Scammers are asking people to download a remote access app onto their phones so they can steal their savings.
The post Beware scammers disguised as fraud busters appeared first on Malwarebytes Labs.

Fraudsters like confusing and disorienting people. Successful ones avoid obvious lines of approach and try things you wouldn’t expect. A recent story highlights this, with a particularly devious method of parting someone from their money.

The Daily Record reports scammers running off with an $11,000 haul from a lady in Scotland. They did this by subverting expectations and drawing attention to a theft that never happened.

**Distraction and subterfuge**

Impersonation fraud is a huge problem. It weaves into several forms of cybercrime, such as phishing, fake customer support agents, fake deliveries, and even bogus charity donations.

One of the most interesting choices fraudsters make is to run a scam that specifically draws the victim’s attention to fraudulent activity, real or otherwise. It sounds counter-productive, but it’s the last thing people would expect.

Someone calling and claiming to be your bank will raise multiple red flags, even before asking for banking details. Getting a call from someone saying they blocked a potential thief from stealing your savings? That will set many people at ease, which fraudsters are hoping for.

**Borrowing from the tech support scam playbook**

A scam such as this usually follows a pattern. The attacker:

1.  Calls, claiming to have spotted an attempted fraud or stopped an unauthorized transaction.
2.  Asks if you can help with inquiries related to the non-existent attack.
3.  Requests banking information.

The attack against the Scots lady splits off from this pattern somewhat, incorporating tactics more commonly seen in tech support scams. Instead of asking for banking information, the attacker says they can help prevent future fraud attempts and advises the target to download Any Desk, a legitimate app that acts as a remote access tool to someone’s phone.

The end result is that the attacker used their access to steal a significant chunk of the victim’s life savings. Inspector Laura Hamill, a member of the Paisley community policing team, told the Daily Record that the victim “…was left understandably distressed after having a large sum of cash stolen from her account through the use of an app which she was convinced to download to her device.”

**How to deal with fraud support**

Banks tend to have strict rules about how their fraud team calls operate. Here are some things you can look out for when deciding if a call is genuine or not.

*   If fraud is detected, banks will try outreach after putting a hold on your card. There may be automated calls, texts, or voicemails. These usually ask you to call a dedicated number on the bank’s website.
*   Regardless of the outreach method, the bank never asks you for full passwords, PINS, security codes, passwords, or anything displayed on authenticator devices.
*   Banks don’t send fraud warnings via email. If you receive one, with or without a clickable link, don’t reply. Call your bank.
*   Your bank may have its own banking app for online mobile banking. They will never ask you to download remote access tools.
*   If you doubt the correct bank contact numbers, your bank should at least have a helpline number printed on the back of your card.

Beware scammers disguised as fraud busters

Scammers are taking advantage of an Instagram feature that cleans up after them.
The post Warning! Instagram Stories hides a scam in plain sight appeared first on Malwarebytes Labs.

When someone finds their social media account compromised, they first think about letting their followers know. And they do. They warn others from reading any strange posts, usually containing a rogue link, before they sort out the matter behind the scenes.

Some curious followers who missed these posts backtrack the feed—only to find that nothing appears out of place. So where are they?

Clever attackers are using platform functionality to appear invisible. This way, the chances of catching them are small. Apart from the victims themselves, nobody may realize that something dubious was in full view of everybody in the first place.

**You don’t see it…**

Here’s a hijacked Instagram page.

_Well, you know what they say about cakes…_

Despite warnings by the account owner to avoid being ripped off by whoever took over their account, the page looks absolutely, positively _normal_.

_Warning from the panic-stricken account owner posted on Facebook. But there doesn’t seem to be cause for panic._

    Instagram page is still hacked!! This is not me ..... I do not have a spare £150 to give to 5 winners unfortunately........ If you reply you will be messaging some {redacted}. please just report the account if you can and you're on my instagram page. Instagram are sorting it although very slowly!!!

There are no odd links in the Bio; the photographs are untouched; the user name hasn’t been changed to anything peculiar. The page itself is acting as it should.

So what is the problem here?

**…and then you do**

Instagram has a feature called Stories, first introduced in 2016. It’s a quick and easy way to upload zinger-style posts, short clips, or anything else that’s supposed to be a passing thought. Stories only last for 24 hours and then self-delete.

A Story is designed to be evanescent—don’t log on to Instagram for 24 hours and you’ll miss it entirely.

As a result, people with bad intentions often hide their bogus postings in the Stories section instead of putting them directly onto the Instagram grid. This has a couple of advantages for the account hijacker:

*   The self-delete feature is the perfect way for scammers to hide their tracks. Why clean up the mess when the platform does it for you after 24 hours? The only evidence left behind is direct messages or communication away from the platform.
*   Account hijackers lure people into taking action. It might be blackmail, a promise of wealth, or a veiled malware download. Regardless, having these posts somewhat hidden away makes it feel more exclusive. If the offer sounds too good, they can argue that the take-up isn’t as significant as a victim may expect because only the lucky chosen few have spotted it.

**Clouds in my coffee (in my cake, too)**

Let’s go back to the Instagram page we were looking at previously.

Ignore the well-done cakes, and instead, let’s click the profile’s Stories.

_The scam hidden in plain sight_

    Everyone is getting this wrong... an ex policeman...lost his house, his car, and his girlfriend, what did he lose first???!! The winner get £150. Need just 5 winners.

This post is only visible for a few seconds, sandwiched between other Story images on the user’s “roll.” I do love a good riddle and decided to try my luck.

_“Send your PayPal or bank details,” they say._

At this point, we dropped communications and reported the account.

**Don’t fall for sleights of hand or risk losing money**

Sending this person your PayPal or phone number will undoubtedly not end there. If your email address isn’t secure, they could try and compromise and gain control of associated accounts. They could send you funds that may be stolen or try to tie you up in money mule scams.

Handing a stranger your bank details could land you in a similar situation. There’s always the risk of follow-up questions aimed at revealing more than you bargained for. Enough information provided could result in bogus direct debits. This also doesn’t exclude the possibility of them asking for credit card information at some point.

Next time you see a friend or stranger mention that their Instagram page has been hijacked, you’ll know exactly where to look if you can’t readily see the evidence.

Stay safe out there!

Warning! Instagram Stories hides a scam in plain sight

Google has been busy. After introducing badges for browser apps, it's also launched its "nutrition labels" for apps.
The post Google Play’s Data safety section empowers Android users to make informed app choices appeared first on Malwarebytes Labs.

Google has launched its new “nutrition labels” for apps, a feature it promised in the spring of 2021. This release came days after the Chrome team released badges for the Chrome Web Store for browser extensions.

The company said in a blog post that it’s rolling out the labels—which it calls the Google Play Data safety section—gradually to users.

The labels are released weeks ahead of the July 20 deadline, the date when developers are required to adequately disclose what their apps do. This includes what data they collect, how it is shared with third parties (if ever), and how they secure user data. “We heard from users and app developers that displaying the data an app collects, without additional context, is not enough,” Google said.

Indeed, the search giant followed Apple’s lead when it introduced app privacy labels in its App Store in December 2020.

The Data safety section’s design relied heavily on feedback from Android users, who also want to know for what purpose their data is collected and whether app developers are sharing it. Google added information on whether an app needs data to function or if data collection is optional. Below is a list of other information that developers can show in the Data safety section of their apps:

> – Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.  
> – Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).

While this new feature is in place so Android users can make informed choices when it comes to trusting an app with their data, it’s still up to developers to disclose what their apps are capable of. Google said that if it finds a developer misstating their app’s features, the company will ask them to fix it instead of removing the app straight away. Action is only taken if the app remains uncompliant.

We will see if Google does a better job implementing its labels than Apple. If you recall, many labels in the App Store were found to be unreliable as they provided false information.

Here is the Google Play Help page for the Data safety section if you want to read more.

Google Play’s Data safety section empowers Android users to make informed app choices

We can't tell which party made the first move, but both the pro-Ukraine and Russian sides have been exchanging DDoS attacks.
The post Ukraine government and pro-Ukrainian sites hit by DDoS attacks appeared first on Malwarebytes Labs.

The Computer Emergency Response Team in Ukraine (CERT-UA) has announced that Ukraine government web portals and pro-Ukraine sites are subjected to ongoing DDoS (distributed denial of service) attacks. They don’t currently know who is behind these attacks.

The attack involves injecting a malicious JavaScript (JS)—officially named “BrownFlood”—into compromised WordPress sites, arming them with the ability to DDoS sites. The script, which is encoded in base64 to avoid detection, is injected into the HTML structure of the sites’ main files. Whoever visits these sites are then turned into an unknowing accomplice to an online attack they are unaware of.

Target URLs are defined in the code.

_BrownFlood in a compromised WordPress site (Source: CERT-UA)_

Even the owners of these compromised WordPress sites do not realize that they were involuntarily signed up for a cause against Ukraine.

BleepingComputer revealed that the same JS script shared on GitHub had been involved in a DDoS attack a month ago against a smaller pool of pro-Ukraine sites. It then came to light that a particular pro-Ukrainian site had used the same DDoS code to target Russian sites.

CERT-UA worked closely with the National Bank of Ukraine to strengthen its defensive stance against DDoS attacks. The agency also informed WordPress site owners of their compromise and provided guidance on detecting and removing the malicious JS.

_Screenshot of event log WordPress admins should watch out for to know if they are infected (Source: CERT-UA)_

CERT-UA listed three recommendations for WordPress site admins to follow, which we have replicated the translated version of below:

1.  Take steps to detect and remove malicious JavaScript code.
2.  Provide up-to-date \[active plug-ins\] and up-to-date support for website content management systems (CMS).
3.  Restrict access to website management pages.

The agency also provided a detection tool (scroll down to the bottom of the page) admins can use to scan their sites.

Ukraine government and pro-Ukrainian sites hit by DDoS attacks

We take a look at a report which indicates younger generations are struggling with being able to spot scams, and why that might be.
The post Why you should be taking security advice from your grandmother appeared first on Malwarebytes Labs.

We tend to accept that younger folks are supposed to be more tech savvy, given they’ve grown up with computers and the Internet pretty much their whole lives. If you go back about 15 or so years, a lot of security advice focused on the “warning your grandmother away from scams” routine.

The default assumption was that people over a certain age simply did not know about computers and the threats that come with them. Grandparents were the short-hand, go-to frame of reference for examples in posts about scams or fraud: Watch out for grandfather this; your grandmother will fall for that.

**Your grandfather knows what he’s doing**

Crude, age-based categorisations were always dubious, and they are looking more and more baseless as the years tick by. Tech has now been around for a long time, whether it had some Internet bouncing around inside it or not. The oldest gamers playing on machines like Binatones in the 1970s might now be approaching 70 years of age themselves. Many studies have come and gone in the last couple of years declaring certain age groups to be at risk at one time or another. The interesting part is that more and more are declaring that younger age groups are at the greatest risk.

Older folks are dodging COVID-19 scams and all sorts of other shenanigans. Meanwhile, the news is definitely not as good the lower down the age slide we go.

Over here, Barclays twenty-somethings are most likely to be caught by scams. Over there, The Better Business Bureau finds that year after year it’s the younger folks getting stung by scams. In this direction, the UK’s Local Government Association has warned that it’s 16-34 year olds mostly feeling fakeout wrath. Some of the surveys listed claim that those in both the 31-40 or 71+ ranges are more susceptible to forms of advance fee fraud, but that seems to be about the only real negative mark against them.

Everything else is grim reading for the younger netizens out there.

**Are digital natives in trouble?**

A new study has just landed and guess what? It’s more misery for the so-called “digital native” generation (and, perhaps, those just on the fringes).

The Financial Times reports that a joint study by Visa and Aston University’s Institute for Forensic Linguistics brings bad tidings for the young. One in four 18-34 year olds trust scam messages, which is “more than double” of those over 55.

Gen-X, forgotten again.

**Crunching numbers**

We cover the “urgent action” type scams a lot, because it’s a core component of so many fakeouts. Nothing has people clicking links they shouldn’t click faster than the threat of losing access to accounts or finances. According to the study, some 70% of messages analysed contained some kind of “Hurry up please” messaging.

Gift cards and Bitcoin—cybercriminals’ favourite currencies—feature heavily, as you’d expect. And it’s no surprise that aspects of younger culture are tied up in the most common scam messages.

More than 50% of 18-34 year olds had sent cash to fakers pretending to be friends or family. Again, this is likely another tick in the pandemic box. There’s a lot more stats in the report itself \[PDF\], but that’s not what I’m most interested in. Despite it being focused on the language of fraud, there’s one key aspect which isn’t really touched upon.

Reports state that a quarter of 18-34 year olds don’t check for spelling and grammar mistakes. As the PDF itself notes that poor spelling, typography, and grammar are often indicators of a scam message, we may wonder how this disconnect is happening—and how to address it.

**Annoying your spell-check for fun and profit**

Security advice nowadays tends to steer clear of the “Your grandfather doesn’t understand computers” routine for the previously mentioned reasons. It’s just a bit crass and not particularly accurate.

And there may be other age-related pieces of security advice to reassess too.

Misspelling and errors have been a feature of scams for years, and a useful red flag we could advise people to watch out for. But does that advice still work for a generation that’s grown up on social media and messaging apps, and loosened its adherence to language norms by communicating with emojis and paired-down, abbreatived, vowelless blasts of text?

Some People Write On Social Media Like This.

others write everything in lower case and don’t even bother to consider throwing in the occasional comma or even a full stop because their messages are still entirely understandable

The rules have mostly gone out the window, and the “watch out for typos” advice might have to go with it. After all, you can’t tell people to beware strange spelling when everyone is officially doing their own thing.

**Some good news for Gen Z and Millennials**

Thankfully, “watch out for typos” is far from the only piece of security advice we can give when warning people away from bogus SMS messages or suspicious emails. When we warn you away from a phish, we give you several things to look out for in combination. It’s the same for a malware scam, or a bogus phone download, or something targeting young gamers.

The survey recognises this, and stresses the importance of picking out combinations of factors to spot a scam. It’s not just typos: It’s _combinations_ of certain words, pressures exerted on the recipient, mismatches between sender and links given, and a dash of ambiguity. One of these alone probably won’t help, but a few of them together most likely will.

Why you should be taking security advice from your grandmother

For the second time, the FBI has warned the food and agriculture sector about the risk of ransomware attacks.
The post FBI warns food and agriculture to brace for seasonal ransomware attacks appeared first on Malwarebytes Labs.

The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification warning agriculture cooperatives (also known as “farmers’ co-ops”) of the looming danger of well-timed ransomware attacks. The agency warns that during the critical planting and harvesting seasons, attacks could result in the theft of proprietary information, and operational disruption leading to financial losses and even food shortages.

This is the second time the FBI has warned the food and agriculture sector. In September 2021, the agency revealed that ransomware threat actors were ramping up attacks as the sector adopted more smart technologies.

“Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants,” the agency said, “Initial intrusion vectors included known but unpatched common vulnerabilities and exploits and secondary infections from the exploitation of shared network resources or compromise of managed services.”

The FBI is concerened that threat actors might think agricultural cooperatives have an extra incentive to pay ransoms because some phases of their work are so time-sensitive.

**After-effects of ransomware attacks against the FA sector**

Attacks against organizations at the root of the food supply chain can cause significant downstream disruption.

During the same month as the FBI’s initial warning, in September 2021, BlackMatter ransomware hit Iowa’s NEW Cooperative, demanding a ransom of $5.9 million. The company was forced to take affected devices offline to stop the threat from spreading, and the ransomware gang was reportedly able to steal 1,000GB of data, including financial documents, employee data, and source code for a farming technology platform.

Two days after the NEW Cooperative attack, Crystal Valley Cooperative, a major farmer’s co-op in Minnesota, was hit by a still-unnamed ransomware strain. This stopped the group from processing major payment cards and caused its phone system some downtime.

In the last decade, the agriculture sector has been through a rapid technological transformation as traditional farm machinery—such as tractors—have joined the Internet of Things (IoT).

In a recent Lock and Code podcast about the vulnerability of agricultural technology, podcast host Davd Ruiz interviewed Sick Codes, a hacker who has taken a deep dive into the security of John Deere and other agricultural equipment manufacturers.

He told us that while the industry is beginning to think about the cybersecurity of its devices and systems, many vendors still struggle with the basics like where they store data and how to make it safe, leaving it open to easy exploitation. In one example of what might be possible, Sick explained that threat actors might be able to “game” the market for corn prices by intercepting unencrypted data about the crop as it moves from tractor fleets into the cloud:

> If somebody is to catch that data on the way out, they will be able to predict the price of corn. And corn is a commodity. It fluctuates daily. So actually if you have all that data, you’d be out to make serious money.

The FBI has taken stock of ransomware gangs that have hit organizations within the food and agriculture sector: BlackByte, BlackMatter, Conti, HelloKitty (aka Five Hands), LockBit, Sodinokibi (aka REvil), and SunCrypt.

**FBI recommendations**

The agency advises the sector to focus on protecting its networks, systems, and applications as threat actors can and will exploit vulnerabilities in them. It also offered some guidance on how to protect against ransomware attacks, including:

*   **Regularly back up data** to an offline, air-gapped location where it can’t be reached by attackers.
*   **Patch software** and firmware as soon as security updates become available.
*   **Segment networks** to slow down attackers, make finding them easier, and limit their damage.
*   **Use multi-factor authentication (MFA)** whenever possible.
*   **Use strong passwords** and avoid reusing them.

More guidelines can be found in the agency’s Private Industry Notification on the subject.

For a glimpse of the current state of cybersecurity in an Internet-connected agriculture sector, listen to our Lock and Code podcast below:

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

FBI warns food and agriculture to brace for seasonal ransomware attacks

Law enforcement believes that these hackers duping major tech companies are teenagers. But they are causing severe harm.
The post Hackers fool major tech companies into handing over data of women and minors to abuse appeared first on Malwarebytes Labs.

Posted: April 28, 2022 by

Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.

Although the data provided was limited, it was enough for the hackers to work on and use to target and harass specific women or sexually extort minors. In some instances, the data was used to pressure victims to create and share more sexually explicit material or—in one sinister case—carve the perpetrator’s name into their skin and share photos of it.

Typically, no company is under any legal obligation to respond to emergency data requests as these don’t include court orders. However, it is accepted practice that tech companies comply with such requests as a sign of “good faith.”

Former Facebook Chief Security Officer (CSO) turned consultant Alex Stamos said in an interview with Bloomberg:

> “I know that emergency data requests get used in real life-threatening emergencies every day. It is tragic that this mechanism is being abused to sexually exploit children.”

When victims refuse, they are subjected to swatting, doxxing, and other harassment techniques.

People close to the issue revealed that Apple, Alphabet (Google’s parent company), Discord, Meta (Facebook’s parent company), and Twitter were the companies who complied with the bogus requests. The data that was handed over varies per company but generally includes the name, IP address, email address, and physical address.

Law enforcement and investigators consider the tactic of exploiting legitimate channels as “the newest criminal tool” to acquire data from tech companies. This is unsettling in several ways. First, attackers can successfully impersonate police officers by compromising their agency’s email systems. Second, there is no way for tech companies to identify if such requests are fraudulent or not. Third, victims can’t protect themselves from such attacks unless they completely delete their accounts.

This tactic has become prevalent in recent months.

According to Stamos:

> “Police departments are going to have to focus on preventing account compromises with multi-factor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers.”

Many believe that the perpetrators of these attacks are teenagers based in the US and also abroad. This is potentially based on their methods of retaliation against victims who resist them.

Unit 221b’s Chief Research Officer Allison Nixon told Bloomberg that law enforcement and the cybersecurity industry must prioritize threats led by underage perpetrators.

“We are now witnessing their transition to organized crime, and all the real world violence and sexual abuse that comes with it,” Nixon said. They are causing serious harm, so “we need to start treating them like adults,” she said—a sentiment echoed by many in the cybersecurity industry.

**RELATED ARTICLES**

February 17, 2021 - The audio-chat app Clubhouse is the latest rage in the social media landscape. What is it, and can we trust it?

Hackers fool major tech companies into handing over data of women and minors to abuse

Call of Duty cheats can expect a whole new world of embarrassment as a new anti-cheating feature called Cloaking is introduced.
The post Call of Duty cheats can expect embarrassment with new anti-cheat feature appeared first on Malwarebytes Labs.

Posted: April 28, 2022 by

In-game cheats are about to have an even harder time of things in triple AAA titles such as Call of Duty. Activision’s “Ricochet” software – a kernel level driver anti-cheat system – has added another twist to the tale of how players are protected via a new system called “Cloaking”.

**Making all new punishments fit the crime**

Anti-cheat software typically sniffs out people breaking the rules and penalises them. Ricochet adds some perks into the mix for people who aren’t cheating, whenever someone up to no good joins a gaming session.

As an example, if I’m using an aim-bot to assist me in scoring cheap kills and I join your Call of Duty server, I won’t just be instantly kicked out. Two things will happen:

1.  Mitigations are deployed to help regular players not lose unfairly to cheaters like me, running round with aim-bots and wall hacks.. The already existing “Damage Shield” disables critical damage applied to non-cheating individuals. This means I can do everything in my power to win, but it almost certainly won’t be enough thanks to the second thing that happens.
2.  The new feature called “Cloaking” kicks in, which combined with the Damage Shield will scupper my chances of victory forever. This is because, hilariously, all other players vanish from view. I can’t see their characters, their bullets, or even hear the noises they make. Essentially, I’ll be twirling around in an empty space, firing bullets that do no damage. The best is yet to come. From the FAQ:

“Legitimate players, however, can see cheaters impacted by Cloaking and can dole out in-game punishment. Similar to Damage Shield, Cloaking gives legitimate players a leg up on cheaters.”

**That’s nothing to brag about: Shaming cheater out of gaming**

Exploiters in games traditionally love bragging rights. Anything to score a cheap win is acceptable, and bragging rights arising from _that_ is one of the reasons people continue to do it.

Many common anti-cheat methods exist which involve loading up tools prior to game launch, seeing if anything is running which shouldn’t be, and then simply preventing a cheater from joining in the first place.

From experience, people just load up another game and try it there instead until they’re allowed in.

This system is a curious remix of more typical anti-cheat tactics. Not only are the developers accepting that cheats will eventually end up in a session somehow, they’re also obtaining valuable game data in real-time as to how the cheats react to this approach.

Can you imagine the embarrassment when other players in the session upload incredibly funny clips of cheaters helplessly spinning into walls and firing guns at lamp posts to YouTube or stream it on Twitch? It’s possible the threat of this alone will deter some people from that level of social shaming. Nobody’s cool factor can survive an encounter like that.

**No stopping the ban train**

Conscious of controversy surrounding anti-cheat tools, the developers have reassured players several times. The Ricochet system only operates when playing, and it isn’t always _running_ when playing. It also shuts down when the game is closed.

I don’t know for sure how many anti-cheat tools actually do run outside of a game being active. I suspect it’s not many, but it is good to see an organisation being very clear about what additional software needed to run a game does (and does not) do.

With 54,000 new account bans added to the 90,000 in March, the gamble seems to have paid off. We can expect to see more slightly weird and unusual approaches to shutting down cheaters in games. Letting them run free in a gaming hamster maze while both regular players and developers observe at their expense? This is simply too good an opportunity to pass up.

**RELATED ARTICLES**

Call of Duty cheats can expect embarrassment with new anti-cheat feature

Scammers are disguising their phishing page as a donation hub for Ukrainian refugees.
The post Fake USA for UNHCR site wants your Ukraine donations in Bitcoin appeared first on Malwarebytes Labs.

Since Russia began invading Ukraine in late February, many organizations have set up donation pages to aid the most heavily affected: Families who were forced out of their homes due to bombings and children separated from grown-ups who decided to stay and take arms.

We’ve also seen a considerable amount of scams preying on those who want to bring help to the helpless. During these times of struggle, donation and phishing scams abound, too.

**There’s a spam campaign encouraging you to donate to or support Ukraine**

Our email honeypot snagged dozens of samples belonging to a campaign that spoofed an email that receivers were meant to believe came from the United Nations or United Humanitarian.

Our Threat Intelligence Team took a closer look and found that the actual senders are work email addresses of individuals linked to legitimate services in Bangladesh. The emails appeared to be compromised.

    Hello
    
    We stand with our friends and colleagues in Ukraine during this heinous assault on their freedom, their independence and their lives. We are actively supporting our resilient team and are doing what we can to insure their safety, click on the Link to see more updates or photos and videos of the invasions from Russian. Donate and Support Ukrainian now to save lives.
    
    Visit: {redacted URL}
           {redacted URL}
    
    Thanks for your support.
    Regards
    UNITED HUMANITARIAN

Clicking the links in the email body, or copying and pasting them to your browser, opens this legitimate looking website:

We inspected the URL using a domain registrant and found it was created on April 19 2022, two days before we started receiving the spam emails.

**Be extra vigilant with “mirrored” sites**

The scam page looks slick, professional, and not what you may expect from a bogus donation portal. There’s a good reason for this. The entire site has been copied from _unrefugees.org_ using HTTrack, a free website copier.

_This is inside the code of the fake refugee website helping Ukraine families flee. Website copiers can make a fake site a spitting image of its original counterpart._

_Unrefugees.org_ is the USA for UNHCR (United Nations High Commissioner for Refugees). It is a Washington-based, not-for-profit organization whose mission is to provide food, shelter, and medical care to those fleeing their homes due to conflict, persecution, or violence.

While the fake site mirrors the legitimate site perfectly, it has one major exception: They switched out the genuine donation page for one of their own. The real site allows you to donate monthly via credit card, Google Pay, or PayPal. Donations made to the fake site, however, are made through Bitcoin.

_This is the form donors would have to fill in._

We checked multiple sources for information on the Bitcoin address provided. It doesn’t appear in scam databases or fraud reports and has neither sent nor received funds. This, combined with the site now failing to resolve, hopefully means the scammers got nowhere with their phishing attempt.

**How to tell if a donation site is what it says it is**

It’s very difficult to know at a glance which sites are real. This is especially true where donations are concerned. However, there are tools available to check.

You can check for registered charities online in most cases, and the genuine site is listed here against the BBB (Better Business Bureau) record. You can find similar types of checks in other countries.

There are very good reasons for making speedy donations. Even so, taking the time to ensure the site you’re donating to is the real deal is the best course of action for both you and the people you’ll be helping.

Stay safe out there!

Fake USA for UNHCR site wants your Ukraine donations in Bitcoin

NAS device vendors are dealing with several severe vulnerabilities in Netatalk, the open-source implemenation of AFP.
The post QNAP customers urged to disable AFP to protect against severe vulnerabilities appeared first on Malwarebytes Labs.

MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities. Others have already done so, or have taken more drastic measures.

Taiwanese corporation QNAP has asked customers to disable the AFP file service protocol on its NAS appliances while it creates fixes for multiple, critical Netatalk vulnerabilities.

The vulnerabilities most urgently in need of mitigation or a fix are: CVE-2022-0194, CVE-2022-23121, CVE-2022-23122 and CVE-2022-23125. All of them are remote code execution (RCE) vulnerabilities, and all of them have a CVSS severity score of 9.8 out of 10.

In a security advisory, QNAP says it has fixed the Netatalk vulnerabilities for QTS 4.5.4.2012 build 20220419 and later, but it is still working to release security updates for all affected QNAP operating system versions. Given the severity of the vulnerabilities, keep an eye for updates.

**AFP and Netatalk**

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the Internet.

AFP is a proprietary network protocol, and part of the Apple File Service (AFS), that offers file services for macOS and the classic Mac OS. Many types of NAS devices support AFP so that macOS systems can access the data on them.

Netatalk is a free, open-source implementation of AFP that allows the Unix-like operating systems (that frequently power NAS devices) to serve as a file server for macOS systems.

Version 3.0 of Netatalk was released in July 2012. On  22nd of March 2022 the Netatalk team at Sourceforge announced Netatalk 3.1.13 with a new feature and several security updates.

**Not just QNAP**

Given the popularity of Netatalk, QNAP isn’t the only vendor that needs to deal with these vulnerabilities.

Another popular NAS device vendor, Synology, had issued Disk Station Manager version 7.1 to deal with the vulnerabilities. The update is expected to be available in all regions shortly but you can download it from the company’s website now if you want.

Western Digital removed Netatalk from its firmware, released on January 10, 2022. The company says that users can continue to access local network shares and perform Time Machine backups via SMB, a different file-sharing protocol.

TrueNAS says it fixed the vulnerabilities in TrueNAS Core 12.0-U8.1 on April 14, 2022.

**Mitigation**

Until an update has been made available, QNAP advises uses of affected devices to disable AFP and install security updates as soon as they become available.

To disable AFP on your QTS or QuTS hero NAS device, you will have to go to **Control Panel** > **Network & File Services** > **Win/Mac/NFS/WebDAV** > **Apple Networking** and select **Disable AFP (Apple Filing Protocol)**.

Stay safe, everyone!