivered to collect money or personal details.

The report concluded that nuisance calls increased by 38 percent over the last year, while high-risk calls rose by 28 percent in the same timeframe. While nuisance calls are increasing at a higher rate than high-risk calls, continuing malicious robocall activity demonstrates the need for constant user awareness, as criminals are becoming more clever with their scamming techniques.

For example, robocalls don’t just arrive as unknown numbers. One in 1,700 mobile numbers is hijacked by robocall spoofers every month, more than double last year’s rate of one in 4,000 mobile numbers. As a result, 2.5 percent of people who have had their number hijacked have disconnected their phone. In addition, spoofed numbers easily trick users into picking up the phone, believing they’ll hear a recognizable voice on the other end.

Robocalls collect PII

A startling statistic from the Clutch survey revealed 21 percent of people accidentally or intentionally gave information to a robocaller. Various factors may compel them to do so. For example, the Clutch data showed health topics were a common subject for robocalls. Similarly, most of the FTC’s DNC call complaint data related to debt relief calls.

Scammers of all types focus on urgency. They convince people that if they don’t act quickly, they’ll face dire consequences. When a victim hears about something related to their health or money, they may offer personal details without taking the time to investigate. Also, a phone call requires in-the-moment communication, and many people instinctually respond politely to avoid conflict.

The time of day robocalls happen could also make individuals more likely to disclose their data in haste. Insider scrutinized five years of FTC call data and determined that unwanted calls most likely occurred on weekdays between 10 a.m. and 11 a.m.

That’s when many people are at work, or at least trying to be productive. If they answer the phone and hear a robocall recording, they may think the quickest way to get relief from the annoyance is to give what’s requested, especially if the robocall seems legitimate.

Scammers use real data

Another threat to data privacy from robocalls is the growing trend of scammers using genuine data to make their calls seem realistic. First Orion conducted a study of scam calls—not restricted to the robocall variety—and described a tactic called enterprise spoofing.

It involves scammers using actual data—often obtained from large-scale breaches—to impersonate real businesses and convince victims to give up personal details and money. The company’s statistics showed three-quarters of people reported scam callers had accurate information about them and used those tidbits to put the squeeze on victims.

Indeed, most robocalls feature automated voices on the other end of the line, and people may never talk to humans. But, it’s not hard to imagine how scammers could create a robocall message applying to a large segment of users, then snatch up individuals fooled by the scheme in follow-up real-time conversations.

How to protect against robocalls

The robocall problem opened an opportunity in the marketplace to develop apps that could block robocalls, or at least identify them. Many security vendors, including Malwarebytes, offer programs that flag or block scam calls and filter unwanted texts. These programs work in part by blacklisting numbers of known scammers, but also by using algorithms that recognize spoofing techniques or block numbers by the sheer volume of calls they place.

However, research indicates some scam call-blocking apps send user data to third-party companies without users’ knowledge, or as specified deep within a multi-page EULA document. So we recommend users be critical about which apps they use to block unwanted calls.

Other ways to protect against robocalls include the following:

  • Add your phone number(s) to the FTC’s Do Not Call registry.
  • Manually add numbers from robocallers into your phone’s block list, located in “settings” for most devices.
  • Don’t pick up the phone if you don’t recognize the number.
  • Sign up for your carrier’s call blocking service.

Data is king

If the last year of privacy scandals and data breaches at social media giants, educational institutions, cities, and local governments hasn’t demonstrated this fact enough, the growing rate of robocalls further confirms that personal data is a valuable asset worth protecting from cybercriminals’ greedy clutches.

Besides causing immense frustration for users, robocalls threaten user privacy by exposing victims to data-stealing scams. That reality gives users yet another reason to err on the side of caution when giving out personal information, even if the source seems authentic.

The post Growing rate of robocalls threatens user privacy appeared first on Malwarebytes Labs.

The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT

This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas.

In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups.

This time, we looked at Magecart Group 5 by examining a number of domains and their ties with other malicious activity. The data predates changes to WHOIS (before GDPR took effect) and allows us to identify registrant data that is connected to Dridex phishing campaigns and the Carbanak group.

Magecart Group 5 tactics

With some exceptions, such as the Ticketmaster breach, Group 5 has a different modus operandi; it targets the supply chain used by e-commerce merchants to load various libraries, analytics, or security seals. Attacks consist of compromising a third-party supplier and affecting hundreds or even thousands of websites downstream.

In a September 2018 blog, we wrote about a trust seal that was loaded (with its malicious code) by a large number of merchants. A trust seal is essentially a confidence indicator in the shape of a badge that gives shoppers reassurance that the online store is safe and malware-free.

The skimmer script belonging to Magecart Group 5 was largely obfuscated and set to exfiltrate data, such as name, address, credit card number, expiry date, and CVV back to the criminals every time someone made a purchase on one of the compromised stores.

This kind of supply-chain attack, where thousands of stores load the altered code, has a much higher return than targeting stores individually.

Bulletproof registrar and Magecart

We spent some time digging into a number of Magecart domains registered via the well-known Chinese registrar BIZCN/CNOBIN. Similar to our research on the bulletproof host in Eastern Ukraine, we looked at how this provider was essentially a bulletproof registrar. Previous activity on BIZCN includes rogue Canadian pharmacy websites in addition to exploit kit activity tagged as the “AfraidGate.”

We narrowed down the domains to a smaller subset previously identified as used by Magecart Group 5. The threat actors registered the domain informaer under eight different top-level domains (TLDs) using privacy protection services (see IOCs for full list). However, they may have forgotten to apply the same to, which revealed the following:

Registrar URL:
Updated Date: 2017-02-27T08:35:38Z
Creation Date: 2017-02-21T12:48:51Z
Registry Expiry Date: 2018-02-21T12:48:51Z
Registrar:, Inc.
Registrant Name: Guo Tang
Registrant Organization: Xinxin Co.
Registrant Street: Dazhongsi 13
Registrant City: Beijing
Registrant State/Province: Haidian
Registrant Postal Code: 101402
Registrant Country: CN
Registrant Phone: +86.1066569215
Registrant Fax: +86.1066549216
Registrant Email:

Connection with Dridex malware and Carbanak Group

If we pivot from this email address, we can identify other domains—in particular, several that connect to Dridex phishing campaigns.

Dridex is a robust banking Trojan that has been around for many years. To this day, it continues to be distributed via malicious spam campaigns using fake invoices.

Looking closer at the email address, we can see that it was used to register domains used in the following Dridex phishing campaigns:

Carbanak is a sophisticated threat group targeting banks and using a backdoor of the same name for espionage and data exfiltration. In a 2017 blog post, the Swiss CERT posted about phishing campaigns where Dridex was used to deliver the Carbanak malware.

During our incident response in 2016, we could identify Dridex to be the initial infection vector, which had arrived in the victim’s mailbox by malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and conducting the actual fraud.

A diagram from Swiss CERT also shows how the Dridex loader does some victim triaging to either deliver Dridex proper (for consumers or low interest targets) or Carbanak for companies and high-value targets.

Another interesting data point from the registrant details is the phone number (+86.1066569215), which is mentioned by Brian Krebs in a blog post examining connections between a Russian security firm and the Carbanak group.
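The registrant pivot described above (from one unprotected record to the other domains sharing its email or phone number), as an added example that is not code from the post: it parses whois records in the "Key: Value" layout shown earlier and indexes domains by a chosen registrant field, skipping privacy-protected values so they do not produce false clusters. The records, domains and registrant values below are constructed placeholders, not the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample records in the "Key: Value" whois layout shown in the post.
# Every domain, name, email and phone here is a placeholder.
SAMPLE_WHOIS = """
Domain Name: example-one.test
Registrant Name: Placeholder Person
Registrant Email: registrant@example.test
Registrant Phone: +00.000000000

Domain Name: example-two.test
Registrant Name: Placeholder Person
Registrant Email: registrant@example.test
Registrant Phone: +00.000000000

Domain Name: example-three.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: privacy@proxy.test
Registrant Phone: +00.111111111

Domain Name: example-four.test
Registrant Name: Other Person
Registrant Email: other@example.test
Registrant Phone: +00.000000000
"""

# Substrings that mark a privacy-protection service rather than a real registrant
PRIVACY_MARKERS = ("privacy", "redacted", "proxy")


def parse_whois_records(text):
    """Split blank-line-separated whois output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "Domain Name" in rec:
            records.append(rec)
    return records


def pivot_domains(records, field):
    """Map each real (non-privacy) value of `field` to the domains sharing it."""
    index = defaultdict(set)
    for rec in records:
        value = rec.get(field, "")
        if not value or any(m in value.lower() for m in PRIVACY_MARKERS):
            continue
        index[value].add(rec["Domain Name"])
    # A value seen on a single domain is not a pivot; keep only shared ones
    return {v: sorted(d) for v, d in index.items() if len(d) > 1}
```

Running `pivot_domains(parse_whois_records(SAMPLE_WHOIS), "Registrant Phone")` on the sample shows the phone number linking three domains while the email links only two, which is why both fields are worth pivoting on.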

Looking beyond

As Magecart activity increases and new groups emerge, it can sometimes be helpful to go back in time to examine bread crumbs that may have been left behind.

Victimology also helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit.

In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground.

Indicators of Compromise

Magecart Group 5 domains


Registrant information

Domains used in Dridex phishing campaign


The post The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT appeared first on Malwarebytes Labs.

A week in security (October 14 – 20)

Last week on Malwarebytes Labs, we tried to unlock the future of the password (its vulnerabilities, current alternatives, and possible future disappearance), analyzed the lagging response by many businesses in adopting a patch for a Pulse VPN vulnerability, looked at Instagram’s bulked-up security against phishing email scams, and were reminded that ransomware remains a dominant threat facing businesses and consumers today.

We also continued our work at the intersection of National Cybersecurity Awareness Month and National Domestic Violence Month by providing guidelines on the current cyberthreats facing all organizations—particularly those that protect the data of domestic abuse survivors and their advocates.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (October 14 – 20) appeared first on Malwarebytes Labs.