Threat Lab

What Defines a Machine Learning-Based Threat Intelligence Platform?

As technology continues to evolve, several trends are staying consistent. First, the volume of data is growing exponentially. Second, human analysts can’t hope to keep up—there just aren’t enough of them and they can’t work fast enough. Third, adversarial attacks that...

Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology

Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced...

A Chat with Kelvin Murray: Senior Threat Research Analyst

In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

Cloud Services in the Crosshairs of Cybercrime

It's a familiar story in tech: new technologies and shifting preferences raise new security challenges. One of the most pressing challenges today involves monitoring and securing all of the applications and data currently undergoing a mass migration to public and...

A Chat with Kelvin Murray: Senior Threat Research Analyst

Reading Time: ~ 3 min.

In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest conversation. From finding new threats to answering questions from the press, Kelvin has become a trusted voice in the cybersecurity industry.

What is your favorite part of working as a Senior Threat Research Analyst? 

My favorite part about being a threat researcher is both the thrill of learning about new threats and the satisfaction of knowing that our work directly protects our customers. 

What does a week as a Senior Threat Research Analyst look like? 

My week is all about looking at threat information. Combing through this information helps us find meaningful patterns to make informed analysis and predictions, and to initiate customer protections. It roughly breaks down into three categories. The first would be “top down” customer data like metadata. The data we glean from our customers is very important and a big part of what we do. The interlinking of all our data and the assistance of powerful machine learning is a great benefit to us.  

Next would be “whole file” information, or static file analysis and file testing. This is a slow process but there are times when the absolute certainty and granular detail that this kind of file analysis provides is essential. This isn’t usually part of my week, but I work with some great specialists in this regard.  

Last would be news and reports on the threat landscape in general. Risks anywhere are risks everywhere. Keeping up to date with the latest threats is a big part of what I do. I work with a variety of internal teams and try to advise stakeholders, and sometimes media, on current threats and how Webroot fits in. Twitter is a great tool for staying in the know, but without making a list to filter out the useful bits from the other stuff I follow, I wouldn’t get any work done! 

What skills have you built in this role? 

Customer support taught me a lot in terms of the client, company culture, and dealing with customer requests. By the time I was in business support I was learning the newer console system and more corporate terms. Training on the job was very useful for my move to threat, where I also picked up advanced malware removal (AMR), which is the most hands on you can get with malware and the pain it causes customers. All of that knowledge is now useful to me in my public facing role where I prepare webinars, presentations, interviews, blogs, and press answers about threats in general. 

What is your greatest accomplishment in your career at Webroot so far? 

Learning the no-hands trick on the scooter we have in the office. And of course my promotion to Senior Threat Research Analyst. I have had a lot of different roles in my time here, but I’m glad I went down the path I did in terms of employment. There’s never a dull moment when you are researching criminal news and trends, and surprises are always guaranteed. 

What brought you to Webroot? 

I like to say divine providence. But really I had been travelling around Asia for a few months prior to this job. When I got back home I was totally broke and needed a job. A headhunter called me up out of the blue, and the rest is history.   

Are you involved in anything at Webroot outside of your day to day work? 

Listening, singing and (badly) dancing to music. Dublin is a fantastic place for bands and artists to visit given its proximity to the UK and Europe and the general enthusiasm of concert goers. I do worry that a lot of venues, especially nightclubs, are getting shut down and turned into hotels though. I sing in a choir based out of Trinity College.  

Favorite memory on the job? 

Heading to (the now closed) Mabos social events with my team. The Mabos collective ran workshops and social and cultural events in a run-down warehouse that they lovingly (and voluntarily) converted down in Dublin’s docklands. Funnily enough, that building is now Airbnb’s European headquarters. 

What is your favorite thing about working at Webroot? 

The people that I get to work with. I have made many great friendships in the office and still see previous colleagues socially, even those from five or six years ago.  

What is the hardest thing about being a Senior Threat Research Analyst? 

Prioritizing my time. I can try my hand at a few different areas at work, but if I don’t focus enough on any one thing then nothing gets done. I find everything interesting and that curiosity can get in the way sometimes! 

What is your favorite thing to do in Dublin?  

Trying new restaurants and heading out to gigs. I’d be a millionaire if I didn’t eat out at lunchtime so much. Dublin is full of great places. I like all kinds of gigs from dance to soul to traditional. The Button Factory is one of the coolest venues we have. 

How did you get into the technology field? 

I first become interested in technology through messing with my aunt’s Mac back in the early 90s. There were a lot of cool games on her black and white laptop she brought home from a compucentre she worked in, but the one that sticks in my memory was Shufflepuck Café. My dad always had some crazy pre-Windows machines lying around. Things with cartridges or orange text screens running Norton commander. 

 To learn more about life at Webroot, visit https://www.webroot.com/blog/category/life-at-webroot/

Antivirus vs. VPN: Do You Need Both?

Reading Time: ~ 3 min.

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filings for tax returns known as tax-related identity theft

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.  

Individuals are right to wonder how much of their personally identifiable data (PII) has already leaked onto the dark web. Are their enough pieces of the puzzle to reconstruct their entire online identity?  

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.  

Here we’ll explain what each does and why they work as compliments to each other. Essentially, antivirus solutions keep malware and other cyber threats at bay from your devices, while VPNs cloak your data by encrypting it on its journey to and from your device and the network it’s communicating with. One works at the device level and the other at the network level.  

Why You Need Device-Level Antivirus Security 

Antiviruses bear the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.  

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approached to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.  

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffit, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.” 

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.  

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools for helping network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor network traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers with man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers for the purpose of seeing and copying all traffic traveling between a device and the network they now control.  

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.  

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.  

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffit. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”  

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions to protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminals bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.  

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.  

HTTPS: Privacy vs. Security, and Where End Users and Security Culture Fit In

Reading Time: ~ 4 min.

Since the dawn of IT, there’s been a very consistent theme among admins: end users are the weakest link in your network, organization, security strategy, fill-in-the-blank. We’ve all heard the stories, and even experienced them first-hand. An employee falls for a phishing scam and the whole network is down. Another colleague torrents a file laced with malware. Or maybe it’s something less sinister: someone wants to charge their phone, so they unplug something from the only nearby outlet, but what they unplug is somehow critical… help desk tickets ensue. 

But when it comes to security issues caused by human error, it’s not necessarily always the end user’s fault. Cyberattacks are getting more and more sophisticated by the second, and all of them are designed to either circumvent defenses or appear totally legitimate to fool people. One of the major advances of this type that we’ve seen is with phishing sites and the use of HTTPS.

HTTPS: The Beginning

While HTTP is the foundation of all data exchange and communication on the internet, it wasn’t designed for privacy. Transmitting information on the web using HTTP is kind of like sending a postcard; anybody who handles that card can read it. HTTPS was supposed to be a way of adding privacy to protect users and sensitive information from prying eyes.

At first, you’d only see HTTPS on financial or health care websites, or maybe the cart page on a shopping site, where the extra privacy was necessary. And back then, getting a security certificate was much harder—it involved significant costs and thorough security checks. Then, a few years ago, most web browsers started requiring security certificates for every website, or else they’d throw up a scary-looking warning that the site you were trying to visit might be dangerous. That trained us to look for (and trust) HTTPS.

A False Sense of Security

These days, when we see HTTPS at the beginning of a URL or the accompanying lock icon in our browser’s address bar, we’ve been conditioned to think that means we’re safe from harm. After all, the S in HTTPS stands for “secure”, right? But the issue is that HTTPS isn’t really about security, it’s about privacy. That little lock icon just means that any information we transmit on that site is encrypted and securely delivered to its destination. It makes no guarantees that the destination itself, is safe.

If you unwittingly end up on a well-faked phishing copy of your banking website and see the lock icon, it’s natural to assume that you’re in the right place and all is well. Except when you try to log in, what you’re really doing is securely transmitting your login credentials to an attacker. In this case, HTTPS would’ve been used to trick you.

The Bad Guys and HTTPS

Malicious actors are always looking for new ways to trick end users. Because so many of us think HTTPS ensures security, attackers are using it against us. It’s no longer difficult to obtain a security certificate. Attackers can do so very cheaply, or even for free, and there’s really no background or security check involved. 

As I mentioned during my talk on HTTPS at this year’s RSA conference, almost half a million of the new phishing sites Webroot discovered each month of 2018 were using HTTPS. In fact, 93% of phishing domains in September and October alone were hosted on HTTPS sites. When you think about these numbers, it’s easy to see why end users might not be to blame when you discover that a major security breach was caused by someone being duped by a phishing scam. 

The Way Forward

As more HTTPS phishing and malware sites emerge, even the most vigilant among us could fall victim. But that doesn’t mean we shouldn’t invest in end user education. End users are on the front lines on the cybersecurity battlefield. It’s up to us to provide right tools and armor to keep users and the companies they represent safe. To be truly effective, we need to implement ongoing security awareness training programs that recur continually throughout an employee’s time with the company. If we accomplish that, the results speak for themselves; after 12 months of training, end users are 70% less likely to fall for a phishing attempt!

We also need to make sure our security strategies incorporate real-time threat intelligence to accurately classify and determine which websites are good or malicious, regardless of their HTTPS designation. In an age where phishing sites appear and disappear in a matter of hours or minutes, malicious sites use HTTPS, and at least 40% of bad URLs can be found on good domains, it’s more important than ever that we all use the most advanced real-time technologies available. 

Ultimately building a culture of cybersecurity will always be more effective than a top-down mandate.. Everyone in the organization, from the CEO to the newest intern, should be invested in adopting and furthering a security conscious culture. Part of that process is going to be shifting the general IT perceptions around human error and the issues it can cause. We shouldn’t think of our end users as the weakest link in the chain; instead we should think of them as the key to a robust security strategy.

To hear more about HTTPS, phishing, and end user education, you can listen to the podcast I did with cybersecurity executive and advisor Shira Rubinoff at RSAC 2019.

Post Coinhive, What’s Next for Cryptojacking?

Reading Time: ~ 2 min.

In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.

Coinhive became infamous quickly following its debut as an innovative javascript-based cryptomining script in 2018. While Coinhive maintained that its service was born out of good intentions—to offer website owners a means to generate revenue outside of hosting ads—it took cybercriminals no time at all to create cryptojacking attack campaigns. Cryptojacking became incredibly popular in 2018, infecting millions of sites (and cloud systems among the likes of Tesla) and netting criminals millions in cryptocurrency at the expense of their victims.

Source: Coinhive [dot] com

I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.

Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the difficulty of the hashrate, this means Coinhive is making very little money from legitimate miners.

Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.

Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.

Even before this news, there were plenty of other copycats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had about around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.

Stay tuned to the Webroot blog for future developments in cryptojacking.

Cyber News Rundown: New Ransomware Service Offers Membership

Reading Time: ~ 2 min.

Ransomware as-a-Service Offers Tiered Membership Benefits

Jokeroo is the latest ransomware-as-a-service (RaaS) to begin spreading through hacker forums, though it’s differentiating itself by requiring a membership fee with various package offerings. For just $90, a buyer obtains access to a ransomware variant that they can fully customize in exchange for a 15% service fee on any ransom payments received. Higher packages are also available that offer even more options that give the user a full dashboard to monitor their campaign, though no ransomware has yet to be distributed from the service. 

Android Adware Apps are Increasingly Persistent

Several new apps on the Google Play store have been found to be responsible for constant pop-up ads on over 700,000 devices after being installed as phony camera apps. By creating a shortcut on the device and hiding the main icon, the apps are able to stay installed on the device for a considerable amount of time, as any user trying to remove the app would only delete the shortcut. Fortunately, many users have been writing poor reviews about their experiences in hopes of steering prospective users away from these fraudulent apps while they remain on the store.

Phone Scammers Disguising Themselves with DHS Numbers

People all across the U.S. have been receiving phone calls from scammers claiming to be from the Department of Homeland Security (DHS), with actual spoofed DHS phone numbers, requesting sensitive information. While phone scams aren’t new, this campaign has upped the stakes by threatening the victims with arrest if they don’t provide information or make a payment to the scammers. DHS officials have stated they will never attempt to contact individuals through outgoing phone calls.

Failed Ransomware Attack Leaves Thousands of Israeli Sites Defaced

A ransomware attack aiming to infect millions of Israeli users through a widget used in thousands of websites failed over the weekend. Though all sites began displaying pro-Palestine messages, the intended file download never took place due to a coding error that prevented execution immediately after the pop-up message. After dealing with the poisoned DNS records for the widget creator Nagich, the company was able to restore normal function within a few hours of the attack beginning.

Chicago Medical Center Exposes Patient Records

Nearly eight months after a Rush Medical Center employee emailed a file containing highly sensitive patient information to one of their billing vendors, the company began contacting affected patients and conducting an internal investigation. Rush has setup a call center to provide additional information to concerned patients and has offered all victims access to an identity monitoring service, while warning them to check their credit history for any fraudulent activity.

Cyber News Rundown: Photography Site Breached

Reading Time: ~ 2 min.

Popular Photography Site Breached

A major photography site, 500px, recently discovered they had suffered a data breach in July of last year. Data ranging from name and email addresses, to birthdates and user locations, were comprised. While the company did confirm no customer payment data is stored on their servers, all 15+ million users are receiving a forced password reset to ensure no further accounts can be compromised.

Nigerian Scammers Target ‘Lonely’ Victims

 A recent email campaign by a criminal organization known as Scarlet Widow has been focusing on matchmaking sites for people they consider to be lonelier, elderly, or divorced. By creating fake profiles and gaining the trust of these individuals, the scammers are not only attempting to profit financially, but also causing emotional harm to already vulnerable people.  In some cases these victims have been tricked into sending thousands of dollars in response to false claims of needing financial assistance, with one victim sending over $500,000 in a single year.

VFEmail Taken Down by Hackers

The founder of VFEmail watched as nearly 20 years-worth of data was destroyed by hackers in an attack that began Monday morning. Just a few hours after servers initially went down, a Tweet from a company account announced that all of the servers and backups had been formatted by a hacker traced back to Bulgarian hosting services. The motivation for the attack is still unclear, though given the numerous security measures the hacker successfully bypassed, it appears to have been a significant effort.

Urban Electric Scooters Vulnerable to Attacks

With the introduction of electric scooters to many major cities, some are curious about the security measures keeping customers safe. One researcher was able to wirelessly hack into a scooter from up to 100 yards and use his control to brake or accelerate the scooter at will, leaving the victim in a potentially dangerous situation. Without a proper password authentication system for both the scooter and the corresponding application, anyone can take control of the scooter without needing a password.

Phishing Campaign Stuffs URL Links with Excessive Characters

The latest phishing campaign to gain popularity has brought with it a warning about accounts being blacklisted and a confirmation link containing anywhere from 400 to 1,000 characters. Fortunately for observant recipients, the link should immediately look suspicious and serve as an example of the importance of checking a URL before clicking on any links.

Common WordPress Vulnerabilities & How to Protect Against Them

Reading Time: ~ 3 min.

The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a price. The easy-to-use interface has given even users who are not particularly cybersecurity-savvy a presence on the web, drawing cyber-criminals out of the woodwork to look for easy prey through WordPress vulnerabilities in the process.

Here are some of these common vulnerabilities, and how can you prepare your website to protect against them.

WordPress Plugins 

The WordPress Plugin Directory is a treasure trove of helpful website widgets that unlock a variety of convenient functions. The breadth of its offerings is thanks to an open submission policy, meaning anyone with the skill to develop a plugin can submit it to the directory. WordPress reviews every plugin before listing it, but clever hackers have been known to exploit flaws in approved widgets.

The problem is so prevalent that, of the known 3,010 unique WordPress vulnerabilities, 1,691 are from WordPress plugins. You can do a few things to impede your site from being exploited through a plugin. Only download plugins from reputable sources, and be sure to clean out any extraneous plugins you are no longer using. It’s also important to keep your WordPress plugins up-to-date, as outdated code is the best way for a hacker to inject malware into your site.

Phishing Attacks 

Phishing remains a favored attack form for hackers across all platforms, and WordPress is no exception. Keep your eyes out for phishing attacks in the comments section, and only click on links from trusted sources. In particular, WordPress admins need to be on alert for attackers looking to gain administrative access to the site. These phishing attacks may appear to be legitimate emails from WordPress prompting you to click a link, as was seen with a recent attack targeting admins to update their WordPress database. If you receive an email prompting you to update your WordPress version, do a quick Google search to check that the update is legitimate. Even then, it’s best to use the update link from the WordPress website itself, not an email.

Weak Administrative Practices 

An often overlooked fact about WordPress security: Your account is only as secure as your administrator’s. In the hubbub of getting a website started, it can be easy to create an account and immediately get busy populating content. But hastily creating administrator credentials are a weak link in your cybersecurity, and something an opportunistic hacker will seize upon quickly. Implementing administrative best practices is the best way to increase your WordPress security.

WordPress automatically creates an administrator with the username of “admin” whenever a new account is created. Never leave this default in place; it’s the equivalent of using “password” as your password. Instead, create a new account and grant it administrative privileges before deleting the default administrator account. You’ll also need to change the easily-located and often-targeted administrator url from the default of “wp-admin” to something more ambiguous of your own choosing.

One of the most important practices for any WordPress administrator is keeping the WordPress version up-to-date. An ignored version update can easily become a weak point for hackers to exploit. The more out-of-date your version, the more likely you are to be targeted by an attack. According to WordPress, 42.6% of users are using outdated versions. Don’t be one of them.

Additional Security Practices 

The use of reputable security plugins like WordFence or Sucuri Security can add an additional layer of protection to your site, especially against SQL injections and malware attacks. Research any security plugins before you install them, as we’ve previously seen malware masquerading as WordPress security plugins. If your security plugin doesn’t offer two-factor authentication, you’ll still need to install a secure two-factor authentication plugin to stop brute force attacks. Keeping your data safe and encrypted behind a trusted VPN is also key to WordPress security, especially for those who find themselves working on their WordPress site from public WiFi networks.

WordPress is a powerful platform, but it’s only as secure as you keep it. Keep your website and your users secure with these tips on enhancing WordPress security, and check back here often for updates on all things cybersecurity.

Unsecure RDP Connections are a Widespread Security Failure

Reading Time: ~ 3 min.While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.

RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.

Think of unsecure RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are inadequately setting up remote desktop solutions, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RPD connections using engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.

Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with access can then easily disable endpoint protection or leverage exploits to verify their malicious payloads will execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well.

Common RDP-enabled threats

Ransomware is the most obvious choice, since it’s business model is proven and allows the perpetrator to “case the joint” by browsing all data on system or shared drives to determine how valuable it is and, by extension, how large of a ransom can be requested.

Cryptominers are another payload option, emerging more recently, criminals use via the RDP attack vector. When criminals breach a system, they can see all hardware installed and, if substantial CPU and GPU hardware are available, they can use it mine cryptocurrencies such as Monero on the hardware. This often leads to instant profitability that doesn’t require any payment action from the victim, and can therefore go by undetected indefinitely.

Source: https://knowyourmeme.com/photos/1379666-cheeto-lock

Solving the RDP Problem

The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it could lead to), the proper precautions could be followed to secure the gap. Beyond the tips mentioned in my tweet above, one of the best solutions we recommend is simply restricting RDP to a whitelisted IP range.

However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.

You can learn more about the benefits of security awareness training in IT security here.

Is GDPR a Win for Cybercriminals?

Reading Time: ~ 3 min.GDPR represents a massive paradigm shift for global businesses. Every organization that handles data belonging to European residents must now follow strict security guidelines and businesses are now subject to hefty fines if data breaches are not disclosed. Organizations around the world have been busy preparing to comply with these new regulations, but many internet users are unaware of how GDPR will impact them. While this new oversight enhances user privacy protection, its implementation also opens the door for GDPR-specific cyber threats.

Anyone with even the slightest online presence has been subject to a barrage of new terms and conditions released by companies concerning GDPR, which became effective on May 25, 2018. Criminals are taking advantage of this overwhelming surge of new terms of agreements to execute scams.

A phishing scam purporting to come from Apple is the most popular that we’ve seen. It declares that “For Your Safety, Access To Your Apple ID Has Been Restricted”, then prompts users to update account information before being allowed back in. This particular campaign was designed to capitalize on fatigue from the myriad of updated terms of agreement and privacy policy notifications internet users have encountered in the weeks leading up to GDPR, hoping to catch them off guard. The idea behind the scam is that potential victims are less alert and more likely to agree to and click through anything related to updated terms and conditions. Here’s what the phishing page looks like:

Source: hxxps://www.securitycentre-appleid.com [phishing URL]

When victims click “Update Your Account”, they’re then presented with a fake login page designed to capture their Apple ID credentials.

Source: hxxps://www.securitycentre-appleid.com/Locked.php [Phishing URL]

Targeted Ransomware

Beyond simple phishing scams, GDPR brings new pressure criminals can leverage concerning personal data that companies are responsible for. Targeted ransomware has become popular recently, especially through the RDP attack vector. Cybercriminals are now in a much better position to demand substantially larger ransoms when dealing with company data belonging to EU residents than before.

Were criminals to target an organization handling EU resident data, they’d be in a position to leverage a ransom amount closer to fines meted out under GDPR laws once they’ve breached and encrypted the data. We expect to see an increase in targeted ransomware hoping to exploit the hefty GDPR fine structure.

Another win for cybercriminals comes in the form of the recent change to the WHOIS lookup, made in response to GDPR data privacy restrictions. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the global domain system, has removed crucial bits of data from public WHOIS lookups to comply with GDPR.

Before this change, when queries were made on domains using WHOIS lookup, information such as registrant’s name, address, email, and phone number was accessible. This proved invaluable when tracking malicious domains linked to malware campaigns. Now, with GDPR, that information will no longer be available publicly, giving cybercriminals another edge. ICANN has since filed a lawsuit seeking to clarify the law as it relates to WHOIS data collection, according to Threatpost.

GDPR Fails

We’ve also seen some unfortunate failures from legitimate companies sending emails trying to educate and inform their customers of GDPR-related changes—and actually violating the regulations while doing so.

Source: @ashstronge on Twitter

In sending this email on blast to their contacts, the company above failed to hide email addresses, thereby sending their users’ contact information to everyone on their email list. A mistake like this may carry costly consequences under the EU’s new rules. It should serve as a reminder to businesses of all sizes– there’s a lot at stake when handling personal data. With only 42 percent of organizations in the U.S., U.K. and Australia reporting they are ready to comply with recent privacy regulations, ramping up information security safeguards will continue to be imperative in 2018.

Be on alert for scams related to GDPR. Interact carefully with the many privacy policy updates you’ve likely received in recent weeks. Remember to practice good cyber hygiene, and always double check website URLs whenever entering personal data.

What do you think about GDPR’s implications for the evolving threat landscape? Let us know in the comments below or join our Tech Talk discussion in the Webroot Community.

‘Smishing’: An Emerging Trend of Phishing Scams via Text Messages

Reading Time: ~ 3 min.Text messages are now a common way for people to engage with brands and services, with many now preferring texts over email. But today’s scammers have taken a liking to text messages or smishing, too, and are now targeting victims with text message scams sent via shortcodes instead of traditional email-based phishing attacks.

What do we mean by shortcodes

Businesses typically use shortcodes to send and receive text messages with customers. You’ve probably used them before—for instance, you may have received shipping information from FedEx via the shortcode ‘46339’. Other shortcode uses include airline flight confirmations, identity verification, and routine account alerts. Shortcodes are typically four to six digits in the United States, but different countries have different formats and number designations.

The benefits of shortcodes are fairly obvious. Texts can be more immediate and convenient, making it easier for customers to access links and interact with their favorite brands and services. One major drawback, however, is the potential to be scammed by a SMS-based phishing attack, or ‘Smishing’ attack. (Not surprisingly given the cybersecurity field’s fondness for combining words, smishing is a combination of SMS and phishing.)

All the Dangers of Phishing Attacks, Little of the Awareness

The most obvious example of a smishing attack is a text message containing a link to mobile malware. Mistakenly clicking on this type of link can lead to a malicious app being installed on your smartphone. Once installed, mobile malware can be used to log your keystrokes, steal your identity, or hold your valuable files for ransom. Many of the traditional dangers in opening emails and attachments from unknown senders are the same in smishing attacks, but many people are far less familiar with this type of attack and therefore less likely to be on guard against it.

Text messages from shortcodes can contain links to malware and other dangers.

Smishing for Aid Dollars

Another possible risk in shortcodes is that sending a one-word response can trigger a transaction, allowing a charge to appear on your mobile carrier’s bill. When a natural disaster strikes, it is common for charities to use shortcodes to make it incredibly easy to donate money to support relief efforts. For instance, if you text “PREVENT” to the shortcode 90999, you will donate $10 USD to the American Red Cross Disaster Relief Fund.

But this also makes it incredibly easy for a scammer to tell you to text “MONSOON” to a shortcode number while posing as a legitimate organization. These types of smishing scams can lead to costly fraudulent charges on your phone bill, not to mention erode aid agencies ability to solicit legitimate donations from a wary public. A good resource for determining the authenticity of a shortcode in the United States is the U.S. Short Code Directory. This site allows you to look up brands and the shortcodes they use, or vice versa.

Protect yourself from Smishing Attacks

While a trusted mobile security app can help you stay protected from a variety of mobile threats, avoiding smishing attacks demands a healthy dose of cyber awareness. Be skeptical of any text messages you receive from unknown senders and assume messages are risky until you are sure you know the sender or are expecting the message. Context is also very important. If a contact’s phone is lost or stolen, that contact can be impersonated. Make sure the message makes sense coming from that contact.

Twitter is a Hotbed for Crypto Scam Bots

Reading Time: ~ 3 min.The brazen theft of cryptocurrency has been an ongoing issue for years now, mostly affecting exchanges and users who fail to store their private keys securely. But what about scams purporting to be giving free cryptocurrency away? It seems a little ridiculous, but there is a serious problem with this new incarnation of the classic “Nigerian letter” scam.

How crypto scams work

The scam is very simple. It asks victims to send fairly small amounts of cryptocurrency in return for a larger amount to be sent back later. The scammers often target influential Twitter accounts that likely have followers interested in cryptocurrency. After a popular account tweets—Elon Musk, for example—the scammer immediately replies to that tweet from an account imitating the influencer. So, @eloonmusk is impersonating @elonmusk, and @officialmacafee is impersonating @officialmcafee.

The biggest red flag here is that tweets pretending to be giving away crypto are not from verified accounts. They don’t have the blue checkmark badge next to their account name, which means they are NOT who they say they are. Usually, these imposter tweets will be supported by an entire botnet of fake accounts working in cahoots to increase the perceived legitimacy of the scam tweets. The tactics these bots use include liking and following each other’s posts and making fraudulent replies to these posts saying they received their Ethereum or Bitcoin successfully. They will even host scam websites that show “proof” this scheme is legitimate.

In an attempt to thwart such scammers, leaders in the crypto community have gone as far as to change their Twitter account names to include explicit warnings that they are not giving away cryptocurrency. Ethereum founder Vitalik Buterin is an example of this method, as well as one of the users most commonly targeted by the scam.

Despite the bold disclaimer, scammers refuse to be shaken and continue to adapt their profiles and language to deceive victims.

What can be done to combat crypto scams?

Recently, Twitter attempted to remedy crypto scams by shadow banning the spammer accounts, but several cryptocurrency influencers were caught amid the ban and experienced temporary issues with their accounts.

“People just started DMing me that they couldn’t see my tweets in threads,” Twitter user @cryptomom told CoinDesk. “It would say ‘tweet unavailable.’ Others said they aren’t getting notifications when I tweet. But no word from Twitter. There is some really weird shit going on for crypto Twitter people right now. A rash of permanent bans and suspensions.”

Adding to confusion, Twitter mistakenly verified an account posing as Tron founder Justin Sun.

Cryto scams could prove to be a hurdle for Twitter and its users who’re active in the crypto space. It’s important for people to understand that these scams will NEVER pay you. These fake accounts will do their best to prove their legitimacy, but they are just preying on the greed of victims.

Twitter will need to introduce new methods for combatting this type of spam. Twitter CEO Jack Dorsey recently announced a new verification process is coming that will make it easier for all users to obtain verification, according to the Chicago Tribune. This change will help the numerous crypto organizations and influencers on Twitter establish a verified presence. It is important for users to be protected from predatory scammers, while also protecting the integrity of a platform that has become a major hub for cryptocurrency discussion and information sharing.

What do you think can be done to stop cryptocurrency scams on Twitter? Join me in the Webroot Community or drop me a line in the comments below!

TrickBot Banking Trojan Adapts with New Module

Reading Time: ~ 5 min.Since inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders and internet security providers. While TrickBot has not always been the stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development of new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time.

It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.

You can teach an old bot older tricks

Analyzed samples

  • 0058430e00d2ea329b98cbe208bc1dad – main sample (packed)
    • 0069430e00d2ea329b99cbe209bc1dad – bot 32 bit

Downloaded Modules

  • 711287e1bd88deacda048424128bdfaf – systeminfo32.dll
  • 58615f97d28c0848c140d5e78ffb2add – injectDll32.dll
  • 30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll
  • 5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll
  • 88384ba81a89f8000a124189ed69af5c – importDll32.dll
  • 3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll
  • 311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll

Behavioral Analysis

Upon execution, this iteration of TrickBot will install itself into the %APPDATA%\TeamViewer\ directory. If the bot has not been executed from its installation directory, it will restart itself from this directory and continue operation. Once running from its installation directory, TrickBot will write to the usual group_tag and client_id files along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration files for the bot.


Image 1: TrickBot’s plug and play modules used to extend the bots functionality

Many of the modules shown above have been previously documented. The systeminfo and injectDll module have been coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the worm module was discovered in late July 2017. The module of interest here is tabDll32 as this module has been previously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to the other TrickBot modules.


Image 2a: Peering inside tabDll.dll


Image 2b: Abnormally large .rdata section

The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll. Each module will be described in more detail in its respective section below.

Spreader_x86.dll

When loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol filename.


Image 3: Debug symbol filename of the downloaded module tabDll.dll

This gives us a preview of how the TrickBot developers structure new modules that are currently under development. When digging deeper into the module, it becomes evident that this module is used to spread laterally through an infected network making use of MS17-010.

Image 4: String references to EternalRomance exploit used for lateral movement

This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the modules reflective dll injection mechanism are stolen from GitHub.


Image 5: Copied code from ImprovedReflectiveDLLInjection


Image 6: Printf statements from the copied project on GitHub

SsExecutor_x86.exe 

The second phase of the new module comes in the form of an executable meant to run after post exploitation. Again, it was very nice of the TrickBot authors to give us a look at the debug symbols file path.


Image 7: Debug symbol filename of the embedded PE file.

When run, this executable will iterate over the use profiles in registry and goes to each profile to add a link to the copied binary to the start up path. This occurs after lateral movement takes place.

                        Image 8: Iterate over user profiles and create


Image 9: Execution of the copied binary

ScreenLocker_x86.dll

Similarly, to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victims machine.


Image 10: Peering inside screenLocker_x86.dll 

This Module exports two functions, “MyFunction” and a reflective DLL loading function. “MyFunction” appears to be the work in progress:


Image 11: Peering inside “MyFunction”


Image 12: Creation of the Locker Window

If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model. Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.

It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines. 

The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims. The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead of cybersecurity professionals.