Reading Time: ~< 1 min.

Cyber News Rundown: Big Data Mismanagement

Massive Customer Database Left Exposed by Data Management Firm A security researcher recently found a database containing customer information for nearly half a billion users of Veeam software on an unsecured AWS server. Most of the data was contact information...

EICAR – The Most Common False Positive in the World

If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it. If...

Crime and Crypto: An Evolution in Cyber Threats

Cybercriminals are constantly experimenting with new ways to take money from their victims. Their tactics evolve quickly to maximize returns and minimize risk. The emergence of cryptocurrency has opened up new opportunities to do just that. To better understand...

3 Cyber Threats IT Providers Should Protect Against

With cybercrime damages set to cost the world $6 trillion annually by 2021, a new bar has been set for cybersecurity teams across industries to defend their assets. This rings especially true for IT service providers, who are entrusted to keep their clients’ systems...

Spectre, Meltdown, & the CLIMB Exploit: A Primer on Vulnerabilities, Exploits, & Payloads

Reading Time: ~2 min.

In light of the publicity, panic, and lingering despair around Spectre and Meltdown, I thought this might be a good time to clear up the differences between vulnerabilities, exploits, and malware. Neither Spectre nor Meltdown are exploits or malware. They are vulnerabilities. Vulnerabilities don’t hurt people, exploits and malware do. To understand this distinction, witness the CLIMB exploit:

The CLIMB Exploit

Frequently, when a vulnerability is exploited, the payload is malware. But the payload can be benign, or there may be no payload delivered at all. I once discovered a windows vulnerability, exploited the vulnerability, and was then able to deliver the payload. Here’s how that story goes:

It’s kind of embarrassing to admit, but one evening my wife and I went out to dinner, and upon returning, realized we had a problem. It wasn’t food poisoning. We were locked out of our house. The solution was to find a vulnerability, exploit it, and get into the house. The vulnerability I found was an insecure window on the ground floor.

With care I was able to push the window inward and sideways to open it. From the outside, I was able to bypass the clasp that should have held the window closed. Of course, the window was vulnerable for years, but nothing bad came of it. As long as nobody used (exploited) the vulnerability to gain unauthorized access to my home, there was no harm done. The vulnerability itself was not stealing things from my home. It was just there, inert. It’s not the vulnerability itself that hurts you. It’s the payload. Granted, the vulnerability is the enabler.

The window was vulnerable for years, but nothing bad happened. Nobody attacked me, and while the potential for attack was present, an attack (exploit) is not a vulnerability. The same can be true of vulnerabilities in software. Opening the window is where the exploit comes in.

My actual exploit occurred in two stages. First, there was proof of concept (POC). After multiple attempts, I was able to prove that the vulnerable window could be opened, even when a security device was present. Next, I needed to execute the Covert Lift Intrusion Motivated Breach (CLIMB) exploit. Yeah, that means I climbed into the open window, a neat little exploit with no coding required. I suppose I could have broken the window, but I really didn’t want to brick my own house (another vulnerability?).

Now we come to the payload. In this case, the payload was opening the door for my wife. You see, not all payloads are malicious. If a burglar had used the CLIMB exploit, they could have delivered a much more harmful payload. They could have washed the dishes (they wouldn’t, unless they were Sheldon Cooper), they could have stolen electronic items, or they could have planted incriminating evidence. The roof is the limit.

Not all vulnerabilities are as easy to exploit as others. All of my second-floor windows had the same vulnerability, but exploiting them would have been more difficult. I am sure happy that I found the vulnerability before a criminal did. Because I was forgetful that fateful night, I’m also happy the vulnerability was there when I found it. As I said, I really didn’t want to break my own window. By the way, I “patched” my windows vulnerability by placing a wooden dowel between the window and the wall.

There you have it. Vulnerabilities, exploits, and payloads explained through the lens of the classic CLIMB exploit.

Cyber News Rundown: Hackable Gas Stations

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Global Gas Station Software Found Unsecured

Researchers have recently discovered a vulnerability that would allow anyone to remotely access thousands of gas stations from around the world. The vulnerability stems from having these stations be connected to the Internet and can give the potential attacker control of gas prices, access to customer payment information, and even control over surveillance cameras. Unfortunately, due to the average age of the pumps in question and the preinstalled software also being outdated, it is unlikely that many of the machines will, or even can, be updated to protect against these vulnerabilities.

NHS Staff Ignoring Security Policies in Favor of Usability

In a recent survey of NHS professionals, it was found that nearly half are using non-approved messaging apps on a regular basis, rather than more secure channels, as they as quicker and easier to use. Even more alarming, a similar number were either completely unaware of their organization’s policies for safely transferring data or had not received any training on the subject. With data security becoming ever more necessary, the organizations that hold our most sensitive data should be held to an even higher standard, as typical consumers have little choice but to trust that they will keep it safe.

Fortnite Mobile Invite Scams Flood Market Prior to Launch

In the days preceding the launch of Fortnite’s Mobile iOS functionality, hundreds of users have taken to posting fake “invites” for sale, throughout various social media sites. While the actual launch is still several days away, these invites have been offered for a variety of prices in hopes of finding someone eager enough to pay to play early.

AMD Chips Contain Critical Vulnerabilities

Over the last week or so, several critical flaws have been found within AMD processor chips that could be harmful, if exploited. While it would already require some administrative access to even begin using the vulnerabilities for harm, the exploit does allow unsigned, and possibly malicious, code to be uploaded to AMD’s Secure Processing Platform without performing any security checks. As these vulnerabilities are still being researched, the extent of their severity has yet to be fully decided.

Florida Virtual School Hit by Data Breach

Within the last few weeks, officials have been working to contact students, parents, and staff that may have been affected by a data breach that occurred sometime in the last year. While it is still unclear on what sensitive data may have been compromised, identity and credit monitoring services are being provided to anyone who has been in the database over the two-year period when it was illicitly accessed.

Home Sweet Hackable Smart Home

Reading Time: ~4 min.

We live in the future. Not one with teleportation, time travel, or flying cars, but one where talking to inanimate objects is the “normal,” even “cool” thing to do.

According to The Smart Audio Report from NPR and Edison Research, 39 million people now own an interactive, voice-activated smart speaker and, in just a few short years, the smart speaker has been joined by countless other smart gadgets, forming a network of connected devices known as the internet of things (IoT). These connected household devices have evolved from assisting with simple tasks like having Alexa play music, to having the ability to control nearly every part of the home, from the ambient temperature to the food that’s purchased for your refrigerator.

It’s pretty amazing, as long you remain in the captain’s chair. But what happens when you’re no longer the one in control?

They see you when you’re sleeping, know when you’re awake

Imagine coming home on a hot day to find your thermostat set to Phoenix-in-August-like temperatures and realizing you can’t change it. Or discovering your internet-connected appliances have been hijacked to do the bidding of cybercriminals in a DDoS attack by a massive IoT botnet. And what could be worse than finding out hackers have the ability to peek into the feed from the nursery webcam? These examples may sound like fear-mongering or idle, worst-case-scenario musings. But they’ve all already happened.

The more consumers buy and use internet-connected home devices, the more opportunities are created for hackers to break in, both digitally and physically. Since IoT products include everything from to fitness bands and home security cameras, to lights, doors, and cars, we run the risk of painting a detailed, time-stamped digital portrait of our daily lives for any hacker with the know-how to access these devices. All they need to access your entire network is one weak link.

Hacked by default

Why are IoT products so vulnerable? According to Webroot senior threat researcher Tyler Moffitt, “the underlining problem with all these emerging IoT devices is that the vendors are only focused on functionality, and have little to no budget for security vetting. Minimum viable product for maximum profit.”

The result? More vulnerabilities leading to more opportunities for attackers to hack your home. The proliferation and widespread adoption of IoT devices presents hackers with billions more targets than previously available, and their success rate need not be high. A single security oversight on a mass-produced device can be devastating.

For example, many smart home devices like Nest Learning Thermostat devices come with a default username and password that most consumers don’t think to change. In some cases, that’s simply not an option, as passwords are sometimes hardcoded into the firmware. Oftentimes, hackers can easily find default login information online and sneak onto your device. Then, with the help of a little malware, they can gain control of your entire fleet of smart-home devices. And hundreds of other people’s.

Patches and updates are another gaping door left open to hackers. Many IoT devices either simply can’t be patched to protect against the latest threats, or their manufacturers don’t have the budget or resolution to release prompt updates. In an up-and-coming market segment filled with startups, there isn’t even a guarantee your device manufacturer will be around to release a much-needed security update when an emergent threat comes knocking.

Secure is the new smart

Before you run home and to rip your Nest or other IoT connected device off the wall, read on. There are ways to keep your home smart and secure.

“Smart homes are still a new space as far as security goes,” says Moffit. “Down the road, we expect security to be protecting internet connected devices. But for now, we recommend a layered approach and taking all the proper precautions. Similar to antivirus, pay for the well-reviewed, vetted products.”

Here are a few more tips for being a smart IoT consumer:

Update login info

Update your usernames and passwords (the stronger the better). Do this for every device you have, and avoid using the same password twice. While you’re at it, change the passwords on your other accounts, too — especially if you’ve had the same one since you opened your first email account in 1998.

Secure wireless networks

Set up two different networks to help reduce the risk of hacking across devices — one for smartphones, computers, and tablets, and another for your smart home products. Add a strong password and give your home network a random name having nothing to do with your username, password, or address. Also, make sure your home network is protected by the Wi-Fi Protected Access II (WPA2) protocol, disable guest access, and most importantly, disable remote access. 

Update software and firmware

Updating helps ensure the latest security measures are being implemented by your device. Many smart home devices don’t update automatically, so check for them about once a month.

Install security software and malware protection

Because there is no singular solution for protecting your smart home products themselves, it’s important to use a layered approach for your security measures. Safeguarding your network, for example. Adding security apps and software to your computer and smartphone can protect against attackers accessing information via a malicious site or app.

Invest in proven solutions

Since so many companies are trying to get on the smart home train and many aren’t keeping security top-of-mind, it’s important to invest in proven solutions and stick to well-known brands that have a reputation for being secure. This helps guard against the aforementioned problem of timely updates not being available, too.

Oh, and you know those home gadgets that come with a hard-coded password? Don’t buy them.

Cyber News Rundown: MoviePass App Tracks Your Every Move

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

MoviePass Subscription Service Tracks More Than Your Viewing Habits

The CEO of MoviePass recently revealed the full extent of its tracking functionality, which was originally thought to use your location to find a nearby theater. The application can track any user from their home to the theater, and then onward through the rest of their journey, keeping notes on businesses and restaurants the user may visit. While this data is said to only be used to help enhance the user’s evening, it does seem to be a massive breach of privacy given that there is nothing in the terms of service that mentions the full extent of the tracking.

Latest Crypto-Miner Introduces Kill List for Competitive Processes

A new cryptocurrency miner has recently been discovered that seems to have an edge over its competition: the ability to terminate conflicting processes to maintain control over the device’s processing power. While the use of a ‘kill list’ isn’t new to malware in general, this does seem to be the first program that uses it for mining purposes, rather than continuing to propagate.

MacOS Users Getting Browsing Security Update

Within the last week, Google has announced it will begin rolling out a new security feature for MacOS that will give Chrome users additional warnings when attempting to access malicious or compromised websites. While these features have been functional for Windows users for quite some time, it will begin implementing them for MacOS in April of this year. As Mac malware continues to proliferate, the necessity of these features grows right alongside it.

ComboJack Malware Targets Multiple Cryptocurrencies

Recently, researchers have spotted a new email spam campaign that downloads ComboJack, malware that seeks out several types of cryptocurrency wallet addresses currently stored on the device’s clipboard. By running endless checks on the clipboard for any cryptocurrency wallet address information, ComboJack will immediately replace any found address with one belonging to the attacker, while it continues to check for others.

School Employee W-2 Info Stolen in Phishing Scam

Officials have recently been contacting employees of an Alabama school district after a successful phishing attempt led to tax information being sent to a fake email address supposedly belonging to the superintendent of the district. The phishing scam affected at least 30 employees and has forced them to file their taxes manually, rather than electronically, as some returns had already been illicitly filed by the attacker.

Antimalware Testing is Hard, Disputing a Flawed Test is Even Harder

Reading Time: ~3 min.

First thing’s first—I’d like to introduce myself. I’m senior security analyst Randy Abrams, and I’m delighted to be part of the Webroot team and our online community.

Prior to joining the team, I was a research director responsible for analyzing and reporting the test results of antimalware products. I also helped create test methodologies and looked for anomalies in the testing process. Before that, I worked as a director of technical education, where my role was very similar to my mission here at Webroot: to help all users stay more secure on the internet. Everything else I do is the means to meet these ends.

Earlier in my career, I spent 12 years at Microsoft working closely with researchers from major antimalware companies, as well as from several smaller antivirus companies, to ensure we did not release infected software. As a result, I bring a unique perspective to my role here at Webroot. I am a consumer (I use Webroot on my laptop). In the past, I have been an enterprise customer, worked at a test lab, and served on the vendor side of the industry.

Testers are Human. They Do Not Always Get it Right.

One of the most contentious parts of working in the security industry is antimalware testing. I used to joke that the reason antimalware testers are so arrogant is because antimalware researchers created them in their own image. Relationships between the testers and vendors have improved quite a bit in the past few years, but there still is a lot of friction. Scoring poorly on a test not only affects sales, but when the reason for the poor score was due to mistakes in testing, users do not get the quality of information they need to properly compare products.

Unfortunately, antimalware testing is really, really hard to get right. And it is not because of incompetence. You will never hear me say, or even imply, that testers are incompetent. The reason that testing is so hard to get right is because antimalware products have become so complex. There are interdependencies on cloud-based protections, reputation systems, whitelisting and blacklisting, scanning and remediation, and in some cases, like ours, system rollback. Additionally, sample acquisition and selection are problematic.

In the past, I have seen some serious mistakes resulting in products offering high-quality protection appear mediocre or worse. For vendors, a deeper problem arises when trying to dispute the test results. The public tends to think that testers always get it right and that vendors are just whining because they didn’t receive the score they thought their product deserved. No vendor was ever acquitted of a bad test in the court of public opinion.

In coming blogs, I will discuss some of the challenges testers face, and the impact these have on accurately presenting the information needed to make informed choices when selecting security software. As a former research director for a test lab, I dealt with issues, like the selection of samples, that could seriously impact reported results. Sample selection and acquisition is much more difficult than it would seem. When you see vendors score 100 percent, then the sample selection was too small.

When measuring performance, the ratio of file types (exe, .bmp, .mp3, .docx, etc.), as well as compression methods used in the file set, make a huge difference in real-world performance results. Even the files selected for false positive testing can affect the perceived quality of a product. Which is more important, detection of a file we see attacking tens of thousands of users, or the file we saw three times six months ago and never again? Given equal protection scores, would you rather have a product with one false positive or one with three false positives? These are a few of the issues that affect the quality of testing and understanding of what was actually tested. Believe it or not, one of the biggest problems with testing is not the results, it is the lack of meaningful analysis.

Have any questions or comments? I look forward to continuing the discussion on the Webroot Community.

Cyber News Rundown: A Wild Thanatos Appears!

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Thanatos Ransomware Causing Major Damage for Victims

A new ransomware variant has recently appeared and is proving to be more troublesome than most that came before it. By using individual encryption keys for each file, which it does not save, decryption is nearly impossible, even after paying the relatively small ransom of $200. Thanatos is also the first ransomware to accept Bitcoin Cash as a payment method.

Cryptojacking Found on LA Times Site

Researchers have stumbled onto yet another unsecured Amazon AWS server running a cryptominer. This time, the LA Times’ Homicide Report is at fault. Initially, the researchers found that the widely-accessible server had public write access turned on, which they reported to the server’s owner. Unfortunately, the researchers weren’t the first to find the server, which is how the Monero miner was placed on a single, moderately trafficked site within the LA Times network.

UK School CCTV Feeds Popping Up on US Websites

Recently, surveillance videos from several UK schools made their way onto a US-based website that hosts unsecured camera footage from around the world. While the footage was mainly from the exterior of the schools, it still causes concern over the safety and privacy of the students the cameras are meant to protect. While the breach can be traced back to the camera manufacturers, who did not implement strong device security, responsibility also falls on the staff who set up the cameras in the first place. This news serves as a reminder to always take cybersecurity precautions and change manufacturer default settings.

Cryptocurrency Miner Packed with Annoying Adware

A new cryptocurrency miner named UpdateChecker has been making the rounds over the last few days. The program is distributed as a fake Flash Player update and comes with the bonus of ads that run at hour-long intervals. The malware itself is downloaded from fake Adobe update websites and will immediately begin optimizing itself for the local machine and checking for updates to its own files. Unfortunately for victims of UpdateChecker, it is rather troublesome to remove, as it will relaunch itself if you kill the process, and can restart the miner anytime you shut it off.

Apple Repair Center Generating Excessive Emergency Calls

Since late last year, emergency dispatchers and police departments in Sacramento County, California have received over 1,600 calls originating from a local Apple repair facility. The calls are likely from one of two devices Apple manufactures that can make emergency calls without a SIM card or service provider. While this isn’t the first case of Apple devices triggering hundreds of emergency calls, the company is working with local law enforcement agencies to find a resolution.

Security Awareness Training: How to Get Started

Reading Time: ~3 min.

In the past, security awareness training for user education—i.e. empowering users to make more savvy IT decisions in their daily routines—was considered a “nice to have,” not a necessity. The decision to adopt user education was typically passed over because of budget, lack of in-house expertise, and the general lack of availability of high-quality, low-cost, computer-based training. In particular, small- to medium-sized businesses (SMBs) have suffered from these types of constraints, compared to larger, more resource rich organizations.

Today, it’s clear that end user education isn’t just “nice to have,” and SMBs know it. As recently as August of 2017, a Better Business Bureau study on the State of Cybersecurity revealed that almost half of SMBs with 50 employees and under regard security awareness training among their top 3 security expenditures, alongside firewalls and endpoint protection.

The increase in interest and budget allocation for end user education is understandable. On average, SMBs face $80,000 in annual losses following a ransomware or data loss breach. Users are on the front lines of your business, and even the most advanced security can’t stop them from willingly, if unwittingly, handing over sensitive access credentials. If you’re not educating your users, then you are putting your organization at an unnecessary and costly risk.

Getting your end user education program started

Introduce to Stakeholders

Like any new program, building a foundation for success begins when you engage your stakeholders and management teams. Send an email explaining the value of security awareness to management, share details and reports around your first phishing and training campaigns, and loop in IT. Not sure how to craft that first email? Check out Webroot’s Security Awareness Training for help and templates to get you started.

Start out with a Phishing Campaign

Consider starting your security awareness program with a simulated phishing campaign. The results of the simulation can also be used to demonstrate value to any more skeptical or reluctant IT decision-makers. Use the first phishing campaign as your baseline to gauge the level of awareness your end users already have. Webroot Security Awareness Training comes with a variety of template options to help you get started. We recommend using a template that mimics an internal communication from HR or the IT department to get the most eyes on the email. For early campaigns, it’s also a good idea to use Webroot’s “404 Page Note Found” template so users who fall for the phishing lure are unaware. This will help keep water cooler talk at a minimum, giving you a more accurate baseline. After that, be sure to link your phishing campaigns to training pages and courses to maximize the training opportunity.

Share results with End Users

Use feedback to inspire smarter habits. A key objective for security awareness training is to engage end users and raise the level of cyber awareness throughout the organization. For instance, sharing results of a simulated phishing campaign can help employees understand the impact of poor online habits and motivate them to practice better behaviors.

Webroot Security Awareness Training lets admins see who clicked what in a phishing simulation. Bear in mind: the point of sharing results is not to shame the unwitting marks who fell for the scam. Instead, try capitalizing on everyone’s engagement by sharing an overall statistical report, so users can recognize whether they clicked or avoided the phishing lure, without fear of embarrassment. More importantly, such a report would show the statistics around the organization as a whole, opening the door for further training programs to fill security gaps and provide a continuous learning experience.

Continuous Training: Set up your phishing and training program

Once end users are engaged and understand the value, the next step is setting up a training program. There is no one-size-fits-all program, but we recommend running at least one to two phishing campaigns per month and a minimum of one to two training courses per quarter. Depending on the needs of each organization, you may want to increase the frequency and adjust intervals throughout the year. Webroot Security Awareness Training includes numerous pre-built phishing templates you can use, including real-world phishing scenarios (defanged from the wild.) It also offers professionally developed and engaging topical training courses, which you can be proud to share with your company. Courses range from cybersecurity best practices and 5-minute micro-learning courses to in-depth compliance courses on PCI, HIPAA, GDPR, SEC/FINRA, and more.

When you start seeing the significant impact that relevant, high-quality, and proven security awareness education has on your employees, you’ll wonder how your business ever managed without it.

Cyber News Rundown: Linux OS Hacked onto Nintendo Switch

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Hackers Run Linux OS On Nintendo Switch

When gaming consoles get hacked, it’s usually by someone who wants to play pirated games. Not this time. Recently, a group of hackers found an exploit that allowed them to deploy a full Linux OS onto the Nintendo Switch. The flaw is contained within the specific Tegra X1 chips used by the Switch for core functionality. These are not easily patched and would likely require a recall if the flaw becomes a major problem.

California Employee Data Breach

Employees working in the Department of Fish and Wildlife for California were recently notified that their Social Security numbers had been exposed in a data breach from late last year. The breach appears to have stemmed from a former employee downloading the data and removing it from the premises, prior to having left the company. This type of breach is extremely common, as many companies don’t enforce more strict data policies for current and former employees.

Facebook Bug Spams Users With 2FA System

In the last week or so, several Facebook users have taken to other social media platforms to announce a nearly endless stream of spam being sent to the phone numbers they had used for 2-factor authentication. The spam then began posting the user’s replies to their Facebook wall, even after multiple attempts to stop the messages. While Facebook has since resolved the issue, they have remained vague about when they’ll finally discontinue the program functionality that caused the issue in the first place.

Don't Get Hacked

Crypto-miners Found on Tesla Servers

Following the breach of Tesla’s cloud server last year, company engineers have been discovering cryptocurrency miners on several of their internal servers. The initial breach occurred because their Kubernetes console lacked a password, and, once in, the hackers set up a complex mining operation that used multiple techniques to avoid detection.

FedEx Breach Exposes Personal Information

Over the last few days, officials have confirmed that over 119,000 individual forms of scanned identification belonging to Bongo International, an international sales broker that was bought by FedEx in 2014, were left exposed to the public. The data, which was found on an Amazon S3 server, was likely forgotten about amidst the acquisition and was available for an unknown amount of time.

 

Malvertising: Avoid Bad Ad Invasion

Reading Time: ~3 min.

The way people shop has changed drastically over the last 10 years. E-commerce continues to boom. In fact, 80% of Americans made an online purchase in the past month, according to the Omni-Channel Retail Report from BigEcommerce. Because what’s not to love about shopping online, receiving your items in just two days, and not having to put pants on?

Not surprisingly, the increase in online shopping has been accompanied by a spike in online advertisements. And in recent years, thanks to malvertising, things like display ads and social media promotions have gone from annoying to dangerous.

A Threatening Combination

The term malvertising is a merger of two words, malicious and advertising. It is defined as the use of online advertising as a vehicle to spread malware.

Malverts are created when cyber criminals embed malware-laden or malicious code into normal-looking online ads like pop-ups (fake browser updates, anti-virus programs, etc.), paid ads using Google AdWords, display ads, drive-by downloads, in-text or in-content advertising, and more.

These ads are then placed on the pages of legitimate websites — such as The New York Times, the BBC, MSN, and AOL, to name a few—by an agency or an automated ad server. Infections are then very difficult to avoid when you visit a site running malverts. In fact, users don’t even have to click on anything to have their device compromised. Sometimes, all it takes is loading the page.

Online Wolves in Sheep’s Clothing

To understand how malvertising sneaks onto sites, you first have to understand how online ads are placed. Many large, popular websites use third-party vendors or software called an ad server to find the ad that will make the site the most money. To get an ad on a vendor’s network, oftentimes all you need to do is sign up and submit. Because of this, many cybercriminals will submit clean advertising to ad networks for weeks to gain legitimacy and circulation, and ultimately get their work through the system. Once they do, they quickly switch out their ads for malverts. These booby-trapped ads are usually only active for a few hours before the attackers switch back to legitimate ones.

Since ad servers typically don’t have strict vetting processes or are automated, it’s relatively easy for attackers to slip malverts through without anyone knowing. In fact, the cyber security firm Confiant reported that some attackers, like the Zirconium group, set up 28 fake ad agencies in 2017 through which to create and submit their malverts.

What’s more, these third-party networks often display different ads on the same page, meaning two people could visit the site and only one would be infected — again making malverts even harder to track down and stop.

Defend your devices from malvertising

Even though large, sophisticated malware campaigns were mounted in 2017, there are #cybersmart ways to protect yourself against an attack in the year to come:

  • Use an ad-blocker. Ad-blockers remove all online advertising, significantly reducing malvertising’s effects on the user. There have been cases of sophisticated malverts bypassing ad-blockers, but using one is still a great place to start.
  • Keep your devices updated and secure. Make sure your operating system and plugins are updated, keep software patched, only run the latest browsers, and invest in a good anti-virus or malware detection program.
  • Lock down your Java and Flash settings. Enable click-to-play plugin settings on your browser configuration for Java and Flash, which makes you give your device permission before running those plugins. Or disable Java and Flash altogether. You probably won’t miss them.
  • Stay on top of WordPress. WordPress continues to be one of the most popular targets for hackers. The plugins have been exploited and abused the same way as Adobe, Flash, Java, and Silverlight have. If you use WordPress, protect yourself by keeping your website up to date, updating themes and plugins to the patched versions, and staying aware of the latest WordPress-related vulnerabilities.
  • Practice safe browsing. Since malvertising can affect you even if you’re staying on legitimate sites (i.e. not trying to buy a kidney on the darknet), using safe browsing practices can greatly decrease your risk. Set up browser plugins to increase security and privacy, keep browsers and applications up-to-date, regularly check which plugins are being used and disable unnecessary ones, scan files before downloading, and watch out for phishing attacks.

And of course, using a reliable internet security product is the best way to protect yourself from cybercriminals. For extra credit, here are a few more general tips to protecting your devices.

  • Skip public WiFi networks
  • Pay with credit cards over debit cards online when possible
  • Deactivate Bluetooth in public settings
  • Always back up your files

Cyber News Rundown: Malware Attack Targets 2018 Winter Olympics

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Winter Olympics Disrupted by Malware Attack

The Winter Olympics are in full swing, and cybercriminals seem to be working just as hard as the athletes. Their nefarious minds are focused on distributing malware that targets several internal WiFi and television systems. In addition to a delay during the opening ceremonies, the malware caused major damage to the networks by wiping non-critical network files and using stolen credentials to traverse the networks with ease. With plenty of international information on hand, it’s surprising the attack focused more on destruction over data collection.

Cryptocurrency Scams from Celebrities on Twitter

At least two dozen fake Twitter accounts impersonating celebrities, and others closely tied to cryptocurrencies, have been promising to distribute various currencies to followers. These accounts are all very similar to the real celebrities’ user accounts, barring small spelling changes, and can be found commenting amongst their target’s posts. Although Twitter appears to be working swiftly to remove these types of accounts, more continue to appear.

News Site Offers Compromise to Disabling Ad-Blockers

With the increasing popularity of cryptojacking—the process of using cryptomining scripts on highly-trafficked sites to generate revenue—Salon.com is now offering a choice to visitors: disable your ad blocker or let them use your CPU for cryptomining. While this new offering may seem unusual, it’s likely to become more prevalent, since many sites depend on ad revenue to remain operational. The logic is that most users would prefer to allow mining scripts to run over being subjected to ads.

Telegram Leaves Zero-Day Bug Unfixed for Months

Researchers discovered a vulnerability within the Telegram messenger client that would allow attackers to send malware by using a specific character to mask the actual file without making any additional changes to it. This method can be used to fully commandeer a system by sending victims a simple downloader over SMS. The downloader deploys a variety of malicious tools onto the system itself. Telegram has since resolved documented issues, which appear to have targeted mainly Russian victims from as long ago as March 2017.

Canadian Telecom Firm Faces Security Flaw

A hacker has contacted Canadian Telecom firm Freedom Mobile to inform them of the security risks that their nearly 350,000 customers could face if a flaw in their system isn’t fixed. The flaw would allow any attacker to use a brute force attack on the account login page to compromise customer information. The hacker doesn’t appear to be acting maliciously, and he has posted proof of his findings, along with a strong recommendation that Freedom Mobile re-examine its security offerings.

Valentine’s Day Sends Mobile, Online Dating Scammers on the Prowl

Reading Time: ~3 min.

In a month where matchmaking is in high demand, we took a look at recent trends around online dating sites using Webroot Brightcloud Threat Intelligence Platform. What did we find? Valentine’s Day sends cybercriminals on the prowl, and not for a soulmate.

On average, visits to dating websites increase by 53 percent in the month of February, relative to the three months prior. There is also a 342 percent increase in visits to greeting card domains on Valentine’s Day relative to Christmas Day.

Cybercriminals take advantage of this massive spike in dating interest to take advantage of victims. The heart-breaker: In the week leading up to Valentine’s Day, there is an astounding 220 percent increase in malicious URLs from the week prior. The week following Valentine’s sees a dramatic 50 percent drop in malicious URLs.

We’ve even found WordsOfHeart.com—a dating website that will find your perfect match based on your password! We can’t stress enough how much of a bad idea this is.

WordsOfHeart.com Image

While the website does specify that you should not use the same password as your email or Facebook account, it’s still quite bizarre that your password would be a focal point for matching. At first glance, the appears to be a clever phishing attempt, but the site does indeed match you with other people. During initial sign up–using a weak password, no matches were found.

When trying again using the obviously weak password of password, we found hundreds of matches. Most of these “matches” appeared to be blank profiles that weren’t created for any real romance, but were rather just other people testing to see if this site was legitimate, and some were just trolling. Regardless of the functionality of the site, the entire premise behind it is something that everyone should steer clear.

Users should also exercise caution when dealing with more legitimate and established dating services. It has recently come to light that Tinder is not as secure as presumed. Tinder’s iOS and Android apps do not use basic HTTPS encryption for photos. What this means is that anyone using the same Wi-Fi network that your phone is on can potentially see your Tinder photo traffic.

Tinder Drift Demo Image

Source: CheckMarx, Tinder drift demo on YouTube.

To make matters even creepier, it’s possible for hackers to actually inject photos into your Tinder photo stream, as seen in a YouTube video by security researchers at CheckMarx. Be sure to keep this in mind when connected to public WiFi at coffee shops, libraries, airports, etc. It is worth noting that this lack of encryption is only an issue on the mobile Tinder apps, and using Tinder on your laptop browser would be fully encrypted. A recent survey by Mozilla shows that still only 68% of the internet is HTTPS encrypted, which is basic level protection. We expect that Tinder will be updating their mobile apps to address this soon.

Another stigma with dating websites is the overwhelming presence of bots. This isn’t a new development and the Ashley Madison hack a couple years back revealed that overwhelming number of women on the site which led to 80% of men to purchase, according to Gizmodo. This year, China is trying to crack down on mobile apps with fake female user accounts that send automated messages to solicit new users for gifts and money, according to the BBC. Over 600 people were arrested for this lucrative “business model” that generated over $150 million for these apps. With artificial intelligence getting smarter and smarter, we expect scams like this to continue, so make sure to watch out for these tactics.

Practice safe online dating

Avoid swiping on dating apps when connected to public, unsecured networks. Make sure you’re using two-factor authentication to help ensure your online data is more secure. As soon as an account’s credentials have been compromised, it’s very common to then use that account to try and scam others since the profile is (up to that point) legitimate and not suspicious. Another option when browsing on public WiFi is to use a VPN (virtual private network).

Overall, use good judgement when it comes to online dating. Be extra vigilant about dating websites you visit, keeping note of the URLs and mobile apps you access.

Cyber News Rundown: Scarab Ransomware Strikes Back

Reading Time: ~1 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

New Variant of Scarab Ransomware

With a few interesting changes to the original Scarab ransomware, Scarabey is quickly targeting Russian-speaking users with brute force attacks on unsecured RDP connections, rather than with the spam email campaigns used by its predecessor. Additionally, Scarabey takes the ransom a bit further by deleting 24 files from the encrypted machine for every 24 hours that the ransom remains unpaid.

Botnets Used to Spread Cryptocurrency Miners

Following the Shadow Brokers release of NSA exploits last summer, the use of EternalBlue continues with the latest trend of using the exploit to compromise machines and turn them into cryptocurrency miners. By expanding the botnet to cover over 500,000 unique machines, the attackers have successfully brought in more than $3 million since May of 2017. The use of such a large-scale botnet can effectively mine for the more resource-intensive currencies with ease and even disrupt businesses from their normal workflow for days at a time.

Bitcoin Ads Circumvent Facebook Ban

In the past week, Facebook officially implemented a ban on all cryptocurrency-related advertisements on their site. However, the ads have continued to appear for many users with characters in the phrase ‘bitcoin’ simply misspelled. The ban was initially set to block misleading financial services and products that unknowing users might click on due to the apparent legitimacy of the ads.

 

Do you live in one of the most-hacked states?

Mac Software Sites Distributing Crypto Miners

As crypto miners continue to gain popularity among cyber criminals, it was inevitable that they would begin focusing on Macs. MacUpdate, a well-known software download site, was recently found to be bundling miners with commonly used applications. Luckily, some of these bundles are poorly written and often fail to launch the decoy app, which is intended to draw users’ attention away from the malicious activity. To make matters worse, several other download sites were also affected and waited far too long to remove the malicious download links from their servers.

Tech Scammers Exploit Chrome Flaw

Tech scammers have long been the bane of legitimate software companies and their support teams. The latest trick, however, can easily bring an unsuspecting user to a full panic attack by simply rendering a Chrome browser completely unusable. First it displays an error message and then silently forces the browser to save a random file to disk at such a pace that the machine’s CPU maxes out and leaves the computer in a ‘locked’ state in the hopes that the victim will actually contact the phony support number being displayed.

Page 5 of 94« First...34567...Last »