This week on the Lock and Code podcast, we speak with Cait Conley about CISA's election security measures and why your vote can't be hacked.

_This week on the Lock and Code podcast…_

The US presidential election is upon the American public, and with it come fears of “election interference.”

But “election interference” is a broad term. It can mean the now-regular and expected foreign disinformation campaigns that are launched to sow political discord or to erode trust in American democracy. It can include domestic campaigns to disenfranchise voters in battleground states. And it can include the upsetting and increasing threats made to election officials and volunteers across the country.

But there’s an even broader category of election interference that is of particular interest to this podcast, and that’s cybersecurity.

Elections in the United States rely on a dizzying number of technologies. There are the voting machines themselves, there are electronic pollbooks that check voters in, there are optical scanners that tabulate the votes that the American public actually make when filling in an oval bubble with pen, or connecting an arrow with a solid line. And none of that is to mention the infrastructure that campaigns rely on every day to get information out—across websites, through emails, in text messages, and more.

That interlocking complexity is only multiplied when you remember that each, individual state has its own way of complying with the Federal government’s rules and standards for running an election. As Cait Conley, Senior Advisor to the Director of the US Cybersecurity and Infrastructure Security Agency (CISA) explains in today’s episode:

“There’s a common saying in the election space: If you’ve seen one state’s election, you’ve seen one state’s election.”

How, then, are elections secured in the United States, and what threats does CISA defend against?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Conley about how CISA prepares and trains election officials and volunteers before the big day, whether or not an American’s vote can be “hacked,” and what the country is facing in the final days before an election, particularly from foreign adversaries that want to destabilize American trust.

>  ”There’s a pretty good chance that you’re going to see Russia, Iran, or China try to claim that a distributed denial of service attack or a ransomware attack against a county is somehow going to impact the security or integrity of your vote. And it’s not true.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Why your vote can&#8217;t be &#8220;hacked,&#8221; with Cait Conley of CISA (Lock and Code S05E23) 

A ransomware attack against the City of Columbus, Ohio—which drew public scrutiny following the city government’s attempt to silence a researcher...

A ransomware attack against the City of Columbus, Ohio—which drew public scrutiny following the city government’s attempt to silence a researcher who told the public about the attack—has received a little more detail from an unexpected source: The Attorney General for the state of Maine.

In a data breach notification filed by the Attorney General for the state of Maine, the cybersecurity incident that affected Columbus, Ohio impacted half a million people.

The City of Columbus was attacked by a ransomware group on July 18, 2024. Due to the timing, it was at first unclear whether the disruption in the public facing services was caused by the CrowdStrike incident or if it was in fact an attack. The attack was later claimed by the Rhysida ransomware group on their leak site, where the group posts information about victims that are unwilling to pay.

On September 12, 2024, the city of Columbus issued a notice of breach that was sent to its clients. The notice reads:

> “On July 18, 2024, the city discovered that it had experienced a cybersecurity incident in which a foreign cyber threat actor attempted to disrupt the City’s IT infrastructure, in a possible effort to deploy ransomware and solicit a ransom payment from the City.”

Until now, though, the public at large did not know how many people were affected by the attack. Because of the data breach notification from Maine’s Attorney General, that number now has a little more clarity.

During the incident, the cybercriminals may have gained access which included data in connection to the Columbus City Auditor.

The City Auditor’s Office examines City operations to identify an opportunity to reduce costs, increase efficiency, quality and effectiveness, or otherwise improve management of a city function, program, service or policy.

According to the official statement, the ransomware group was also able to view and access certain sensitive personal information, which may have included first and last name, date of birth, address, bank account information, City employee account number and position, City employment and payroll records, Social Security Number (SSN), and other identifying information.

Later, a security researcher disclosed information about the content of the stolen data with the media. From what the researcher shared it became clear that the data contained unencrypted personal information not only of city employees but also residents.

At which point the City of Columbus decided to sue the researcher for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. With half a million affected people, it like safe to say the attack did not just impact City employees.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 City of Columbus breach affects around half a million citizens 

If you searched for your bank's login page via Bing recently, you may have visited a fraudulent website enabling criminals to get your credentials and even your two-factor security code.

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result. We have reported the fraudulent sites to Microsoft already.

While Microsoft’s Bing only has about 4% of the search engine market share, crooks are drawn to it as an alternative to Google. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one.

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication.

**Bing search engine poisoning**

We first noticed a phishing campaign coming from Bing’s search engine and targeting Keybank customers on November 29. A malicious link is displayed as the first result and pretends to be Keybank’s login page.

The domain name used is _ixx-kexxx\[.\]com_ which was registered on November 15. Given that it is only two weeks old and yet came up before _ibx.key.com_ (the real website), we surmise that the attackers are abusing Bing’s search algorithms.

**Indexing and cloaking in one go**

Upon clicking on the link, users are redirected to a friendly and helpful website before getting redirected again to the actual phishing page. However, we need to pause right here in order to see a couple of “blackhat” techniques.

That first page is only meant for crawlers and scanners (and users who aren’t of interest) which will both scrape the content and index it, as well as see that the page is clean. This technique is fairly common, and we actually see similar examples with ad fraud. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Actual victims do not get to see that page because they are immediately redirected to another website, this time completely malicious. The redirect happens server-side based on user attributes such as their browser profile, IP address and others.

That page uses the official branding and is a login portal for KeyBank. Once a victim types their user ID and password, criminals will receive the data immediately. Note that the phishing site is using https, which means strictly nothing here (the information will be encrypted while in transit but received in clear text by the recipient).

**Bypassing multi factor authentication**

In some phishing campaigns, criminals are notified in real time when a new victim attempts to login into their fraudulent page. One thing we noticed on the phishing page after the first screen, was a message claiming that the internet connection was poor. This is a disguise for what’s happening behind the scenes:

It’s often necessary for criminals to get past a few hurdles first. They need to login from the same location as the victim (their fake site gives them the IP address and they can use a proxy) and they may need to get through multi-factor authentication. Sometimes, the easiest thing to do is simply to ask for it.

Multi-factor authentication is still highly recommended, but users should be aware that criminals can directly ask for verification codes while pretending to be the real bank. We should also note that SMS verification is one of the weakest methods for two-factor authentication.

Security questions (usually 3 of them) are also used to either reset a password or for some other verification purpose (maybe a login from a new browser or location). This phishing kit also asks the victims to enter that information:

**Conclusion**

Phishing is one of the biggest threats consumers face every day. Malicious links can be sent to them via email, text message, social media or they may simply come across them via a search engine.

In this particular example, Bing was tricked into indexing a website that looked legitimate but turned out to be a gateway to a phishing portal. As the domain name was unknown to Microsoft at the time, it failed to protect users.

We highly recommend anyone to adopt more phishing-proof ways to login into important websites. Passkeys come to mind immediately since they do not involve passwords at all. In other words, if you don’t need to type a password… there’s no password to steal.

Unfortunately, not all websites offer the latest technologies to protect their customers. While it is important to add a second factor for authentication, you may want to upgrade to an Authenticator app, instead of the less trustworthy SMS verification. Perhaps the most important thing to remember is that criminals can also try to request those one-time codes from you and you should always be extremely vigilant before entering them in any online website (or replying to an unknown text).

Malwarebytes Browser Guard already protected users from this phishing campaign without having seen the malicious websites before. This is because of the built-in anti-phishing heuristic rules which intercept the connection and display a warning message:

If you suspect your banking information has already been stolen, try to take action as quickly as possible by contacting your financial institution(s) and resetting all your passwords (especially if you reused any of them for different websites).

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Indicators of Compromise**

Cloaking domains

ixx-kexxx\[.\]com

Phishing domains

xxx-ii-news\[.\]net  
xxx-ii-news\[.\]com  
ixxx-blognew\[.\]com  
xxx-ii-news\[.\]net  
new-bllog-i\[.\]com  
info-blog-news\[.\]com  
xv-bloging-info\[.\]com  
xxx-new-videos\[.\]com

Hosting server

200.107.207\[.\]232

 Crooks bank on Microsoft&#8217;s search engine to phish customers 

A list of topics we covered in the week of October 28 to November 3 of 2024

November 1, 2024 - Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

October 31, 2024 - Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

October 30, 2024 - Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

October 29, 2024 - Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to stay away from them.

 A week in security (October 28 &#8211; November 3) 

Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

Researchers at the Satori Threat Intelligence and Research team have published their findings about a group of cybercriminals that infect legitimate web shops to create and promote fake product listings.

The threat, dubbed “Phish ‘n Ships” by the researchers, reportedly infected more than 1,000 websites and built 121 fake web stores to trick consumers. Estimated losses are in the region of tens of millions of dollars over the past five years.

The group infected legitimate web shops with a malicious payload that would redirect visitors to web shops under their own control. While visiting such an affected web shop the visitor would be served fake product listings. When they clicked on the link for that item, hundreds of thousands of victims were redirected.

The fraudsters also made sure that their fake product listings contained metadata that put them near the top of search engine rankings for those items. SEO poisoning is a technique employed by cybercriminals to manipulate search engine results, making harmful websites or advertisements appear at the top of search results.

On the fake web shop, one of four targeted third-party payment processors collects credit card info and confirms a “purchase,” but the product never arrives.

The fraudsters used several established vulnerabilities to infect a wide variety of web shops.

For the users it’s not just the payment for an article they’ll never receive and the disappointment about not getting that sought-after article, but there is also the risk of providing cybercriminals with their payment card information.

The campaign has been disrupted for a large part due to the efforts of the researchers, but they warn that part of it is still active.

**So, what can consumers do to stay safe?**

Keep an eye on the website displayed in the address bar. Did the advertisement you clicked on take you to the expected web shop? And when the checkout process runs through a different web shop, this is another reason for alarm.

Be especially cautious when you are looking for hard-to-get items, because this is what the group specializes in.

If you are suspicious, it’s a good idea to try the input validation of the shipping information. The fraudsters do not care whether you fill out a real phone number or street address since they have no intention of shipping anything, so the validation process does not work. On a legitimate web shop this should work and warn visitors about invalid entries.

Malwarebytes’ web protection module and Browser Guard block the IP addresses in use by this group.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 1,000+ web shops infected by &#8220;Phish ‘n Ships&#8221; criminals who create fake product listings for in-demand products 

Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

An Android banking Trojan called FakeCall is capable of hijacking the phone calls you make to your bank. Instead of reaching your bank, your call will be redirected to the cybercriminals.

The Trojan accomplishes this by installing itself as the default call handler on the infected device. The default call handler app is responsible for managing incoming and outgoing calls, allowing users to answer or reject calls, as well as initiate calls.

As you can imagine handing these options to a malicious app comes with some serious risks.

Last time FakeCall reared its head, BleepingComputer reported that the malware was being distributed as fake banking apps that impersonate large financial institutions, as well as being distributed in phishing emails. When the receiver clicked a link in the email they’d download an Application Package (APK file) which acted as a dropper for the malicious app.

Likely without realizing, when the user gives the app permission to set it as the default call handler, the malware gains permission to intercept and manipulate both outgoing and incoming calls.

The FakeCall malware abuses this trust by hijacking the user’s call to a financial institution. To better understand how the attackers use this, you’ll need to know that FakeCall is a very versatile tool. It can also steal sensitive information from the infected devices which enables the cybercriminals to deploy targeted attacks against the owners of infected devices.

They will know which bank the target primarily uses and will send them offers that might be of interest to them, via in-app notifications or vishing (voice-phishing). The cybercriminals may, for example, offer a loan with a low interest rate and ask the target to call if they’re interested.

Regardless, whether the target uses the displayed phone number or tries to directly call the number of his bank, the call will get redirected to the criminals.

The FakeCall app is hard to detect since it uses several methods to evade detection, and it uses several names to mimic legitimate banking apps. This is where Malwarebytes for Android can help you, by identifying these apps and removing them.

Malwarebytes for Android detects FakeCall as Android/Trojan.Banker.Fakecall.

 Android malware FakeCall intercepts your calls to the bank 

Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

Google has released an update for its Chrome browser which includes patches for two critical vulnerabilities.

The update brings the Stable channel to versions 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome is up to date

This update is crucial as it addresses two major security vulnerabilities. Previous Chrome vulnerabilities reported by Apple turned out to be exploited by a commercial spyware vendor.

**Technical details**

One of the vulnerabilities was reported to Google by Apple Security Engineering and Architecture (SEAR), which reported the issue on October 23, 2024. This vulnerability, tracked as CVE-2024-10487, can be used by cybercriminals as a drive-by download. That means that a victim’s device could be compromised just by visiting a malicious website or advertisement.

The vulnerability was found in Dawn, an open source and cross-platform implementation of the WebGPU\-standard. WebGPU is a JavaScript Application Programming Interface (API) provided by a web browser that enables webpage scripts to use a device’s graphics processing unit (GPU).

In this case, the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.

The other vulnerability, tracked as CVE-2024-10488, was reported by researcher Cassidy Kim. That vulnerability in Chrome’s WebRTC (Web Real-Time Communication) component could lead to the execution of arbitrary code or cause a crash. It could be used for potential data theft or system crashes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Patch now! New Chrome update for two critical vulnerabilities 

Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS and watchOS.

Especially important are the updates for iOS and iPadOS which tackle vulnerabilities which could potentially leak sensitive user information. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update options

**Technical details**

Noteworthy are four vulnerabilities in Siri and another vulnerability in Accessibility which would allow an attacker with physical access to view sensitive user information. This may not seem very urgent at first, but if your device gets stolen then the thief can learn things about you which is far from ideal.

These are some of the vulnerabilities that jumped out at us.

CVE-2024-44274: a vulnerability in Accessibility that could allow an attacker with physical access to a locked device to view sensitive user information. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, iOS 18.1 and iPadOS 18.1 with improved authentication.

CVE-2024-44282: a vulnerability in Foundation where parsing a file could lead to disclosure of user information. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1 by improved input validation. Foundation serves as a fundamental framework that offers a base layer of functionality for Apple’s operating systems. Among others it’s responsible for file system access.

CVE-2024-40867: a vulnerability in iTunes caused by a custom URL scheme handling issue that could be used by an attacker to break out of Web Content sandbox. This issue is fixed in iOS 18.1 and iPadOS 18.1 by improved input validation. Breaking out of the Web Content sandbox allows a malicious website or attacker to potentially access sensitive data, control other parts of the system, and compromise the overall security of the device beyond the intended limitations of the web browser.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your iPhone, Mac, Watch: Apple issues patches for several vulnerabilities 

There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

With the holidays around the bend, many are looking for gifts for their family and friends. And since we somehow decided we want to give more each time, we’re also looking for good deals.

But European law enforcement agency Europol issued a warning about buying fake goods. Sure, they are cheaper, but they do come with a dark side.

According to Europol’s report titled “Uncovering the ecosystem of intellectual property crime, ”approximately 86 million fake items were seized in the European Union (EU) in 2022 alone, with an estimated total value exceeding EUR 2 billion (US$ 2.1 billion).

Not only does this ecosystem provide buyers with substandard goods, it also enables crimes like intellectual property (IP) crime, cybercrime, money laundering, and environmental crime.

Intellectual property is what drives innovation. Criminals don’t come up with new inventions, they just create cheap copies of popular items without regards for safety of the product, working conditions, or environmental regulations. The only thing counterfeiters are innovating are ways to exploit consumer demand for counterfeit and pirated goods.

The report states:

> “The rise of social media, influencers and online commerce have changed consumers’ behavior, increasing their appetite for IP infringing goods or content, while having a low awareness of risks.”

Criminals fully abuse the social media platform algorithms that reach potential buyers using customized ads that speak to their personal interests and preferences. These are often removed after automated reviews.

So, there is another critical role in advertising counterfeit goods, which are influencers. Through their channels, influencers may direct customers to product listings on online stores that evade security protocols about counterfeit adverts.

By buying counterfeit goods you are also unwittingly enabling cybercriminals that are engaged in fraud, corruption, labor exploitation, environmental crime, money laundering, and cybercrime.

On the other hand, the risks of getting caught and the relatively low penalties make IP crime a low-risk, high-benefit criminal activity.

Consumers, however, are not always aware of the fact they are buying counterfeit goods. As sophisticated technologies are used to replicate holograms, logos, and packaging, unaware consumers are more likely than ever to be deceived, and recognizing counterfeit items has become a task that requires specific knowledge and an expert eye.

**How to avoid counterfeit goods**

Nonetheless, there are a few pointers to be given on how to avoid buying counterfeit goods.

*   Where possible, buy from the brand’s own store. When that’s not an option look for authorized retailers. Many brands publish lists of authorized sellers on their websites. And some of the larger webstores use “Authenticity Guarantee” badges on their listings.
*   When it comes to pricing, follow the old saying: “If it’s too good to be true, it probably is.”
*   A legitimate webstore should have contact information, look professional, and specify consumer rights.
*   Review advertisements on social media, influencer channels, and chat platforms with a little bit of extra caution.
*   Look for consumer reviews. Interestingly, it could be a red flag if the reviews of the product and company are universally bad—or if there are no bad reviews at all.

If you’re not completely sure about the product or the website, at least make sure to use a secured payment page and preferably use your credit card, in case you need to recover your money.

If you have bought a counterfeit product:

*   Stop and think before you use it, to consider whether it is safe to use. The materials used for production are likely to be sub-standard and could pose a risk to your health.
*   Report it to the platform where you made the purchase and to the legitimate brand.
*   Report it to the proper authorities.

Use Malwarebytes Browser Guard to block advertisements, scams, and trackers. It’s a free browser extension for Chrome, Firefox, Edge, and Safari.

 Europol warns about counterfeit goods and the criminals behind them 

A list of topics we covered in the week of October 21 to October 27 of 2024

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

October 25, 2024 - Change Healtcare has confrimed that at least 100M US citizens personal data were impacted by their February data breach

October 24, 2024 - Pinterest is facing a complaint because it failed to comply with GDPR rules about using personal data for personalized advertising.

October 23, 2024 - Tax preparation firms shared user information with Google and Meta without proper consent by using tracking pixels

October 23, 2024 - The #opentowork hashtag may attract the wrong crowd as criminals target LinkedIn users to steal personal information, or scam them.

Source

Malwarebytes