Three tech giants used World Password Day to announce their commitment to a passwordless future using FIDO Alliance standards.
The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

> In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

**Microsoft, Google, and Apple**

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

**FIDO2**

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

**Will it work?**

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

> \[I am concerned about\] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

Google, Apple, and Microsoft step hand in hand into a passwordless future

We take a look at reports that the Discord channel for the OpenSea NFT marketplace has been compromised and used to send out rogue links.
The post OpenSea warns of Discord channel compromise appeared first on Malwarebytes Labs.

OpenSea, the primary marketplace for buyers and sellers of non-fungible tokens (NFTs), has reported major problems with its Discord support channel. How major? Well, there’s a “potential vulnerability” which allowed spambots to post phishing links to other users. A problem that lead OpenSea Support to declare “please do not click any links in the Discord.”

> We are currently investigating a potential vulnerability in our Discord, please do not click on any links in the Discord.
> 
> — OpenSea Support (@opensea\_support) May 6, 2022

There’s no further information on how this occurred, but situations like this can happen if a channel’s administrator gets phished. If Discord had suffered a software vulnerability we would expect to see other channels being compromised too.

The spam messages originate from something called “Carl-Bot”. Discord channels typically make use of bots for low-level admin duties, general assistance and so on. Carl-Bot itself is a common sight across Discord, with lots of time saving features. Sadly, spamming phish links is not supposed to be one of them.

**Carl-bot! No!**

If Carl-Bot was present in the channel prior to the compromise, its purpose has been changed and not for the better. Here’s some of the spam Carl-bot was pushing out:

The spam message reads as follows:

> Important announcement
> 
> We have partnered with YouTube to bring their community into the NFT space, and we’re releasing a mint pass with them that will allow holders to mint their project for free along with getting other insane utilities for being a holder of it.

The bot then mentions the limited supply of free items it is definitely, absolutely giving away to “fortunate” individuals:

> You are able to get this mint pass below for 100% free. There will only be 100 of these however, once they are gone they won’t be coming back.
> 
> You can mint the YouTube Genesis Mint Pass here for free \[url removed\]

Fear of missing out (FOMO) is a huge driver in the NFT space, with the emphasis on scarcity of supply and rare, non-replicable items. In addition to that, YouTube has previously announced intentions to move into the NFT space. Seeing messaging like the above in the official OpenSea support Discord is bound to trick a lot of enthusiasts.

**The scam site recedes into the distance**

Here’s the site as it looked a few short hours ago:

The site right now is a blank page save for mention of a Twitter account, which has no content or likes posted to it. It could be the calling card of whoever did this, or it could be misdirection on the part of the site owner. Either way, Malwarebytes blocks the URL in question.

**Protecting Discord**

This is a developing story and information is thin on the ground. Having said that, there are still some things to keep in mind:

1.  **You can often avoid scams like these with a little common sense**. Even a trusted Discord channel can turn rogue if someone compromises the right account. But would a rare, NFT-themed giveaway _only_ be referenced in this _one_ channel and nowhere else? It seems unlikely.
2.  **Use 2FA and a password manager**. We don’t know what the phishing page was trying to obtain, but it will be something valuable, which probably means cryptocurrency or Discord logins. You can make it harder to steal your Discord login by using a password manager and two-factor authentication (2FA). While 2FA tokens can be phished, it sets a higher bar for scammers to clear, and a password manager will not enter your password into a phishing site.

**Protecting your cryptocurrency**

Protecting your cryptocurrency is all about keeping your private cryptographic keys and recovery phrases private. If you control them, you decide what happens to your money and what transactions to make. If somebody else controls them, they get to decide. Sites or random Discord accounts asking for recovery phrases should be avoided, as you risk losing all your funds for good.

The safest way to keep your keys safe is to store them offline, in a “cold wallet” that isn’t connected to the Internet. Even if you do that, your coins aren’t safe if you willingly send them to somebody though. Don’t send funds to Bitcoin addresses promising to double your payment, no matter which celebrity appears to be endorsing it.

OpenSea warns of Discord channel compromise

We take a look at a message from an Instagram contact promising big wins in Bitcoin profits. Is it everything that it seems?
The post Steer clear of these Instagram “Get rich with Bitcoin” scams appeared first on Malwarebytes Labs.

I don’t know about you, but I open Instagram to look at cool photos of pets, not to make a fortune via suspicious claims of riches by strangers.

Despite this, following someone whose photos I liked resulted in a very peculiar message.

It’s possible I waved goodbye to a path to untold riches. Maybe if I’d stayed the course I’d now have my own “Become a millionaire in six months or less” e-book.

However, it’s more likely I dodged a Bitcoin scam. The kind of scam where I’d have to use screenshots of my bank account slowly being drained of all available funds for my next blog post.

Shall we take a look?

****Introducing my good friend, Steven McBitcoin****

This is the message that greeted me from my newest Instagram contact, who for ease of reference I’ve dubbed Steven McBitcoin:

**Steven**: Hello 

Good day

Are you interested in bitcoin mining?

I mean, oh boy am I ever. Possibly not quite in the way they were expecting, though. I decided to go with the “I don’t know anything, tell me more approach” with the vaguely non-committal:

**Me**: Hello possibly, how come?

**Steven**: I’m willing to teach you about bitcoin, coach you on how to invest and earn your profits as soon as possible. With a minimum investment of $1,000 I guarantee you of making $10,000 directly into your bank account, bitcoin wallet or any withdrawal method of your choice.

Understood?

A definitely real promise of money beyond my wildest dreams

Well now, that’s _quite_ the promise. $10,000 dollars from $1,000 guaranteed? What could possibly go wrong…apart from everything?

**How do I make this kind of money?**

The messages continue to rumble on. Now we’re getting into the nuts and bolts of how this stack of digital currency shall be mine.

**Me**: Where would I invest and how?

**Steven**: Do you have cashapp, coinbase, crypto.com or Trust wallet?

It appears I’ve reached the “pretend you have one of the options mentioned and see what he says next” stage of the proceedings.

**Me**: Cashapp

**Steven**: OK good

Now go to your cashapp main page and send me the screenshot so I can give you direct guidelines on how to get paid.

You got it?

Generally speaking, sending people screenshots of the inside of your payment or bank portals is _not_ a great idea—you can give away a lot about yourself.

This is also often used as a distraction by people who simultaneously ask for other details, such as logins. Consider it a distant cousin of the “please turn off your anti-virus while installing the dolphin.exe file you got from Limewire” technique.

**The pinky-swear of digital currency**

I wanted to know a little more about the guaranteed return of $10,000. That’s quite the generous deal. Some people would say it’s almost too good to be true.

I am absolutely one of those people.

**Me**: i have a question. How do you guarantee that i make $10,000 from $1,000? is there a time limit on when i should hit the 10k? what happens if i don't or I end up with less? is the guarantee in writing or anything?

Let’s see what cast-iron agreement he has in store. I simply cannot wait to find out how good this is. Getting it in writing? Of course I’ll be getting it in writing.

**Steven**: You profit is safe and guaranteed that I can very well assure you and you'll also get your money in less than 2 hours

You won't end up less than but instead even an higher profit from your trade.

I need you to believe me when I say that you have absolutely nothing to worryabout, just follow my lead and you'll be the one to thank me later OK.

Send me the screenshot let's proceed with your trade now.

Turns out the guarantee is “dude, trust me”. At this point, in the best documentary tradition, I made my excuses and left (by which I mean I blocked and reported him).

Notice how insistently pushy he becomes towards the end of the conversation. I imagine he’s already moved on to beguiling the next victim with tales of gigantic Bitcoin victory. Hopefully they block and report Mr McBitcoin too.

**Common Instagram Bitcoin scams**

Sadly, people promising get rich quick Bitcoin schemes on Instagram are a growing market of garbage and dross. There is currently no end of people on Facebook bemoaning the loss of their account to any one of the scams listed below:

1.  **Big wins, short timespan**: Claims that you’ll make big returns on smaller investments rapidly are a red flag, as is pressure to transfer funds as quickly as possible. If someone you know suddenly starts talking about all the money they’re making thanks to their “Bitcoin mentor”—run away. It’s another very common scam related to compromised accounts.
2.  **Send me the money**: On a similar note, asking you to go off and buy digital currency then send it to another person’s wallet to “invest” are likely going to get you nothing but an empty wallet.
3.  **Held hostage to cryptocurrency**: Many videos regarding wild claims of Bitcoin success are actually incredibly creepy hostage videos. This is where people previously scammed out of their cash are made to film promos to keep the scam going.
4.  **A change in circumstances**: If you’re asked to change your login details / email address to something somebody else has given you, you’ll simply be locked out of your account and it’ll be used to spam others.
5.  **When profit becomes taxing**: Here’s one which started with a $1,000 deposit—just like the messages I received—and actually did finish up with a supposed profit of $15,000. Unfortunately for the victim, the scammer then asked for a $15,000 “tax payment” in order to release the now stolen funds. The thousand dollars are not coming back.

If you receive a get rich quick missive, you may wish to report it and block the sender. You can do this on Instagram by selecting the “…” next to the Follow button, then choosing **Report** > **report account** > **posting content that shouldn’t be on Instagram** > **scam or fraud**.

At the risk of resurrecting the “if it’s too good to be true…” dead horse, it has a fair bit of merit here. If someone had the secret to huge amounts of wealth, they wouldn’t be sharing it with random people on Instagram. Sadly, the only people making bank from this kind of deal or offer are the scammers pulling the strings in the first place.

Steer clear of these Instagram “Get rich with Bitcoin” scams

Sites offering premium apps are popping up all over YouTube comments and elsewhere. Are they legit?
The post Steer clear of fake premium mobile app unlockers appeared first on Malwarebytes Labs.

A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this “glitch” or generator without ever clarifying what, exactly, either of them are, or do.

The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” (Jailbreaking is the practice of breaking out of the iPhone’s default, highly-restricted mode, and getting “root” is the rough equivalent on an Android device.) That’s what they _claim_, anyway. There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.

Get your premium content here…

No matter which app you select though, the outcome is the same.

A page informs you of the last time the app was updated, your IP address, whether the app is compatible with your device, and “no injection detected”.

They go on to say the following:

> App injection required!
> 
> Follow the steps on the next page. To get started, we first need to inject the content into this app. This is a simple process and you will only have to do this once to get access.

Despite claiming that this process will “only work” on mobile, they’re being somewhat liberal with the truth. You absolutely can start the so-called injection process on a desktop, because there is no injection process, it’s all fake.

Here’s a supposed “Premium Unlocker” for OnlyFans.

Fake OnlyFans Premium Unlocker

When you start the “injection process” a message saying “Injecting: connecting with your phone” pops up, whether you’re using a phone or not.

It’s all a fraud. We’re redirected to a domain aimed at promoting ad offers / surveys / deals to mobile users. We are, rather nostalgically, in the land of the survey scams. At one point these seemed to be the only form of fakeout in town, made massively popular by gating non-existent unicorn deals behind walls of clickthrough ads.

**A stack of empty promises**

If you were promised a game, you’d get a demo version. Money off vouchers? You’d likely have to spend more signing up to deals to receive one in the first place. In other words, it was a massive scam factory for people up to no good. Note the desperation on the prompt urging to you to keep opening up new offers before receiving your non-existent reward:

“Please install more!”

All you’re likely to get from this is:

*   Surveys or popups
*   Malicious mobile downloads
*   Signup offers that require personal information or payment.

You could easily go into this thing expecting free premium content for your service of choice, and exit with spyware or monthly payments for subscription services you don’t actually need. As a rule, free versions of paid-for apps offered on random websites simply do not exist. Sites which claim to offer hacks or generators for titles like Roblox, FIFA, or GTAV, are simply making it up. They will almost certainly be a survey scam or something else you don’t want to get involved in.

If you’re really in need of premium versions of services you use, you’re better off paying for them. At the very least, it has to be better than spinning the wheel on sites like the above and hoping you don’t get burned.

Steer clear of fake premium mobile app unlockers

You won't believe what some account-takeover scammers say.
The post How Instagram scammers talk users out of their accounts appeared first on Malwarebytes Labs.

If you’ve dealt with a scammer, you’ll know that making up stories is their bread and butter. Think about it: Just when you thought you’d heard all the infamous 419 scam backstories, scammers surprise you with a “stuck astronaut” scam, something so utterly hilarious, nonsensical, and otherworldly that you’ve just _got_ to tell your friends and families about it.

While the 419 cosmonaut backstory (surprisingly!) has layers of truth to it, your typical Instagram scam story doesn’t have an iota of fact it can stand on. But because the stories that hook someone were designed to trigger an instant emotional response and a sense of urgency, Instagram scammers are more effective at getting the job done speedily.

Mind you, scammers are not after _every_ Instagram user. They just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door.

Instagram scammer backstories vary, but the scams themselves follows one pattern: They ask you for help, tell you their backstory, and put their fate in your hands.

Here are some of the stories that scammers are known to use:

*   “I’m launching my own product line“.
*   “I’m in a competition and need you to vote for me“.
*   “I’m trying to get verified on Instagram and need people to confirm my fanbase with a link“.
*   “I need a help link to get into Instagram on my other phone“. (This is a very common tactic.)
*   “I’m contesting for an ambassadorship spot at an online influencers program“. This one is surprisingly popular, with fake ambassadors everywhere.

Regardless of the script they’re following, scammers will say you’ll receive a link on your phone via SMS. They will then ask you not to click the link but merely take a screenshot and send the image back to them.

The link is a legitimate Instagram “forgotten password” URL for your account, and scammers want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out.

It’s impossible to say what fraudsters will say next just to get you to screenshot a forgotten password link. Regardless, any requests for link screenshots should be treated with extreme suspicion. Whether product lines or ambassador programs, you can safely ignore these messages and report the sender.

Stay safe out there!

How Instagram scammers talk users out of their accounts

April 2022 saw the arrival of three new ransomware gangs and the unwelcome return of an old enemy.
The post Ransomware: April 2022 review appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

April 2022 was most notable for the emergence of three new ransomware-as-a-service (RaaS) groups—**Onyx**, **Mindware**, and **Black Basta**—as well as the unwelcome return of **REvil**, one of the world’s most notorious and dangerous ransomware operations.

**An old enemy returns**

**REvil** (aka Sodinokibi) first appeared in May 2020 and has been responsible for numerous high-profile ransomware attacks, including arguably the biggest ransomware attack of all time—a supply-chain attack on Kaseya VSA in July 2021 that is thought to have affected over 1,000 businesses.

REvil disappeared shortly after the Kaseya attack, only to emerge again a few months later, before being forced offline on October 21, 2021, by a multi-country operation. A string of arrests followed, and then in January—in an act of unprecedented co-operation—Russia’s Federal Security Service (FSB) announced that it had dismantled the REvil group and charged its members, thanks to information provided by the USA.

REvil now seems to have returned to the fray with new payloads, and a new leak blog displaying a mixture of new victims and old victims known to have been attacked by REvil.

**New gangs emerge**

**Black Basta** made a name for itself very quickly by coming out of nowhere and carrying out at least eleven successful breaches in April 2022. That ability to perform so many attacks so quickly has led some to speculate that Black Basta is a re-brand of an existing group that already has affiliates.

**Onyx** is a new ransomware gang based on the old Chaos builder. At first, some suspected that Onyx may be a wiper rather than ransomware because it destroyed files larger than 2MB instead of encrypting them. It seems likely that this behavior is the result of a bug in the notoriously poorly-written ransomware builder though.

Another newly-emerged gang is **Mindware**, which appears to have started operations in mid-March using a well-known ransomware strain called SFile2 (aka Escal)—but it was not until April that it began to practice “double extortion”, where data is stolen before it’s encrypted so that victims are faced with the twin threats of data they can’t decrypt, and leaks of sensitive information.

****Ransomware attacks in April 2022****

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

****Attacks by ransomware type****

Despite its rapid start, the activities of Black Basta and the other newly-emerged types of ransomware were dwarfed in April by three established threats: LockBit, Conti, and AlphV, which made up 60 percent of all the known breaches in our analysis.

Known ransomware attacks in April 2022 by type of ransomware

Known ransomware attacks in April 2022 by country

Known ransomware attacks in April 2022 by industry

****Ransomware mitigations****

Source: IC3.gov

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
*   Implement network segmentation, such that all machines on your network are not accessible from every other machine.
*   Install and regularly update antivirus software on all hosts, and enable real-time detection.
*   Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
*   Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
*   Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
*   Consider adding an email banner to emails received from outside your organization.
*   Disable hyperlinks in received emails.
*   Use double authentication when logging into accounts or services.
*   Ensure routine auditing is conducted for all accounts.
*   Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

****How Malwarebytes protects against ransomware****

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Ransomware: April 2022 review

We take a look at the latest FBI report on Business Email Compromise which reveals $43 billion in losses from 2016 to 2021.
The post The $43 billion Business Email Compromise threat appeared first on Malwarebytes Labs.

The FBI has released a public service announcement regarding the ever-present threat of Business Email Compromise (BEC). This comes hot on the heels of an earlier release from the Las Vegas FBI department in April. Losses continue to mount, and we’re currently facing a scam racking up domestic and international losses of $43 billion.

**What is Business Email Compromise?**

BEC attacks, also known as CEO/CFO fraud, is financial in nature and targets organisations of all sizes The basic game plan is to pretend to be someone at executive level, and then convince an employee to help them wire funds outside of the company. Loss numbers are frequently significant, and it’s a very appealing tactic for scammers looking to get rich quick.

As the FBI points out, the goal is not always a direct fund transfer:

> _One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallet_s.

With any foothold gained inside the organisation, BEC attempts which run into frustration can potentially pivot into other areas of attack as we’ll mention later. With so many avenues of approach, it’s no wonder BEC attracts the attention of law enforcement at the highest levels.

**The FBI BEC numbers game**

*   $43 billion vanished between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
*   The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
*   The overwhelming number of organisations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.

The report goes into more detail, but the short version is that US organisations are suffering quite a bit from this type of attack. It’s possible that BEC still isn’t as well known as it should be. It’s also possible that the pandemic has contributed to a lack of funds for appropriate security measures and training for employees. Whatever the reason, we’ve definitely reached the part where alarm bells are ringing loud and clear.

**The rise of cryptocurrency in BEC fraud**

As with so many forms of online criminal activity, law enforcement is noticing an increase in cryptocurrency use. This area of concern is particularly fascinating, first identified in BEC attacks in 2018 and continuing to build through to 2021 with just over $40m in exposed losses. This will almost certainly continue to increase. No BEC fraudster will turn down the chance of fast transactions easily made online with a degree of anonymity attached to the process. Here’s what the FBI has to say about some of the cryptocurrency tactics deployed:

> _The IC3 tracked two iterations of the BEC scam where cryptocurrency was utilized by criminals. A direct transfer to a cryptocurrency exchange (CE) or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency._

_Source: FBI report on BEC losses_

**6 tips to avoid BEC scams**

1.  Your business should have an approved method for money transfers and anything of a financial nature. If cash goes out of the organisation in any way, it has to stick to the process. Deviating under any circumstance is a tiny gap in your armour that could prove fatal. “We only did it one time” often results in “We just lost a terrifying amount of money somehow”. Urgent same-day requests for wire transfers? Head straight to the page which hopefully insists upon no urgent same-day wire transfer requests ever.
2.  Some form of authentication to confirm your CEO/CFO is pulling the money-lever for real should be in place. Phone conversations are great for this. Any accounts tied to exec level should also have some form of Multi-Factor Authentication (MFA) attached to it whether or not there’s financial activity involved. Email accounts? Internal logins? Anything at all? App-based authentication or a physical hardware token is the way to go. Sometimes attackers aren’t just spoofing real emails, they’re compromising them to send money requests too. Authentication will go a long way to ward this threat off.
3.  You can’t realistically hide who your executives are from the world at large. One way or another, they’re going to be on an “About Us” page. Limit the amount of data exposure. Consider placing generic “catch-all” email addresses on the contact page. It doesn’t _have_ to be their actual, personal email address. Don’t tell everyone on social media that the CEO is on vacation for a week, or even just travelling. When people targeted by BEC scams are potentially hard to get hold of, BEC fraudsters will likely strike.
4.  Email security plays a big part in cutting these attacks off at source. Deactivate accounts belonging to former employees, especially if they were part of the exec team: Malicious activity is a feature of old, abandoned addresses. Rules for suspicious looking emails coming into the organisation and also being sent around internally should be made use of. Any form of digital authentication/digital signatures to verify the sender will also help. Prominent “external sender” flags on mails are very handy tools to cut down on mail imitation.
5.  If the BEC tactics aren’t working, the attacker could decide to switch to malware instead. Emails from random addresses containing attachments such as fake invoices should be quarantined, especially when mail security tools detect potential keywords or phrases related to BEC indicators. Boobytrapped Excel sheets, for example, are one of the mainstays of ransomware compromise. Don’t dodge the BEC bullet only to be taken down by file encryption on a massive scale instead.
6.  Tell employees that it’s _totally fine_ to question requests for payment or money transfer, especially if totally out of the blue. Even more so if it’s not something they’d have any involvement in. Why _is_ the CEO asking someone in building maintenance to help them wire $30,000 through Hong Kong at 3 in the morning?

**The challenge of BEC compromise**

This is clearly a tricky problem to get to grips with, or else the FBI wouldn’t be publishing multiple alerts and public service announcements about it. The ever-increasing losses speak for themselves. The slowly growing relevance of cryptocurrency to BEC attacks paints a stark picture of where this tactic is headed. Try to implement as many of the tips above as possible.

Most importantly, don’t be pressured into sending money without doing some additional digging first. It may well prove to be one of the smartest work decisions you’ll ever make.

The $43 billion Business Email Compromise threat

Scamming, phishing and other data theft is all part of Nigeria Tesla's portfolio.
The post Nigerian Tesla: 419 scammer gone malware distributor unmasked appeared first on Malwarebytes Labs.

Agent Tesla is a well-known data stealer written in .NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns.

While looking for threats targeting Ukraine, we identified a group we call “Nigerian Tesla” that has been dabbling into phishing and other data theft activities for a number of years. Ironically, one of the main threat actors seemingly compromised his own computer with an Agent Tesla binary.

In this blog, we expose some of the activities from a scammer who started off with classic advance-fee schemes and is now successfully running Agent Tesla campaigns. In the past two years, this threat actor was able to collect close to a million credentials from his victims.

**Spam campaign**

Our investigation started with an email targeting titled _Остаточний платіж.msg_ (Ukrainian for _Final payment.msg_). It contained a link to a file sharing site that downloads an archive containing an executable file.

Figure 1: Spam email with Agent Tesla

This executable is actually an Agent Tesla stealer, capable of exfiltrating data in multiple ways, though most commonly using SMTP. The technique is really simple as it only requires an email account that sends messages to itself containing stolen credentials for each victim that executed the malware on their computer.

**Test successful!**

The attacker sent a number of messages containing the body “Test successful!” from the same machine. Those emails should have been deleted for obvious reasons but this threat actor did not and leaked his own IP address allowing us to locate them in Lagos, Nigeria.

Figure 2: Test emails sent by the attacker

These messages are checks done by the threat actor to make sure communication with Agent Tesla is configured properly. This is typical and is often described in hacking forums where users ask for help with the ‘software’.

Figure 3: Forum post complaining about issue not receiving logs

There were an additional 26 emails sent from the same IP address that weren’t test emails but came from a real Agent Tesla execution. We don’t know exactly how, but the attacker managed to infect his own machine.

Figure 4: Information exfiltrated from the attacker’s machine

Here is a list containing some of the services that the Nigerian Tesla threat actor used:

*   PerfectMoney
*   Glassdoor signupanywhere (could be a source to get victims emails)
*   omail.io (service for extracting emails)
*   warzone.ws (Warzone RAT)
*   worldwiredlabs (NetWire RAT)
*   le-vpn.com and bettervpn.com zenmate.com tigervpn hotvpn (VPN provider)
*   securitycode.eu cassandra.pw (Code Protector)
*   esco.pw (office document protection)
*   monovm hostwinds.com firevps dynu 4server.su (VPS and dedicated servers)
*   dnsomatic.com cloudns.net (DNS services)
*   spam-lab.su
*   filesend.io 4shared (hosting files)
*   avcheck.net (offline av test)
*   bitshacking.com
*   archive.org (used like cloud storage)
*   xss.is hackforums.net exploit.in
*   titan.email (.pw accounts, various scams)

Rita Bent, Lee Chen and John Cooper are some of the names that have been used in the past along with dozens of different email accounts with passwords containing the string ‘1985’. The following image shows the activity from user rita398 in hackforums asking about Esco Crypter:

Figure 5: Rita398 interested in Esco Crypter

In that case, we see Rita complaining about some RDP suspension that happened eventually to one of his registered domains.

Figure 6: RDP shutdown complain

The following email accounts were used in various phishing and data stealing operations:

*   along.aalahajirazak.ibrahim@gmail.com
*   administracion@romexpert.es
*   administracioneforce@eforce.es
*   soceanwave244@gmail.com
*   barristeradamssetien@gmail.com
*   catalinafuster@palmaprocura.com
*   david01smith@yandex.com
*   davidsmith.ntx31@yandex.com
*   davids27smith@yandex.com
*   elisabet.valenti@ag.barymont.com
*   gestor3@afectadosvolkswagenabogados.com
*   info@borrellacerrajeros.com
*   info@crmarismas.org
*   info@cristaleriagandia.com
*   infogestinsur@grupogestinsur.com
*   instalaciones@gopamar.com
*   isabel@grupoatu.com
*   m.lopez@forestadent.es
*   nacho@alasvigilnevot.com
*   restaurante@elsecretodechimiche.com
*   soceanwave244@gmail.com
*   tienda@di-tempo.com
*   torremolinos3@copiplus.es
*   v.reino@gooddental.es
*   victor@sugesol.com
*   vives@viveselectricitat.com

Based on these profiles, we can see this threat actor has an extensive criminal record starting at least from 2014. Back then, they performed classic scams under the Rita Bent moniker.

Figure 7: Scam conducted by the same attacker in the past

One of their preferred scams was phishing for Adobe login pages. We have records indicating that several Adobe fake pages were deployed from 2015 until recently. Landing pages looked like the following:

Figure 8: Fake Adobe login page

Fast forward to 2020, and the threat actor has graduated to malware distributor. He protects his binaries with the Cassandra Protector obfuscator and then checks them against AVcheck\[.\]net.

Figure 9: Cassandra Protector

Figure 10: AVcheck\[.\]net

**Who is behind these attacks?**

The threat actor shared photos of himself back in 2016 and for some reason forgot about them.

Figure 11: Photos of the threat actor

E.K. was born in 1985 according to his driver license. Remember that 1985 was used in a lot of passwords collected from accounts that conducted these illegal activities.

Figure 12: Threat actor’s drivers license

At the moment, we do not have much information about other members in the team. But E. K. seems to be the most relevant figure, at least the one who started the scheme.

**From 419 scams to Agent Tesla**

Nigerian Tesla stole more than 800,000 different credentials from about 28,000 victims. This shows how simple and yet effective running one of these campaigns can be. In this case we see an interesting evolution from a threat actor that was performing the classic advance-fee scam (419 scam) before moving into the malware distribution world, more or less for the same end goal.

Malwarebytes users are protected against Agent Tesla. We detect this sample as Spyware.Password.Stealer.

Nigerian Tesla: 419 scammer gone malware distributor unmasked

Google has released updates for Android and its Pixel phone. We discuss the three vulnerabilities that were classified as critical.
The post Google fixes two critical Pixel vulnerabilities: Get your updates when you can! appeared first on Malwarebytes Labs.

Google has made updates available for Android 10, 11, 12 and 12L. The May Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. Pixel phones are Google’s “pure Android” phones.

In total, these two bulletins mention three vulnerabilities rated as critical. Two of those vulnerabilities only concern Pixel users.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below we will discuss the CVEs that were rated as critical.

**Bootloader**

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader. On Android, the bootloader is a piece of software that loads the OS every time you boot your phone. By default, it will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has (not yet) been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.

**Titan-M**

CVE-2022-20117: An information disclosure (ID) vulnerability in Titan M. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. Again, details about the issue have (not yet) been disclosed. But being able to steal information from the part that is supposed to secure the most sensitive data doesn’t bode too well.

**Qualcomm**

Qualcomm’s chipsets are the most common ones in the Android smartphone space. The severity assessment of their issues is provided directly by Qualcomm.

CVE-2021-35090: CVSS 9.3 out of 10. Listed by Qualcomm as a Time-of-check Time-of-use (TOC TOU)  Race Condition in Kernel. And specified as a possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings. In general a TOC TOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

**Mitigation**

None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed, but does not tell us which of the four candidates that is.

For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins. To learn how to check a device’s security patch level, see Check and update your Android version. We encourage all users to update to the latest version of Android where possible.

The Pixel 3a and Pixel 3a XL series will receive security updates for the last time this month. Then they reach the End-of-Life (EOL) stage when it comes to support. For the Pixel 4 and Pixel 4 XL, this will be the case in October 2022.

Stay safe, everyone!

Google fixes two critical Pixel vulnerabilities: Get your updates when you can!

A sample of the new REvil ransomware was found in the wild, signaling that, yes, REvil has indeed come back.
The post It’s business as usual for REvil ransomware appeared first on Malwarebytes Labs.

After the FBS arrested 14 of its members in January, and a subsequent lull in action, the REvil ransomware gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.

“And they are recruiting,” added Malwarebytes Threat Intelligence Analyst Marcelo Rivero.

**REvil ransomware: a brief look back**

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was _the_ new RaaS (ransomware as a service) of the criminal underground, filling the hole GandCrab left behind.

Like any “big-game hunting” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correct.

2021 was the ransomware gang’s last year of activity. REvil attacked JBS, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil to the tune of $11M (£7.8M).

In July, REvil attacked Kaseya, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators.

**Is REvil really back?**

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek) discovered one recently.

Multiple security researchers who looked into the sample said they noticed a few changes to the code based on old REvil ransomware code. The most notable changes in the encryptor are the version, the new accs configuration option, and the campaign and affiliate identifiers.

In an interview with BleepingComputer, Advanced Intel CEO Vitali Kremez said he believes this option “is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.”

When asked about his thoughts, Rivero said, “I think this REvil sample is just a test file because it doesn’t encrypt.”

On top of this, the sample also adds a random extension name to affected files and creates a ransom note—both as text and HTML files—identical to old REvil’s. The web version of the ransom note links users back to new paid Tor sites and the new data leak blog.

The new REvil ransomware note.

Malwarebytes detects this new REvil sample as Sodinokibi.Ransom.Encrypt.DDS.

**What should previous victims do now?**

When REvil’s servers disappeared on an early Tuesday morning in July 2021, current victims of the ransomware gang were left stumped, not knowing what to do next. They were stuck in mid-negotiations, fearing they might never hear from the gang again, leaving their essential files encrypted forever.

With REvil back and the new operators apparently inheriting former victims of the old ransomware gang, what does this mean for victims?

It’s almost a year since REvil’s infrastructure went dark, and victim companies may have already moved on or sought help from law enforcement. Either way, REvil might one day come knocking at their digital doors to pick up where it left off.