We look at a mail claiming to offer enhanced online payment security. Just what is that QR code doing?
The post Phishing mail claims a 3D Secure upgrade is required appeared first on Malwarebytes Labs.

Today we took a look at a phishing mail pinning its hopes on a QR code linking to a bogus website. Scammers claim that your mail address has “not been registered for the 3D Secure Security Update”.

3D Secure phishing mail

The mail reads as follows:

Dear Sir / Madam,

Our administration has shown that the data linked to this email address: {redacted} has not yet been registered for the 3D Secure security update. From May 30, 2022, the new security system has come into effect.
We therefore request that you activate the 3D Secure security.

Scan the QR code below with the camera of your smartphone to be redirected to the security form.

You can then use the new 3D Secure password for online payments with your credit card.

For even more payment convenience, you can download the ICS App. You can then approve your online payments via the app and no longer have to remember a password.

We wish you a lot of ease of payment with your Card!

**What is 3D Secure?**

3D Secure is an additional layer of security for online payments. The name “3D Secure” refers to the 3 domains which interact whenever you make use of the protocol: Merchant, issuer, interoperability domain. 3DS2 is due to replace 3DS sometime in 2022 as the original is slowly phased out.

Encouraging potential victims to strengthen their security by inadvertently walking into a trap is a common tactic. Tying it in with 3D Secure is arguably more original than most, especially as it’s perhaps a bit of a niche aspect of secure payments. Perhaps confusing victims with some very specific technobabble is the point.

**The rogue website**

Victims arrive on the site via a redirect URL.

Fake login

The site emulates a well known organisation which issues credit cards in the Netherlands. It asks for name, date of birth, postcode and house number, mobile, and email.

After this, victims arrive on a “please wait while we check your details” notification. The details entered have already been sent, and they’ll be waiting on that page for a very long time. Curiously, no request for card details is made. We suspect whoever runs the site will follow up by mail or phone and finish the scam off by asking for payment information.

**The QR Code factor**

Quick Response (QR) code scams come around every so often. Sometimes rogue codes are pasted over, or close to, genuine codes. Other times, codes are tampered with. They’re also a feature of Bitcoin ATM scams.

Where phishing is concerned, it’s important to not misunderstand how these attacks work and cause unnecessary panic. Most QR code scanners on mobile devices will show you a preview of the URL you’re about to visit, so it boils down to being able to recognise the signs of a dubious URL, just as it would if the attackers had incldued a link. (This is probably why the attack used a redirect.)

As a result, best practices for regular phishing attacks still apply.

Phishing mail claims a 3D Secure upgrade is required

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now.
The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a zero-day remote code vulnerability, ‘Follina’, already being exploited in the wild via malicious Word documents.

_**Q: What exactly is Follina?**_

A: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

_**Q: But what does it mean, and is this a serious vulnerability?**_

A: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn’t require users to enable macros.

**_Q: What is Microsoft doing about it?_**

A: Microsoft has offered mitigation steps that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.

_**Q: Does Malwarebytes protect against Follina?**_

A: Yes, it does. Please see additional steps below based on your product to ensure you are protected.

**How to add protection with Malwarebytes**

We are working on releasing a new version of Anti-Exploit that won’t require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.

**Malwarebytes Premium (Consumer)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

**Malwarebytes Nebula (Enterprise)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

Threat actors are using a new method to take over WhatsApp accounts. It starts with tricking the victim into forwarding their calls.
The post WhatsApp accounts hijacked by call forwarding appeared first on Malwarebytes Labs.

In a short post on LinkedIn  Rahul Sasi, founder and CEO of CloudSEK, explains how WhatsApp account takeovers are possible.

The methods consists of several steps and it takes some social engineering skills, but it’s good to be aware of the possibility and how it works. It starts with the threat actor reaching out to a victim and convincing them to call a specific number.

**Call forwarding**

The number the threat actor will try to convince you to call is not always the same, but most of the times it will look like this **67*<10 digit number> or *405*<10 digit number>.

Both numbers trigger call forwarding, which redirects a telephone call to another number. It is available on most, if not of all, phone carrier’s systems and supported by most modern phones.

****67*<10 digit number>** forwards all your calls to the 10 digit number.

***405*<10 digit number>**  forwards calls, if your number is busy, to the 10 digit number.

The numbers between asterisks are not the same for every phone carrier, but according to Sasi, these two are likely to render the best success rates. The 10-digit number is always a phone number controlled by the attacker.

**WhatsApp**

While you are calling one of the numbers, the threat actor triggers the WhatsApp registration process for your phone number and chooses the option to send a One Time Password (OTP) via phone call.

To protect your account, WhatsApp will send you a push notification when someone tries to register a WhatsApp account with your phone number. If an attacker is trying to take over your account, they need the verification code sent to your phone number to do so. Without this code, any user attempting to verify your number can’t complete the verification process and use your phone number on WhatsApp.

But since your number is busy, either of the call methods mentioned earlier will forward the OTP to the threat actor, who receives the OTP code they need to take over your WhatsApp account, unless you have enabled two-step verification. Once the threat actor has taken over your account they will undoubtedly enable this to make it harder for you to take back control.

**Mitigation**

It is worth saying that you should be wary of strangers asking you to call strange numbers. Remember that no matter what the technicalities are, scammers almost always want you to act hastily, so take your time in the face of strange and unexpected requests.

You may also want to look up the call forwarding methods that your phone carrier uses, so you can recognize attempts of this kind.

To secure your WhatsApp account with Two-step verification, follow these steps:

1.  Open WhatsApp settings
2.  Tap Account > Two-step verification > Enable
3.  Enter a 6 digit PIN and confirm.
4.  Provide an email address in case you ever need to reset the PIN.
5.  Tap next. Confirm email.
6.  Tap save or done.

To help you remember your PIN, WhatsApp will prompt you to periodically enter it. Unfortunately, there isn’t an option to disable this without disabling the two-step verification feature.

Remember this can happen to your friends and family too. WhatsApp fraud already is booming and if the threat actor actually controls the WhatsApp account of someone you trust, their success rate will be even bigger.

**Aftermath**

WhatsApp is end-to-end encrypted and messages are stored on your device, so someone accessing your account on another device can’t read your past conversations.

But it is prudent, if you suspect someone else is using your WhatsApp account, to notify family and friends as this threat actor could impersonate you in chats and groups as they try to monetize their access.

If you lose access to your WhatsApp account or suspect someone else is using your account, refer to the WhatsApp FAQ article Stolen accounts.

Stay safe, everyone!

WhatsApp accounts hijacked by call forwarding

RansomHouse, a new extortion group, distances itself from ransomware. However, it seems like it had ties to ransomware groups in the past.
The post Threat profile: RansomHouse makes extortion work without ransomware appeared first on Malwarebytes Labs.

Cybersecurity is an industry known for many hats: white hats, black hats, and grey hats. White hats refer to “the good people” in the industry for those who are not in the know. They are malware analysts, security researchers, and penetration testers. Black hats are the opposite of white hats, and we collectively refer to them as cybercriminals.

The existence of a third hat is intriguing but not surprising. It denotes black hats have the potential to be and do good. On the other hand, white hats can put one foot on the dark side while leaving a reassuring foot in the light.

Security researchers have speculated that a new extortion group called RansomHouse is a collection of “frustrated” white hats who have collectively been pushed to the point of punishing organizations that continue to have lax security in their infrastructure.

**RansomHouse 101**

RansomHouse is a new extortion group that gets into victims’ networks by exploiting vulnerabilities to steal data and coerces victims to pay up, lest their data is sold to the highest bidder. And if no criminal is interested in buying the data, the group leaks it on their leak site.

This group is also unique in the way it extorts money from victims. They appear to market themselves as penetration testers and bug bounty hunters more than your average online extortionist. After stealing data from targets, they offer to delete it and then provide a full report on what vulnerabilities they exploited and how.

Like ransomware groups, they also have channels in place—a Telegram account and a leak site—to communicate with victims, journalists, and those who want to track their activities.

RansomHouse’s main page and leak page where the group lists its victims. (Source: Marcelo Rivero | Malwarebytes)

RansomHouse is believed to have emerged in December 2021 and currently has four victims, the first of which was Canada’s Saskatchewan Liquor and Gaming Authority (SLGA), a regulator of alcohol, cannabis, and most gambling in the province, which first reported a breach in that same month and year.

According to the “About” page on RansomHouse’s Onion site, they call themselves “a professional mediators community.”

Below are reprints of sections from that page:

    We have nothing to do with any breaches and don't produce or use any ransomware. Our primary goal is to minimize the damage that might be sustained by related parties.
    
    We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone in.
    
    But evolution cannot be stopped, fitting structures emerge in every environment, and so groups of enthusiasts have emerged on the grounds of data negligence, eager to get paid honestly by streamlining this chaos through public punishment. These methods of making money and pointing out companies' mistakes may be controversial, and when you recall that we are talking about billion-dollar corporations on the opposing side, it becomes clear why the RansomHouse team is so important to engage in dialogue. That is what this project is all about - bringing conflicting parties together, helping them to set up a dialogue and make informed, balanced decisions. The team works hard to find a way out of even the most difficult situations and allow both parties to go forward without changing rules as they go along. Incompetence and fuss is unacceptable when dealing with such cases, which is exactly what happens most often. Here and now we are creating a new culture and streamlining this industry.

The “About” page, which reads more like a manifesto, is telling. First, it openly declares that organizations, not the cybercriminals after their data, are the real “culprits” for certain types of cyberattacks. Second, the bug hunters who find flaws in systems or networks owned by organizations, which may not have a bounty program in place, must be recognized for the time and effort to find these flaws and be compensated appropriately.

Cyberint’s Shmuel Gihon indicated that RansomHouse is “practically forcing ‘penetration testing service’ on organizations that never used their services or rewarded bug bounties.”

Lastly, the group puts itself at the center as an entity that’ll make things right, calling this entire endeavor a “project” instead of what it really is: an extortion scheme with the facade of a good samaritan. The group’s actions benefit no one but them and their associates, embolden others to act out their frustration, and—if they are indeed white hats in a midlife crisis—slowly erode the foundations of trust and integrity the cybersecurity industry stands on.

**Links with ransomware groups**

RansomHouse has been firm about its non-use of ransomware in its exploits despite the group’s name. They also reportedly do not encrypt files they stole from organizations. However, it is worth noting that the group has a history of collaborating with ransomware gangs, such as White Rabbit.

BleepingComputer pointed out the group was mentioned in one of White Rabbit’s ransom notes.

One can also see RansomHouse’s possible link to the Hive ransomware group.

Hagar Margolin, cyberanalyst for Webz.io, a company providing machine-defined web data, pointed out the uncanny similarities of Hive’s leak site post to that of RansomHouse’s.

A side-by-side comparison of Hive ransomware’s victim post versus a victim post from RansomHouse’s Tor site. (Source: Webz.io)

**Are they really disgruntled bug bounty hunters?**

Bug hunting could be a way of living. Much like many of the jobs within the cybersecurity industry, it’s not as glamorous as some people make it.

Of course, getting rich hunting for inherent flaws would depend on the severity of the bug found and the availability of a bounty program in an organization. Bug hunting wouldn’t be as lucrative if one or both of these aren’t fully satisfied.

Gihon assessed that RansomHouse “might have a blue and red team background and might even be disgruntled bug bounty hunters looking to be taken more seriously by organizations.” In cybersecurity, a “blue team” plays the role of Defender in a cyberattack. In contrast, a “red team” plays the role of Adversary.

What led Cyberint to this theory is RansomHouse’s overall professional demeanor when communicating with others. They were seen as polite and focused, not easily swayed away into irrelevant conversations. The group also claimed they’re “pro-freedom,” “very liberal,” and won’t have anything to do with radical hacktivists or espionage groups.

Cyberint also touched on a known problem within the bug bounty community that is currently brewing.

“Many of the bug bounty hunter community members have been complaining for some time now about companies that do not want to pay the bounty for their hard labour while still enjoying its fruits,” Gihon said. “Bug bounty programs also increase their commissions making the bug bounty hunter a very frustrating profession.”

The struggles with bug hunting may be real, but according to one expert, even calling RansomHouse a group of bug hunters could be inaccurate.

In an interview with BleepingComputer, Emsisoft Threat Analyst Brett Callow said that actors behind the White Rabbit ransomware may be behind RansomHouse:

> “The RansomHouse platform is supposedly used by ‘club members’ who carry out attacks using their own tools—and, according to them, those tools include ransomware such as White Rabbit. I suspect, however, that their claims are untrue and that the same individuals who carry out the attacks are also behind RansomHouse.”

Regardless of the group’s origins, one thing is clear: they are going after organizations that they have decided are not doing enough to secure their clients’ data. They pose a threat similar to ransomware groups. This should be enough reason for organizations of any size to work with their IT teams in strengthening the business’s overall security posture.

Threat profile: RansomHouse makes extortion work without ransomware

We take a look at a Runescape-themed phishing mail targeting players of the smash MMORPG title, and explain how they steal the data.
The post Runescape phish claims your email has been changed appeared first on Malwarebytes Labs.

A Runescape-themed missive landed in our email inbox today, claiming action is required to secure our account.

The malicious email and the scam behind it are perfect examples of one of the more reliable tactics in the world of phishing—fooling a victim into thinking they need to take some action as part of a larger, ongoing process. With this tactic, phishing email recipients could ask themselves: Is this a mis-sent mail? Should I jump in halfway through whatever’s being proposed and course correct? Will I be sent additional worrying emails if I don’t?

As bait, it’s perfect.

**The scam**

This email is being fired out to random addresses; it’s not a targeted attack. The phisher is simply hoping that of all the recipients, a few have an account with the service they’re imitating. In this case, the mail is spoofing players of Runescape, the popular free MMORPG title from Jagex. It reads as follows:

“Your email address has been changed”

> _YOUR EMAIL ADDRESS  
> HAS BEEN CHANGED_
> 
> _You have successfully changed the registered email address for your RuneScape and Old School RuneScape account._
> 
> _Your account log-in details remain unchanged but your registered email address for all future password resets will be: \[email removed\]_
> 
> _To cancel this change, please click on the button below._
> 
> _CANCEL CHANGE_
> 
> _Button not working for you? Copy the URL below into your browser:_

Recipients may panic that their address has been accidentally added to someone else’s account and want to fix it as soon as possible. Alternatively, they may actually _have_ a Runescape account and worry at the sight of seeing an unfamiliar email address as the “new” address for the account. Either way, people will click the link to see what this is all about.

**The scam site**

The site claims to be Old School Runescape, making use of a URL similar to the real thing. It asks visitors for a variety of data. First up is email / username and password.

Bogus login request

Secondly, it asks for the visitor’s authenticator code. Lastly, the site asks for their bank PIN.

“Enter the bank pin”

In Runescape, the “bank” is where the player stores their items. Someone with access to all of this can perform a fairly comprehensive clean-out of the victim’s account.

**Discordant behaviour**

The manner of sending the victim’s information is quite interesting. Looking at the code on the final submission page reveals the following reference to Discord:

Discord Webhooks

This is a technique where JavaScript is used to send automated messages to Bots in Discord channels via Webhooks. The email, password, authenticator code, and bank PIN will in theory all be posted to whichever channel the Bot resides. From there, people may be sitting waiting for new messages to pop up and then steal the account manually before the authentication codes expire.

**Avoiding Runescape phishing attempts**

Runescape has plentiful support guides to help steer players away from harm. A list of the most popular scam attempts can be found on their forum. Note that “Your email address has been changed” is listed, along with the following explainer:

> _Note how a phishing email says the change will be made unless you click something. If someone tries to change your email, Jagex will send an email to confirm the change before any changes are made. No changes are made if you don’t confirm it._

There’s also a dedicated phishing report centre, and several support articles which cover:

*   Suspicious emails
*   Fake websites
*   Staff impersonation

For a more detailed dive into phishing and tips for avoiding all manner of phish attack techniques, read our in-depth guide.

Runescape phish claims your email has been changed

The FBI warns of education sector credentials being placed for sale on the dark web. We take a look at the risks involved.
The post FBI warns of education sector credentials on dark web forums appeared first on Malwarebytes Labs.

The FBI is warning academics to be on their guard, as an embattled education sector continues to experience attacks and breaches, with data spilling onto the so-called dark web. The government agency’s Private Industry Notification \[PDF\] cites US academic credentials up for grabs from a variety of sources.

**A stepping stone to compromise**

From the summary:

> _The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations._

Data for sale is not unusual. Phishing, social engineering, and credential stuffing are often the end result. Dumps of education/university data can offer specific in-roads into campus networks, or further harvesting of student and employee credentials or personal information. Additionally, the FBI warns:

> _If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations._

**A wide range of data possibilities**

Private sites and regular forums aren’t the only cause for concern. The FBI also observed data sitting on instant messaging platforms too. Some of their findings:

*   **Late 2020**: 2,000 unique username/password .edu combinations were up for sale on the dark web. Payment for this was made via donations to an unspecified Bitcoin wallet.
*   **May 2021**: Over 36,000 email/password combinations for .edu addresses were observed on a “publicly available instant messaging platform.” This apparently fed into other unnamed illegal activities.
*   **January 2022**: “Russian cyber criminal forums” were offering network and VPN credentials, both for sale or free to access. Screenshots showing the attacker’s proof of access is common on portals such as this. Prices of stolen accounts ranged from “a few to multiple thousands of US dollars.”

**Keeping the education sector safe: an uphill struggle**

This warning comes at a time of sustained cyber attacks in and around education. Last year, the FBI warned of an increase in ransomware targeting institutions. Sure enough, in 2022 we’ve seen colleges close down and data lost. There’s also constant concerns over cyber security funding to contend with.

The FBI recommends colleges, universities, and other academic entities establish and maintain strong relationships with the FBI field office in their region, along with observing the various mitigation strategies in their notification alert. We expect to see more data dumps and breaches over the coming months, but hopefully careful observation of security procedures and mitigations will make a dent in some criminal’s plans.

**Tips from the FBI**

*   Keep operating systems up to date, and patch in a timely fashion. Beware of End of Life (EOL) support for systems and applications.
*   Implement user training to reduce the risk of phishing and social engineering.
*   Use strong passwords, avoid password reuse, and establish lock-out rules for incorrect attempts.
*   Encourage the use of multifactor authentication (MFA) for as many services as possible, including webmail, VPN, and critical systems.
*   Reduce credential exposure by restricting where accounts can be used alongside local device credential protection features.
*   Segment networks to help prevent spread of malware and unauthorized access.
*   Automate security scanning, and use monitoring tools to help identify network abnormalities and compromise attempts.
*   Secure and closely monitor remote desktop protocol (RDP) use, alongside restricting login attempts and using additional authentication measures for logging in remotely.

FBI warns of education sector credentials on dark web forums

Dutch scientists have demonstrated the next step towards a quantum-based Internet that will make communications immediate and private
The post Is quantum teleportation the future of secure communications? appeared first on Malwarebytes Labs.

“Beam me up Scotty” will always remain my first association with teleportation. And as it stands now, we are still a long way from teleporting matter, but the teleportation of information has recently made a huge step forward. Researchers in Delft say they have succeeded in teleporting quantum information across a rudimentary network.

This teleportation technology will not enable us to send information to any “out of this world” destinations, but it could allow us to send information to parts of this world instantly.

The scientists have demonstrated the immediate transfer of one bit of information. This means the information does not travel along a path, so it cannot be intercepted. This is just a small step on a very long journey, but if we follow the journey all the way to the end the implications for the future of the Internet and secure communication are enormous.

**One bit**

Quantum computing harnesses the laws of quantum mechanics to solve problems too complex for classical computers.

In quantum computing the basic unit of information is the quantum bit, or qubit. A qubit is different from the binary bits most current computers are based on—binary bits have two states: 0 and 1, while qubits have three states: The 0 and 1 that binary bits have, and a state that will return TRUE for both 0 and 1. You could say the third state is both 0 and 1 at the same time.

Quantum networking uses quantum mechanics to “teleport” qubits of information between the quantum computers on the network instantly and securely.

**Connected**

Teleporting information relies on quantum entanglement, where two or more quantum particles form an “inseparable whole”, so that actions performed on one particle affect the other instantaneously, even if they are thousands of miles apart.

The sender and the receiver need to be in an “entangled” state before they can exchange information, and doing this requires a physical connection.

What was new about the step the Dutch scientists demonstrated is the fact that the sender and receiver were not directly connected. The sender, Alice, and the receiver, Charlie, both had a physical connection to Bob, the intermediary.

For this, Alice and Bob create an entangled state between their processors. Bob then stored his part of the entangled state. Next, Bob creates an entangled state with Charlie. A quantum mechanical “sleight of hand” is then performed. Bob sends the entanglement on, as it were, by carrying out a special measurement in his processor. Results: Alice and Charlie are now entangled, and the teleporter is ready to be used!

**Not sending the information over the connection**

The actual teleportation from Charlie to Alice can now take place. For that purpose, Charlie carries out a joint measurement with the message on his quantum processor and on his half of the entangled state (Alice has the other half). What happens is something that is possible only in the quantum world: As a result of this measurement, the information disappears on Charlie’s side and immediately appears on Alice’s side.

Alice carries out the relevant quantum operation for decrypting the quantum bit. After Alice has carried out the correct operation, the quantum information is suitable for further use. The teleportation has succeeded!

**More research needed**

While this was an important step in their research the scientist needs to solve several other problems before this technology is ready to replace the communication technology we use today.

One essential step for everyday use is finding a method to store the quantum information to be teleported while the entanglement is being created. Only then can the teleportation be carried out completely on request.

The network used in the demonstration is inside one building. Sending quantum information between these processors is not easy. One possibility is to send quantum bits using light particles but, due to the inevitable losses in glass fiber cables, especially over long distances, the light particles will very likely not reach their destination. As it is fundamentally impossible to simply copy quantum bits, the loss of a light particle means that the quantum information is irrecoverably lost.

In the lab, the researchers will focus on adding more quantum bits to their three-node network and on adding higher level software and hardware layers.

PhD student Matteo Pompili, who is part of the team working on this research, said:

> “Once all the high-level control and interface layers for running the network have been developed, anybody will be able to write and run a network application without needing to understand how lasers and cryostats work. That is the end goal.”

For those interested in all the technical details, the full research paper was published in Nature.

Is quantum teleportation the future of secure communications?

Researchers around the world are working to understand a new remote code vulnerability in Microsoft Office dubbed Follina.
The post Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug) appeared first on Malwarebytes Labs.

Several researchers have come across a novel attack that circumvents Microsoft’s Protected View and anti-malware detection.

The attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the ms-msdt protocol URI scheme to load some code, and then execute some PowerShell.

All of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn’t it?

Well, you’d be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.

Jerome Segura, Malwarebytes’ Senior Director, Threat Intelligence:

> This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office’s remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.

The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office **Follina**, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.

**Affected versions**

Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.

While the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.

Researcher Kevin Beaumont provides the example where an attacker can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.

As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.

**Mitigation**

There are a few things you can do to stop some or all of the “features” used in this type of attack.

**Unregister the ms-msdt protocol**

Will Dormann, a vulnerability analyst at the CERT/CC has published a registry fix that will unregister the ms-msdt protocol.

Copy and paste the text into a notepad document:

*   Click on **File**, then **Save As…**
*   Save it to your Desktop, then name the file disable_ms-msdt.reg in the file name box.
*   Click **Save**, and close the notepad document.
*   Double-click the file disable_ms-msdt.reg on your desktop.

Note, if you are prompted by User Account Control, select **Yes** or **Allow** so the fix can continue.

*   A message will appear about adding information into the registry, click **Yes** when prompted
*   A prompt should appear that the information was added successfully

**Disable preview in Windows Explorer**

If you have the preview pane enabled, you can:

*   Open File Explorer.
*   Click on **View** Tab.
*   Click on **Preview Pane** to hide it.

**Enable Malwarebytes’ Block penetration testing attacks**

The Malwarebytes’ **Block penetration testing attacks** setting is an aggressive detection setting that will block this attack. It is not enabled by default because while enabling it provides additional blocking capabilities for Exploit Protection it can increase false positives, or result in other application conflicts.

To enable it:

*   Open **Settings**
*   Click **Security**
*   Choose **Advanced settings**
*   Tick **Block penetration testing attacks**

Microsoft Office zero-day “Follina”—it’s not a bug, it’s a feature! (It’s a bug)

An organisation dedicated to providing food for those in need suffered a double-whammy of fraud costing them upwards of $63,000.
The post Double-whammy attack follows fake Covid alert with a bogus bank call appeared first on Malwarebytes Labs.

The BBC has revealed details of how a food bank in the UK was conned out of about $63,000 (£50,000) by scammers who used two separate attacks to fleece their victims.

A food bank is a way for people to ensure they don’t starve. They are a backstop during times of economic uncertainty, and have been hugely important during the pandemic. An attack on a food bank is an attack on the most vulnerable that’s likely to have a significant impact on a community, and which could have a terrible knock-on effect.

There’s no indication that the fraudsters deliberately targeted the food bank, but whether they did or not, it loses little in awfulness to hospitals impacted by ransomware outbreaks.

This is how the two attacks occurred:

**Part 1, a bogus NHS Test and Trace message**

The initial attack was a fake NHS Test and Trace message.

From PPE offers to test and trace messages, COVID has been a mainstay of phishing since early 2020. No matter the region, the pandemic ushered in an age of fake delivery notifications and bogus “You may be infected” websites.

In this case, an SMS message was sent to the target claiming they had been in close contact with somebody who was Covid-19 positive.

We have seen these kinds of messages is sent out by SMS and email. Scammers may claim that tests are mandatory (they are not). Sites may collect the victim’s name, address, phone number, email, or more besides, and at the end of the flow, they may ask for a “postage fee” and your payment details.

In this case the scammers asked for payment for a PCR test. The demand for payment might once have been a red flag, but since the end of free testing in the UK, it isn’t.

For most people, this is where the scam ends. Sadly this isn’t the case here. The small payment was used as a stepping stone to significantly greater losses.

**Part 2, a call from a fake bank**

The victims called their bank, suspicious of fraud. By an unfortunate coincidence, the criminals called the food bank trustees back pretending to be their bank.

It’s possible the fraudsters took the card details given to them in the first scam and figured out which bank it belonged to. For example, the first 4 to 6 digits of a Bank Identification Number (BIN) can reveal the card issuer. Armed with this information, the scammers would know which bank they need to pose as. (It’s also possible they never mentioned the bank at all—someone already in touch with a bank may not suspect anything amiss from a supposed follow-up call.)

Either way, the scammers asked if any “linked accounts” could have been affected. Concerned for the food back, the victims handed over its bank account details. The scammers proceeded to empty the account of “well over $63,000” across a two-day period.

**Tips to avoid this scam**

Routine contact tracing ended in the UK in February 2022, so any messages that don’t arrive via the official NHS app should be treated as bogus.

If you receive a call from your bank, call them back using a number from their website. Don’t use a phone number (or any other information) provided by the caller, and don’t provide any identifying information until you are sure you are talking to your bank.

Double-whammy attack follows fake Covid alert with a bogus bank call

Australia, India, Japan, and the US recently met to discuss pressing matters in the Info-Pacific, including cybersecurity.
The post The Quad commits to strengthening cybersecurity in software, supply chains appeared first on Malwarebytes Labs.

The United States, Australia, and its Asian partners—India and Japan—have agreed to work on several cybersecurity initiatives on software, supply chain, and user data.

The countries’ leaders, who convened in Tokyo on May 24, 2022, have met annually four times since the revival of the alliance—formally called the Quadrilateral Security Dialogue, or simply the Quad—during the 2017 ASEAN Summits in Manila, Philippines.

A year ago, they supported regional countries to build cybersecurity resilience and counter disinformation. The group also assisted the Indo-Pacific in countering the growing ransomware threat and countering cybercrime.

US President Joe Biden, Australian Prime Minister Anthony Albanese, Indian Prime Minister Narendra Modi, and Japan Prime Minister Fumio Kishida issued a joint statement, stating their renewed commitment to deepening cooperation in addressing some pressing challenges currently facing the Indo-Pacific region: The ongoing COVID-19 pandemic, infrastructure, climate change, peace and stability (in light of the Ukraine invasion), and cybersecurity.

“In an increasingly digital world with sophisticated cyber threats we recognize an urgent need to take a collective approach to enhancing cybersecurity,” the White House said. “To deliver on the Quad Leaders’ vision for a free and open Indo-Pacific, we commit to improving the defense of our nations’ critical infrastructure by sharing threat information, identifying and evaluating potential risks in supply chains for digitally enabled products and services, and aligning baseline software security standards for government procurement, leveraging our collective purchasing power to improve the broader software development ecosystem so that all users can benefit.”

The Quad also plans to create a Quad Cybersecurity Partnership. They will coordinate “capacity building programs” within the region and launch a Quad Cybersecurity Day to “help individual Internet users across our nations, the Indo-Pacific region, and beyond to better protect themselves from cyber threats.”

The White House said the Quad will meet again next year in Australia.