Malwarebytes DNS Filtering is a new module that helps block access to malicious websites and limit threats introduced by suspicious content. 
The post Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules appeared first on Malwarebytes Labs.

We’re happy to announce Malwarebytes DNS Filtering, a new module for the Nebula platform which helps block access to malicious websites and limit threats introduced by suspicious content.

But how exactly does it work, you ask?

In this post, we give a basic walkthrough of the module, starting off with how to create DNS filtering rules. We’ll then show you how to set exclusions to rules and filter by certain categories, as well as how to monitor and delete the rules that you create.

Let’s get into it!

**Table of Contents**

*   **Part 1: Accessing the module**
*   **Part 2: Creating rules**
*   **2.1: Setting rule exclusions**
*   **2.2: Naming rules and setting policies**
*   **2.3: Filtering categories**
*   **2.4: Allowing and blocking domains**
*   **Part 3: Monitoring**

**Part 1: Accessing the module**

Once you add DNS filtering to your Nebula subscription, you can access the DNS filtering page on the left hand navigation.

****Part 2: Creating rules****

First, let’s take a look at the **Rules** tab.

****2.1: Setting rule exclusions****

Start by adding global exclusions. Add your private and local domains here to prevent them from being blocked by any DNS filtering rules you create.

****2.2: Naming rules and setting policies****

Give this DNS rule a name and then select the policies you want to include.

****2.3: Filtering categories****

By default, **Use preconfigured settings** is enabled for Categories.

For further customization click on the arrow to expand the categories. Each security category has an additional description and details.

Under **Content categories**, you can expand each one for a more granular level of customization.

****2.4: Allowing and blocking domains****

Under allow lists you can add domains to exclude from this DNS rule. For now we’ll leave it blank.

You can also add domains to block certain domains. Remember that while allowing or blocking the domain will include the subdomains, allowing or blocking subdomain will not include the full domain.

****Part 3: Monitoring****

Now all the endpoints under the selected policies will follow this new DNS rule. Back on the **Rules** tab, you can disable and enable and also clone and delete rules.

On the **Activity** page, you can monitor and export data based on the rules you create.

And at the bottom, there’s a table where you can review each individual block and allow. Just like you can already do in Nebula, you can use column filter filters to create group level filters.

**Elevate threat prevention for safer web browsing today**

Malwarebytes DNS Filtering module makes it easy to block websites and content, helping you align internet access with your organization’s cybersecurity and any published “acceptable use” policies.

Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules

Somerset County in New Jersey has been sent back to 1977 after a ransomware attack shut down various historical record checks.
The post Ransomware attack turns 2022 into 1977 for Somerset County appeared first on Malwarebytes Labs.

1977 was quite the year. Led Zeppelin! Jimmy Carter! Saturday Night Fever!

We can now add “a ransomware attack” to this once static list. Somerset County, New Jersey, has been hit so hard by a network assault that they’ve ended up in the direst straits imaginable, with county databases unavailable to provide information on land records and probate records, and with title searches only available for paper records that were entered before 1977.

When a ransomware attack takes out an organization, they often revert to pen and paper to keep things ticking over. This is a common feature of healthcare compromises. Everything slows down a little, but they’re still able to function in the here and now for the most part. When ransomware locks down a chunk of historical data, things apparently become much more convoluted.

**Of probates and land records**

Somerset County’s statement reads as follows in relation to the attack which happened last Tuesday:

> _Somerset County offices and buildings remain open for business as the County continues to evaluate the severity of yesterday’s ransomware cyberattack. Network-linked computers remain turned off, and county emails cannot be received or responded to by county personnel._
> 
> _Somerset County Clerk and Surrogate services that depend on access to county databases are temporarily unavailable, such as land records, vital statistics, and probate records. Title searches are possible only on paper records dated before 1977._

There’s several possibilities as to why everything post 1977 is now unavailable. Perhaps records after that date have all made the leap to digital status only, with no backups available. Maybe there are backups, but those have been encrypted by ransomware too.

**Switching to Plan B**

In an effort to keep some services moving, temporary email addresses have been brought into play:

> _To ensure residents can reach the County we have created temporary Gmail addresses for the public to use to reach critical departments such as the County Commissioners, Health, Emergency Operations, the County Clerk, Sheriff, and Surrogate._

This is certainly better than doing nothing. However, there are several concerns with approaches such as this.

*   Are the email addresses secure? Hopefully “temporary” would still mean “locked down.” At the very least, 2 Factor Authentication (2FA) is needed here. The last thing they need is several email breaches due to weak passwords or other security concerns.
*   Introducing uncertainty into what official email addresses are supposed to look like can confuse customers. A wily phisher could easily set up their own fake temporary addresses. An even smarter one would create fake Gmail addresses which look like the temporary efforts.

**Good news and bad news…**

Somerset County have confirmed the following:

*   An upcoming Primary Election is unaffected as voting machines are “never connected to the county system.”
*   Courts and Jails are functioning as normal and 911/emergency services are unaffected.
*   According to The Register, systems may be offline for “at least” the rest of this week. This isn’t great, but the ad-hoc replacement system offered currently is better than nothing.

**Tips to avoid ransomware**

*   **Encrypt and back up your data**. Keep your data encrypted whenever possible, and back up your files regularly. Store your backups externally away from the main network. Ensure your backups are stored in a logical way and not a confused mess of folders and files. You can’t get to work on recovery if you’ve no idea where everything is.
*   **Update your security software**. Help what is often your first line of defense by ensuring it’s as up to date as possible. Automate your scans and updates.
*   **Avoid strange attachments**. Malicious Word/Excel documents are a common threat, especially where Macros are concerned.
*   **Keep devices updated**. Secure devices with the latest patches. Updating your Operating System is great, but that’s not where your updating journey ends. Outdated software and applications are frequently a launchpad for exploits leading to ransomware attacks.
*   **Strengthen remote access**. Unsecured remote services are hugely popular with ransomware authors. Provide a limit on password guess attempts for remote desktops. You can also combine remote services with multifactor authentication.
*   **Use browser controls for bad ads**. Malvertising is another technique to place ransomware where it shouldn’t be. Restricting certain features like JavaScript can help, though this may make some sites unusable. Dedicated extensions which control tracking, scripts, and untrustworthy ad networks will also help.

Ransomware attack turns 2022 into 1977 for Somerset County

Robocalls and scam calls have been a longstanding problem. For 2021, the FTC has recorded its highest number of victims yet.
The post More than a quarter of Americans fell for robocall scam calls in past year appeared first on Malwarebytes Labs.

More and more Americans have been falling victim to phone scams since 2019. According to the latest report from Truecaller (Google Docs upload of the entire report, separate blog here), a known spam blocker and caller ID app, 68.4 million Americans were victimized in the last 12 months, a substantial increase from the 59.4 million victims tallied up in 2021.

Collectively, victims lost a staggering $39.5 billion, a 32.5 percent increase from the previous year. In the report, Truecaller compared this amount to the budget specifically set aside in the American Rescue Plan Act—already a wide-ranging package of $1.9 billion—for child care services, a figure approaching some $39 billion.

> “The total money lost to scams is also comparable to the entire child care budget of $39 billion for the American Rescue Plan Act. If phone scam fraud was somehow eliminated, the amount saved could fund federally subsidized child care across the U.S. for a full year to help families and employers.”
> 
> Truecaller Insights 2022 US Spam and Scam Report

This increase in victims directly correlates with the increased number of scam calls received by Americans. More than half of these scam calls (61.1 percent) came from robocallers. This could mean two things: scammers have found a way to beat the framework, or the STIR/SHAKEN program is just not that effective.

STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) is an Federal Trade Commission (FCC) framework that “digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is in fact from the number displayed on Caller ID.” This framework was fully implemented on June 30, 2021.

**A change in attitude towards phone calls**

Truecaller has noted Americans’ change in preference when it comes to communication. Robocalls and spam calls have created “an environment of great distrust” regarding phone calls, the report said. As such, 60 percent of Americans have preferred communicating with people via other means, such as text, email, and social media.

Unfortunately, this learned habit of avoiding calls from unknown numbers has other side effects. According to the Truecaller report, because Americans attempt to avoid phone calls from numbers they don’t recognize, 63 percent also feel like they missed important calls. On top of that, people find it more difficult than ever to reach anyone via a phone call because calls are often ignored just to avoid spam.

Despite this, robocall scams persist, emphasizing the scale and severity of the problem.

More than a quarter of Americans fell for robocall scam calls in past year

German ISPs are working on the introduction of TrustPid. A supercookie that is intended to replace tracking cookies.
The post TrustPid is another worrying, imperfect attempt to replace tracking cookies appeared first on Malwarebytes Labs.

German ISPs are considering the introduction of TrustPid, a new type of “supercookie” that comprises of a unique identifier which will be issued for each customer that will be able to track what that customer is doing online.

The providers are trying to sell this idea by telling the public that the identifier can never be tracked back to an individual and that something needs to be done to keep the internet free.

**The end of the tracking cookie**

Where does this attempt come from, you may ask. Advertisers are seeing the end of the tracking cookie on the horizon and it’s coming closer.

Google has announced that it will stop the use of third-party cookies in Chrome by the end of 2023, joining a growing list of browsers that are saying farewell to the tracking cookies. And Apple already blocks default tracking everywhere.

Social media and tech giants, including Google, are already looking at other business models to replace tracking cookies since they are the ones that benefited the most from targeted advertising, by providing the most useful information to the advertisers.

What makes supercookies different is that they are unique identifiers that are inserted into the HTTP header by a service provider. Unlike normal cookies they do not get stored in browsers or browser plug-ins.

**Free internet**

The idea of a free internet—as communicated by some of these companies—is not that they are signing you up as a customer free of charge. Wouldn’t that be nice? No, the idea is that websites that are providing content need to make a living. And the usual income for most of those sites comes from advertising. Why the ISP providers feel that it is part of their job description to enable targeted advertising escapes me. But undoubtedly the goal is to improve the bottom line.

Targeted advertising is more rewarding than regular advertising since it supposedly enormously enhances the effect of the advertisement. At least, that’s the idea that most advertisers live by, and sell to their customers. But here’s something to consider: According to research by Cloudflare, 20 percent of websites that serve ads receive visits almost exclusively by fraudulent click bots, and that bots comprise roughly 50 percent of all Internet traffic. Imagine how much money advertisers could save by effectively tackling ad fraud. Plus, that sounds a lot better than tagging another tracker on us.

**Hiding consent**

The worst bit of your ISP enabling the tracking is that every user has to sign some sort of agreement with them. In this agreement the ISP can hide the TrustPid consent in a long End-user License Agreement (EULA) that almost no-one ever reads and which can probably not be declined partially. It’s all or nothing if you want or need this provider. And if one provider successfully monetizes this idea, I’m afraid others will quickly follow suite.

Another advantage of an ISP is that they know if and when the IP of your home connection changes and for mobile devices they can even enumerate the users within a household by identifying the individual devices.

**History**

The idea of ISPs issuing supercookies is certainly not new. Verizon was the example that should have served as a history lesson here. In 2016, Verizon had to settle with the FCC over its use of a supercookie, which tracked the websites visited by phones on its network. They were fined because they forgot to inform the customers or give them an opt-out option. Verizon had to pay a fine of $1.35 million and was ordered to receive customer permission before sharing tracking data with other companies or even within its own organization.

**How it works**

The network provider will first combine your mobile number and IP address to generate a pseudonymous network identifier, after which using that identifier they will generate a pseudonymous unique token (TrustPid).

This TrustPid is used to create additional marketing tokens for the websites of advertisers and publishers you visit (website specific tokens). Advertisers and publishers aren’t (shouldn’t be) able to identify you as a person via the website specific tokens.

Where you have given consent, advertisers and publishers will use the website specific tokens to provide you with targeted online marketing, or conduct analytics. The advertisers and publishers that you’ve consented to could be drawn up in a list that will be in the hands of the ISP, but you can manage your consent for those parties at any time via the Privacy Portal.

I inserted the “shouldn’t be” since we are all too aware that many good intentions have unexpected consequences. Let’s suppose that you fill out your details on one of the websites that you decided to trust. Introduce one XSS vulnerability and all your personal details could be linked back to your TrustPid.

**Mitigation**

Because of the lack of technical details provided about TrustPid, we are not completely clear how a user can avoid being tracked. But I asked German privacy expert Andreas Dewes and he responded:

> “a device level VPN with integrated DNS should be able to block this kind of tracking.”

Once we know more, there might be easier and simpler ways to get around this. We’ll keep you posted.

TrustPid is another worrying, imperfect attempt to replace tracking cookies

We break down three ways DNS filtering can help save your business from cyberattacks.
The post 3 ways DNS filtering can save SMBs from cyberattacks appeared first on Malwarebytes Labs.

If you’re an SMB, chances are that you’re already well-aware of the fact that cyber threats can wreak havoc on your business. 

Everything from rootkits to ransomware threaten not just financial losses, but also significant network downtime and reputational damage as well. Couple this with the fact that many cyberthreats are web-based, and you might be stuck wondering how best to secure your business online. 

That’s where DNS filtering comes in. 

But first, DNS in a nutshell. So normally, every time your customer types in your web address, their computer makes a request to a DNS server. The DNS server, in turn, tells the computer where to go. If all goes well, then voila, your customer is at your website. 

A DNS filter stops you from accessing unsafe websites—including those posing a strong malware risk. But which web-based cyberthreats in particular does DNS filtering stop, you ask? 

In this post, we’ll break down three ways DNS filtering can help save your business from cyberattacks. 

**1\. Blocks phishing websites**

Let’s say someone at your company gets an email from their “bank” asking them to update their password.  

Not knowing it’s a fake, this employee clicks a link taking them to a malicious website that looks exactly like the original. Your employee then fills in some  sensitive info, maybe even downloads a malicious file — and bam, just like that, criminals now have access to your network, allowing them to install malware, steal data and spread ransomware. 

You might recognize this as one example of phishing, an attack where cybercriminals trick potential victims into sharing sensitive information or giving the perpetrator privileged access to a network. 

Luckily, by blocking the domain names of phishing sites, a DNS filter can nip attacks in the bud. 

Here’s how it works: DNS filtering references databases of known nefarious domain names. Databases of malicious websites can also be sorted into threat categories, such as spyware, typosquatting, cryptomining, and so on. From there, your organization can block malicious sites like these sites to secure their environment against phishing attacks.  

In other words, if you have a DNS filter, as soon as that same employee clicks a link to a malicious website —they’re prevented from visiting it. 

**2\. Secures you against machine-in-the-middle attacks **

Imagine you’re at a cafe chatting with a trusted friend, sharing private details about your lives with one another. You probably wouldn’t appreciate it if some random stranger was tuning into the conversation, listening carefully to every word. 

Such a scenario roughly analogous to what a machine-in-the-middle attack (MITM, also referred to as a man-in-the-middle attack) is — except in a MITM attack, the stakes are much higher. Cybercriminals in MITM attacks can steal your personal information, passwords, or banking details by intercepting the data sent between you and an application.  

One type of man-in-the-middle attack businesses should worry about is DNS spoofing. 

In a DNS spoofing attack, a hacker sits in the middle of this process. So when the computer of that same customer makes a request to a DNS server, asking where your website is, a hacker can instead redirect your computer to a malicious website! 

From there, hackers can phish sensitive customer or business information — as described above. These types of attacks are where DNS encryption, included in any good DNS filter, is essential. It secures the connection between your computer and the DNS resolver, so that cybercriminals not sit between you and and feed you spoofed DNS entries.

**3\. Detects potential DDoS attacks **

The last thing any business wants is to suffer from a Distributed Denial of Service (DDos) attack. 

You can think of a DDos attack as being kind of like a zombie invasion. Using an army of bots called a botnet, a cybercriminal can use thousands or even millions of “zombie” computers to flood your website, ultimately overloading it and bringing it down. 

The end result? Brand damage, angry customers — and often even lost revenue. 

One type of DDos attack is called a DNS flood, where the cybercriminal uses their army of bots to overwhelm a DNS server and prevent it from directing legitimate requests to your website. 

And, as is the case with most cyberthreats, the earlier you spot a potential DNS DDos attack, the better. Being able to continuously monitor DNS activity is a great way to catch the warning signs of a DNS DDoS attack — and with a DNS filter, you can do exactly that. 

**Protect your end users and your organization from web-based threats **

The web is full of dangerous corners.  

It’s a breeding ground for phishing attacks, spyware, common viruses and malware, not to mention ransomware. And as these attacks continue to increase in frequency and sophistication, it’s never been more important for SMBs to secure themselves online.  

But while having a DNS filter is great way to do that, many small and mid-size organizations don’t invest in one — leaving them exposed. 

The Malwarebytes DNS Filtering module for the Nebula platform helps block access to malicious websites and limit threats introduced by suspicious content. It blocks phishing sites, encrypts all DNS requests, and tracks website traffic to detect potential DDoS attacks. 

To top it all off, Malwarebytes DNS Filtering controls are available in the same platform used for powerful threat prevention and trusted remediation — including our Incident Response, Endpoint Protection, and Endpoint Detection and Response offerings.

3 ways DNS filtering can save SMBs from cyberattacks

We look at a mail claiming to offer enhanced online payment security. Just what is that QR code doing?
The post Phishing mail claims a 3D Secure upgrade is required appeared first on Malwarebytes Labs.

Today we took a look at a phishing mail pinning its hopes on a QR code linking to a bogus website. Scammers claim that your mail address has “not been registered for the 3D Secure Security Update”.

3D Secure phishing mail

The mail reads as follows:

Dear Sir / Madam,

Our administration has shown that the data linked to this email address: {redacted} has not yet been registered for the 3D Secure security update. From May 30, 2022, the new security system has come into effect.
We therefore request that you activate the 3D Secure security.

Scan the QR code below with the camera of your smartphone to be redirected to the security form.

You can then use the new 3D Secure password for online payments with your credit card.

For even more payment convenience, you can download the ICS App. You can then approve your online payments via the app and no longer have to remember a password.

We wish you a lot of ease of payment with your Card!

**What is 3D Secure?**

3D Secure is an additional layer of security for online payments. The name “3D Secure” refers to the 3 domains which interact whenever you make use of the protocol: Merchant, issuer, interoperability domain. 3DS2 is due to replace 3DS sometime in 2022 as the original is slowly phased out.

Encouraging potential victims to strengthen their security by inadvertently walking into a trap is a common tactic. Tying it in with 3D Secure is arguably more original than most, especially as it’s perhaps a bit of a niche aspect of secure payments. Perhaps confusing victims with some very specific technobabble is the point.

**The rogue website**

Victims arrive on the site via a redirect URL.

Fake login

The site emulates a well known organisation which issues credit cards in the Netherlands. It asks for name, date of birth, postcode and house number, mobile, and email.

After this, victims arrive on a “please wait while we check your details” notification. The details entered have already been sent, and they’ll be waiting on that page for a very long time. Curiously, no request for card details is made. We suspect whoever runs the site will follow up by mail or phone and finish the scam off by asking for payment information.

**The QR Code factor**

Quick Response (QR) code scams come around every so often. Sometimes rogue codes are pasted over, or close to, genuine codes. Other times, codes are tampered with. They’re also a feature of Bitcoin ATM scams.

Where phishing is concerned, it’s important to not misunderstand how these attacks work and cause unnecessary panic. Most QR code scanners on mobile devices will show you a preview of the URL you’re about to visit, so it boils down to being able to recognise the signs of a dubious URL, just as it would if the attackers had incldued a link. (This is probably why the attack used a redirect.)

As a result, best practices for regular phishing attacks still apply.

Phishing mail claims a 3D Secure upgrade is required

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now.
The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a zero-day remote code vulnerability, ‘Follina’, already being exploited in the wild via malicious Word documents.

_**Q: What exactly is Follina?**_

A: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

_**Q: But what does it mean, and is this a serious vulnerability?**_

A: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn’t require users to enable macros.

**_Q: What is Microsoft doing about it?_**

A: Microsoft has offered mitigation steps that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.

_**Q: Does Malwarebytes protect against Follina?**_

A: Yes, it does. Please see additional steps below based on your product to ensure you are protected.

**How to add protection with Malwarebytes**

We are working on releasing a new version of Anti-Exploit that won’t require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.

**Malwarebytes Premium (Consumer)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

**Malwarebytes Nebula (Enterprise)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

Threat actors are using a new method to take over WhatsApp accounts. It starts with tricking the victim into forwarding their calls.
The post WhatsApp accounts hijacked by call forwarding appeared first on Malwarebytes Labs.

In a short post on LinkedIn  Rahul Sasi, founder and CEO of CloudSEK, explains how WhatsApp account takeovers are possible.

The methods consists of several steps and it takes some social engineering skills, but it’s good to be aware of the possibility and how it works. It starts with the threat actor reaching out to a victim and convincing them to call a specific number.

**Call forwarding**

The number the threat actor will try to convince you to call is not always the same, but most of the times it will look like this **67*<10 digit number> or *405*<10 digit number>.

Both numbers trigger call forwarding, which redirects a telephone call to another number. It is available on most, if not of all, phone carrier’s systems and supported by most modern phones.

****67*<10 digit number>** forwards all your calls to the 10 digit number.

***405*<10 digit number>**  forwards calls, if your number is busy, to the 10 digit number.

The numbers between asterisks are not the same for every phone carrier, but according to Sasi, these two are likely to render the best success rates. The 10-digit number is always a phone number controlled by the attacker.

**WhatsApp**

While you are calling one of the numbers, the threat actor triggers the WhatsApp registration process for your phone number and chooses the option to send a One Time Password (OTP) via phone call.

To protect your account, WhatsApp will send you a push notification when someone tries to register a WhatsApp account with your phone number. If an attacker is trying to take over your account, they need the verification code sent to your phone number to do so. Without this code, any user attempting to verify your number can’t complete the verification process and use your phone number on WhatsApp.

But since your number is busy, either of the call methods mentioned earlier will forward the OTP to the threat actor, who receives the OTP code they need to take over your WhatsApp account, unless you have enabled two-step verification. Once the threat actor has taken over your account they will undoubtedly enable this to make it harder for you to take back control.

**Mitigation**

It is worth saying that you should be wary of strangers asking you to call strange numbers. Remember that no matter what the technicalities are, scammers almost always want you to act hastily, so take your time in the face of strange and unexpected requests.

You may also want to look up the call forwarding methods that your phone carrier uses, so you can recognize attempts of this kind.

To secure your WhatsApp account with Two-step verification, follow these steps:

1.  Open WhatsApp settings
2.  Tap Account > Two-step verification > Enable
3.  Enter a 6 digit PIN and confirm.
4.  Provide an email address in case you ever need to reset the PIN.
5.  Tap next. Confirm email.
6.  Tap save or done.

To help you remember your PIN, WhatsApp will prompt you to periodically enter it. Unfortunately, there isn’t an option to disable this without disabling the two-step verification feature.

Remember this can happen to your friends and family too. WhatsApp fraud already is booming and if the threat actor actually controls the WhatsApp account of someone you trust, their success rate will be even bigger.

**Aftermath**

WhatsApp is end-to-end encrypted and messages are stored on your device, so someone accessing your account on another device can’t read your past conversations.

But it is prudent, if you suspect someone else is using your WhatsApp account, to notify family and friends as this threat actor could impersonate you in chats and groups as they try to monetize their access.

If you lose access to your WhatsApp account or suspect someone else is using your account, refer to the WhatsApp FAQ article Stolen accounts.

Stay safe, everyone!

WhatsApp accounts hijacked by call forwarding

RansomHouse, a new extortion group, distances itself from ransomware. However, it seems like it had ties to ransomware groups in the past.
The post Threat profile: RansomHouse makes extortion work without ransomware appeared first on Malwarebytes Labs.

Cybersecurity is an industry known for many hats: white hats, black hats, and grey hats. White hats refer to “the good people” in the industry for those who are not in the know. They are malware analysts, security researchers, and penetration testers. Black hats are the opposite of white hats, and we collectively refer to them as cybercriminals.

The existence of a third hat is intriguing but not surprising. It denotes black hats have the potential to be and do good. On the other hand, white hats can put one foot on the dark side while leaving a reassuring foot in the light.

Security researchers have speculated that a new extortion group called RansomHouse is a collection of “frustrated” white hats who have collectively been pushed to the point of punishing organizations that continue to have lax security in their infrastructure.

**RansomHouse 101**

RansomHouse is a new extortion group that gets into victims’ networks by exploiting vulnerabilities to steal data and coerces victims to pay up, lest their data is sold to the highest bidder. And if no criminal is interested in buying the data, the group leaks it on their leak site.

This group is also unique in the way it extorts money from victims. They appear to market themselves as penetration testers and bug bounty hunters more than your average online extortionist. After stealing data from targets, they offer to delete it and then provide a full report on what vulnerabilities they exploited and how.

Like ransomware groups, they also have channels in place—a Telegram account and a leak site—to communicate with victims, journalists, and those who want to track their activities.

RansomHouse’s main page and leak page where the group lists its victims. (Source: Marcelo Rivero | Malwarebytes)

RansomHouse is believed to have emerged in December 2021 and currently has four victims, the first of which was Canada’s Saskatchewan Liquor and Gaming Authority (SLGA), a regulator of alcohol, cannabis, and most gambling in the province, which first reported a breach in that same month and year.

According to the “About” page on RansomHouse’s Onion site, they call themselves “a professional mediators community.”

Below are reprints of sections from that page:

    We have nothing to do with any breaches and don't produce or use any ransomware. Our primary goal is to minimize the damage that might be sustained by related parties.
    
    We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone in.
    
    But evolution cannot be stopped, fitting structures emerge in every environment, and so groups of enthusiasts have emerged on the grounds of data negligence, eager to get paid honestly by streamlining this chaos through public punishment. These methods of making money and pointing out companies' mistakes may be controversial, and when you recall that we are talking about billion-dollar corporations on the opposing side, it becomes clear why the RansomHouse team is so important to engage in dialogue. That is what this project is all about - bringing conflicting parties together, helping them to set up a dialogue and make informed, balanced decisions. The team works hard to find a way out of even the most difficult situations and allow both parties to go forward without changing rules as they go along. Incompetence and fuss is unacceptable when dealing with such cases, which is exactly what happens most often. Here and now we are creating a new culture and streamlining this industry.

The “About” page, which reads more like a manifesto, is telling. First, it openly declares that organizations, not the cybercriminals after their data, are the real “culprits” for certain types of cyberattacks. Second, the bug hunters who find flaws in systems or networks owned by organizations, which may not have a bounty program in place, must be recognized for the time and effort to find these flaws and be compensated appropriately.

Cyberint’s Shmuel Gihon indicated that RansomHouse is “practically forcing ‘penetration testing service’ on organizations that never used their services or rewarded bug bounties.”

Lastly, the group puts itself at the center as an entity that’ll make things right, calling this entire endeavor a “project” instead of what it really is: an extortion scheme with the facade of a good samaritan. The group’s actions benefit no one but them and their associates, embolden others to act out their frustration, and—if they are indeed white hats in a midlife crisis—slowly erode the foundations of trust and integrity the cybersecurity industry stands on.

**Links with ransomware groups**

RansomHouse has been firm about its non-use of ransomware in its exploits despite the group’s name. They also reportedly do not encrypt files they stole from organizations. However, it is worth noting that the group has a history of collaborating with ransomware gangs, such as White Rabbit.

BleepingComputer pointed out the group was mentioned in one of White Rabbit’s ransom notes.

One can also see RansomHouse’s possible link to the Hive ransomware group.

Hagar Margolin, cyberanalyst for Webz.io, a company providing machine-defined web data, pointed out the uncanny similarities of Hive’s leak site post to that of RansomHouse’s.

A side-by-side comparison of Hive ransomware’s victim post versus a victim post from RansomHouse’s Tor site. (Source: Webz.io)

**Are they really disgruntled bug bounty hunters?**

Bug hunting could be a way of living. Much like many of the jobs within the cybersecurity industry, it’s not as glamorous as some people make it.

Of course, getting rich hunting for inherent flaws would depend on the severity of the bug found and the availability of a bounty program in an organization. Bug hunting wouldn’t be as lucrative if one or both of these aren’t fully satisfied.

Gihon assessed that RansomHouse “might have a blue and red team background and might even be disgruntled bug bounty hunters looking to be taken more seriously by organizations.” In cybersecurity, a “blue team” plays the role of Defender in a cyberattack. In contrast, a “red team” plays the role of Adversary.

What led Cyberint to this theory is RansomHouse’s overall professional demeanor when communicating with others. They were seen as polite and focused, not easily swayed away into irrelevant conversations. The group also claimed they’re “pro-freedom,” “very liberal,” and won’t have anything to do with radical hacktivists or espionage groups.

Cyberint also touched on a known problem within the bug bounty community that is currently brewing.

“Many of the bug bounty hunter community members have been complaining for some time now about companies that do not want to pay the bounty for their hard labour while still enjoying its fruits,” Gihon said. “Bug bounty programs also increase their commissions making the bug bounty hunter a very frustrating profession.”

The struggles with bug hunting may be real, but according to one expert, even calling RansomHouse a group of bug hunters could be inaccurate.

In an interview with BleepingComputer, Emsisoft Threat Analyst Brett Callow said that actors behind the White Rabbit ransomware may be behind RansomHouse:

> “The RansomHouse platform is supposedly used by ‘club members’ who carry out attacks using their own tools—and, according to them, those tools include ransomware such as White Rabbit. I suspect, however, that their claims are untrue and that the same individuals who carry out the attacks are also behind RansomHouse.”

Regardless of the group’s origins, one thing is clear: they are going after organizations that they have decided are not doing enough to secure their clients’ data. They pose a threat similar to ransomware groups. This should be enough reason for organizations of any size to work with their IT teams in strengthening the business’s overall security posture.

Threat profile: RansomHouse makes extortion work without ransomware

We take a look at a Runescape-themed phishing mail targeting players of the smash MMORPG title, and explain how they steal the data.
The post Runescape phish claims your email has been changed appeared first on Malwarebytes Labs.

A Runescape-themed missive landed in our email inbox today, claiming action is required to secure our account.

The malicious email and the scam behind it are perfect examples of one of the more reliable tactics in the world of phishing—fooling a victim into thinking they need to take some action as part of a larger, ongoing process. With this tactic, phishing email recipients could ask themselves: Is this a mis-sent mail? Should I jump in halfway through whatever’s being proposed and course correct? Will I be sent additional worrying emails if I don’t?

As bait, it’s perfect.

**The scam**

This email is being fired out to random addresses; it’s not a targeted attack. The phisher is simply hoping that of all the recipients, a few have an account with the service they’re imitating. In this case, the mail is spoofing players of Runescape, the popular free MMORPG title from Jagex. It reads as follows:

“Your email address has been changed”

> _YOUR EMAIL ADDRESS  
> HAS BEEN CHANGED_
> 
> _You have successfully changed the registered email address for your RuneScape and Old School RuneScape account._
> 
> _Your account log-in details remain unchanged but your registered email address for all future password resets will be: \[email removed\]_
> 
> _To cancel this change, please click on the button below._
> 
> _CANCEL CHANGE_
> 
> _Button not working for you? Copy the URL below into your browser:_

Recipients may panic that their address has been accidentally added to someone else’s account and want to fix it as soon as possible. Alternatively, they may actually _have_ a Runescape account and worry at the sight of seeing an unfamiliar email address as the “new” address for the account. Either way, people will click the link to see what this is all about.

**The scam site**

The site claims to be Old School Runescape, making use of a URL similar to the real thing. It asks visitors for a variety of data. First up is email / username and password.

Bogus login request

Secondly, it asks for the visitor’s authenticator code. Lastly, the site asks for their bank PIN.

“Enter the bank pin”

In Runescape, the “bank” is where the player stores their items. Someone with access to all of this can perform a fairly comprehensive clean-out of the victim’s account.

**Discordant behaviour**

The manner of sending the victim’s information is quite interesting. Looking at the code on the final submission page reveals the following reference to Discord:

Discord Webhooks

This is a technique where JavaScript is used to send automated messages to Bots in Discord channels via Webhooks. The email, password, authenticator code, and bank PIN will in theory all be posted to whichever channel the Bot resides. From there, people may be sitting waiting for new messages to pop up and then steal the account manually before the authentication codes expire.

**Avoiding Runescape phishing attempts**

Runescape has plentiful support guides to help steer players away from harm. A list of the most popular scam attempts can be found on their forum. Note that “Your email address has been changed” is listed, along with the following explainer:

> _Note how a phishing email says the change will be made unless you click something. If someone tries to change your email, Jagex will send an email to confirm the change before any changes are made. No changes are made if you don’t confirm it._

There’s also a dedicated phishing report centre, and several support articles which cover:

*   Suspicious emails
*   Fake websites
*   Staff impersonation

For a more detailed dive into phishing and tips for avoiding all manner of phish attack techniques, read our in-depth guide.