Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Malicious Web-based Java applet generating tool spotted in the wild

Despite the prevalence of Web-based client-side exploitation tools as the cybercrime ecosystem’s primary infection vector, in a series of blog posts we’ve been emphasizing the emergence of managed/hosted/DIY malicious Java applet generating tools/platforms, highlighting the existence of a growing market segment relying on ‘visual social engineering’ vectors for the purpose of tricking end users into executing malicious/rogue/fake Java applets, ultimately joining a cybercriminal’s botnet.

We’ve recently spotted yet another Web-based Java drive-by generating tool, and decided to take a peek inside the malicious infrastructure supporting it.

Webroot returns from Automation Nation 2014

Webroot, the market leader in cloud-based, real-time Internet threat detection, recently returned from the fifth annual Automation Nation in Orlando, hosted by LabTech Software. LabTech, a robust remote monitoring and management (RMM) platform designed and built for managed service providers, hosted the event at the Hilton Bonnet Creek from June 2nd through the 4th. Hosting over 425 MSP partners and 600 attendees, the event has grown significantly since previous years. This was Webroot’s first time attending the conference, coming in as a Diamond Sponsor.

Kicking off the event, Webroot CMO David Duncan helped present during the keynote with the support of Andrew Bagnato, a system engineer for Webroot. They spoke on how security doesn’t have to suck, and on how, with the integration into LabTech and the advances in the Webroot Intelligence Network (WIN), MSPs have the opportunity not only to manage their clients remotely, but to ensure they are protected as well.

Talking about the Webroot Partner Program and the security solutions offered, the onsite team showed that the solutions provided just work, can drive profits, and ultimately don’t suck. With pigs flying left and right, over here and over there, it was not long until the booth was filled to capacity with partners wanting to learn about the intelligent cloud-based security solutions. Also shown were demos of the LabTech Software integration, which was designed to bring the tools of the Webroot console directly into the MSP’s most-used console, saving time in the monitoring of Webroot-protected endpoints.

While at the conference, Andrew Bagnato also hosted a breakout session presenting on the next generation of anti-malware, packing the room beyond capacity. Showing how legacy solutions were not keeping up with the new tricks of incoming threats, Andrew presented on the power of the Webroot Intelligence Network and just how it can help protect endpoints across all networks from even the most advanced threats.

With the event going non-stop for 3 days, the team is glad to have some rest, but excited to have introduced the security offerings to the LabTech partners.

Long run compromised accounting data based type of managed iframe-ing service spotted in the wild

In a cybercrime ecosystem dominated by DIY (do-it-yourself) malware/botnet generating releases, populating multiple market segments on a systematic basis, cybercriminals continue seeking new ways to acquire and efficiently monetize fraudulently obtained accounting data, for the purpose of achieving a positive ROI (return on investment) on their fraudulent operations. In a series of blog posts, we’ve been detailing the existence of commercially available server-based malicious script/iframe injecting/embedding releases/platforms that utilize legitimate infrastructure for the purpose of hijacking legitimate traffic, ultimately infecting tens of thousands of legitimate users.

We’ve recently spotted a long-run Web-based managed malicious/iframe injecting/embedding service relying on compromised accounting data for legitimate traffic acquisition purposes. Let’s discuss the managed service, its features, and take a peek inside the (still running) malicious infrastructure behind it.


A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services

Cybercriminals continue diversifying their portfolios of standardized fraudulent services, in an attempt to efficiently monetize their malicious ‘know-how’, further contributing to the growth of the cybercrime ecosystem. In a series of blog posts highlighting the emergence of boutique cybercrime-friendly E-shops, we’ve been emphasizing the over-supply of compromised/stolen accounting data, efficiently aggregated through the TTPs (tactics, techniques and procedures) described in our “Cybercrime Trends – 2013” observations.

We’ve recently spotted a newly launched all-in-one cybercrime-friendly E-shop, offering a diversified portfolio of managed/DIY services/products, exposing a malicious infrastructure worth keeping an eye on. Let’s take a peek inside the E-shop’s inventory and expose the fraudulent infrastructure behind it.


Malicious JJ Black Consultancy ‘Computer Support Services’ themed emails lead to malware

Relying on the systematic and persistent spamvertising of tens of thousands of fake emails, as well as the impersonation of popular brands for the purpose of socially engineering gullible users into downloading and executing malicious attachments found in these emails, cybercriminals continue populating their botnets.

We’ve recently intercepted a currently circulating malicious campaign, impersonating JJ Black Consultancy.


A peek inside a subscription-based DIY keylogging based type of botnet/malware generating tool

Cybercriminals continue to systematically release DIY (do-it-yourself) type cybercrime-friendly offerings, in an effort to achieve a ‘malicious economies of scale’ type of fraudulent model, a concept that directly intersects with our ‘Cybercrime Trends – 2013’ observations.

We’ve recently spotted yet another subscription-based, DIY keylogging-based botnet/malware generating tool. Let’s take a peek inside its Web-based interface, and expose the cybercrime-friendly infrastructure behind it.


AV Isn’t Dead. It’s Evolving.

Since the WSJ report was released, endpoint security solutions have received a lot of media attention. As many have started to ask “Is AV really dead?”, I felt it was a good idea to talk about it from my perspective.

Let’s get this out of the way right off the bat: no, AV is not dead. However, what is dead, and has been for many years now, is the traditional, reactive AV protection approach that uses signature-based detection. Within the security industry, it is common knowledge that this approach to threat prevention doesn’t scale to address the tactics used by today’s cybercriminals.

In the realm of providing defenses against an increasingly sophisticated adversary, endpoint protection has never been more important. The endpoint is the primary point of entry in most corporate compromises. To keep up with modern malware, the methods for discovering and addressing new endpoint threats need to change. AV isn’t dead; it’s evolving.

From our perspective at Webroot, we recognized the inadequacies of traditional AV many years ago, which is why our current endpoint security products are vastly different from traditional technology. When we released our SecureAnywhere™ product family in 2011, we also discontinued our legacy technology offerings as they represented the traditional signature-based security model, which we could see was nearing obsolescence.

Providing defense against today’s cybercriminal tactics required a complete rethink of how to approach the problem. When it comes to defending against an attack, it is crucial to be able to realize when an attack has occurred. The traditional model was not well equipped to handle the massive-scale distribution of new malware variants, each at very low volume. The result is very low detection rates due to a lack of awareness. To successfully defend against this tactic, you need visibility into every application on every endpoint. This is a core component of the success of SecureAnywhere solutions: granularity and actionable insight into the applications encountered by every Webroot user worldwide.

Beyond rapidly identifying new incidents, our threat intelligence engine resides in the cloud so there is no need for definition updates. All endpoints are always up to date, and as new threats are identified, all users are protected in real time.

There are many other topics I could discuss – remediation, compromise prevention in the face of an active infection, and the impact on system performance – all of which have undergone complete rethinks for Webroot SecureAnywhere® solutions. The end result speaks for itself. In the third fiscal quarter of 2014, Webroot added 1.4 million new endpoint customers, increasing the contextual awareness of our intelligence network even further and, thereby, improving our capacity to identify never-before-seen attacks as they emerge. Our bookings from new business grew by nearly 200%, and 5,000 businesses trust Webroot technology to secure their networks and endpoints.

Clearly, AV is not dead. In fact, endpoint security has never been more important! The issue at hand is that we can’t let our technology get stagnant. Organizations need a layered protection approach, as well as cloud-based security technology that is designed to grow, learn and continue to evolve to combat the tactics used by today’s cybercriminals. After all, the malware writers don’t rest. Neither should we.

Spamvertised ‘Error in calculation of your tax’ themed emails lead to malware

Cybercriminals continue populating their botnets through the persistent spamvertising of tens of thousands of legitimate-looking malicious emails impersonating popular brands, in an attempt to trick socially engineered users into clicking on the malicious links found within the emails.

We’ve recently intercepted an actively circulating spamvertised campaign impersonating HM Revenue & Customs and enticing users into clicking on the malware-serving links found in the emails.


Symantec’s “AV is Dead” Is Not News

On Monday, an executive at Symantec declared “AV is dead.” He went on to repeat to several media outlets that protecting customers on their PC and Mac computers had become an impossible battle that they were ready to concede. He indicated that Symantec desktop AV products are only able to stop viruses and malware about 45% of the time. Based on this analysis, what the exec was really saying was “Symantec AV is dead!”

What really should have been communicated was that traditional signature-based AV protection does not work – the criminals have figured out how to get around it. Symantec, like all signature-based security products for PC and Mac computers, uses a nearly identical methodology for determining whether a file is malicious or safe. This approach has changed very little since it was developed in the 1980s. Criminals identified the chinks in this armor long ago and have been developing more clever, more aggressive and more dangerous strains of malware for years.

Symantec is not alone in declaring the end of desktop AV solutions. There has been increasing product investment in the industry into solutions that are not focused on protection, but on after-the-breach detection and remediation. We see this as a disturbing trend. If your internet security company is no longer focused on protection, but has signaled surrender to the cybercriminals, they are exposing millions of customers to serious financial and data loss.

At Webroot, we reject the notion that a highly effective desktop AV solution cannot be created. We did it three years ago. Our Webroot SecureAnywhere products for consumers and businesses are radically different and extraordinarily effective at protecting customers from viruses, malware, rootkits, ransomware, identity theft, phishing attacks, and advanced persistent threats. SecureAnywhere solutions turned the old traditional 1980s model on its ear by doing nearly everything in a different way – no signatures, no huge malware definition files to update every day. Just real-time, worldwide protection for every customer using the power of cloud computing, threat intelligence, and some fiendishly clever data modeling.

Our cloud-based security approach has resulted in very happy customers (95% customer satisfaction rates) and outstanding levels of protection (over 99%, as measured by actual customer support incidents).

Desktop and mobile AV solutions should still be a critical part of any company’s layered security model. Otherwise, if you truly think AV is dead, you might just have the wrong AV solution.

To quote Neil Rubenking, editor of Security Watch at PCMag.com, “AV is not dead, and saying so is not news.”

Malicious DIY Java applet distribution platforms going mainstream – part two

In a cybercrime ecosystem dominated by client-side exploits served by Web malware exploitation kits, cybercriminals continue relying on good old-fashioned social engineering tricks in an attempt to trick gullible end users into knowingly/unknowingly installing malware. In a series of blog posts, we’ve been highlighting the existence of DIY (do-it-yourself), social engineering-driven, Java drive-by type Web-based platforms, further enhancing the already efficient state of social engineering-driven campaigns.

Let’s take a peek inside yet another Web-based DIY Java applet distribution platform, discuss its features, and directly connect it to the Rodecap botnet, whose connections with related malicious campaigns have been established in several previously published posts.


Android.Koler – Android based ransomware

Recently, a new Android threat named Android.Koler has begun popping up in the news. According to an article by Ars Technica, it behaves similarly to other pieces of ransomware often found on Windows machines. A popup will appear and state “Your Android phone viewed illegal porn. To unlock it, pay a $300 fine”. This nasty little piece of malware is infecting people who visit certain adult websites on their phone. The site claims you need to install a video player to view the adult content. Although I can’t say for sure since I haven’t seen the malicious sites, I’m guessing there is a nice walkthrough on how to allow the installation of apps from unknown sources, or anything not in the Google Play store.

If you have Webroot SecureAnywhere® Mobile installed, it will detect Android.Koler on the internal storage if you run a scan before installing, or after you open the app to install it. If you didn’t have SecureAnywhere Mobile installed, things are going to get a bit trickier. The app reopens itself very often, so when you press the home button and try to install WSA, or do anything else, it’s near impossible to finish before the screen of shame pops back up. The app claims you are viewing banned/illegal adult content. It then demands you pay a fine of $300 to unblock your device, or else it will remain blocked and you will face felony charges; which, of course, is false. A researcher at BitDefender claims he was able to quickly uninstall the app before it popped back up, but I was unsuccessful with this myself. This is the screen that keeps popping up, and the icon you should be looking for:

There is a legitimate “BaDoink” app which uses the same icon, however. This will make it tricky if you’re hoping to get the real version.

What should you do if this happens to you? Many manufacturers have a built-in “safe mode” on their devices’ version of Android. With a little bit of searching on the internet using your device’s model and “safe mode”, you may be able to find instructions on how to get there on that particular device. For example, “Motorola Droid 4 Safe Mode” was all it took to find instructions for the Droid 4 phone.

Once booted into safe mode, you will be able to uninstall the malicious app easily, because safe mode stops any non-system apps from starting on boot-up. Once this is done, power off the phone and power it back on to get out of safe mode.

For preventative protection, installing security software such as Webroot SecureAnywhere® Mobile will stop these issues before they even happen.