Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams

WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals. Let’s assess the fraudulent campaign, and expose the fraudulent infrastructure supporting it.

read more…

ThreatVlog Episode 12: Top Cyber Threats of 2013

In the latest ThreatVlog from Webroot, threat researcher Marcus Moreno discusses the top threats that affected the vyber world in 2013. From breaches to crypto-locks, we have seen some very malicious code run around out there, but these three take the cake.

http://youtu.be/fytRST4h22M

Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)

In need of a fresh example that malicious and fraudulent adversaries continue professionalizing, and standardizing demanded cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals is offering them a manual, recommendations for open source/free software, as well as access to a private forum set up for customers only, enlightening them to everything a cybercriminals needs to know in order to stay secure and anonymous online. The standardized OPSEC offering is targeting novice cybercriminals, and also has an interesting discount based system, offering $10 discounts for every feedback from those who’ve already taken the course.

read more…

Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three

In a series of blog posts throughout 2013, we emphasized on the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal’s botnet generating platform. The proliferation of these easy to use, once only found in the arsenal of tools of the sophisticated cybercriminals, tools, is the direct result of cybercrime ecosystem leaks, cracked/pirated versions, or a community-centered approach applied by their authors, who sometimes rely on basic ‘freemium’ marketing models, namely, offering a free and paid/licensed version of their cybercrime-friendly tools.

Not surprisingly, we continue to observe the development of the niche market segment targeting novice cybercriminals, empowering them with botnet setting up services, as well as bulletproof hosting for their command and control infrastructure. In this post, I’ll discuss yet another such cybercrime ecosystem market proposition, that’s differentiating its unique value propositions (UVP) by vertically integrating — offering binding of Bitcoin miners and malware crypting services — as well as offering the option to set up a dozen of well known IRC/HTTP based botnet generating tools.

read more…

Mobile Security 2014: Predictions

MobileThreats-resized-600

The most recent and interesting threats we see are more or less “evolved” forms of previous threats, including those originating from the PC side. People have been “spoofing” parts of apps, such as code, appearance, or digital certificates, since Android malware first started appearing. The MasterKey exploit was a whole new way to modify the app without even having to spoof anything (since this was the exploit which allowed applications to be changed without invalidating the existing digital signature). It’s also very interesting to see how threats like Zitmo or RAT-type apps seem to get better and better at mirroring the PC versions of those threats.

For instance, Zitmo (Zeus in the mobile) seems to always come from the same template, afterwards customized to mimic various authentication or banking apps, similar to the PC version. In general, what are most interesting are those threats which appear to be getting better and better at these techniques considered mainstays of PC malware. We don’t expect to stop seeing these types of developments in many of the different threats seen around the Android landscape.

Our top 5 predictions:

  • More PC-side infections ported to Android, especially Ransomware
  • Increasingly-sophisticated obfuscation techniques
  • Increasingly-sophisticated packing techniques
  • Greater focus on social engineering within Android malware
  • At least one new exploit similar to the level/severity of MasterKey

Stay protected!
There are many ways to change your habits and use security software to help prevent catching a bug on your Android device. When downloading apps, know where you are getting them from. Though not foolproof, the Google Play Store is still, by far, the safest place to get apps for your Android devices.

2

Use Android security software to protect your devices, such as Webroot SecureAnywhere. There are many other apps which will provide additional help identifying various risky behaviors, settings, or software on your phone as well. Furthermore, the Android operating system gets more secure and informative every day, allowing users to better understand the permissions and risks behind their apps.

Lastly, keep up on the latest Android news! It’s super easy with all the great news outlets, blogs, and Twitter feeds out there. If it’s hot, new, or just plain interesting, you can count on many tech news outlets, including the Webroot Threat Blog, to post or comment about it.

Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools

Next to the ubiquitous for the cybercrime ecosystem, traffic acquisition tactics such as, blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, establishing purely malicious infrastructure, and social engineering driven spam campaigns, cybercriminals are also masters of utilizing social media for the purpose of attracting traffic to their fraudulent/malicious campaigns. From the efficient abuse of Craigslist, the systematic generation of rogue/bogus/fake Instagram, YouTube, and email accounts, the process of automatic account generation continues to take place, driving a cybercriminal’s fraudulent business model, naturally, setting up the foundations for upcoming malicious campaigns that could materialize at any point in time.

In this post, I’ll discuss a commercially available automatic account registration tool that’s successfully targeting Tumblr, emphasize on its core features, and discuss tactics through which its users could abuse access to these automatically registered accounts.

read more…

How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+’s ToS

With social media, now an inseparable part of the marketing expenditures for every modern organization, cybercriminals quickly adapted to the ongoing buzz, and over the last couple of years, have been persistently supplying the market segment with social media metrics performance boosts, in the the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays. This process, largely made possible by the massively undermined CAPTCHA bot vs human verification practice, results in automatically registered accounts, or the persistent data mining of malware-infected hosts for accounting data for social media accounts, continues to scale, allowing both individuals and organizations to superficially boost their social media reputation. In this post, I’ll discuss a recently sampled such service, offering an unlimited number of likes, dislikes, comments, favorites, subscribers and video/music plays, that’s either monetizing automatically registered accounts, compromised legitimate accounts, or what we believe they’re doing, a mix of both in an attempt to meet the demand for their services.

read more…

Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two

Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let’s dissect the currently active malicious iframe campaign that continues to serving a cocktail of (patched) client-side exploits, to users visiting legitimate Web sites.

read more…

Cryptolocker Ransomware and what you need to know

The basics
The Ransomware known as Cryptolocker has been prominent in the media lately, and one that we’re asked about often. Ransomware in general is nothing new, we have been seeing ransomware that hijacked your desktop wallpaper demanding payment for several years now, but while the older ransomware was rather easily removed, Cryptolocker has taken ransomware to a new level. What Cryptolocker does is encrypt files (primarily document files but also image files and other file types) on your computer and any network drives that computer has access to using a very strong encryption method and then demands payment with a 72-hour time period in order to get the files decrypted. This works by using public key encryption and there is no way to decrypt the encrypted files without paying the ransom for the private key.

What you can do help prevent getting infected in the first place and minimize the damage
Run up-to-date security software such as Webroot SecureAnywhere. As with any malware, blocking it in the first place is the best defense.

Since Crypolocker is typically installed through malicious email attachments, familiarize yourself (and your employees) with how to identify potentially malicious and suspicious emails. This will not just help prevent against Cryptolocker, this is a delivery method commonly used by all flavors of malware.

Isolate an infected computer from any network drives at the first sign of infection. Unplug the network cable or disable the wireless connection. This is especially important in Enterprise (Business) environments in order to help prevent files on network drives from being encrypted.

cryptolocker window

Cryptolocker is easily identified by its “Payment Countdown” window

cryptolocker desktop

Some Cryptolocker variants also change your desktop background with additional information in case your antivirus has removed the Cryptolocker files and you still wish to pay the ransom to recover your files.

Backup, backup, backup. You should be backing up your essential files anyway, and you could look at Cryptolocker as a brutal reminder why backups are so essential. Off-site or cloud backup is highly recommended, as off-site backup has long been an essential part of any Disaster Recovery Plan. If you are a home user backing up to a removable drive, be sure to disconnect it when not in use since Cryptolocker can encrypt your backup files on the external drive.

 Other Webroot resources on Cryptolocker

 http://images.saas.webroot.com/Web/Webroot/%7bd4d3ba36-c6b8-43f7-944e-19c486dbcd31%7d_Cryptolocker.pdf

https://community.webroot.com/t5/Webroot-Education/CryptoLocker-Malware-What-you-still-need-to-know/ta-p/69057#.Up5vpsRDt1Z

ThreatVlog Episode 11: Staying safe while doing holiday shopping online

In this edition of the Webroot ThreatVlog, Grayson Milbourne talks about the threats that exist online in the holiday shopping craze. As more and more money is spent online, criminals are becoming more skilled at stealing all sorts of personal information, from credit card numbers to identifying credentials. As with all shopping, common sense is necessary, and with the tips and tricks provided, you will be even more protected while finding that perfect gift online.

http://youtu.be/ayzVT0NQngU

Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”

We’ve just intercepted a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a bogus “Browser Update“, which in reality is a premium rate SMS malware.

read more…

Today’s “massive” password breach: a Webroot perspective

Computer Password Security

First, this is not a blog about a big corporate breach, or a massive new discovery.  Rather, the researchers at Trustwave gained access to a botnet controller interface (the C&C element of a botnet) known as Pony and revealed the data within. Not surprisingly, as the vast majority of botnets target user credentials, this controller had a good deal of data related to passwords. While 2 million passwords might seem like a lot, it is really a drop in the bucket compared to many recent breaches. Think about Adobe who lost a minimum of 28 million, but is rumored to be closer to 130 million, login credentials to their services. Combine this with  the fact that many people use the same password for all online accounts.

read more…