A criminal group called ResumeLooters has stolen the personal information of over two million job seekers from at least 65 different websites.

A cybercriminal group known as ResumeLooters has infiltrated 65 job listing and retail websites, compromising the personal data of over two million job seekers.

The group used SQL injection and cross-site scripting (XSS) attacks—both common techniques— to extract the sensitive information from the websites.

The attacks primarily focused on the Asia-Pacific (APAC) region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam. However, other compromised companies were located in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Researchers first detected the activity of the group in November 2023, and tracked the massive malicious campaign targeting employment agencies and retail companies. Due to the criminals’ focus on job search platforms and the theft of resumes, the researchers dubbed the group ResumeLooters.

The stolen data is hard to quantify given the amount of sources, but it may include names, phone numbers, emails, and dates of birth, as well as information about job seekers’ experience, employment history, and other sensitive personal data.

The stolen data were put up for sale on Chinese-speaking Telegram channels. This and other indicators make it very likely that the group is of Chinese origin.

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 2 million job seekers targeted by data thieves 

Your essential guide to toothbrush security.

February 7, 2024 - We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

February 6, 2024 - The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

February 6, 2024 - Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

February 6, 2024 - Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 5, 2024 - Clorox has reported losses of $49 million following a cyberattack in mid-2023.

 How to tell if your toothbrush is being used in a DDoS attack 

We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

Recently I wrote about a malvertising campaign on Facebook that has been going on for almost a year. Apparently Facebook is struggling to stop this campaign, so now this type of campaign is showing up in other languages than English.

I have seen two different types in German.

**First Facebook scam**

_Translation: Deadly accident on highway causes several fatalities_

Notable about this one is that it was posted as a fundraiser and does not allow comments, which blocks me from posting a warning that this is a scam.

I reached out to the person that owns the account to find out if he knew how his account got compromised. He had no idea, but told me that it seemed like a lot of people were having the same issues. Not only did he see the same type of posts, but he also got a lot of Messenger messages prompting him to click a link.

In the past we’ve seen campaigns on Messenger where clicking such a link would install a Facebook app that required posting permissions. These apps would then spread further from the compromised user account.

The host storage.googleapis.com gives the link a legitimate feel, but that feeling is not justified. Although googleapis.com is a legitimate service provided by Google, it’s being abused by all sorts of cybercriminals for phishing, tech support scams, and in this case fingerprinting. The script on that site looks at your IP address, your type of machine and whether you are using a VPN. Based on the analysis of that information you are forwarded to the type of scam that is likely to be the most profitable.

An example of a redirect URL shows some of the elements that were fingerprinted.

https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw&click_id=da5d3q51mm737150e7&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows

Malwarebytes has already blocked the windyplentiful.com domain for Malvertising.

_Malwarebytes Premium blocks the domain windyplentiful.com_

**Second Facebook scam**

The second example is easier to identify as a fake. Both the ambulance and the wrecked motorcycle hail from California, so this highly unlikely to have happened on the German autobahn.

_Translation: Accident causes several victims including a child_

Not only is the picture clearly not German, the grammar used in the sentence is another sign as it’s a bad translation.

When I set my VPN to pretend I was located in Germany, the script identified it as an anonymous proxy and stopped there.

Switching back to the Netherlands I got to “enjoy” sites with explicit content, scam sites where celebrities encourage investing in cryptocurrencies, and websites offering browser push notifications.

These browser push notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus.

Several attempts on both images led to different domains as well. Other blocks we encountered during our research:

_Malwarebytes Premium blocks 188.114.96.0_

_Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top_

**How to recover from a Facebook scam**

You can recognize this type of scam because they usually tag several friends of the victim. And although the image looks like a click will start a video, it never has for me. The images were hosted at media.discordapp.net/attachments and although the pages contain a link to Vimeo, the videos there have already been removed or were never even there.

If you find your account has posted a message like this, you should assume that someone else has full control over your Facebook account. Simply changing the password is not always enough.

1.  Check for unknown and unused Facebook apps.
    *   Click your profile picture.
    *   Select **Settings & Privacy**, then click **Settings**.
    *   Click **Apps and Websites**.Go to the app or game you want to remove, then next to the name of the app or game, click **Remove**.
    *   Click **Remove** again to confirm.
2.  Enable two-factor authentication (2FA)
    *   Go to your **Security and Login Settings**.
    *   Scroll down to **Use two-factor authentication** and click **Edit**.
    *   Choose the security method you want to add and follow the on-screen instructions.
3.  Change your password on Facebook if you’re already logged in:
    *   Click your profile picture.
    *   Select **Settings & Privacy**, then click **Settings** (or **Accounts Center** if you’re on your phone).
    *   Click **Security and Login** (or **Password and Security** if you’re on your phone).
    *   Click **Edit** next to **Change password** (or just **Change password** if you’re on your phone).
    *   Enter your current password and new password.
    *   Click **Save Changes**.

If you’re logged in but have forgotten your password or it has been changed to something you don’t know, follow the steps above to change your password, then click **Forgot your password?** and follow the steps to reset it. Keep in mind that you’ll need access to the email associated with your account.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Facebook fatal accident scam still rages on 

The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

Today, Malwarebytes released its 2024 State of Malware report, detailing six cyberthreats that resource-constrained IT teams should pay attention to in 2024. Top of the list is “Big Game” ransomware, the most serious cyberthreat to businesses all around the world.

Big game attacks extort vast ransoms from organizations by holding their data hostage—either with encryption, the threat of damaging data leaks, or both. The report reveals that, awash with money, the number of known Big Game attacks surged by 68% in 2023, thanks to Ransomware-as-a-Service groups like LockBit and ALPHV.

Known ransomware attacks July 2022 – December 2023

Big Game ransomware is just one part of a thriving and highly organized cybercrime business—a multi-billion-dollar mirror to the legitimate economy it feeds off. Its ecosystem supports entire supply chains, dotted about with specialized organizations like access brokers and malicious software vendors. It has brand names, PR stunts, HR departments, incentive schemes, and “employees of the month.”

And like broader, law-abiding “Business” at large, cybercrime has settled on a collection of tools that work. Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware.

For years, the latest iterations of these ideas have only offered marginal improvements on their predecessors. As a result, innovation in cybercrime has increasingly shifted towards tactics—advancements that focus more on how attacks can succeed and less on what malware can do. The 2024 State of Malware report also details how ransomware gangs use Living of the Land (LotL) techniques to hide in plain sight, and how one gang, CL0P, turned to automated zero-day attacks to break ransomware’s scalability barrier.

The report also explains how cybercriminals turned to a tactic called “malvertising” in 2023, using search ads and disposable websites that mimic legitimate brands to distribute malware as an alternative to malicious emails and document macros.

And as Macs continued to buck the trend in declining PC sales, some criminals began to add Mac malware, like Atomic Stealer, to their Windows distribution channels.

As we enter 2024, malware is as dangerous as ever, but when it is used, it is just one link in an attack chain of multiple different threats. IT and security teams now face active adversaries, zero-day exploits, compromised accounts, social engineering, and a range of other threats that don’t meet the traditional definition of malware. Against this backdrop, security budgets are shrinking while resource-constrained IT and security teams firefight ever more complex environments.

When it comes to security, “more of the same” will not work in 2024, so this year’s report also outlines what effective cyberdefense in the year ahead will require.

To learn more about the most serious threats facing IT teams in 2024, and how to combat them, download the 2024 State of Malware report.

 Known ransomware attacks up 68% in 2023 

Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 6, 2024 is Safer Internet Day. When I was asked to write about the topic, I misunderstood the question and heard: “can you cover save the internet” and we all agreed that it might be too late for that. While we laughed about it, it made me think.

The internet has been around for quite some time now, and most of us wouldn’t know what to do without it. Personally speaking, I would not have this job, I would not be able to work from home, I would not have met a great many online friends, and I would have to go shopping in person a lot more.

When I started actively using the internet in 1996, it looked completely different than it does today. There were no social media sites to speak of, companies were selling antivirus and anti-Trojan solutions, but nobody cared about adware, PUPs, and assorted nuisances. Firewalls on the other hand were considered a lot more important back then.

The reasons why people get infected with malware have not changed that much though:

*   **Free stuff**. Why pay when you can get it for free? Well, basically, because you always end up paying a price. Whether that free version displays ads or comes bundled with other software which you didn’t want. Or maybe because it’s not even what they promised it would be: not the game, movie, TV show, or software you were looking for.
*   **Fear**. Alarming messages on the screen make us think that we must be doing something wrong and convince us to install fake security software or fall prey to tech support scammers.
*   **Phishing emails**. Emails telling us that we urgently need to respond to prevent something or get rich, healthy, and happy, so we feel we have to click that link or open that attachment.

But in our defense, criminals have gotten a lot better at convincing us to do the “wrong” things. Social engineering has become a science that cybercriminals are masters at, although the Nigerian prince that keeps telling me about the blocked fortune he has waiting for me is still around.

With the help of Artificial Intelligence (AI) these techniques will become even better and can be fine-tuned so they can be adapted to the intended victim and become more targeted. Only recently we learned about a finance worker that paid out $25 million after a supposed video call with his chief financial officer, that turned out to be a deepfake. After reading that story, I felt very sorry for that finance worker. Even knowing that almost everyone would have fallen for that setup, probably doesn’t relieve you of the guilty feeling.

Social media has gone from a way to keep in touch with distant friends to gigantic money making machines that are all about advertising and algorithms that keep you busy on the platform for as long as they possibly can. Governments are now scrambling to protect at least the children of this generation against the ruthless environment that these social media platforms have become.

At some point, celebrities like Angelina Jolie and Brad Pitt hired online bodyguards to monitor the internet and social media content that their children, who ranged from ages 6 to 13 at the time, encounter. Unfortunately, we don’t all have the funds to follow their example, so we have to be our children’s internet guardians.

Other government actions concerning the internet and social media are more focused on trying to limit the power of the tech giants, rather than on our online safety and privacy.

For now, it seems we have to rely on our own solutions to guard our online privacy and protection. For some pointers, check out our internet safety tips. You may find some useful nuggets that you hadn’t come up with yourself.

Safer Internet Day takes place on the same day in February each year to raise awareness about a safer and better internet for all, and especially for children and young people. Let’s make the internet a safer place. If not for us, then for our children.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Safer Internet Day, or why Brad Pitt needed an internet bodyguard 

Clorox has reported losses of $49 million following a cyberattack in mid-2023.

Cleaning products maker Clorox has reported losses of $49 million in connection to a cyberattack it suffered in August of last year.

On Monday, August 14, 2023, Clorox disclosed it had identified unauthorized activity on some of its IT systems. Despite a business continuity plan, the incident resulted in wide-scale disruptions to the company’s operations throughout the quarter, which ended September 30, 2023.

Clorox says it expects operational impacts from the cyberattack to continue into the second quarter, though the majority of order processing operations have returned to automated processes. Among other consequences of the cyberattack, net sales are expected to decrease between about $487 million and $593 million.

The company never revealed the nature of the attack, but based on a brief description, we must assume it was a ransomware attack. Ransomware experts have attributed the attack to ALPHV/BlackCat, but attribution is hard. This is especially true when the victim decides to pay the ransom, because their details aren’t made public by the attackers. When an organization refuses to pay, the attacking ransomware group will typically publish the organization’s details, along with its data, on their leak site, which are our main source of information about who did what to who.

The ALPHV ransomware gang is arguably the second most dangerous “big game” ransomware operator, as you can see in many of our monthly ransomware reviews.

The costs of the cyberattack, which included payments to third-parties that were hired to help investigate and remediate the attack amounted to $49 million.

Clorox was forced to shut down many of its systems due to the attack, which triggered order processing delays and significant product outages.

The fact that the disruptions lasted as long as they did, does not bode well for the business continuity plan. Add to that the suspicion that the ransom was paid, and we can conclude that backups were perhaps insufficient or not readily deployable.

These are things that, however cumbersome, need to be tested. Waiting for the actual emergency as the first test is never a good idea. Another indication that things may not have been up to par was the chief information security officer (CISO) leaving in November, while the company was still recovering from the cyberattack.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Clorox counts the cost of cyberattack 

A list of topics we covered in the week of January 29 to February 4 of 2024

February 2, 2024 - CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.

February 2, 2024 - The FBI has removed malware from hundreds of routers in an effort to disrupt threat actors linked to the Chinese government.

January 31, 2024 - The MOAB may not be just recycled data after all.

January 31, 2024 - Threat actors are using all the tools at their disposal to deliver malware. Malicious ads are only one step in the chain, with compromised sites providing the free hosting and changing capabilities that can evade detection.

January 31, 2024 - Actions by the FCC and FTC have led to a decrease in unsollicited and scammy calls

 A week in security (January 29 &#8211; February 4) 

CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.

In an emergency directive, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to disconnect all instances of Ivanti Connect Secure and Policy Secure solution products from agency networks no later than 11:59PM on Friday February 2, 2024.

Besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts sounded about two new high severity flaws on January 31, 2024.

CISA has taken this drastic step after noticing widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Policy Secure solutions with severe consequences:

> “Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”

Based on that, CISA determined that these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and requires emergency action.

FCEB agencies using Ivanti Connect Secure and Ivanti Policy Secure solution will find a list of required actions in the emergency directive Supplemental Direction V1: Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities.

These actions include threat hunting on any systems connected to—or recently connected to—the affected Ivanti device. CISA notes that agencies running the affected products must assume domain accounts associated with the affected products have been compromised.

Agencies have permission to reconnect devices only if they’ve been factory reset and updated according to Ivanti’s instructions.

**How did it come this far?**

On January 10, 2024 Ivanti released advisories about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Active exploitation dates back as far as December 3, 2023. These vulnerabilities were listed as CVE-2023-46805 and CVE-2024-21887.

Ivanti provided a workaround and said patches would be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.

Soon after, reports started surfacing about several groups exploiting the vulnerabilities amassing as many as 1,700 compromised devices, with 7,000 more that remained vulnerable. Also, some security firms noticed a Chinese APT was able to bypass the mitigations.

New vulnerabilities came to light on January 31, 2024 listed as CVE-2024-21888 and CVE-2024-21893 where Ivanti remarked that it was aware of “a small number of customers who have been impacted by CVE-2024-21893 at this time.” Customers can read this KB article for detailed instructions on how to apply the new mitigation and how to apply the patch as each version becomes available.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 CISA: Disconnect vulnerable Ivanti products TODAY 

The FBI has removed malware from hundreds of routers in an effort to disrupt threat actors linked to the Chinese government.

The FBI has used a court order to remove malware from hundreds of routers across the US, and alter the routers’ settings to prevent reinfection.

The routers are malware-infected NetGear and Cisco small office/home office (SOHO) devices that no longer receive updates because they have reached their End-of-Life.

The FBI did this because it believed the threat actor behind the botnet of routers is an Advanced Persistent Threat (APT) group known as “Volt Typhoon.”

The US Cybersecurity and Infrastructure Security Agency (CISA) warned US businesses in May, 2023 about Volt Typhoon, an elite squadron of hackers with ties to the Chinese government, that targets high-value entities like governments, large corporations, and critical infrastructure.

On January 31, 2024, FBI  director Christopher Wray warned in a House committee hearing that “cyber hackers working for the Chinese government are preparing to wreak havoc on the US.”

To stop this from happening, the FBI used court-authorized operations to take control of hundreds of routers that Volt Typhoon had been using as gateways to get inside sensitive infrastructure. They used the routers to hide the actual origin of malicious attempts to reach inside the utilities and other targets.

The FBI says it tested the malware removal extensively on the relevant Cisco and NetGear routers, as specified in the court documents, to avoid any impact on the legitimate functions of the hacked routers.

The FBI will inform owners of the affected routers, or their providers if the owner’s contact information is not available.

A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.

The FBI warns that:

> “The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.”

At the same time, Wray let the House committee know that US cyberdefense is badly outnumbered.

> “If you took every single one of the FBI cyber agents, intelligence analysts and focused them exclusively on the China threat, China’s hackers would still outnumber FBI cyber-personnel by at least 50 to 1.”

According to CISA Director Jen Easterly, who also testified before the House select committee on the Chinese Communist Party, it’s likely we’re only seeing the tip of the iceberg.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Source

Malwarebytes