Industry Intel

Context Matters: Turning Data into Threat Intelligence

1949, 1971, 1979, 1981, 1983 and 1991. Yes, these are numbers. You more than likely even recognize them as years. However, without context you wouldn’t immediately recognize them as years in which Sicily’s Mount Etna experienced major eruptions. Data matters, but only...

Out from the Shadows: The Dark Web

You’ve likely heard of the dark web. This ominous sounding shadow internet rose in prominence alongside cryptocurrencies in the early 2010s, eventually becoming such an ingrained part of our cultural zeitgeist that it even received its own feature on an episode of Law...

Webroot DNS Protection: Now Leveraging the Google Cloud Platform

We are  excited to announce Webroot® DNS Protection now runs on Google Cloud Platform (GCP). Leveraging GCP in this way will provide Webroot customers with security, performance, and reliability.  Security Preventing denial of service (DoS) attacks is a core benefit...

Streaming Safer Means Streaming Legally

It’s been more than a decade since Netflix launched its on-demand online streaming service, drastically changing the way we consume media. In 2019, streaming accounts for an astonishing 58 percent of all internet traffic, with Netflix alone claiming a 15 percent share...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

Cyber News Rundown: First GDPR Fine Issues in Poland

Reading Time: ~ 2 min.

First GDPR Fine Issued in Poland

The first fine issued from the Polish privacy regulator has been issued to an unnamed firm for quietly gathering personal data for over 6 million Polish citizens and using it for commercial gains without consent. The fine of £187,000 was generated after officials learned that only 90,000 individuals had been contacted via email, as the company had seemingly no other low-cost options for contacting the remaining millions of affected citizens. 

ASUS Update Utility Used as Backdoor

ASUS recently confirmed that their Live Update utility for notebooks was compromised, leading to at least 500,000 machines being affected by malicious code. While this attack was focused on a only a couple of specific servers, the announcement came nearly a month after the company was told by researchers about the issue and it continued to push the malware via Live Update. Fortunately, ASUS resolved the issue with their latest update and has provided a tool to help customers determine if they’re still at risk. 

Microsoft Takes Domains Back from Hackers

Microsoft has been working for some time to combat state-backed hackers by regaining control of nearly 100 domains that have been used in spear-phishing attacks across the globe. Many of the domains used keywords relating to more popular companies to steal login credentials for the sites they mimicked By obtaining court orders for the domains, Microsoft has continued its long-term legal battle, with help from domain registrars, to take these scams offline. 

Facebook Hack Exposes 110,000 Australians

After the Facebook hack in September of last year the personally identifiable information for over 100,000 Australians was compromised. While some users saw only their name and email address exposed, others had their search history, recent location check-ins, and more information available to the hackers. Facebook began notifying the proper regulatory officials four days after they themselves became aware of the breach that had begun more than a week earlier. 

Cryptocurrency Exchanges Hacked

With an estimated combined loss of over $46 million in cryptocurrency, two exchanges have come forward about hacks that have taken them offline as investigations unfold. DragonEx initially announced that an attack had occurred over the weekend and that they were able to regain some of the stolen funds. They then posted the wallet addresses that had received stolen funds in hopes of having the accounts frozen and the flow of currencies stopped. The second hack on CoinBene has been denied by the company as they haven’t lost any funds, but users were able to trace significant amounts of several cryptocurrencies dumped into other markets not long after the attack on the exchange took place.

Cyber News Rundown: Hacker Exposes 26 Million Personal Records

Reading Time: ~ 2 min.

Gnosticplayers Adds 26 Million More Records for Sale

After the first 3 major data dumps, which totaled over 600 million records, the hacker known as Gnosticplayers has released his latest cache of data, which contains at least 26 million personal user records. These data caches hold customer information for 32 companies overall and have been obtained over just the past couple months, making the data that much more lucrative. The hacker claims these breaches are done simply out of frustration that security is still not being taken seriously by many major companies from across the globe, which may explain why the price tag for each dump is so low.

Hackers Set Off Tornado Sirens in Texas Towns

At least 30 tornado warning sirens in two Texas towns were triggered in the early morning hours by an unknown hacker. While officials quickly shut down the sirens, they did so just 24 hours prior to a major storm during which they might have needed to use these critical emergency systems. This attack is very similar to one that affected the entire Dallas area in 2017, when hackers successfully compromised a radio system that set off over 100 tornado sirens across the city.

Marketing Firm Exposes 230 Million Records

Another misconfigured Amazon database, this time belonging to Exactis, carries the blame for a data breach that could affect at least 230 million individuals, with more data on 110 million individual records tied to businesses. While it is still unclear exactly how long the database was accessible, the company and an external security auditor maintain that the data was not accessed maliciously during its time online, though the independent researcher who first discovered the database reports that the data may have been spotted for sale on the dark web.

Ransomware Cripples Major Aluminum Manufacturer

Norsk Hydro, a major Aluminum producer, suffered a ransomware attack that successfully shut down a large portion of the company’s operations. The attack forced the company to switch to manual operations at all of its facilities around the world, and temporarily take down their website while they worked to restore their systems from backups. Fortunately, the company retains backups for their major operations, so normal production should resume within the week.

Gearbest Leaks 1.5 Million Customer Records

Following the trend of unprotected databases, researchers recently found yet another one, this time belonging to Gearbest (a Chinese e-commerce site). This database contained unencrypted personal records for over 1.5 million customers around the globe, including payment data, ID and passport info, and even data that could compromise Gearbest itself, as URLs for an internal software platform were also exposed. The company has since claimed that the number of exposed records is much smaller than originally posted. However, they also maintain that they use strong encryption on all stored data, despite this latest evidence to the contrary. 

HTTPS: Privacy vs. Security, and Where End Users and Security Culture Fit In

Reading Time: ~ 4 min.

Since the dawn of IT, there’s been a very consistent theme among admins: end users are the weakest link in your network, organization, security strategy, fill-in-the-blank. We’ve all heard the stories, and even experienced them first-hand. An employee falls for a phishing scam and the whole network is down. Another colleague torrents a file laced with malware. Or maybe it’s something less sinister: someone wants to charge their phone, so they unplug something from the only nearby outlet, but what they unplug is somehow critical… help desk tickets ensue. 

But when it comes to security issues caused by human error, it’s not necessarily always the end user’s fault. Cyberattacks are getting more and more sophisticated by the second, and all of them are designed to either circumvent defenses or appear totally legitimate to fool people. One of the major advances of this type that we’ve seen is with phishing sites and the use of HTTPS.

HTTPS: The Beginning

While HTTP is the foundation of all data exchange and communication on the internet, it wasn’t designed for privacy. Transmitting information on the web using HTTP is kind of like sending a postcard; anybody who handles that card can read it. HTTPS was supposed to be a way of adding privacy to protect users and sensitive information from prying eyes.

At first, you’d only see HTTPS on financial or health care websites, or maybe the cart page on a shopping site, where the extra privacy was necessary. And back then, getting a security certificate was much harder—it involved significant costs and thorough security checks. Then, a few years ago, most web browsers started requiring security certificates for every website, or else they’d throw up a scary-looking warning that the site you were trying to visit might be dangerous. That trained us to look for (and trust) HTTPS.

A False Sense of Security

These days, when we see HTTPS at the beginning of a URL or the accompanying lock icon in our browser’s address bar, we’ve been conditioned to think that means we’re safe from harm. After all, the S in HTTPS stands for “secure”, right? But the issue is that HTTPS isn’t really about security, it’s about privacy. That little lock icon just means that any information we transmit on that site is encrypted and securely delivered to its destination. It makes no guarantees that the destination itself, is safe.

If you unwittingly end up on a well-faked phishing copy of your banking website and see the lock icon, it’s natural to assume that you’re in the right place and all is well. Except when you try to log in, what you’re really doing is securely transmitting your login credentials to an attacker. In this case, HTTPS would’ve been used to trick you.

The Bad Guys and HTTPS

Malicious actors are always looking for new ways to trick end users. Because so many of us think HTTPS ensures security, attackers are using it against us. It’s no longer difficult to obtain a security certificate. Attackers can do so very cheaply, or even for free, and there’s really no background or security check involved. 

As I mentioned during my talk on HTTPS at this year’s RSA conference, almost half a million of the new phishing sites Webroot discovered each month of 2018 were using HTTPS. In fact, 93% of phishing domains in September and October alone were hosted on HTTPS sites. When you think about these numbers, it’s easy to see why end users might not be to blame when you discover that a major security breach was caused by someone being duped by a phishing scam. 

The Way Forward

As more HTTPS phishing and malware sites emerge, even the most vigilant among us could fall victim. But that doesn’t mean we shouldn’t invest in end user education. End users are on the front lines on the cybersecurity battlefield. It’s up to us to provide right tools and armor to keep users and the companies they represent safe. To be truly effective, we need to implement ongoing security awareness training programs that recur continually throughout an employee’s time with the company. If we accomplish that, the results speak for themselves; after 12 months of training, end users are 70% less likely to fall for a phishing attempt!

We also need to make sure our security strategies incorporate real-time threat intelligence to accurately classify and determine which websites are good or malicious, regardless of their HTTPS designation. In an age where phishing sites appear and disappear in a matter of hours or minutes, malicious sites use HTTPS, and at least 40% of bad URLs can be found on good domains, it’s more important than ever that we all use the most advanced real-time technologies available. 

Ultimately building a culture of cybersecurity will always be more effective than a top-down mandate.. Everyone in the organization, from the CEO to the newest intern, should be invested in adopting and furthering a security conscious culture. Part of that process is going to be shifting the general IT perceptions around human error and the issues it can cause. We shouldn’t think of our end users as the weakest link in the chain; instead we should think of them as the key to a robust security strategy.

To hear more about HTTPS, phishing, and end user education, you can listen to the podcast I did with cybersecurity executive and advisor Shira Rubinoff at RSAC 2019.

Post Coinhive, What’s Next for Cryptojacking?

Reading Time: ~ 2 min.

In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.

Coinhive became infamous quickly following its debut as an innovative javascript-based cryptomining script in 2018. While Coinhive maintained that its service was born out of good intentions—to offer website owners a means to generate revenue outside of hosting ads—it took cybercriminals no time at all to create cryptojacking attack campaigns. Cryptojacking became incredibly popular in 2018, infecting millions of sites (and cloud systems among the likes of Tesla) and netting criminals millions in cryptocurrency at the expense of their victims.

Source: Coinhive [dot] com

I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.

Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the difficulty of the hashrate, this means Coinhive is making very little money from legitimate miners.

Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.

Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.

Even before this news, there were plenty of other copycats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had about around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.

Stay tuned to the Webroot blog for future developments in cryptojacking.

Cyber News Rundown: Georgia County Pays for Ransomware Threat

Reading Time: ~ 2 min.

Georgia County Pays Six Figure Ransom to Restore IT Systems

Following a ransomware attack earlier this month, officials in Jackson County, Georgia decided to pay a $400,000 ransom in order to obtain a decryption key and return their systems to normal operations. While it’s not normally recommended to pay ransoms, but instead to keep proper backups of critical files, the county decided that it would cost significantly more to restore the systems on their own. It is still unclear how the breach unfolded or how long the hackers had access to the network.

Michigan Healthcare Group Compromised

Sensitive information on over 600,000 patients was recently exposed after the Wolverine Solutions Group (WSG) suffered a data breach. The WSG initially suffered a ransomware attack in September of last year, and has been working to decrypt many of their systems since then. Due to Michigan’s lax laws regarding the announcement of a data breach, customers who may have been affected were contacted only within the last month.

Redirect Tags Found on Fortune 100 Sites

Hundreds of third-party redirect tags have been found hidden on the websites of Fortune 100 companies. These tags could allow attackers to access user data from any of the compromised sites and also degrade the performance of sites with multiple hidden tags. Many site owners even expressed concern over possible customer data loss, but did little to clear the tags from  their sites.

Asian Gaming Companies Infiltrated by Backdoors

Several Asia-based gaming companies have discovered hidden backdoors within main executables of some games attracting tens of thousands of players. Fortunately, after identifying the malicious code two of the three companies immediately pushed updates to their software, and the command & control servers for the backdoors were taken offline soon after. The backdoors appear to have originated from a malicious Chinese hacker group that has committed these types of attacks multiple times in recent years.

Info on 1.8 Million Women Found on Unprotected Chinese Database

An unprotected database was recently found which contains extremely sensitive data for nearly 1.8 million women in China. Amongst the personally identifying information was GPS coordinates, political affiliations, and even available video of specific individuals. Unfortunately, while the owners of this one database were successfully contacted, there are still thousands of similarly unprotected databases on Chinese networks.

Cyber News Rundown: New Ransomware Service Offers Membership

Reading Time: ~ 2 min.

Ransomware as-a-Service Offers Tiered Membership Benefits

Jokeroo is the latest ransomware-as-a-service (RaaS) to begin spreading through hacker forums, though it’s differentiating itself by requiring a membership fee with various package offerings. For just $90, a buyer obtains access to a ransomware variant that they can fully customize in exchange for a 15% service fee on any ransom payments received. Higher packages are also available that offer even more options that give the user a full dashboard to monitor their campaign, though no ransomware has yet to be distributed from the service. 

Android Adware Apps are Increasingly Persistent

Several new apps on the Google Play store have been found to be responsible for constant pop-up ads on over 700,000 devices after being installed as phony camera apps. By creating a shortcut on the device and hiding the main icon, the apps are able to stay installed on the device for a considerable amount of time, as any user trying to remove the app would only delete the shortcut. Fortunately, many users have been writing poor reviews about their experiences in hopes of steering prospective users away from these fraudulent apps while they remain on the store.

Phone Scammers Disguising Themselves with DHS Numbers

People all across the U.S. have been receiving phone calls from scammers claiming to be from the Department of Homeland Security (DHS), with actual spoofed DHS phone numbers, requesting sensitive information. While phone scams aren’t new, this campaign has upped the stakes by threatening the victims with arrest if they don’t provide information or make a payment to the scammers. DHS officials have stated they will never attempt to contact individuals through outgoing phone calls.

Failed Ransomware Attack Leaves Thousands of Israeli Sites Defaced

A ransomware attack aiming to infect millions of Israeli users through a widget used in thousands of websites failed over the weekend. Though all sites began displaying pro-Palestine messages, the intended file download never took place due to a coding error that prevented execution immediately after the pop-up message. After dealing with the poisoned DNS records for the widget creator Nagich, the company was able to restore normal function within a few hours of the attack beginning.

Chicago Medical Center Exposes Patient Records

Nearly eight months after a Rush Medical Center employee emailed a file containing highly sensitive patient information to one of their billing vendors, the company began contacting affected patients and conducting an internal investigation. Rush has setup a call center to provide additional information to concerned patients and has offered all victims access to an identity monitoring service, while warning them to check their credit history for any fraudulent activity.

Cyber News Rundown: Botnet Hijacks Browsers

Reading Time: ~ 2 min.

Fake Apex Legends App Spreads Malware

As the popularity of the latest free-to-play battle royale pushes ever higher, malicious Apex Legends apps have been spotted in the Google Play store with upwards of 100,000 downloads. The fake apps typically offer free in-game currency, or free downloads for an already free game, while installing malware onto devices and directing users to enter phishing domains to further compromise themselves.  

Cryptocurrency Wallet Bug Checks User Passwords with Spellchecker

A new bug has been found within the Coinomi cryptocurrency wallet app that quietly submits each user password to Google’s spellchecker without encryption, leaving user accounts vulnerable to attacks if someone is monitoring the web traffic of the application. The bug was discovered by a researcher who noticed that a majority of his funds had gone missing from his Coinomi-stored cryptocurrencies, leading him to investigate the app more extensively. 

Bangladeshi Embassy Site Compromised

Researchers have found that the web site for the Bangladesh Embassy in Cairo has been compromised and was pushing malicious word document downloads to any user who visited the site. Once the download is confirmed, it installs to an innocuous location within ProgramData and begins attempting to contact the command & control server to pull down additional malware. It’s likely that this issue is linked to an earlier attack on the site that left a cryptominer operating for several days and is affecting users who accessed the site during that time. 

Botnet Controls Browsers Even After Being Closed

A new type of cyber attack has been found that uses normal JavaScript and HTML5 functionality to take control of a user’s browser for a number of malicious activities and can even continue operating and commandeering resources after the browser or website has closed. Through these normal capabilities, this type of attack could affect both desktop and mobile browsers and, due to its nature, can be exceedingly persistent on the system once active. 

Multi-OS Ransomware Demands High Payment

The latest ransomware variant to make its rounds, Borontok, has already been spotted encrypting Linux servers and commercial websites, leaving a .rontok extension at the end of the filename. To make matters worse, the demanded ransom payment is 20 Bitcoins, or roughly $75,000, and gives directions to an actual payment site, though it does later offer the user a chance to negotiate for a lower payment. 

The Ransomware Threat isn’t Over. It’s Evolving.

Reading Time: ~ 5 min.

This is the third of a three-part report on the state of three malware categories: miners, ransomware and information stealers.

Ransomware is any malware that holds your data ransom. These days it usually involves encrypting a victim’s data before asking for cash (typically cryptocurrency) to decrypt it. Ransomware ruled the malware world since late 2013, but finally saw a decline last year. The general drop in malware numbers, along with defensive improvements by the IT world in general (such as more widespread backup adoption), were factors, but have also led this threat to become more targeted and ruthless.

Delivery methods

When ransomware first appeared, it was typically distributed via huge email and exploit kit campaigns. Consumer and business users alike were struck without much discretion. 

Today, many ransomware criminals prefer to select their targets to maximise their payouts. There’s a cost to doing business when it comes to infecting people, and the larger the group of people you are trying to hit, the more it costs. 

Exploit kits

Simply visiting some websites can get you infected, even if you don’t try to download anything. This is usually done by exploiting weaknesses in the software used to browse the web such as your browser, Java, or Flash. Content management and development tools like WordPress and Microsoft Silverlight, respectively, are also common sources of vulnerabilities. But there’s a lot of software and web trickery involved in delivering infections this way, so the bulk of this work is packaged into an exploit kit which can be rented out to criminals to help them spread their malware. 

Renting an exploit kit can cost $1,000 a month, so this method of delivery isn’t for everyone. Only those cybercriminals who’re sufficiently motivated and funded. 

“Because the cost of exploitation has risen so dramatically over the course of the last decade, we’ll continue to see a drop in the use of 0-days in the wild (as well as associated private exploit leaks). Without a doubt, state actors will continue to hoard these for use on the highest-value targets, but expect to see a stop to Shadowbrokers-esque occurrences. The mentioned leaks probably served as a powerful wake-up call internally with regards to who has access to these utilities (or, perhaps, where they’re left behind).” – Eric Klonowski, Webroot Principal Threat Research Analyst

Exploits for use in both malware and web threats are harder to come by these days and, accordingly, we are seeing a drop in the number of exploit kits and a rise in the cost of exploits in the wild. This threat isn’t going anywhere, but it is declining.

Email campaigns

Spam emails are a great way of spreading malware. They’re advantageous for criminals, as they can hit millions of victims at a time. Beating email filters, creating a convincing phishing message, crafting a dropper, and beating security in general is tough to do on a large scale, however. Running these big campaigns requires work and expertise so, much like an exploit kit, they are expensive to rent. 

Targeted attacks

The likelihood of a target paying a ransom and how much that ransom is likely to be is subject to a number of factors, including:

  • The country of the victim. The GDP of the victim’s home nation is correlated to a campaign’s success, as victims in richer countries are more likely to shell out for ransoms 
  • The importance of the data encrypted
  • The costs associated with downtime
  • The operating system in use. Windows 7 users are twice as likely to be hit by malware as those with Windows 10, according to Webroot data
  • Whether the target is a business or a private citizen. Business customers are more likely to pay, and pay big

Since the probability of success varies based on the target’s circumstances, it’s important to note that there are ways of narrowing target selection using exploit kits or email campaigns, but they are more scattershot than other, more targeted attacks.

RDP

Remote Desktop Protocol, or RDP, is a popular Microsoft system used mainly by admins to connect remotely to servers and other endpoints. When enabled by poor setups and poor password policies, cybercriminals can easily hack them. RDP breaches are nothing new, but sadly the business world (and particularly the small business sector) has been ignoring the threat for years. Recently, government agencies in the U.S. and UK have issued warnings about this completely preventable attack. Less sophisticated cybercriminals can buy RDP access to already hacked machines on the dark web. Access to machines in major airports has been spotted on dark web marketplaces for just a few dollars.

Spear phishing

If you know your target, you can tailor an email specifically to fool them. This is known as spear phishing, and it’s an extremely effective technique that’s used in a lot of headline ransomware cases.

Modular malware

Modular malware attacks a system in different stages. After running on a machine, some reconnaissance is done before the malware reinitiates its communications with its base and additional payloads are downloaded. 

Trickbot

The modular banking Trojan Trickbot has also been seen dropping ransomware like Bitpaymer onto machines. Recently it’s been used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk (ransomware) to encrypt the most valuable information they have. The actors behind this Trickbot/Ryuk campaign only pursue large, lucrative targets they know they can cripple.

Trickbot itself is often dropped by another piece of modular malware, Emotet

What are the current trends?

As we’ve noted, ransomware use may be on the decline due to heightened defences and greater awareness of the threat, but the broader, more noteworthy trend is to pursue more carefully selected targets. RDP breaches have been the largest source of ransomware calls to our support teams in the last 2 years. They are totally devastating to those hit, so ransoms are often paid.

Modular malware involves researching a target before deciding if or how to execute and, as noted in our last blog on information stealers,they have been surging as a threat for the last six months. 

Automation

When we talk about selecting targets, you might be inclined to assume that there is a human involved. But, wherever practical, the attack will be coded to free up manpower. Malware routinely will decide not to run if it is in a virtualised environment or if there are analysis tools installed on machines. Slick automation is used by Trickbot and Emotet to keep botnets running and to spread using stolen credentials. RDP breaches are easier than ever due to automated processes scouring the internet for targets to exploit. Expect more and more intelligent automation from ransomware and other malware in future.

What can I do?

  • Secure your RDP
  • Use proper password policy. This ties in with RDP ransomware threats and especially applies to admins.
  • Update everything
  • Back up everything. Is this backup physically connected to your environment (as in USB storage)? If so, it can easily be encrypted by malware and malicious actors. Make sure to air gap backups or back up to the cloud.
  • If you feel you have been the victim of a breach, it’s possible there are decryption tools available. Despite the brilliant efforts of the researchers in decryption, this is only the case in some instances.

What can Webroot do?

  • Detect and stop ransomware. Prevention is always best, and it’s what we’re best at.
  • Block malicious URLs and web traffic.
  • Rollback changes made by some ransomware.
  • Offer support. Our support is excellent and easy to reach. As well as helping to tackle any possible ransomware attack, our team will investigate the root cause and help you secure your organisation against future attacks. Specialised security hardening tools that can be deployed from your console to your machines in a few clicks.
  • For more technical details see our Ransomware Prevention Guide.

Cyber News Rundown: Phishing through Email Filter

Reading Time: ~ 2 min.

Email Phishers Find New Filter Bypass

Since email filters have gained popularity over the last decade, scammers have been forced to adapt their attacks. To bypass a normal URL filter that would check for malicious links, these scammers have found a way to alter the “document relationship” file (xml.rels) and continue to push out harmful links. By removing the malicious link from the relationship file, many filters simply skip over it and allow the link to remain clickable, a new tactic which relies on filters scanning only a portion of a file.

Unknown Devices Putting UK Firms at Risk

In a recent survey, nearly 3 million UK businesses have admitted to constantly monitoring dozens of unknown devices connecting to their corporate networks. With internal security flaws being the main driver for data breaches, new policies should be implemented to work with the increasing number of external IoT devices connecting with systems expected to maintain a certain level of privacy. Unfortunately, many companies still see IoT devices as a non-threat and continue to ignore the gaping security holes appearing within their walls.

Swedish Healthcare Database Left Unattended for Years

A server was recently discovered to contain millions of call records made to a Swedish Healthcare Guide service that has been left exposed for up to six years. The server itself was created, then forgotten in 2013, and has since missed dozens of patches, leaving it vulnerable to at least 23 unique security flaws. Within the call records are names, birth dates, and even social security numbers, though after hearing of the breach, the company made swift efforts to properly secure the sensitive data.

Stanford Students Exposed After URL Vulnerability Spotted

What started as a simple admissions document request has left the personal data of 93 students exposed, due to a simple flaw in the record’s URL. By easily swapping out parts of the numeric ID viewable in the document’s URL, anyone with a login to the site could view another student’s records. Within the admissions documents was personal information relating to a specific student, including non-university records like background/criminal checks and citizenship standings. Fortunately, Stanford was quick to make the necessary changes and contacting affected students.

Cyber News Rundown: Photography Site Breached

Reading Time: ~ 2 min.

Popular Photography Site Breached

A major photography site, 500px, recently discovered they had suffered a data breach in July of last year. Data ranging from name and email addresses, to birthdates and user locations, were comprised. While the company did confirm no customer payment data is stored on their servers, all 15+ million users are receiving a forced password reset to ensure no further accounts can be compromised.

Nigerian Scammers Target ‘Lonely’ Victims

 A recent email campaign by a criminal organization known as Scarlet Widow has been focusing on matchmaking sites for people they consider to be lonelier, elderly, or divorced. By creating fake profiles and gaining the trust of these individuals, the scammers are not only attempting to profit financially, but also causing emotional harm to already vulnerable people.  In some cases these victims have been tricked into sending thousands of dollars in response to false claims of needing financial assistance, with one victim sending over $500,000 in a single year.

VFEmail Taken Down by Hackers

The founder of VFEmail watched as nearly 20 years-worth of data was destroyed by hackers in an attack that began Monday morning. Just a few hours after servers initially went down, a Tweet from a company account announced that all of the servers and backups had been formatted by a hacker traced back to Bulgarian hosting services. The motivation for the attack is still unclear, though given the numerous security measures the hacker successfully bypassed, it appears to have been a significant effort.

Urban Electric Scooters Vulnerable to Attacks

With the introduction of electric scooters to many major cities, some are curious about the security measures keeping customers safe. One researcher was able to wirelessly hack into a scooter from up to 100 yards and use his control to brake or accelerate the scooter at will, leaving the victim in a potentially dangerous situation. Without a proper password authentication system for both the scooter and the corresponding application, anyone can take control of the scooter without needing a password.

Phishing Campaign Stuffs URL Links with Excessive Characters

The latest phishing campaign to gain popularity has brought with it a warning about accounts being blacklisted and a confirmation link containing anywhere from 400 to 1,000 characters. Fortunately for observant recipients, the link should immediately look suspicious and serve as an example of the importance of checking a URL before clicking on any links.

Cyber News Rundown: Phishing British Parliament

Reading Time: ~ 2 min.

Members of British Parliament Targeted by Phishing Attack

Dozens of MPs from the UK were recently subjected to malicious spam and unauthorized solicitations via their mobile devices. Fortunately, as this wasn’t the first phishing attempt on MPs, many were quick to delete any unusual messages and quickly warned others to do the same. Due to the ease of mounting such an attack, phishing campaigns can be extremely effective, especially when deploying social engineering tactics to increase the victim pool.

Major African Utility Company Breached

One of the largest energy providers on the African continent suffered a data breach this week, brought on by an employee downloading a game onto a corporate device. Along with introducing a fairly sophisticated banking Trojan onto the system, the employee also allowed for a database containing sensitive customer information to be made available to the attackers. Even more worrisome, the utility company was only made aware of the breach after an independent security researcher attempted to contact them about the stolen data via Twitter.

Cryptocurrency Exchange Collapses After CEO Death

A Canadian-based cryptocurrency exchange was recently faced with a major dilemma after the untimely death of their CEO and only person to have access to the offline coin storage wallet. With more than $100 million worth of cryptocurrency current tied up in the exchange, many customers quickly found themselves without access to their funds, possibly indefinitely. Having a single point of failure is a critical, and easily avoidable, issue for any digital company.

Fast Food POS Breach

A new breach has been discovered that could affect any customers who paid with a credit card at any Huddle House fast-food locations over the past two years. While the specific malware variant is still unknown, there were obvious signs of credential stealing and other information gathering tactics. Huddle House has since been working with law enforcement and credit companies to help potential victims with credit monitoring.

Google Play Removes Porn Apps

In another wave of cleaning up the Google Play store, the company recently removed 29 apps that were disguised as photo or camera apps but would instead steal user photos and display a steady stream of pornographic advertisements. The apps had all been downloaded between 100,000 and 1 million time each, and were often extremely difficult to remove, even hiding the app icon entirely. Additionally, some of the apps would display as a photo editor, encouraging users to upload any extra pictures that weren’t already stolen.

Carbonite to Acquire Webroot

Reading Time: ~ 2 min.

I’m excited to share that Webroot has entered into an agreement to be acquired by Carbonite, a leader in cloud-based data protection for consumers and businesses.

Why do I think this is such good news for customers, partners and our employees?  

For customers and partners, the combined Webroot and Carbonite will create an integrated solution for their top security needs today and a platform for us to build upon in the future. When surveyed, SMBs and MSPs consistently name endpoint security and backup and data recovery services among their top priorities.

For our threat intelligence partners, the addition of new data sources will make our threat intelligence services even more powerful.

We see great opportunities ahead building on the solutions you trust—endpoint and network protection, security awareness training and threat intelligence services—and extending them to backup and data recovery and beyond.

For employees, we see a great future of growth for a team with a shared culture. Both Webroot and Carbonite have tremendously talented team members who together will bring even more innovative solutions to market. But, just as important, both companies have a culture of customer focus, where customer success is the ultimate proof of company success. 

Until the transaction closes, we must operate as separate companies. After close, which we expect to happen in the first calendar quarter of 2019, I look forward to sharing more information about our plans.

In the meantime, customers and partners can expect:  

  • The same commitment to customer care and support. You will have access to your same account reps and award-winning customer support team.
  • Future solutions that combine Webroot’s threat intelligence driven portfolio with Carbonite’s data protection solutions.
  • Extended sales channels and partner ecosystems. Carbonite partners will provide additional channels for Webroot to reach new customers and partners worldwide.

The most important point I want to underline is that our commitment to you will not change, and we are just expanding the family of people dedicated to building great solutions to protect you and your customers. 

Mike Potts
President & CEO, Webroot