We take a look at an incredible scam which involves an entire village faking cricket matches for an online betting ring.
The post Fake streamed cricket matches knocks victims for six appeared first on Malwarebytes Labs.

An incredible scam which resembles hidden camera prank shows has been shut down by police. Four men were arrested last week in connection with the con-job involving fake cricket and online betting. It begins in Russia, takes a trip to India, and ends up back in Russia. Here’s how it unfolded:

**Setting the stage**

People living in India who are interested in betting on sports tend to gravitate online. One of the men allegedly involved in this scam had previously worked in a bar in Russia. He’d convinced his contacts there to show interest in cricket betting, which turned out to be the starting point for all of the below.

Our intrepid bar worker returned to India, and what followed is an amazing exercise in online deception, offline activities, fictional visions of reality, and at least 20 people playing roles day in and day out.

Before we get to the real world shenanigans, let’s take a look at the YouTube angle.

**The YouTube cricket carnival**

The fake cricket matches were all hooked to one Youtube channel called Century Hitters T20. At time of writing, the channel is still live and we suspect it’ll be kept that way while investigations proceed. It’s racked up 809 subscribers with 49k views across 47 videos since it was created roughly a month ago.

It’s not possible to embed any of the streams, because the account creators have disabled that feature. Apart from the absolutely awful cricket pitch, a lot of effort has gone into lighting, visuals, camera equipment, screen graphics, even the various cricket team outfits. This leads us neatly on to the real-world component of this large scale fake out.

**Fake it till you make it**

This isn’t some small time operation with a fake office in a basement somewhere. The people behind this thought big and stuck to their goal. A _small village_ was used as the staging area for the scam. According to reports, “nearly two dozen locals” were paid to act as cricket teams, umpires, and organisers. One person even imitated a well-known cricket commentator.

Players were paid $5 per game. Fake umpires used walkie-talkies to talk to organisers, and directed the shape of each supposed cricket match. The organisers would converse with people making bets via Telegram.

To simulate the roar of the cricket-loving crowds, running commentaries complete with cheering were piped through speakers close to the cricket ground. And by cricket ground, I mean “muddy mess with a bit of grass poking up through the soil”.

> Here it is, the moment you’ve all been waiting for….
> 
> Footage of the Fake IPL, which somehow conned people in Russia into betting on it.
> 
> ‘Chennai Fighters’ off to a solid start, pitch looking in good condition. pic.twitter.com/XtaL5W5zli
> 
> — Jordan Elgott (@JElgott) July 11, 2022

They presumably picked their Russian marks well. Nobody even vaguely familiar with professional cricket would believe that real players would grace that monstrosity with their presence. There’s no mention of losses incurred by those the scammers preyed on. For now all we can do is wait and watch how this one plays out in court. Hopefully with fewer fake crowd recordings.

Fake streamed cricket matches knocks victims for six

PyPI is rolling out a 2FA requirement for maintainers of critical projects. 
The post PyPI starts rolling out required 2FA for important projects appeared first on Malwarebytes Labs.

The Python Package Index (PyPI) says it has begun rolling out a two-factor authentication (2FA) requirement which enforces maintainers of critical projects to have 2FA enabled to publish, update, or modify them. PyPI plays an important role in the Python developers’ ecosystem.

**Python repository**

PyPi is _the_ repository of software for the Python programming language. Python is a high-level, interpreted, general-purpose programming language. And it is a very popular language often used on servers to create web applications.

Many web developers, and others, use Python packages or add-on libraries from other developers as building blocks to develop their own projects. The Python Software Foundation (PSF) manages the PyPI repository where Python developers can get third-party developed open-source packages for their projects.

**Critical projects**

The projects rated as critical by the PSF are those that are in the top 1% of downloads. Maintainers of such projects should have received an email about the new requirement. The requirement will go into effect in the coming months. Based on the 1% rule, over 3,500 projects have received the critical designation.

The good news is that every project has the option to set 2FA as required. And, to ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team has provided a limited number of security keys to distribute among critical project maintainers.

**The reason**

As you can imagine, unauthorized access to a project that many other depend on opens up the possibilities of a software supply chain attack. So, introducing the 2FA factor for critical projects decreases the possibility that someone might introduce malicious code into a popular project.

We have all seen the problems with Log4j. For those that missed it, Log4j is an open source logging library written in Java developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular, so the potential reach of this problem turned out to be enormous.

A similar problem that remains unresolved by these new requirements is the use of packages which are purposedly named after popular projects to confuse users into downloading a malicious version.

**Mixed feelings**

As you would expect on Twitter, there are some mixed feelings among those impacted by this new requirement. Ranging from developers saying goodbye to their popular project to those wondering why 2FA wasn’t already mandatory in the first place.

For all those with unanswered questions, PyPI has put up a FAQ about the 2FA implementation, along with the key giveaway.

PyPI starts rolling out required 2FA for important projects

Popular comics site Mangatoon has been breached due to a poorly secured database.
The post Insecure password leads to Mangatoon data breach appeared first on Malwarebytes Labs.

The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn’t seem to be responding to messages from the breacher, or people notifying it that the breach has taken place.

**A limited edition run of exposed accounts**

Mangatoon allows comics fans to read a variety of web comics for free via the app, with the option to “unlock” whole comics for a fee. Unfortunately for Mangatoon, its Elasticsearch database was compromised leading to several attempts to get its attention.

> Anyone got a security contact at @MangatoonEN? DMs are closed and apparently they haven't been responding to emails attempting to reach them.
> 
> — Troy Hunt (@troyhunt) July 4, 2022

No response was forthcoming by email or even social media. While it’s possible everyone involved is too busy fixing the problem, the complete lack of a reply is concerning.

**Checking for exposure**

The breach data, which occurred in May, has been loaded into popular breach checking service Have I been pwned.

You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.

> New breach: Mangatoon had 23M accounts breached in May. The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes. 27% were already in @haveibeenpwned https://t.co/LGaAniKeSA
> 
> — Have I Been Pwned (@haveibeenpwned) July 6, 2022

**Password disasters of our time**

The 23 million or so accounts have been exposed purely because of bad password management. All of this data was, incredibly, sitting behind the “password”.

Mangatoon changed the password after the system breacher notified it. However, no customers have been notified and anyone unaware would think everything is currently business as usual. The truth is that things couldn’t be further from the case. Are there other, similarly poorly secured databases? Has the password been changed to something that isn’t “password123”?

Elasticsearch makes use of a variety of security features for all manner of configurations, so will Mangatoon be making use of these in future?

So many unanswered questions in a situation such as this isn’t massively reassuring.

**Lock down your databases**

Poorly secured Elasticsearch databases are juicy targets for those up to no good. At least 450 ransom notes were discovered demanding payment in return for files found on Elasticsearch databases back in June of this year. Sadly for anyone paying up to recover the stolen files, there’s a good chance the attackers had already deleted them. This is, of course, a valuable reminder to back up your data.

This is especially true considering Elasticsearch sits alongside both Redis and MongoDB as some of 2022’s top exposed databases.

If you use Mangatoon you should change your password to your account now. If you’ve used the same username and password combination on other accounts, you should change those too.

Insecure password leads to Mangatoon data breach

The most important and interesting computer security stories from the last week.
The post A week in security (July 4 – July 10) appeared first on Malwarebytes Labs.

*   Partner Success Story
*   Marek Drummond
    
    Managing Director at Optimus Systems
    
    "Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected."
    
*   See full story

A week in security (July 4 – July 10)

The EU is warning Meta that it needs to make big changes to the way it handles data transfers between the Europe and US.
The post Europe threatens to ban Facebook over data transfers to the US appeared first on Malwarebytes Labs.

If regulators have their way, data transfers from Facebook and Instagram between Europe and the United States could stop this summer. (WhatsApp, another Meta service, will not be affected by the decision as it has a different data controller within Meta.) This could force Meta, Facebook’s parent company, to undergo some radical changes with the way it handles data from Europe, such as setting up local data centers. Otherwise, it will have no choice but to pull out of Europe.

The Irish Data Protection Commission (DPD) sent a draft of its final decision on Thursday to its European counterparts regarding banning Meta from receiving user data from Europe.

A Meta spokesperson told the Telegraph, “This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved.”

“We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

Ireland is the country overseeing Facebook’s data practices as it is Facebook’s legal headquarters in Europe. Any ruling in Ireland would apply to all of Europe.

In 2020, the Court of Justice of the European Union (CJEU) repealed the EU-US Privacy Shield, a legal framework regulating the transatlantic transfer of European data to the US, calling it invalid as it failed to keep European personal data from being excluded from US surveillance. This event is commonly known as the Schrems II case.

However, data from the EU to the US continue to flow. While the CJEU annulled Privacy Shield, it also confirmed the legitimatimacy of the Standard Contractual Clauses (“SCCs”), which Facebook (and other US businesses) used as an alternative to lawfully transfer data from the EU to the US. Should the regulators’ decision become final, Meta will be forced to stop relying on the SCC as well.

“Suspending data transfers would be damaging not only to the millions of people, charities and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” a Meta spokesperson told SiliconRepublic.com. “A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”

In an interview with The Telegraph, Max Schrems, the privacy campaigner responsible for Privacy Shield getting binned, expected Facebook to use the Irish legal system to delay the implementation of the data transfer ban. He also added that Irish police would need to “physically cut the cords before these transfers actually stop”.

Europe threatens to ban Facebook over data transfers to the US

We waited three decades for macro blocking...and now it's going away again!
The post Microsoft appears to be rolling back Office Macro blocking appeared first on Malwarebytes Labs.

We’re seeing several reports indicating that Microsoft may have rolled back its decision to block Macros in Office. Currently no official statement exists—the reports rely on a post by a Microsoft employee in the replies of the original article where the plan to block macros was announced.

Earlier this year, Microsoft decided to disable macros downloaded from the Internet in five Office apps, by default. Users trying to open files downloaded from the Internet that contained macros would see a message, with a link to an article explaining the block.

> SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted

Malicious macros have been popular with criminals for more than three decades, and the step was welcomed by the security community. However, some users of Microsoft products have queried a surprising change. Dangerous files downloaded from the internet are _not_ being treated as expected in Office.

**The shifting sands of macro blocking**

Bizarrely, we’ve only experienced a few months of no macro worries as people discover the currently changing situation. A recent comment on the article describing the block mentioned that macro blocking has now been removed in Office Current Channel:

> Is it just me or have Microsoft rolled this change back on the Current Channel?
> 
> I was trying to reproduce the pinkish-red ‘Security Risk… Learn More’ notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I’m putting together about my company’s macro-enabled toolkit.
> 
> Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.
> 
> It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old ‘Security warning…’ message with the ‘Enable Content’ button. The file’s VBA project wasn’t digitally signed, wasn’t saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

A response came from someone called Angela Robertson, billed as “A Microsoft employee on the Microsoft Tech Community”:

> Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.

**Waiting for more information**

At the time of writing, we can’t say what this community feedback is or why it’s been so influential in triggering the apparent decision to disable macro blocking. The response in security circles is somewhat less than enthusiastic, and there’s no new information outside of waiting to see what’s contained in the promised “update”.

Indeed, all we have currently is a second Microsoft post which confirms the rollback:

> …based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.

We will update this article as soon as Microsoft clarifies what exactly is going on.

Microsoft appears to be rolling back Office Macro blocking

A Youtuber has hacked into the CCTV cameras of an office used by tech support scammers and recorded them being arrested by the police.
The post Tech support scammers caught by their own cameras appeared first on Malwarebytes Labs.

A Youtuber has hacked into the CCTV cameras of an office used by tech support scammers and reported them to the police. The video feed of what is going on in that office ends with the arrest of the scammers.

**CCTV**

The Youtuber, acting under the handle Scambaiter, turned his attention to Punjab in India to spy on a group of Tech Support scammers.

“Scambaiting” means scamming the scammers, often by pretending to take their bait and wasting their time. The reasoning is that while the scammer is busy trying to reel the scambaiter in, they don’t have time to victimize someone else. Which makes it doing a good deed while having some fun.

Scambaiter, goes a little further than simply wasting scammers’ time. He has amassed almost 1.5 million YouTube followers by “hacking back” against the scammers and exposing where and how they work—in this case by using the scammers’ own CCTV cameras against them.

Scambaiter also hacked into some of the systems the scammers were using to defraud US citizens out of thousands of dollars. So, besides footage of the scammers, his hack also included taking screenshots from the laptops that the scammers were using while “at work”.

One thing that jumps out is that this is a very small and badly secured organization. Which came in handy because it enabled Scambaiter to show us several sides of the operation.

**The video**

Scambaiter condensed a weeks’ worth of footage into a 20 minute clip. In the beginning we see the scammers at work, posing as Best Buy’s Geek Squad tech support employees.

We get a good look at how these scammers are organized and how they operate. If you didn’t know they were talking people out of their money for non-existent services, it would look like any other, legitimate, office.

During the video Scambaiter explains how he found information about the scammers and their physical location, until he had gathered enough evidence to convince the local police to spring into action.

At the end of the CCTV footage you can see the police officers enter the building, shut down the electricity on two floors, and arrest five of the main scammers.

Scambaiter then concludes the video with a police report stating the charges against the scammers, and a selection of the media coverage about the incident.

**Follow the rules**

In case you want to take part in the fun the past we have posted a guide to get back at spammers safely.

Even though the video by Scambaiter has a happy end, it is important to understand that what Scambaiter did is just as illegal as the Tech Support scammers’ activity. Hacking into computer systems is illegal unless you are equipped with permission (say, the terms of a bug bounty) or a warrant, even if the victims are criminals and the hacking is in a good cause.

Stay safe, everyone!

Tech support scammers caught by their own cameras

When it comes to insurance, better security means better savings.
The post 4 ways businesses can save money on cyber insurance appeared first on Malwarebytes Labs.

So, your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

Indeed, with liability limits ranging from $1 million to $5 million or more, cyber insurance policies can cover a good chunk of the damage caused by a data breach.

But if you’re looking to apply for cyber insurance, there’s a few things you should know first—especially if you want the lowest possible premium. 

Here are four ways your business can save money on its insurance.

**How is cyber insurance priced?**

Before we dive in any futher, it’s important to understand how cyber insurance policies are priced to begin with.

A 2019 paper published to the _Journal of Cybersecurity_ analyzed over 235 cyber insurance policies from New York, Pennsylvania, and California, as well as policies posted publicly on carriers’ websites. They found that cyber insurance companies price their policies one of in four ways:

*   **Base rate**. Insurers provide a base premium based on your organization’s annual revenues or assets (or number of employees/students). The basic logic is that more revenue equals more risk, therefore higher premiums, and vice versa.

*   **Base rate with security questions**. Insurers look at your organization’s security posture to determine the final premium pricing. This was by far the most widely-used approach by insurers (57 percent of policies analyzed). 

*   **Fixed rate.** Insurers provide a fixed rate regardless of firm or industry. This was most common for smaller businesses.

*   **Fixed rate with hazard groups**. This is the same as fixed rate, but with a single modifier based on the amount of perceived risk a business has (such as how much sensitive information is stored on its website). Again, typical for small businesses.

**How to save money on cyber insurance **

While it’s clear that the size of your business and the industry you’re in can affect costs, still a large portion of cyber insurance providers are looking at your security to determine premiums. 

So, what are some of the security controls that can lower your premium? 

For this article, we looked at security tips from the top five biggest cyber insurance companies—AXA XL, Chubb, AIG, Travelers, and AXIS—and found four commonalities across what they had to say. 

**1\. Use multi-factor authentication (MFA)**

Did you know that, according to Verizon’s 2022 Data Breach Investigations Report, 50 percent of data breaches start with stolen credentials? 

Given this statistic, it’s no surprise that using multi-factor authentication (MFA) could signal to cyber insurers that you’re less of a risk. By requiring you to use multiple forms of authentication, MFA makes it much more difficult for threat actors to pull off brute force attacks, or to use stolen passwords.

**2\. Implement a cybersecurity training program**

If stolen credentials are the most common initial attack vector in data breaches, then phishing is a close second—accounting for about 17 percent of all data breaches, according to the same Verizon report.

This is why implementing a cybersecurity training program for your employees is so important. 

A good training program should inform employees about common threats such as email phishing, spear phishing, and other common social engineering attacks. Cyber insurers are likely to view the implementation of such programs as a mark of high security maturity.

**3\. Disable Remote Desktop Protocol (RDP) services**

In about 50 percent of ransomware attacks, Remote Desktop Protocol (RDP) was the initial attack vector, according to a study by Palo Alto Networks.

RDP is a network communications protocol that allows users to remotely control their devices. Commonly used by remote workers, RDP is also used by IT staff to troubleshoot problems on employees’ devices.

However, hackers can easily search for computers that use RDP and them use a brute force attack to try to guess the password—and from there, they can carry out a ransomware attack. 

Securing RDP with best practices, such as following the principle of least privilege, removes a potential point of access for hackers. Read our article on how to protect RDP for more tips.

**4\. Deploy Endpoint Detection and Response (EDR)**

According to Ponemon’s 2020 State of Endpoint Security Risk report, the average financial loss from endpoint attacks was almost $9 million in 2019.

Not surprisingly, then, both Travelers and Axis cyber insurance explicitly mention endpoint protection as an important prevention measure.

Endpoint detection and response (EDR) is a form of endpoint protection that detects and protects against ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats. Learn more about how EDR can help secure your business.

**Better security means better savings**

Without cyber insurance, you can expect to pay a lot of cash to cover the cost of a data breach, and many companies are investing in it as a result. In this article, we explained how cyber insurance policies are typically priced, and how your organization’s assessed security posture is a prime consideration for many insurers. 

We also outlined four key processes and technologies that makes you a much more challenging target to attack, and consequetly a considerably less risky proposition for cyber insurers.

With Malwarebytes Endpoint Detection and Response, you can show cyber insurance companies you’re prepared to handle a cyberattack. To find out more, read how Mike Carney Toyota saved on cyber insurance by deploying Malwarebytes EDR.

4 ways businesses can save money on cyber insurance

CISA warns of an unusual ransomware.
The post North Korean APT targets US healthcare sector with Maui ransomware appeared first on Malwarebytes Labs.

State-sponsored North Korean threat actors have been targeting the US Healthcare and Public Health (HPH) sector for the past year using the Maui ransomware, according to a joint cybersecurity advisory (CSA) from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

CISA Director Jen Easterly also announced the CSA on Twitter.

The FBI started responding to incidents involving Maui in May 2021. This ransomware, which threat intelligence firm Stairwell first profiled, is relatively new.

> North Korean state-sponsored cyber-actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.
> 
> – CSA Alert (AA22-187A)

Unlike the ransomware we usually see, that plagues organizations and regularly hits the news, Maui is never sold or offered to affiliates as a ransomware-as-a-service (RaaS) tool. It is, instead, developed and used privately for state-backed actors.

Most notably, attackers operate Maui manually. This is on purpose, so attackers have more control over which files to encrypt when Maui is executed.

“When executed at the command line without any arguments, Maui prints usage information, detailing supported command-line parameters,” Stairwell Principal Research Engineer Silas Cutler wrote in the report. “The only required argument is a folder path, which Maui will parse and encrypt identified files.”

“Embedded usage instructions and the assessed use of a builder is common when there is an operational separation between developers and users of a malware family.”

Maui also has other unusual features—it doesn’t drop a ransom note, and uses a three-layer encryption methodology reminiscent of Conti and ShiOne.

“Instead of relying upon external infrastructure to receive encryption keys, Maui creates three files in the same directory it was executed from containing the results of its execution. These files are likely exfiltrated by Maui operators and processed by private tooling to generate associated decryption tooling,” Cutler said.

The FBI shared the indicators of compromise (IOCs) in its advisory.

Malwarebytes detects Maui ransomware as Ransom.Maui.

**Dealing with Maui ransomware**

The advisory also provides mitigation steps organizations can to prepare for, or deal with attacks using Maui ransomware. Thankfully, although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not:

*   Maintain off-site, offline backups of data and test them regularly.
*   Create a cybersecurity response plan.
*   Keep operating systems, applications, and firmware up to date.
*   Disable or harden remote desktop protocol (RDP).
*   Require multi-factor authentication (MFA) for as many services as possible.
*   Require administrator credentials to install software.
*   Report ransomware incidents to your local FBI field office.

The various agencies involved also made it clear, once again, that they strongly discourage victims from paying ransoms. It does not guarantee you will get your data back, does not free you from recovery costs (because you still have to harden your system against the next attack), and it marks you as a target for repeat attacks.

Stay safe!

North Korean APT targets US healthcare sector with Maui ransomware

Researchers have given the world a glimpse of how the FBI's An0m devices were able to eavesdrop on criminals.
The post How the FBI quietly added itself to criminals’ instant message conversations appeared first on Malwarebytes Labs.

Motherboard has disclosed some information about Operation Trojan Shield, in which the FBI intercepted messages from thousands of encrypted phones around the world. These messages are now used in courts across the world as corroborating evidence.

**Operation Trojan Shield**

The US Federal Bureau of Investigation (FBI), the Dutch National Police (Politie), and the Swedish Police Authority (Polisen), in cooperation with the US Drug Enforcement Administration (DEA) and 16 other countries, carried out one of the largest and most sophisticated law enforcement operations to date in the fight against encrypted criminal activities with the support of Europol.

We wrote about the 800 arrests that were made with the help of the backdoored phones. Law enforcement agencies around the world have long campaigned for encryption backdoors, so they can see what criminals are saying to each other. End-to-end encryption hides the content of messages from unauthorized readers, so that only the sender at one end and the receiver at the other end (or, more precisely, the sending and receiving devices) can read the content.

Unable to break the encryption of messages as they pass from one device to another, the FBI and the Australian Federal Police (AFP) came up with an ingenious plan. They decided to put themselves on the sending and receiving devices, by creating a phone they could eavesdrop on, and then marketing it to criminals as a secure device ideally suited to the demands of organized crime.

To that end, the FBI became secretly involved in An0m, a company that was working on an early version of an app to enable end-to-end encrypted communication.

**New information**

Despite several requests from defense lawyers on behalf of some of the arrested suspects, the source code of An0m was kept secret. When asked for comment, the San Diego FBI told Motherboard in a statement that

> “We appreciate the opportunity to provide feedback on potentially publishing portions of the Anom source code. We have significant concerns that releasing the entire source code would result in a number of situations not in the public interest like the exposure of sources and methods, as well as providing a playbook for others, to include criminal elements, to duplicate the application without the substantial time and resource investment necessary to create such an application. We believe producing snippets of the code could produce similar results.”

By buying an An0m device from the secondary market after the law enforcement operation was announced, and a copy of the An0m APK as a standalone file, Motherboard started digging into the code.

Without revealing much of the source code, to protect various contributors that very likely had no idea what they were working on, the decompiled source code is described as if it was thrown together in a hurry. Apparently the app was based on an existing messaging app, and freely available online tools were added to complete the intelligence gathering capabilities.

**An extra end**

What does become clear form the revealed code is how the law enforcement agencies were able to eavesdrop on the end-to-end encrypted messages. They simply added an extra end to each conversation. You could compare this to a BCC contact in an email. Only in this case both the sender and the receiver had no idea that there was another end that was able to read the encrypted messages.

The app uses Extensible Messaging and Presence Protocol (XMPP), an open communication protocol designed for instant messaging, presence information, and contact list maintenance. XMPP works by having each contact use a handle that in some way looks like an email address. For An0m, these included an XMPP account for the customer support channel that An0m users could contact. Another of these was “bot”. And bot was a hidden or “ghost” contact that made copies of Anom users’ messages. Unlike the support channel, bot hid itself from Anom users’ contact lists and operated in the background. In practice the app scrolled through the user’s list of contacts, and when it came across the bot account, the app filtered that out and removed it from view so the end users could not see they were sending extra copies to a third party.