Month: April 2020

People in lockdown are watching more movies and TV shows,
and some users are getting their content from pirate streaming services and
torrents. It turns out that attackers are using those channels to install and
run coin miners.

Using torrents and pirated materials to distribute
malware is not something new. It’s been going on for a while, but the lockdown
determined a rise in illegal downloads. As you can imagine, besides the illicit
aspect of the situations, users are also exposing themselves to other risks.

In the case of the campaign discovered by Microsoft
Security Intelligence, the malware planted by attackers consists of coin
miners. These applications are using the power of the PCs to dig up cryptocurrencies.
It could very well be some malware that steals credentials or that monitors the
keyboard.

The method used by attackers is not all that complicated.
As people download their favorite movies, they are actually downloading ZIP
files, which runs a VBScript.

“The VBScript runs a command line that uses BITSAdmin to download more components, including an AutoIT script, which decodes a second-stage DLL. The in-memory DLL then injects a coin-mining code into notepad.exe through process hollowing,” says Microsoft.

The coin mining software itself will use the PC’s
hardware, and users will most likely notice slowdowns. The campaign was
observed being deployed in parts of Spain and South America.

The campaign only goes to show that criminals will use
any means necessary to share malware or to increase their reach, no matter the
channels or attack vectors.

At the very least, users should have a security solution
in place and active at all times. And, it goes without saying that it’s illegal
to download and share pirated content in the first place.

In a bid to keep user accounts safe, Twitter has decommissioned SMS-based tweeting in most countries around the globe.

The social media platform did not specify which countries are excluded from the ‘ban,’ however, it did provide a short statement on the official Twitter support page:

“We want to continue to help keep your account safe. We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries. Everyone will still have access to important SMS messages needed to log in to and manage their accounts”.

Users flocked nervously on Twitter’s support page demanding restoration of the SMS functionality, or, at least a heads up before removing the option.

“Maybe an SMS message telling everyone what you were going to do BEFORE doing it would have been nice”, said one Twitter user, while others reported uninstalling and reinstalling the app in attempt to fix the issue.

Twitter aficionados using the platform via SMS are advised to “log in at https://twitter.com or download the mobile app to enjoy the full Twitter experience”, and set up notifications.

This is not the first time the company has suspended the SMS function. Last year, several Twitter accounts were hijacked, Jack Dorsey’s (the CEO of Twitter). A week after this episode, the platform temporarily removed the ability to tweet via SMS.

According to the company, the incident was possible due to a security vulnerability with the mobile provider:

“The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number.”

Wether the microblogging platform will cement its recent move remains to be seen. In the meantime, Twitter users will need to forego some convenience in the interest of security.

I doubt any of us would claim to be fans of CAPTCHA – the puzzles that a website asks you to complete to prove if you’re a human being or not.

Unscrambling a distorted graphic to try to read the letters jumbled within, or select only the images containing a traffic night, can be too much of a challenge for some of us to successfully complete on our first (and sometimes even our second and third) attempt.

But they do, of course, lend a hand in keeping automated bots away – helping to prevent them from creating bogus accounts or leave spammy messages on a website comment form.

And, in fairness, modern implementations like Google reCAPTCHA version 3 have changed the way that CAPTCHA systems work, often asking users just to click a box saying “I’m not a robot.” rather than detect all the images with a bicycle.

But researchers at Barracuda say that they are seeing cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns.

As the researchers explain, criminals are using reCAPTCHA walls to block the content of their phishing pages from being scanned by URL scanning services.

In other words, the reCAPTCHA system doesn’t just block malicious bots – it also successfully prevents benign bots, such as an automated system which checks the safety of URLs in an email before a feeble-minded human clicks on them.

In short, automated URL analysis systems cannot access the actual content of the phishing page, and so they are not able to use any of the information contained upon it when assessing if a link is safe to click on or not.

Furthermore, the researchers claim that humans may actually find the presence of a reCAPTCHA test reassuring, and as a consequence find the phishing site more believable.

Barracuda’s team point to a recent phishing campaign sent to over 128,000 email addresses as an example of the technique in operation.

The phishing attack posed as a new voicemail notification, which encouraged recipients to open an attachment to listen to the voice message that they had missed.

The attached file was an HTML file that redirected users to a webpage containing nothing but a Google reCAPTCHA.

Completing the reCAPTCHA resulted in users being redirected to a phishing page, which in this case purported to be the genuine Microsoft login page – but designed to steal passwords.

Remember this – no security solution is likely to be 100% effective, and the presence of a Google reCAPTCHA does not guarantee that what it is protecting can be trusted.

Always exercise careful judgement about where you enter sensitive information, and consider using a password manager.

Good password managers continue to be a strong defence against phishing. A password manager will not prompt you to enter your passwords on a domain that it does not recognise – meaning that even if a phishing site looks like a genuine webpage, it will not offer to enter your credentials unless it recognises the URL in the browser bar. Phishing prevention is one of the best reasons to run a password manager, but often overlooked.

Bitdefender identified a new phishing campaign directed at the Standard Bank of South Africa, with tens of thousands of malicious emails sent in April.

Phishing campaigns are a constant problem, but the COVID-19 pandemic gave bad actors a new pressure point. We’ve observed new phishing campaigns using the epidemic in the past couple of months but from different angles.

Sometimes, attackers promise information about potential cures or vaccines or ask for donations. The malicious emails were also laced with malware, and in some cases, using inflammatory messages related to the pandemic.

But the same type of messages can be used for more indirect attacks against companies or their customers. The latest campaign detected by Bitdefender was directed at the Standard Bank of South Africa customers, trying to trick people into sharing their banking credentials.

The email messages were crafted in such a way as to appeal to both regular customers and business owners, proposing different financial strategies to alleviate the economic impact of the pandemic.

“Absa Bank has announced a number of measures to help individuals and businesses hit by the coronavirus. This support could include deferring payments (or part thereof) for a suitable period, extending existing loan periods or extending additional credit to manage short term cashflow shortfalls.”

As usual, people are asked to check out the attachment and to make sure that they have Adobe Reader installed to view an attached PDF file. People are also directed to a fake login page, where they would have to enter their credentials.

“Standard Bank has announced a second wave of relief to help its customer base navigate financial commitments as Covid-19 continues to impact the livelihood of many individuals across the country.

1. Please Download attached SBSA COVID-19 Financial Relief to receive your R15000.00 government issued financial relief
2. Login to veiw transaction.
3. Approve the amount of R15000.00 into your account.”

The number of spam and phishing COVID-19 related campaigns is ever increasing, as attackers try to take advantage of the inherent insecurity of the global situation. Most likely, this current phishing campaign is the work of a single operator.

It goes without saying that people should not be opening emails from unknown senders. Phishing campaigns will try to imitate banking institutions, health and state authorities, and other official sources.

Please keep in mind that banks or other financial institutions will never ask private information over emails or other online channels. If you don’t know if an email comes from an official source, you can always contact the real purported sender and verify if the email is real.

Over the past month, criminals have continued to leverage the high demand medical supplies, plaguing the digital world with fake coronavirus-related items that threaten the lives and pockets of consumers everywhere. Stumbling upon medical equipment and sanitary product listings should always make you second-guess the credibility of the vendor – most listings are fake or require writing a fat check.

So while consumers are in a frenzy search of personal protective equipment (PPE), the dark web is oozing with a stock of Covid-19 related gear and medical products.

This month, a team of security researchers from the Australian National University (ANU) Cybercrime Observatory analyzed 20 dark web markets for listings of Covid-19 products, identifying a range of vaccines, antiviral medication, testing kits and personal protective equipment (PPE) such as surgical or N95 masks.

The analysis shows 645 listings for 222 unique COVID-19 related products found in 12 underground markets. Around 45% of the postings were PPE such as masks, sanitizers, gowns and gloves, with quantities and prices varying according to each seller.

For example, a vendor on the Agartha marketplace was offering ‘CORONA MEDICAL FACE MASK’ for $500, while a DarkBay seller advertised ‘Factory Supply Anti Virus Cotton Reusable N95 1860 Face Mask for Corona Virus’ for $1. The price tag varies for bulk offers. 10,000 face masks were selling for a whopping A$17,952.

Other popular listings include antimalarial and antiviral drugs, highly featured in the media for having curative properties against the novel virus:

• ‘Hydroxychloroquine Hcqs 400mg 100 Pills $139 Miracle Drug For Coronavirus’
• Favipiravir Pills 10 Pills Per Bottle COVID19 CURE’ for A$165
• ‘Order Azithromycin for Coronavirus – COVID-19’ for A$329’
• Combination of ‘Favipiravir, Chloroquine, Lopinavir and Ritonavir’ from A$674

No vaccine? No problem! The surveyed underground markets have it all. Researchers found that 6% of the postings were offering coronavirus vaccines originating from China – no detailed composition provided.

“There may also be experimental vaccines illegally diverted from research laboratories conducting animal or human trials, or even sourced from patients who have recovered from COVID-19”, said researchers.

The average cost of this miracle vaccine is around A$575, but some vendors charge between US$10,000 to US$15,000. Testing kits were also available for purchase. From the 28 listings found by researchers, the price could go as high as A$3,287 for 500 ‘Corona Virus Test/COVID-19 Test Kits’.

“The sale of fake vaccines and other compromised medical items poses a real risk to the health and safety of the public and needs to be dealt with swiftly. These results will assist our law enforcement partners in tackling this concerning issue,” said the Deputy Director of the Australian Institute of Criminology.

Phishing and business-email-compromise (BEC) schemes are on the rise, causing losses in the $50,000 to $100,000 range to small businesses across the United States. More than a third of organizations said they received an email from someone pretending to be a senior manager or business partner.

New research from German insurer HSB reveals an increase in suspicious emails targeting small businesses across the United States over the past year. According to the study, employees nation-wide are falling for phishing schemes asking them to transfer tens of thousands of dollars in company funds into fraudulent accounts.

Emails impersonate senior managers and/or partners

58% of business executives polled by Zogby Analytics for HSB said suspicious emails had increased in the past year. More than a third of the polled organizations received an email from someone pretending to be a senior manager or vendor requesting payments.

In a key finding, almost half of employees receiving fraudulent emails took the bait and responded by transferring company funds, resulting in losses most often in the $50,000 to $100,000 range (37 percent) and rarely less than $10,000 (only 11 percent).

The study doesn’t quantify potential loss of business resulted from reputation damage, diminished customer trust, and other dents left in the wake of a typical cyber incident. History has shown that these hidden costs appear later down the line and are often much greater than the initial damage.

“The scam is convincing because cyber thieves in many cases gain access to business email accounts and assume the false identities of company managers. With millions of Americans working remotely from home since the outbreak of the coronavirus, business email schemes could become an even bigger threat,” said Timothy Zeilman, HSB Vice President.

Zeilman cautions that now it’s more important than ever to employ good cybersecurity practices and thoroughly vet requests for payments.

“Don’t rely on email alone – call the person and confirm the payment is legitimate before releasing any funds,” the VP stressed.

How to keep your small office safe from fraudsters

Bitdefender Small Office Security caters to small businesses everywhere by providing a single management console that IT admins can deploy in minutes and get centralized control of up to 20 Windows, Android, macOS or iOS devices. It helps prevent data loss, thwarts hackers and malware, and secures transactions by processing your payments in a dedicated browser to prevent fraud and financial data theft. Bitdefender engineers are on call 24/7 and are easy to reach by email, phone or chat whenever your office needs help with security matters. Management of all connected devices can be done from the Bitdefender Central platform by your IT admin – no super cyberskills required. Learn more at https://www.bitdefender.com/solutions/small-office-security.html.

The network systems of UseNeXT and Usenet.nl, two popular Usenet providers, have recently experienced a major data breach that may have led to the theft of customer payment details.

Both companies point the finger to an unnamed partner company, claiming that “unauthorized persons have accessed our infrastructure via a security hole in a partner company.”

Established in 1979, prior to the implementation of the World Wide Web, Usenet is considered one of the world’s oldest networks, allowing individuals to exchange information freely. Over the past three decades, the network has evolved considerably, encompassing hundreds of thousands of newsgroups, where online users discuss different topics and debate the latest news.

While both providers have shut down their websites entirely, a data breach notification was posted, offering additional information to their users.

A snippet of UseNeXT’s notice reads: “We are currently analyzing what damage may have occurred. For security reasons, all systems are currently offline. Therefore, we cannot be reached via the Internet, email or call center”.

The two providers have also warned potential victims about the risks of unauthorized access to their account information that may include full name, billing address and payment data used for their subscription, such as IBAN and account number.

Since the perps may have stolen personal identifiable information and financial details, the companies are urging subscribers to be vigilant and take the following preventive measures:

• Change the password for your Usenet account and any other online accounts that shared the same login credentials
• Review your account settings and check if the automatic forwarding of messages is enabled – as this could indicate unauthorized access
• Keep an eye out for any suspicious charges on your accounts
• Ignore any suspicious emails that might appear in your Inbox and do not click on any links or provide additional personal information

The two platforms remain offline for now, and there’s no ETA for the services’ restoration.

Epic Games announced that two-factor authentication (2FA)
will now be required periodically for people who claim free games from April 28
to May 21. The reasons for this particular decision are unclear, but any added
layer of protection is welcome.

Other companies, including Epic Games, have been trying
to convince users to adopt two-factor authentication for a long time, and they
had some success. But the Epic Games Store appeared on the market much more
recently than the others.

The store has a very aggressive marketing policy and
offers free games regularly, trying to get a larger share of the pie. The new
measure announced by the company will only apply to people trying to claim free
games, which is a little bit weird.

When other stores chose to implement two-factor
authentication, the measure applied to all the users and logins, but Epic Games
is not doing the
same.

“If you do not have two-factor authentication enabled on
your account, you will see the following message when attempting to claim a
free game: “Two Factor Authentication Required.’”

“Claiming this free game requires you to have Two-Factor
Authentication setup on your account. Two-Factor authentication provides an
additional level of security to your Epic Games account and will help prevent
unauthorized access.”

The security feature is available to everyone; it can be
activated at any time, and have it enabled is recommended. Users who do have
the security feature already enabled will sometimes be required to provide the
codes when claiming new games.

While there’s no official reason for this particular security measure or the announced timeframe, it does arrive very soon after Nintendo asked people to enable two-factor on their devices, following a data leak that affected 160,000 accounts.

Even if the Epic Games gave users a time frame for their
new security measure, it would be a good idea to keep two-factor enable at all
times.

New data showing the impact of the COVID-19 crisis on online fraud in the first quarter of 2020 shows that 26.5% of all transactions were fraud and abuse attempts, which is a 20% increase over the previous quarter. And with new fraud campaigns driven by automation, there has been a sharp decline in human-driven attacks originating from low-cost ‘sweatshop’ resources.

Arkose Labs researchers said this was the highest attack rate ever seen, as consumer behavior is in flux and digital transactions are on the rise.

“Organized fraud operations have been quick to mobilize, targeting spikes in digital activity,” researchers said.

The United States came out as the top originator of cyberattacks, with attack levels increasing 20% since Q4 2019. Researchers also recorded a substantial increase in attacks originating from the United Kingdom, Germany and Canada – all well-established economies.

“The speed at which the cybercrime ecosystem adapts to changing socio-economic circumstances is highlighted by changing attack methods,” researchers said, adding that new data shows a sharp decline in human-driven attacks originating from low-cost ‘sweatshop’ resources.

The reason? Early lockdowns in traditional fraud hubs within Asia, researchers reasoned.

The recorded spikes in fraudulent activity were largely driven by automation, as mechanized campaigns are easier to scale up, allowing fraudsters to quickly take advantage of the changing landscape.

Changes in consumer behavior due to COVID-19 is causing fraudsters to shift their focus on industries like Retail and Travel, with the attack rate doubled from 13% of transactions to 26%, driven by attacks on ecommerce companies as travel tailed off due to restrictions. Gaming isn’t far off either. With a 30% rise in gaming traffic, the industry was hard hit with a 23% increase in attack rates, researchers said.

In the Information Technology sector, attacks on tech platforms have risen 16% as both personal and professional collaboration and communication shifted online.

The Arkose Labs report makes several key predictions, including that automation will drive the bulk of fraud attempts in the near future, that fraudsters will soon move to a distributed model as low-skill fraudsters take advantage of online tutorials and readily available fraud toolkits, and that new attack vectors will emerge as opportunistic fraudsters widen their reach amidst the pandemic.

Analysts are also anticipating a dramatic rise in attacks as fraudsters take advantage of economic uncertainty and new individuals are pushed into cybercrime due to high unemployment.

Here at Bitdefender we focus on protecting your devices from malicious activity and threats of all kinds. Now more than ever, we need autonomy and safety as we interact with the world through our internet-enabled devices. That’s why we have extended the trial for our best security suite, ensuring that you can take care of your family’s devices for up to 90 days. If you’re already set up, why not make an unexpected gift to your loved ones who might not be aware of emerging cyber threats?

The group behind the Shade ransomware has closed up shop
and distributed around 750,000 decryption keys, along with decryption software,
apologizing to everyone that was affected by their malware.

There are numerous types of ransomware in use today, and
Shade was one of them for more than half a decade. Also known under the name of
Troldesh, it’s been around since around 2014, and was mainly deployed in
Russia, the United States, Japan, parts of Europe, Canada, and a few other
countries.

Shade activity was a constant in the past few years, but
it slowed down by the end of 2019. The reason for the supposed shutdown is
unclear or whether it was genuine. It wouldn’t be the first time when a group
shuts down an operation, only to open up another one, under a different name.

The large collection of decryption keys was posted on
GitHub, along with a message. “We stopped its distribution in the end of 2019,”
says
the group.

“Now we made a decision to put the last point in this
story and to publish all the decryption keys we have (over 750 thousands at
all). We are also publishing our decryption soft; we also hope that, having the
keys, antivirus companies will issue their own more user-friendly decryption
tools.”

They also claim to have destroyed the malware’s source
code and apologized to everyone that was affected by their trojan. While it
might seem like a nice sentiment, let’s not forget that their malware caused
immense losses to numerous industries and people for a long time.

Publishing the decryption software is good news as it
makes it easier for affected parties to recover lost data, and for security
companies to provide more robust solutions.

Despite the supposed retirement of Shade, there are still
numerous other active groups right now, such as Sodinokibi or Maze, and that
have changed their modus operandi to include blackmail with stolen data.