Quantcast
Channel: Webroot Blog
Viewing all 1110 articles
Browse latest View live

American Cybercrime: The Riskiest States in 2018

0
0
Reading Time: ~4 min.

Nearly 50 percent of Americans don’t use antivirus software

That’s right; something as basic as installing internet security software (which we all know we’re supposed to use) is completely ignored by about half the US. You’d be amazed how common this and other risky online behaviors are. We did a survey of people’s internet habits across the United States, and the numbers aren’t pretty.

For reference, some very common (and very risky) online behaviors include:

  • Not using antivirus software
  • Sharing your account passwords
  • Using too-simple passwords, or reusing the same password for multiple accounts
  • Not using an ad or pop-up blocker
  • Opening emails, clicking links, and downloading files from unknown sources
  • Not installing security on mobile devices

State-by-state Breakdown of the Riskiest Cyber Behaviors

We analyzed all 50 states and Washington, D.C., to rank them on their cyber hygiene habits. This ranking system uses positive and negative survey questions weighted by the relative importance of each question. These questions address several topics, including infection incidents, identity theft, password habits, computer sharing, software update habits, antivirus/internet security usage, backup habits, understanding of phishing, etc.

*Read the full report here.

Florida wins the dubious distinction of riskiest state with the worst cyber hygiene. But before anyone pokes fun, we’d like to point out that the average resident of any state in the nation has pretty poor cyber hygiene. Only 6 states in the nation had good cyber hygiene scores.

Impacts of Risky Behavior

When you engage practice poor cyber hygiene, you’re not just running the risk of getting infected or losing a few files.

In our research, we asked respondents who had suffered identity theft, “what were the main consequences of the identity theft incident?” Some of the self-reported fall-out was both surprising and tragic, including responses like divorced spouse, bankruptcy, failed to obtain mortgage, had to get second job, had to sell house, increased alcohol consumption, delayed retirement, and diminished physical health.

When we consider that identity theft can mean such devastating consequences as divorce, bankruptcy, and even damage to our health, it becomes clear just how important good cyber hygiene really is.

What the Riskiest States are Doing Wrong

Stats from the 5 riskiest states (Florida, Wyoming, Montana, New Mexico, and Illinois):

  • Identity theft had little to no impact on their cyber hygiene habits. That means even after learning the consequences first hand, very few people changed their habits.
  • These states had the highest per-person average (28 percent) of having experienced 10+ malware infections in a single year.
  • 50 percent+ of respondents in Florida, Illinois, Montana, and 45 percent of respondents from New Mexico and Wyoming said they don’t use any kind of antivirus or internet security.
  • 47 percent of respondents never back up their data.
  • An average of 72 percent share their passwords.

What the Safest States are Doing Right

The 5 safest states had many behaviors in common that kept them ahead of the malware curve.

  • Following cases of identity theft, nearly 80 percent of respondents from the 5 safest states reported that they had altered their online habits, and almost 60 percent changed their passwords.
  • Only 14.4 percent of respondents the safe states experienced 10 or more infections a year.
  • The safest states typically reported running paid-for antivirus/security solutions, rather than freeware, unlike their risky counterparts.
  • Finally, nearly half (43 percent) of the 5 safest states automatically update their operating systems, and 35 percent of respondents regularly back up their data, either on a daily or continuous basis.
  • And of the top 4, password sharing was hardly an issue (88 percent of respondents from those states reported they don’t share passwords at all.)

Find out which state your cyber hygiene puts you in. Take the survey below:

Please note that this survey is hosted by a third party, Typeform, SL. (“Typeform”). Your use of the Typeform survey platform will be subject to their Terms and Conditions. Any information you provide in answering the survey questions will be anonymized so that it cannot be used to identify you.

The Role of Demographics and additional findings

Given Florida’s reputation as a retirement hotspot, we wanted to point out that 50 percent of Florida’s respondents in our study were age 30 or below, and the national average of respondents aged 30 or below was 47 percent. This means age demographics in our survey were consistent throughout all 50 states and D.C. and our responses actually skew younger rather than older.

How to Increase Your Personal Cyber Hygiene Score (It’s not too late!)

Here’s a quick to-do list that will help keep you safe from malware, identity theft, and other online risks. It’s not as hard as you might think.

  1. Use antivirus software. And keep in mind, while there are plenty of free tools out there that are better than nothing, you get what you pay for. Your online security, and that of your family, is worth a little investment.
  2. Create strong passwords for each account, change them often, make sure each one is unique, and, if possible, add spaces for increased security. If you’re worried about keeping track of them all, use a password manager.
  3. Stop sharing your login credentials with friends, family, and coworkers. We mean it.
  4. Closely monitor your financial accounts for any fraudulent activity, and consider using a credit monitoring or identity protection service.
  5. Regularly update your operating system and software applications. Lots of infections start by exploiting out-of-date systems.
  6. Don’t open emails from people you don’t know, and don’t download anything from an email unless you’re certain it’s legitimate. And if you get a message that appears to be from an official or financial institution asking you to take an action, don’t click any links. Go straight to the institution’s official website, or call them to confirm whether the message you received was real.
  7. Back up your files and important data regularly to a secure cloud or physical drive.

There are a lot of risks out there, and as an internet user, you have a responsibility to use good judgement when you work, bank, shop, browse, and take other actions online. But by following these easy tips, you can dramatically change your cyber hygiene score, and reduce your risk of falling victim to cybercrime.

The post American Cybercrime: The Riskiest States in 2018 appeared first on Webroot Blog.


Is GDPR a Win for Cybercriminals?

0
0
Reading Time: ~3 min.

GDPR represents a massive paradigm shift for global businesses. Every organization that handles data belonging to European residents must now follow strict security guidelines and businesses are now subject to hefty fines if data breaches are not disclosed. Organizations around the world have been busy preparing to comply with these new regulations, but many internet users are unaware of how GDPR will impact them. While this new oversight enhances user privacy protection, its implementation also opens the door for GDPR-specific cyber threats.

Anyone with even the slightest online presence has been subject to a barrage of new terms and conditions released by companies concerning GDPR, which became effective on May 25, 2018. Criminals are taking advantage of this overwhelming surge of new terms of agreements to execute scams.

A phishing scam purporting to come from Apple is the most popular that we’ve seen. It declares that “For Your Safety, Access To Your Apple ID Has Been Restricted”, then prompts users to update account information before being allowed back in. This particular campaign was designed to capitalize on fatigue from the myriad of updated terms of agreement and privacy policy notifications internet users have encountered in the weeks leading up to GDPR, hoping to catch them off guard. The idea behind the scam is that potential victims are less alert and more likely to agree to and click through anything related to updated terms and conditions. Here’s what the phishing page looks like:

Source: hxxps://www.securitycentre-appleid.com [phishing URL]

When victims click “Update Your Account”, they’re then presented with a fake login page designed to capture their Apple ID credentials.

Source: hxxps://www.securitycentre-appleid.com/Locked.php [Phishing URL]

Targeted Ransomware

Beyond simple phishing scams, GDPR brings new pressure criminals can leverage concerning personal data that companies are responsible for. Targeted ransomware has become popular recently, especially through the RDP attack vector. Cybercriminals are now in a much better position to demand substantially larger ransoms when dealing with company data belonging to EU residents than before.

Were criminals to target an organization handling EU resident data, they’d be in a position to leverage a ransom amount closer to fines meted out under GDPR laws once they’ve breached and encrypted the data. We expect to see an increase in targeted ransomware hoping to exploit the hefty GDPR fine structure.

Another win for cybercriminals comes in the form of the recent change to the WHOIS lookup, made in response to GDPR data privacy restrictions. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the global domain system, has removed crucial bits of data from public WHOIS lookups to comply with GDPR.

Before this change, when queries were made on domains using WHOIS lookup, information such as registrant’s name, address, email, and phone number was accessible. This proved invaluable when tracking malicious domains linked to malware campaigns. Now, with GDPR, that information will no longer be available publicly, giving cybercriminals another edge. ICANN has since filed a lawsuit seeking to clarify the law as it relates to WHOIS data collection, according to Threatpost.

GDPR Fails

We’ve also seen some unfortunate failures from legitimate companies sending emails trying to educate and inform their customers of GDPR-related changes—and actually violating the regulations while doing so.

Source: @ashstronge on Twitter

In sending this email on blast to their contacts, the company above failed to hide email addresses, thereby sending their users’ contact information to everyone on their email list. A mistake like this may carry costly consequences under the EU’s new rules. It should serve as a reminder to businesses of all sizes of what’s at stake with mishandling personal data.

Be on alert for scams related to GDPR. Interact carefully with the many privacy policy updates you’ve likely received in recent weeks. Remember to practice good cyber hygiene, and always double check website URLs whenever entering personal data.

The post Is GDPR a Win for Cybercriminals? appeared first on Webroot Blog.

Cyber News Rundown: MyHeritage Breached

0
0
Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

92 Million Genealogy Site Accounts Compromised

Earlier this week, genealogy and DNA testing site MyHeritage revealed it had suffered a breach that affects all 92 million of its users, making it the largest reported breach of 2018. The breach itself appears to have occurred in October of last year and affected the systems that store user emails and hashed variants of their passwords. Fortunately, neither DNA results nor payment systems were affected, as they are both stored separately from online account info. Following the breach, MyHeritage has begun implementing two-factor authentication and has strongly suggested that all users update their current passwords.

Apple’s Latest Beta Release Features Enhanced Security Measures

At this year’s Worldwide Developers Conference, Apple unveiled iOS 12 which includes several quality of life improvements for current apps along with new additions. Among the new features, Apple has hinted at one that forces users who are transferring data using a USB device to unlock their Apple device once per hour, to keep the transfer active. This feature is likely part of their continued response to the FBI and several security companies developing methods to bypass local device security to gain unauthorized access to the device.

Australian HR Firm Falls Victim to Data Breach

In the past two weeks, officials at Australian HR firm PageUp have been working to determine the scale of a data breach that occurred in the last week of May. The systems affected contained sensitive user information, minus payment data or written contracts, which are stored elsewhere. The company has since informed all affected customers of the issue and has taken several steps to ensure the malware that caused the breach has been removed.

Facebook Allowed Untrustworthy Chinese Firm to Access User Data

Following Facebook’s ongoing stream of litigation, they are once again under fire for allowing China-based Huawei to gather not only user data but also data from that user’s friend list, often without consent. Huawei and dozens of other developers were given access to Facebook’s API to assist in improving the user experience on various operating systems, though it is impossible to account for any misuse of the data from that point on.

Financial Sector Sees Major Increase in Keyloggers

Researchers analyzed the 100 malware infections that most recently affected the financial sector and found high volumes of keyloggers, as well as Emotet and Ursnif Trojans, which are commonly dropped from malicious Microsoft® Office documents. While it’s not unusual for keylogging software be used to steal sensitive financial info, the sheer quantity of variants indicates that, as these institutions have worked to increase their security, attackers have also been working to improve their own methods.

The post Cyber News Rundown: MyHeritage Breached appeared first on Webroot Blog.

3 MSP Best Practices for Protecting Users

0
0
Reading Time: ~3 min.

Cyberattacks are on the rise, with UK firms being hit, on average, by over 230,000 attacksin 2017. Managed service providers (MSPs) need to make security a priority in 2018, or they will risk souring their relationships with clients. By following 3 simple MSP best practices consisting of user education, backup and recovery, and patch management, your MSP can enhance security, mitigate overall client risk, and grow revenue.

User Education

An effective anti-virus is essential to keeping businesses safe; however, It isn’t enough anymore. Educating end users through security awareness training can reduce the cost and impact of user-generated infections and breaches, while also helping clients meet the EU’s new GDPR compliance requirements. Cybercriminals’ tactics are evolving and increasingly relying on user error to circumvent security protocols. Targeting businesses through end users via social engineering is a rising favorite among new methods of attack.

Common social engineering attacks include:

  • An email from a trusted friend, colleague or contact—whose account has been compromised—containing a compelling story with a malicious link/download is very popular. For example, a managing director’s email gets hacked and the finance department receives an email to pay an outstanding “invoice”.
  • A phishing email, comment, or text message that appears to come from a legitimate company or institution. The messages may ask you to donate to charity, ‘verify’ information, or notify you that you’re the winner in a competition you never entered.
  • A fraudster leaving a USB around a company’s premises hoping a curious employee will insert it into a computer providing access to company data.

Highly topical, relevant, and timely real-life educational content can minimize the impact of security breaches caused by user error. By training clients on social engineering and other topics including ransomware, email, passwords, and data protection, you can help foster a culture of security while adding serious value for your clients.

Backup and Disaster Recovery Plans

It’s important for your MSP to stress the importance of backups. If hit with ransomware without a secure backup, clients face the unsavory options of either paying up or losing important data. Offering clients automated, cloud-based backup makes it virtually impossible to infect backup data and provides additional benefits, like a simplified backup process, offsite data storage, and anytime/anywhere access. In the case of a disaster, there should be a recovery plan in place. Even the most secure systems can be infiltrated. Build your plan around business-critical data, a disaster recovery timeline, and protocol for disaster communications.

Things to consider for your disaster communications

  • Who declares the disaster?
  • How are employees informed?
  • How will you communicate with customers?

Once a plan is in place, it is important to monitor and test that it has been implemented effectively. A common failure with a company’s backup strategy occurs when companies fail to test their backups. Then, disaster strikes and only then do they discover they cannot restore their data. A disaster recovery plan should be tested regularly and updated as needed. Once a plan is developed, it doesn’t mean that it’s effective or set in stone.

Patch Management

Consider it an iron law; patch and update everything immediately following a release. As soon as patches/updates are released and tested, they should be applied for maximum protection. The vast majority of updates are security related and need to be kept up-to-date. Outdated technology–especially an operating system (OS)–is one of the most common weaknesses exploited in a cyberattack. Without updates, you leave browsers and other software open to ransomware and exploit kits. By staying on top of OS updates, you can prevent extremely costly cyberattacks. For example, in 2017 Windows 10 saw only 15% of total files deemed to be malware, while Windows 7 saw 63%. These figures and more can be found in Webroot’s 2018 Threat Report.

Patching Process

Patching is a never-ending cycle, and it’s good practice to audit your existing environment by creating a complete inventory of all production systems used. Remember to standardize systems to use the same operating systems and application software. This makes the patching process easier. Additionally, assess vulnerabilities against inventory/control lists by separating the vulnerabilities that affect your systems from those that don’t. This will make it easier for your business to classify and prioritize vulnerabilities, as each risk should be assessed by the likelihood of the threat occurring, the level of vulnerability, and the cost of recovery. Once it’s determined which vulnerabilities are of the highest importance, develop and test the patch. The patch should then deploy without disrupting uptime—an automated patch system can help with the process.

Follow these best practices and your MSP can go a lot further toward delivering the security that your customers increasingly need and demand. Not only you improve customer relationships, but you’ll also position your MSP as a higher-value player in the market, ultimately fueling growth. Security is truly an investment MSPs with an eye toward growth can’t afford to ignore.

The post 3 MSP Best Practices for Protecting Users appeared first on Webroot Blog.

Cyber News Rundown: Apple Bans Crypto Mining Apps

0
0
Reading Time: ~2 min.

Apple Bans All Cryptocurrency Mining Apps from App Store

Apple has made several policy changes over the last few days that will effectively ban all cryptocurrency mining features from apps in the App Store. This change comes not long after Apple removed an app called Calender 2, which silently began background mining for Monero but later reappeared without it’s mining functionality. Due to the relatively weak hardware found in Apple devices, it would take a considerable amount of time and processing power to make mining even the easiest currencies feasible.

Hackers Steal Payment Info from Major UK Retailer

This past week officials announced that Dixons Carphone, a large electronics retailer from the UK, suffered a major breach of their payment systems nearly a year ago. The identified systems contained payment data for nearly 6 million customers, though most were protected by the use of a chip-and-PIN authentication system. Additional customer information was also compromised, though the full extent of the fraud being committed with the stolen information is still unclear.

Spanish Soccer App Found Spying on Users

A new app has been circulating through the Android marketplace recently that appears to be a normal sports app, but requests access to the device’s microphone and GPS location to spy on unauthorized viewing of broadcast sports. While the creator of the app, Spain’s top-flight soccer league, has gone on to defend its actions based on the annual losses from illegally broadcasted games, the recent revelation has brought in thousands of 1-star reviews for the app which currently has over 10 million downloads.

Top-level Domains Contain Highest Danger Risks

With just over 1,500 top-level domains (TLDs) like .com, .biz, and .work currently registered, it seems surprising that most sub-domains were linked to some form of spam or malware distribution. The worst offender was the .men TLD which was discovered to have 55% of 65,000 sub-domains registered as “bad” within the last month. The main reason for this influx of spammers is the extremely low cost of purchasing within these TLDs. Most sub-domains are available for less than $1 and can be sold in massive quantities to anyone interested.

Unguarded Botnet Server Reveals 43 Million Email Addresses

Researchers have stumbled onto a command and control server belonging to a botnet that has been distributing both Trik and Gandcrab ransomware. The server itself contained over 2000 text files, each holding an average of 20,000 unique email addresses, likely being used to facilitate other email spammers. A total of 43.5 million unique addresses were found. While many of the emails are likely from other data breaches in the past, they span over 100 individual domains from countries around the world.

The post Cyber News Rundown: Apple Bans Crypto Mining Apps appeared first on Webroot Blog.

Parsing the Distinction Between AI & Machine Learning

0
0
Reading Time: ~4 min.

I had the privilege of giving a keynote on one of my favorite topics, busting myths around artificial intelligence (AI) and machine learning (ML), during DattoCon 2018 this week.

Webroot has been doing machine learning for more than a decade and consider this aspect one of our key differentiators for our solutions. However, for many small-to-medium businesses (SMBs), that might not matter. They may have heard the terms AI or ML but aren’t sure how these advancements can help keep their company safe. Additionally, the managed service providers (MSPs) who provide millions of SMBs with security protection, might not know how this technology can help their customers either.

AI and ML are not the same thing. Marketing campaigns and news articles oftentimes confuse people into thinking that they are—and my insistence on clarifying their nuance might be overkill—but I think it’s important to know the difference so you can understand how each can help make cybersecurity stronger.

What is artificial intelligence?

Artificial intelligence interacts with people, whether emulating a human (think about chat bots) or pets. The AI component is that interactive component—the thing you can touch, feel, and see. AI technology is very nascent, and I expect great things to come in the near future.

What is machine learning?

Machine learning is artificial intelligence’s nerdy cousin. ML models are designed to analyze all of the data collected, behind the sciences, with no human interface. ML is the heavy science where all the data crunching takes place. This is the part of technology that a few companies, like Webroot, have been working in for a long time.

To dig in further, I decided to take to the streets (or aisles) of DattoCon 2018 in Austin, TX, and see what MSPs were hearing and thinking about in relation to AI and ML. I kicked things off by getting a grasp on what MSPs are being asked by their customers.

“Absolutely nothing,” said Steven Gomes, kloudfyre. “They don’t bring it up; it’s nothing I even talk about. I know AI is the future of processing speed and power — so it’s important to me because it means accuracy and intelligence. But my customers don’t ask.”

That’s the response I got across the board. MSPs know it is something key for the future of security, but their customers don’t ask about it at all. I’m heartened to learn MSPs understand the importance, but can they tell marketing hype from reality? I want to make sure they understand what’s important or key differentiators for AI and ML.

Identifying the problem, data and consumability are key.

First, you need to know what problem you’re trying to solve before you can engage ML models. Next is having substantial data to feed the models. Webroot analyzes 500 billion data elements a day that we link and push through our models to enhance our analysis. We have a lot of access to information that new players in the space simply do not. Data is key to training up a model. Finally, consumability is getting the ML models into the hands of the customer so that the solution can be actionable. It’s pretty easy to tune new models, but it’s not easy to get the models deployed and allow customers to get meaningful, actionable data from it.

What do MSPs hear from customers around what’s key with ML?

The general sentiment was that it’s a checkbox in that they know the words, and it’s a must, but there is no real data or understanding of the why. SMBs don’t know what it means or how it applies to their business other than making security generally better.Going one-step further, I get concerned people are enamored with the idea of the tech but not clear on the value it can provide.

AI and ML should help in three areas for customers.

First, it should help create new capabilities for the security stack while at the same time decreasing their costs and reducing their cycle time to detect and remediate threats. Second, it should help detect emergent, unexpected threat behaviors quickly enabling the security team or an orchestration solution to take action. Third, it should deliver value around people augmentation. It could be automation of remedial tasks or simply working around the clock while your human employees go home and sleep.

“MSPs are technologists. They have to take complex stuff for their clients and their clients have blind faith. So MSPs focus on effectiveness.” -Cameron Stone, sales, Webroot

When I dug in more about benefits, a recent MSP owner chimed in, “Almost all decisions are based on whether it reduces headaches and is an innovative tool for my customers; so if machine learning does that, I’m all for learning more. I’d be happy to read up on it, but my customers don’t have time to read or care about it.”

As a passionate fan of ML, I realized there is a lot more we in the industry need to do to help educate and make this technology easy to consume.

Machine learning’s super power is that the amount of data it can take it has no limits. Think about it the context of healthcare: what if the best doctors in the world could work on your issue, around the clock? ML can provide that value to cybersecurity.

I appreciate Datto letting me talk on my soapbox for a few minutes and hope to continue this conversation with more MSP partners.

The post Parsing the Distinction Between AI & Machine Learning appeared first on Webroot Blog.

Social Media Malware is Deviant, Destructive

0
0
Reading Time: ~4 min.

We’ve seen some tricky techniques used by cybercriminals to distribute malware through social media. One common threat begins with a previously compromised Facebook account sending deceptive messages that contain SVG image attachments via Facebook Messenger. (The SVG extention is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.)

Cybercriminals prefer this XML-based image as it allows dynamic content. This enables the criminals to add malicious JavaScript code right inside the photo itself—in this case, linking to an external site. Users who click on the image find themselves on a website posing as YouTube that pushes a popup to install a browser extension or add-on or to view a video. There are plenty of red flags here like the URL clearly not being YouTube.com, as well as the fact that YouTube does not require any extensions to view videos.

Facebook messenger spreading an SVG image containing a harmful script

An example of a fake YouTube page with malicious browser extension popup

Worm-like propagation

If a you were to install this extension, it will take advantage of your browser access to your Facebook account to secretly mass-message your friends with the same SVG image file—like a worm, this is how it spreads. Victims don’t need to have very many friends for this tactic to be successful at propagating. For instance, if you have over 100 friends, then you only need less than 1% of your friends to fall for this for the scam for it to continue to propagate.

To make matters worse, the extension also downloads Nemucod, a generic malware downloader generally used to download and install a variety of other threats. Usually the go-to threat is ransomware given it’s proven business model for criminals.

Social media managers at risk

Those who manage social media accounts on behalf of businesses are particularly at risk of advanced malware and other cyberattacks. Earlier this spring, a new Windows trojan dubbed Stresspaint was found hidden inside a fake stress-relief app and likely spread through email and Facebook spam campaigns to infect 35,000 users, according to researchers at Radware who discovered the malware.

Stresspaint was rather deviant in the way it stole Facebook account credentials and logged into accounts looking specifically for data such as “each user’s number of friends, whether the account manages a Facebook Page or not, and if the account has a payment method saved in its settings,” according to Bleeping Computer.

Allowing cybercriminals to gain control of brand social media accounts can carry grave consequences such as reputation damage, loss of confidential information, and deeper access into an organization’s network. Last year, HBO was humiliated on their social profiles when the notorious hacker group OurMine breached several the network’s accounts and posted messages before the company finally regained control of their logins.

Source: u/marialfc on Reddit.

Crypto users targeted

Following the recent trend in malware, sophisticated variants of existing strains are now aimed at cryptocurrency users. A malicious Google Chrome extension called FacexWorm, which spreads through Facebook Messenger, was found to have morphed with a new ability to hijack cryptocurrency transactions made on a host of popular online exchanges, according to Coindesk. This further underlines the importance of exercising caution with the information you share on social media to avoid being a target, particularly if you are a user of cryptocurrency.

Cryptocurrency scams are another common threat that spreads throughout social media. Twitter is particularly notorious an outbreak of crypto scam bots that pose as high-profile tech leaders and industry influencers. Learn more about this type scam in my previous post.

Don’t let your guard down

Given the nature of social networks, many are likely to consider themselves to be in the company of friends on sites like Facebook, Instagram and Twitter. However, this assumption can be dangerous when you begin to trust links on social sites more than you would in your email inbox or other websites. For instance, a simple bot-spam message on Twitter was able to grant a hacker access to a Pentagon official’s computer, according to a New York Times report published last year.

It’s wise to be wary of clicking on all links, even those sent by friends, family or professional connections, as compromised social media accounts are often used to spread scams, phishing, and other types of cyberattacks. After all, just one wrong click can lead to an avalanche of cyber woes, such as identity theft, data loss, and damaged devices.

Have you encountered malware or other threats on social media? Share your story or ask a question in the comments below!

The post Social Media Malware is Deviant, Destructive appeared first on Webroot Blog.

Cyber News Rundown: Weaponized USB Drives

0
0
Reading Time: ~2 min.

Weaponized USB Drives Targeting Japan and South Korea

In an effort to target air-gapped internal systems, a new wave of weaponized USB drives has been found throughout Japanese and South Korean organizations. While these attacks are relatively uncommon, that only heightens the threat as most companies are ill-prepared for such an attack and have created their air-gapped network systems in hopes of deterring them. As the systems utilizing this security method are typically extremely sensitive, this type of attack becomes increasingly focused on organizations or industry processes.

Hotel Booking Software Compromised

This week, officials for FastBooking, a Paris-based software companythat sells booking software to hundreds of hotels around the world, announced they had fallen victim to a data breach. The actual breach occurred over a week ago, and it took FastBooking employees nearly a week to discover the malicious software running on their servers. Unfortunately for customers, the data stolen seems to vary from hotel to hotel, as they all store data differently. The breach could affect millions of clients worldwide.

PythonBot Delivers Ads and Cryptominers to Windows Users

Researchers have recently discovered a new adware variant,written exclusively in Python, that not only spams your device with various ads, but also installs a cryptominer on the system for added financial gain. Ads are displayed by PBot using a malicious browser extension that attempts to redirect users to revenue-generating ad sites. In addition to its malicious activities, PBot also contains functionality to constantly receive updates to stay a step ahead of security software trying to remove it.

Flight-tracking Service Suffers Data Breach

Over the last few days, FlightRadar24, one of the largest flight tracking servicesin the world, suffered a data breach that could affect all of its 230,000 users. The breach only contained email addresses and hashed passwords, with the company swiftly pushing out password reset links to all affected customers along with disabling all current passwords. Fortunately, this breach contained no other personally identifying information or payment card data.

Nintendo Switch Hacked After DevMenu Leak

Recently, users of the Nintendo Switch have discovered illicit photos being used as profile pictures within games targeted at younger players. After an internal developer menu for the Switch was leaked, users could upload any small JPG file to an SD card and use the menu to change the avatar picture to anything they choose, including pornographic images. Unfortunately, Nintendo doesn’t currently moderate user profile pictures, but will likely have to make some changes if this behavior continues.

The post Cyber News Rundown: Weaponized USB Drives appeared first on Webroot Blog.


Cyber News Rundown: Adidas US customers’ personal information stolen

0
0
Reading Time: ~2 min.

Canadian college breach targets thousands

Last Friday, Algonquin College officials announced that an earlier data breachpotentially affected thousands of current and former students, as well as employees. While it is still unclear exactly what systems were affected, the officials have been working to contact all potential victims and inform them of the situation. What’s more interesting is Algonquin’s CISO’s comment in the article. You’d think that after the university’s first attack in 2014, they would have been better prepared this time around. At the very least, they could address the measures you’ve taken and plan on taking moving forward to prevent breaches.

Tinder implements major security upgrades

Tinder recently introduced fixes for two security vulnerabilitiesrelating to pictures insecurely stored on their servers and the ability to encrypt swipe responses. Those are pretty big vulnerabilities, considering Tinder has more than 50 million active users. The first fix involved Tinder securing their storage servers to keep hackers from accessing them through an unsecured WiFi network. The second fix revolved around making all swipe data the same size, as that was the differentiating factor between “likes” and “dislikes.”

Exactis data leak exposes info on 340 million users

A Florida-based marketing firm is currently under fire after the data for over 340 million customers was found on a publicly accessible server. It has not yet been determined for how long the information was publically accessible. The article title reads “Worse than Equifax.” I’d say. That’s all of America. Fortunately, Exactis was quick to lock down the server once they were alerted to the exposure. It has been confirmed that the data includes everything from names and addresses to types of pets and specific religious affiliations.

Adidas website falls victim to hackers

Adidas’ US website was breached this week, with sensitive data for millions of customers being stolen by unknown hackers. The company has since confirmed that no payment card information was included in the leak, only site usernames and passwords, which Adidas did properly store with strong levels of encryption. The company is still suggesting anyone who has ever made purchases from their website to change their password, regardless of whether it has been used for other sites or not. Take this as an opportunity to update all of your passwords—especially passwords on sites that you use as the same for your Adidas account.

Ticketmaster waits months to reveal data breach

Ticketmaster United Kingdom has finally released a breach statementmonths after Monzo bank, a UK-based mobile bank, informed the tickets sales giant of dozens of fraudulent charges. Even after being informed, the company wasn’t able to properly identify any data breach for over 2 months. I guess the bright side is that Ticketmaster has begun offering identity monitoring services to affected customers.

The post Cyber News Rundown: Adidas US customers’ personal information stolen appeared first on Webroot Blog.

3 Cyber Threats IT Providers Should Protect Against

0
0
Reading Time: ~3 min.

With cybercrime damages set to cost the world $6 trillion annually by 2021, a new bar has been set for cybersecurity teams across industries to defend their assets. This rings especially true for IT service providers, who are entrusted to keep their clients’ systems and IT environments safe from cybercriminals. These clients are typically small and medium-sized businesses (SMBs), which are now the primary target of cyberattacks. This presents a major opportunity for the managed service providers (MSPs) who serve them to emerge as the cybersecurity leaders their clients rely on to help them successfully navigate the threat landscape.

Before you can start providing cybersecurity education and guidance, it’s crucial that you become well-versed in the biggest threats to your clients’ businesses. As an IT service provider, understanding how to prepare for the following cyber threats will reinforce the importance of your role to your clients.

Ransomware

Ransomware is a type of malwarethat blocks access to a victim’s assets and demands money to restore that access. The malicious software may either encrypt the user’s hard drive or the user’s files until a ransom is paid. This payment is typically requested in the form of an encrypted digital currency, such as bitcoin. Like other types of malware, ransomware can spread through email attachments, operating system exploits, infected software, infected external storage devices, and compromised websites, although a growing number of ransomware attacks use remote desktop protocols (RDP). The motive for these types of attacks is usually monetary.

Why is ransomware a threat that continues to spread like wildfire? Simple: it’s easy for cybercriminals to access toolsets. Ransomware-as-a-Service (RaaS) sites make it extremely easy for less skilled or programming-savvy criminals to simply subscribe to the malware, encryption, and ransom collection services necessary to run an attack—and fast. Since many users and organizations are willing to pay to get their data back, even people with little or no technical skill can quickly generate thousands of dollars in extorted income. Also, the cryptocurrency that criminals demand as payment, while volatile in price, has seen huge boosts in value year over year.

Tips to combat ransomware:

  • Keep company operating systems and application patches up-to-date.
  • Use quality endpoint protection software.
  • Regularly back up company files and plan for the worst-case scenario: total data and systems loss (consider business continuity if budgets allow).
  • Run regular cybersecurity trainings with employees and clients.

Phishing

Phishing is the attempt to obtain sensitive information, such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons. Phishing is typically carried out by email spoofingor instant messaging, and it often directs users to enter personal information into a fake website, the look and feel of which are almost identical to a trusted, legitimate site.

Phishing is a common example of a social engineering attack. Social engineering is the art of tricking or manipulating a user into giving up sensitive or confidential information. The main purpose of a phishing attack can range from conning the recipient into sharing personal or financial information, to clicking on a link that installs malware and infects the device (for example, ransomware uses phishing as its primary infection route.)

Tips to combat phishing:

  • Ensure your employees and clients understand what a phishing email looks likeand how to avoid becoming a victim by testing your users regularly. Train them with relevant phishing scam simulations.
  • Hover over URLs in email to see the real address before clicking.
  • Use endpoint security with built-in anti-phishing protection.
  • Consider a DNS filtering solution to stop known phishing and malicious internet traffic requests.

Brute Force Attack

A brute force attack is a cyberattack in which the strength of computer and software resources are used to overwhelm security defenses via the speed and/or frequency of the attack. Brute force attacks can also be executed by algorithmically attempting all combinations of login options until a successful one is found.

It’s important to note that brute force attacks are on the rise. Earlier this year, Rene Millman of SC Magazine UK reported, “hacking attempts using brute force or dictionary attacks increased 400 percent in 2017.”

Tips to combat brute force attacks:

  • Scan your systems for password-protected applications and ensure they are not set to default login credentials. And if they’re not actively in use, get rid of them.
  • Adjust the account lockout policy to use progressive delay lockouts, so a dictionary or brute force combination attack is impossible.
  • Consider deploying a CAPTCHA stage to prevent automated dictionary attacks.
  • Enforce strong passwords and 2-factor authentication whenever possible.
  • Upgrade your toolset. RDP brute force is a major ongoing issue. Standard RDP is highly risky, but secure VPN paid-for alternatives make remote access much more secure.

Leveraging Common Cyber Attacks to Improve Business

As an IT service provider, it’s important to remember that communication is everything. With clients, I recommend you define what exactly you’re protecting them against in an effort to focus on their top cybersecurity concerns. If you “profile” certain attack vectors using common attacks types, like ransomware, phishing, and brute force attacks, you’ll be able to clearly communicate to clients exactly what it takes to protect against their biggest risks and which technologies are necessary to remain as secure as possible.

The post 3 Cyber Threats IT Providers Should Protect Against appeared first on Webroot Blog.

Cyber News Rundown: Ticketmaster Hack Reveals Mega Breach

0
0
Reading Time: ~2 min.

Ticketmaster Snafu Only Tip of the Iceberg

After last month’s Ticketmaster breach, a follow-up investigation found it to be part of a larger payment card compromising campaign affecting more than 800 online retail sites worldwide. The cause of the breach appears to stem from the third-party breaches of several Ticketmaster suppliers, which allowed hackers to integrate their own code within the software to compromise a far larger audience than originally realized.

Adobe Issues Patches for Over 100 Vulnerabilities

This month’s Patch Tuesday for Adobe introduced more than 100 unique fixes for vulnerabilities related to both Acrobat and Reader. Among the patches are fixes for unauthorized read issues that were allowing for the disclosure of sensitive information. Additionally, a patch was released for Flash Player that resolved a flaw allowing for unauthorized remote code execution, which could have had resulted in serious harm to any affected system.

Fitness Tracker App Reveals Locations of Military Personnel

Fitness app Polar Flow has recently come under scrutiny after the identity and locations of thousands of military personnel were easily revealed using the fitness map functionality. By displaying the activity map, users were could be traced to highly secretive locations, such as the White House and several other military bases around the world. The issue was caused by users swapping between public and private sessions closely tied to their individual user ID numbers when tracking fitness activities within the app.

Rahkni Ransomware Now Comes with a Choice

A longtime ransomware variant known as “Rahkni” was recently spotted in the wild with new functionality. The latest update has allowed Rahkni to decide between completely encrypting a system and deploying a crypto-miner. While mainly targeting Russian users, the ransomware is spread through malicious email attachments posing as a legitimate version of Adobe. In addition to its main operations, Rahkni also completes a thorough system scan and checks for virtualization and antivirus software before shutting down any OS-based defenses.

Chinese Hackers Compromise Australian University

After months of fending off cyberattacks, the Australian National University finally fell victim to a major data breach that has since been traced back to China. While the university believes that no student or staff information was stolen, the university serves as the main location for several national defense research organizations. This attack comes shortly after Australia implemented multiple new laws designed to reduce foreign intrusion.

The post Cyber News Rundown: Ticketmaster Hack Reveals Mega Breach appeared first on Webroot Blog.

Get to know Cathy Ondrak, Product Owner

0
0
Reading Time: ~3 min.

While one-click shopping on Amazon (or Webroot.com, for that matter) seems super easy when you’re the consumer, there are a lot of complex strategies and processes going on behind the scenes.

We chat with Cathy Ondrak, product owner for Webroot.com, to get a glimpse behind the curtain. In her role, Cathy works with developers, business analysts, and other stakeholders on a daily basis to ensure Webroot customers’ needs are being met online.

Tell us a bit about yourself.

I have three amazing kids—ages 9, 11, 13. We’re just getting to the teen years, which scares me to death. When I’m not working, I’m probably ushering my kids to one of their various activities. My life revolves around them; from baseball, softball, and soccer to basketball, parkour, or art activities, they stay busy and keep me on my toes. I also lead my nine-year-old’s Girl Scout troop and participate in my kids’ school accountability committee (SAC) meetings.

I was born in North Carolina (go Duke!) My parents moved us to Aurora, Colorado when I was a year and a half old. They still live in my childhood home. My sister and her family live about 2 miles from me, so you can regularly find my family attending one of the grandkids’ activities. (We travel in a large pack, and our kiddos always have a cheering section.)

How did you get into tech?

I began my career in public relations, moved to marketing, then product management. I worked on bringing US WEST Wireless to market a long time ago, which was my entry into tech. While at US WEST, I managed their website and eventually moved into a product manager position for their first wireless internet solution, BrowseNow. It was a very exciting time, but nothing like things are now. Everything was text-based, black and white, and not even a little pretty.

What does a day in your life at Webroot look like for you?

As the product owner for Webroot.com, I’m constantly checking emails, attending meetings, and collaborating with various internal teams. Beyond that, I oversee the web developers’ work and stay in constant communication with them. I work with developers, business analysts, and stakeholders daily to ensure deadlines are met and projects are completed as quickly as possible. We work in an agile environment, so we try to deliver solutions quickly and enhance as we need to.  It’s pretty exciting to see the changes over the years when you have time to look back.

Why do you like working at Webroot?

The thing I like best about Webroot is the people. Working with driven and intelligent people make what we do great and make me value the relationships I’ve formed. The other thing would be watching the continued success of the teams as we grow. The amount of work that flows through our team each day is amazing. The most rewarding thing is seeing how far we’ve come since we started! It’s inspiring to witness whole organization working together to bring new products to market.

Do you interface with external customers?

My day-to-day is filled with internal customers and teams at Webroot—mostly marketing teams who work with us to enhance the website and online user experience, and also provide more flexibility to sell our products.

Any advice for other women in tech?

Theonly advice I have applies to everyone, regardless of field or gender: do what you love, value the people, and success will come naturally. We all have control of our own outcomes, so be open, honest, and flexible. And for other Webrooters reading this, attend the Women of Webroot meetings, get to know your fellow colleagues, and enjoy every minute of it!

What’s the biggest lesson you’ve learned from working in the field?

My biggest lesson from the field was something someone told me years ago for when you’re trying to solve problems or work with developers. Ask yourself, “What are 3 possible solutions to anything you are doing?” Having options ready helps you think things through, so you can evaluate multiple possible solutions to determine which one is the most viable for your situation and resources. Options are key.

If you’re interested in a job at Webroot, check out our careers page, www.webroot.com/careers.

The post Get to know Cathy Ondrak, Product Owner appeared first on Webroot Blog.

Cyber News Rundown: Venmo Setting Airs Dirty Laundry

0
0
Reading Time: ~2 min.

Venmo’s Public Data Setting Shows All

Researchers recently uncovered just how much data is available through the Venmo API, successfully tracking routines, high-volume transactions from vendors, and even monitoring relationships. Because Venmo’s privacy settings are set to public by default, many users have unknowingly contributed to the immense collection of user data available for all to view. In addition to purchases, users can also leave a personalized note for the transaction, some of which range from drug references to more intimate allusions.

Spanish Telecom Suffers Major Data Breach

One of the world’s largest telecom providers fell victim to a data breach this week that could affect millions of Movistar customers. The breach allowed current customers to access the account of any other customer, simply by altering the alpha-numeric ID contained within the account URL. While parent company Telefonica was quick to resolve the issue, the communications giant could be forced to pay a fine upwards of 10 million EUR for not complying with new GDPR rules.

DDoS Attacks Target Gaming Publisher

Yesterday, Ubisoft announced via Twitter that they were in the process of mitigating a DDoS attack affecting many of their online gaming servers. At least three of Ubisoft’s largest titles were affected, leaving thousands of players unable to connect to online services. While Ubisoft has likely resumed normal activity, they are not the only gaming publisher to be the focus of these types of attacks. Blizzard Entertainment suffered a similar attack as recently as last week.

ProCare Health Under Fire for Patient Info Database

At least four companies handling the IT needs of the healthcare system in New Zealand have come forward to disclose an extremely large database containing of identifiable information (PII) for more than 800,000 patients. The database in question holds records for many thousands of patients, most of which were gathered without consent from patients, as the company has no direct dealings with them, but instead works with doctors to accumulate more data.  While having such a large volume of data in one place can be risky, the security measures should equal the value of the data itself, which is still under scrutiny.

South Korea No Longer Main Target of Magniber Ransomware

Researchers have noticed over the past few weeks a significant trend involving the Magniber ransomware variant branching out from its long-time focus on South Korea to other Asian countries. Additionally, the source code itself has been vastly improved and has begun using an older exploit for Internet Explorer that would allow Magniber to increase infection rates across unpatched systems.

The post Cyber News Rundown: Venmo Setting Airs Dirty Laundry appeared first on Webroot Blog.

6 Steps to Build an Incident Response Plan

0
0
Reading Time: ~4 min.

According to the Identity Theft Research Center, 2017 saw 1,579 data breaches—a record high, and an almost 45 percent increase from the previous year. Like many IT service providers, you’re probably getting desensitized to statistics like this. But you still have to face facts: organizations will experience a security incident sooner or later. What’s important is that you are prepared so that the impact doesn’t harm your customers or disrupt their business.

Although, there’s a new element that organizations—both large and small—have to worry about: the “what.” What will happen when I get hacked? What information will be stolen or exposed? What will the consequences look like?

While definitive answers to these questions are tough to pin down, the best way to survive a data breach is to preemptively build and implement an incident response plan. An incident response plan is a detailed document that helps organizations respond to and recover from potential—and, in some cases, inevitable—security incidents. As small- and medium-sized businesses turn to managed services providers (MSPs) like you for protection and guidance, use these six steps to build a solid incident response plan to ensure your clients can handle a breach quickly, efficiently, and with minimal damage.

Step 1: Prepare

The first phase of building an incident response plan is to define, analyze, identify, and prepare. How will your client define a security incident? For example, is an attempted attack an incident, or does the attacker need to be successful to warrant response? Next, analyze the company’s IT environment and determine which system components, services, and applications are the most critical to maintaining operations in the event of the incident you’ve defined. Similarly, identify what essential data will need to be protected in the event of an incident. What data exists and where is it stored? What’s its value, both to the business and to a potential intruder? When you understand the various layers and nuances of importance to your client’s IT systems, you will be better suited to prepare a templatized response plan so that data can be quickly recovered.

Treat the preparation phase as a risk assessment. Be realistic about the potential weak points within the client’s systems; any component that has the potential for failure needs to be addressed. By performing this assessment early on, you’ll ensure these systems are maintained and protected, and be able to allocate the necessary resources for response, both staff and equipment—which brings us to our next step.

Step 2: Build a Response Team

Now it’s time to assemble a response team—a group of specialists within your and/or your clients’ business. This team comprises the key people who will work to mitigate the immediate issues concerning a data breach, protecting the elements you’ve identified in step one, and responding to any consequences that spiral out of such an incident.

As an MSP, one of your key functions will sit between the technical aspects of incident resolution and communication between other partners. In an effort to be the virtual CISO (vCISO) for your clients’ businesses, you’ll likely play the role of Incident Response Manager who will oversee and coordinate the response from a technical and procedural perspective.

Pro Tip: For a list of internal and external members needed on a client’s incident response team, check out this in-depth guide.

Step 3: Outline Response Requirements and Resolution Times

From the team you assembled in step two, each member will play a role in detecting, responding, mitigating damage, and resolving the incident within a set time frame. These response and resolution times may vary depending on the type of incident and its level of severity. Regardless, you’ll want to establish these time frames up front to ensure everyone is on the same page.

Ask your clients: “What will we need to contain a breach in the short term and long term? How long can you afford to be out of commission?” The answers to these questions will help you outline the specific requirements and time frame required to respond to and resolve a security incident.

If you want to take this a step further, you can create quick response guides that outline the team’s required actions and associated response times. Document what steps need to be taken to correct the damage and to restore your clients’ systems to full operation in a timely manner. If you choose to provide these guides, we suggest printing them out for your clients in case of a complete network or systems failure.

Step 4: Establish a Disaster Recovery Strategy

When all else fails, you need a plan for disaster recovery. This is the process of restoring and returning affected systems, devices, and data back onto your client’s business environment.

A reliable backup and disaster recovery (BDR) solution can help maximize your clients’ chances of surviving a breach by enabling frequent backups and recovery processes to mitigate data loss and future damage. Planning for disaster recovery in an incident response plan can ensure a quick and optimal recovery point, while allowing you to troubleshoot issues and prevent them from occurring again. Not every security incident will lead to a disaster recovery scenario, but it’s certainly a good idea to have a BDR solution in place if it’s needed.

Step 5: Run a Fire Drill

Once you’ve completed these first four steps of building an incident response plan, it’s vital that you test it. Put your team through a practice “fire drill.” When your drill (or incident) kicks off, your communications tree should go into effect, starting with notifying the PR, legal, executive leadership, and other teams that there is an incident in play. As it progresses, the incident response manager will make periodic reports to the entire group of stakeholders to establish how you will notify your customers, regulators, partners, and law enforcement, if necessary. Remember that, depending on the client’s industry, notifying the authorities and/or forensics activities may be a legal requirement. It’s important that the response team takes this seriously, because it will help you identify what works and which areas need improvement to optimize your plan for a real scenario.

Step 6: Plan for Debriefing

Lastly, you should come full circle with a debriefing. During a real security incident, this step should focus on dealing with the aftermath and identifying areas for continuous improvement. Take is this opportunity for your team to tackle items such as filling out an incident report, completing a gap analysis with the full team,  and keeping tabs on post-incident activity.

No company wants to go through a data breach, but it’s essential to plan for one. With these six steps, you and your clients will be well-equipped to face disaster, handle it when it happens, and learn all that you can to adapt for the future.

The post 6 Steps to Build an Incident Response Plan appeared first on Webroot Blog.

Cyber News Rundown: Bluetooth Man-in-the-Middle

0
0
Reading Time: ~2 min.

Paired Bluetooth Devices Vulnerable to Man-in-the-Middle Attacks

A new vulnerability has been discovered that would allow an attacker to easily view the traffic sent between two Bluetooth-paired devices. The core of the vulnerability relies on the attacker’s device being within wireless range of both devices in the process of being paired. Signals from each device can then be intercepted and injected with malicious code before being forwarded to their intended destinations. Fortunately, the Bluetooth Special Interest Group has already implemented several updates so that a public-key validation is now required before pairing with a new device.

Vehicle Supplier Exposes Data for Key Car Manufacturers

A recent blunder from Level One Robotics left over 150 GB of data from several global car manufacturers on a completely unsecured server. The exposed data included factory schematics, secure request forms, and other highly sensitive information related to the assembly line process and personnel. Unfortunately, the server in question was left with public write privileges, enabling any malicious attacker to freely make changes to any of the data it contained.

Singapore Healthcare Provider Suffers After Major Data Breach

Nearly 1.5 million patients are being contacted after a data breach occurred at SingHealth, one of Singapore’s largest healthcare providers. The breach appears to have been thoroughly planned, as the high-level credentials were quickly attained after a single workstation was compromised. While no medical information was stolen, SingHealth has been reaching out to affected patients with regards to possible phishing scams that may result from the breach.

MoneyTaker Group Uses Unpatched Router to Carry Out Bank Heist

Russia’s PIR Bank recently fell victim to a rather sophisticated breach from the hacker group known as MoneyTaker, which has been responsible for over a dozen similar bank-related hacks over the past couple of years. By gaining access to the bank’s network using an outdated router, the group was able to successfully transfer portions of nearly $1 million to at least 17 different accounts before that money was withdrawn at various ATMs across the country. To make matters worse, it appears that the initial breach happened back in May, with the banks not discovering it until the day after the transfers took place.

Blackmail Scammers Cash in on Adult Site Visitors

Within the last week a campaign targeting visitors to several adult sites began making its way through thousands of email accounts. The scam focuses on scaring the victims with video captures of both their screen at the time they visited the adult site as well as video from the victim’s webcam, in hopes of extorting payments in Bitcoin. By viewing the traffic on the provided Bitcoin addresses, at least 30 individuals have paid the demanded price, gaining the scammers over $50,000 so far.

The post Cyber News Rundown: Bluetooth Man-in-the-Middle appeared first on Webroot Blog.


Crime and Crypto: An Evolution in Cyber Threats

0
0
Reading Time: ~6 min.

Cybercriminals are constantly experimenting with new ways to take money from their victims. Their tactics evolve quickly to maximize returns and minimize risk. The emergence of cryptocurrency has opened up new opportunities to do just that. To better understand today’s threat landscape, it’s worth exploring the origins of cryptocurrencies and the progress cybercriminals have made in using it to advance their own interests.

The FBI screen lock

Source: @DavidSGingras on Twitter

Many readers may remember the infamous FBI lock malware that would pop up and prevent users from using their computer at startup. The malware presented the (false) claim that the victim had downloaded copyrighted material illegally or had watched pornography.

This was a common and successful scam that made millions globally by localizing the “official” police entity in order to legitimize the threat. The money it made was transferred via Ukash and MoneyPak, which were essentially gift cards available at local convenience stores that could be loaded with specified amounts of cash. Victims would enter the pin on the back of the card to pay the criminals.

This method of collecting money wasn’t without risks for criminals, however. If enough victims reported the scam to law enforcement, they would try to find and identify those responsible (attention criminals obviously tried to avoid).

Bitcoin and Silk Road

While the Ukash and MoneyPack scams were still alive and well, another popular and anonymous black market called Silk Road was experimenting with Bitcoin as a payment system.

Silk Road was essentially an underground market on the encrypted dark web for goods otherwise illegal or extremely difficult to purchase in most countries. The site’s buyers and sellers remained effectively anonymous to one another and were almost impossible to track. For years this marketplace thrived and proved the efficacy of Bitcoin as a transactional system. Its success came to an abrupt halt in 2013, however, when the FBI seized Silk Road and arrested its founder.

The shutdown initially caused a nosedive in Bitcoin’s market price, but it quickly bounced back to surpass its value even at the height of the Silk Road.

So, what contributed to the shift?

Source: coindesk.com

Enter CryptoLocker

The first variants of Cryptolocker ransomware were seen in late September 2013. In terms of criminal endeavors, it was an instant success. Soon, many variants were infecting users around the world. Early editions accepted the still widely-used Ukash and MoneyPak as payment, but with a twist. Cryptolocker would provide a discount for Bitcoin payments. The proverbial Rubicon had been crossed in terms of cryptocurrencies receiving preferential treatment from cybercriminals. With ransomware rapidly rising to the top of the threat landscape, Bitcoin saw corresponding growth as fiat currencies were exchanged for it so ransoms could be paid.

Is Bitcoin Anonymous?

Not really. Since all Bitcoin transactions are recorded on a public ledger, they are available for anyone to download and analyze. Each time a victim pays a ransom, they’re given a Bitcoin address to which to send payment. All transactions to and from this address are visible, which, incidentally, is how the success of many ransomware campaigns is measured.

When a criminal wants to cash out Bitcoin, they typically need to use an exchange involving personal identifiable information. So, if a criminal isn’t careful, their victim’s Bitcoin wallet address can be tracked all the way to the criminal’s exchange wallet address. Law enforcement can then subpoena the exchange to identify the criminal. Criminals, however, are often able to keep this situation from unfolding by using tactics that prevent their “cash out” address from being flagged.

For a time, Bitcoin “mixers” offered to clean coins that were widely available on the dark web. Their methods involved algorithms that would split up and send dirty coins of varying amounts to different addresses, then back to another address clean, a process not unlike physical currency laundering. Yet, the process was not foolproof and did not work indefinitely. Once cryptocurrencies had gained significant legitimate adoption, several projects were started to search Bitcoin blockchain transactions for fraudulent activities. Chainalysis is one example.

Ransomware takes multiple cryptocurrencies

In the spring of 2014, a new cryptocurrency arrived. Dubbed Monero, it filled Bitcoin’s shoes, but without a public ledger that could be analyzed. Monero quickly became criminals’ most useful payment system to date. It uses an innovative system of ring signatures and decoys to hide the origin of the transactions, ensuring transactions are untraceable. As soon as criminals receive payment to a Monero wallet address, they’re able to send it to an exchange address and cash out clean, with no need to launder their earnings.

Source: Security Affairs

Monero started to see “mainstream” adoption by criminals in late 2016, when certain flavors of ransomware started experimenting with accepting multiple cryptocurrencies as payment, with Bitcoin, Ethereum, Monero, Ripple, and Zcash among the most common.

The Emergence of CryptoJacking

Monero has proven useful for criminals not just because it’s private. It also has a proof-of-work mining system that maintains an ASIC resistance. Most cryptocurrencies use a proof-of-work mining system, but the algorithm used to mine them can be worked by a specific chip (ASIC) designed to hash that algorithm much more efficiently than the average personal computer.

In this sense, Monero has created a niche for itself with a development team that maintains it will continually alter the Monero algorithm to make sure that it stays ASIC-resistant. This means Monero can be mined profitably with consumer-grade CPUs, sparking yet another trend among criminals of generating money from victims without ever delivering malware to their systems. This new threat, called “cryptojacking,” has gained momentum since CoinHive first debuted its mining JavaScript code in September 2017.

The original purpose of crypto-mining scripts, as described by CoinHive, was to monetize site content by enabling visitors’ CPUs to mine Monero for the site’s owners. This isn’t money from thin air, though. Users are still on the hook for CPU usage, which arrives in the form of an electric bill. While it might not be a noticeable amount for one individual, the cryptocurrency mined adds up fast for site owners with a lot of visitors. While CoinHive’s website calls this an ad-free way to generate income, threat actors are clearly abusing the tactic at victims’ expense.

We can see in the image above that visiting this Portuguese clothing website causes the CPU to spike to 100 percent, and the browser process will use as much CPU power as it can. If you’re on a newer computer and not doing much beyond browsing the web, a spike like this may not even be noticeable. But, on a slower computer, just navigating the site would be noticeably sluggish.

Cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. CoinHive maintains there is no need block their scripts because of “mandatory” opt-ins. Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in, as compromised sites we’ve evaluated rarely prompt any terms. Since CoinHive receives a 30 percent cut of all mining profits, they’re likely not too concerned with how their scripts are used. Or abused.

Cryptojacking becomes 2018’s top threat

Cryptojacking via hijacked websites hasn’t even been on the scene for a full year, and already it has surpassed ransomware as the top threat affecting the highest number of devices. After all, ransomware requires criminals execute a successful phishing campaign to deliver their payload, defeat any installed security, successfully encrypt files, and send the encryption keys to a secure command and control server. Then the criminals still have to help them purchase and transfer the Bitcoin before finally decrypting their files. It’s a labor-intensive process that leaves tracks that must be covered up.

For criminals, cryptojacking is night-and-day easier to execute compared to ransomware. A cybercriminal simply injects a few lines of code into a domain they don’t own, then waits for victims to visit that webpage. All cryptocurrency mined goes directly into the criminal’s wallet and, thanks to Monero, is already clean.

That’s why you should expect cryptojacking to be the preferred cyberattack of 2018.

For more analysis of modern cyber threats, including cryptojacking, be sure to check out Webroot’s 2018 Threat Report. Questions? Drop me a line in the comments below.

The post Crime and Crypto: An Evolution in Cyber Threats appeared first on Webroot Blog.

Cyber News Rundown: Valve Bans Developer for Cryptojacking

0
0
Reading Time: ~2 min.

Cryptojacking “Game” Found on Steam Store

Valve has taken recent action against an indie-developed game available on Steam, the company’s game/app store, and removed their listing after many customers had complained about cryptomining slowing their systems, once launched. Additionally, the developers have been caught selling in-game items on third-party sites, that were falsely portrayed as being items for another game in hopes of scamming more money from users. Fortunately, Valve was quick to deal with the issue and banned not only the game, but also the developers from submitting new games after their deceptive practices.

In-depth Look at Deepfakes

As special effects technology becomes more advanced, so too are those that would abuse its capabilities to cause unrest. With the release of Deepfakes, a video software that allows anyone to put any face on a body, or into a video, the power once held only by major production studios is now available to anyone with a computer. While many Deepfakes users have opted to create fake pornographic videos using popular celebrities, the software has also been used to cause political tension by falsely placing a politician’s likeness into a video with completely different audio and then distributing it as a legitimate recording.

Personal Data Easily Found by Researcher

A security researcher recently discovered a security flaw that allowed him to access personal records for over half a million customers of Fashion Nexus. While the company claims that no financial data was revealed, the personally identifiable info (PII) would be more than enough for an attacker to start committing large volumes of identity fraud. After quickly resolving the security issue, the company issued a recommendation to all customers of multiple affected e-commerce sites to change their passwords.

Google Removes Android Apps Containing Windows Malware

At least 145 Android apps have been removed from the Google Play Store after researchers discovered that they all contained malicious executables for the Windows operating system. While they will have no effect on an Android device, it still raises questions about the developer and if the system they are creating apps in has been maliciously compromised. A bigger issue would be faced if any device with an infected app was connected to a Windows computer, as the malware itself appears to focus on gathering keyboard input and searching for sensitive information stored on the system.

Yale Discovers Data Breach Nearly a Decade Too Late

After doing some vulnerability testing on several of their servers, Yale University became aware of a data breach that had occurred sometime in 2008. Even though Yale did a complete wipe of the servers in 2011, they had no idea of the previous breach and have only just begun contacting affecting alumni. Data being stored on the servers contained everything from name and physical addresses to social security numbers and birthdays, which would give any attacker significant strides towards stealing identities.

The post Cyber News Rundown: Valve Bans Developer for Cryptojacking appeared first on Webroot Blog.

Between Two Worlds: An Interview with Reverse Engineer Eric Klonowski

0
0
Reading Time: ~4 min.

This week, I’ll be at Black Hat USA 2018 in Las Vegas. If you’ve ever been to Black Hat, then you know all about the flood of information and how hard it can be to take it all in. This year’s presentations will range from the newest trends in browser exploits, bots, and social engineering attacks, to the security status quo and how legal policies shape information security. And it’s anyone’s guess what the hottest topics around the water cooler will look like. To prepare, I reached out to Eric Klonowski, Principal Reverse Engineer at Webroot, to shed some light on his role at Webroot and what he and his peers bring to a major industry event like Black Hat.

Below is our interview, edited for length.

Tyler: Eric, tell us why a role like yours is valuable to security companies.

Eric: If you want to be successful in any industry, you have to have someone who understands the problems, down to the details, that your product is supposed to solve. That’s what I do. I work to understand threats, threat actors, and the malware that’s proliferating to help seal off the vulnerabilities they exploit and prevent attacks. 

How has your role at Webroot evolved over time?

When I first came on board in 2015, my role was about 70 percent research, 30 percent development. Now, it’s more like 10 percent research and 90 percent development. We have to stay on top of the latest and greatest invasive techniques. That means we’re doing a lot of development. We have a staff reverse engineer who takes malware apart to write software that will block it better.

It’s not a regular 9-5. I’m a security nut and this work fascinates me, so it’s always on my mind.

It probably helps in your line of work to be able to think like a hacker, except you’re one of the good guys. What’s it like to live in that duality each day?

First off, “hacker” is our word. You don’t use that word.

Whoa.

I’m kidding. But let’s take a second to talk about “hacking.” Back when I was getting proficient at software development, I hung out in hacker forums that were full of people who would use basically copy and paste someone else’s malware to break into systems. I have no respect for that. It doesn’t take any skill or smarts.

The ethical piece aside, I do have respect for people who develop exploits and sophisticated malware. What they do is very similar to what I do. We’re both trying to solve the same problems creatively, efficiently, and effectively. We’re just coming at it from different sides, and with a different goal in mind. So yes, you could call me a hacker, but I’d say I’m a “white hat.”

It’s always fun to poke around and see what you can do, but you do have to know when to draw the line. Sometimes, researching malware is like being a vigilante; you report what you see and make the compromised locations known.

How quickly does your team have to act when they discover a new threat?

Our pace can vary widely, but when we discover a new threat, we try to crush it quickly. We have to move fast to hand our research and development work to the product team so they can integrate a mitigation strategy into our product. For instance, with the WannaCry ransomware attack last year, my phone was buzzing like crazy before I even got out of bed. Some days are like that.

When other researchers release a report of a new malware variant or zero-day, we crack it open and try to get a better understanding of how it might spread. As an example, if we’re examining ransomware, we want to observe the encryption mechanisms it contains. In a way, we look to see if the author made any mistakes.

What types of tools do you use in reverse engineering?

By name, I typically utilize IDA, which is the industry standard. I also rely pretty heavily on WinDBG. When it comes down to it, those tools make your job easier. But someone in my position can use a pretty wide variety of tools to disassemble software and extrapolate what they are looking for.

You once told me reverse engineering was the “ultimate puzzle.” How did you discover this type of work?

I’ve always liked taking things apart and making them work better, and I started writing code when I was nine or 10. Later, I was hired as an intern for a defense contractor and had to do a lot of security-related research and software development. That’s really where it started, and I chose to stay on full-time for a few years. Until then, I was self-taught and didn’t really understand software on a large scale, but I learned so much about development from the people I was working with. I also worked on a lot of personal projects that propelled me forward on this path.

Where there any “aha moments” for you that made you decide this was the right career?

When I started at Webroot and became familiar with how the product functioned, I was pretty excited to see that we really do a great job here. We offer such a great product; the challenge to continue to make it better each day pretty motivating. And I’m very fortunate to have found a way to get paid to do something that’s always been a hobby I love.

Eric, thanks for the interview! I know we’re grateful you’re on our team at Webroot.

 

The post Between Two Worlds: An Interview with Reverse Engineer Eric Klonowski appeared first on Webroot Blog.

Cyber News Rundown: WannaCry Shuts Down Taiwanese Chipmaker

0
0
Reading Time: ~2 min.

Chipmaker Production Halts After WannaCry Attack

A recent WannaCry attack at a Taiwanese chip manufacturerhas brought production to a standstill and threatens delays for new Apple products yet to be released. The manufacturer has announced that after two days their systems are clear and production is able to continue, blaming their own negligence for the attack rather than a targeted breach. Fortunately, no business or personal information was compromised and the infection was handled promptly.

Routers Cause Spread of Global Cryptomining Attack

Researchers have been following the increasing spread of a cryptomining attackover the past week that has affected nearly 200,000 MikroTik routers across the globe. The attack appears to stem from a single attacker, who likely targeted the MikroTik devices due to their high-volume of usage within large corporations and even ISPs, giving them the largest possible net for potential cryptomining. Even though MikroTik implemented a patch for this type of vulnerability back in April, there are still thousands of unpatched devices just waiting to become part of a swift growing network of infected mining machines.

Hackers Hit Hong Kong Healthcare

Several computers within the Hong Kong Health Department were recently victimized by a ransomware campaignthat, surprisingly, doesn’t demand a ransom payment. Though the attack has been traced back to mid-July, the identity of the attacker and their motivations are still unknown. Luckily, systems containing personal data were unaffected by the attack, and proper backups of the targeted systems mean that no operations were halted by the encryption.

Patient Records System Infested with Bugs

The widely-used OpenEMR platform, a patient management system, was found to contain numerous bugsthat could have allowed the records for over 100 million patients worldwide to be exposed. Several of the bugs would have allowed anyone with minimal credentials to obtain sensitive data, ranging from the scheduling and billing of medical procedures to administrative access for health organizations. Patches were quickly implemented by OpenEMR after they were informed of the bugs by a third-party security team.

TCM Bank Applications Leaked

Up to 10,000 customers are possibly affected after a year-long breachby a third-party firm allowed their sensitive information to be compromised. The breach affects those customers who applied for a TCM credit card from March 2017 to July 2018, with TCM confirming that at least 25 percent of the total applications in that period were leaked as part of this issue. Within 24 hours of being notified, both TCM and the third-party vendor were working to resolve the leak and to find ways to prevent future security issues.

The post Cyber News Rundown: WannaCry Shuts Down Taiwanese Chipmaker appeared first on Webroot Blog.

Cyber News Rundown: Instagram Hack Baffles Users

0
0
Reading Time: ~2 min.

Instagram Hack Baffles Users

Hundreds of Instagram users have found themselves locked out of their accounts over the past week, with all methods of retrieving them having been removed as well. The episode began with many users noticing their accounts had been logged out and contact information changed, including email addresses with a .ru domain. Even though some users have been able to follow Instagram’s prescribed process to regain control of their accounts, many others hit roadblocks, frustration, and days of failed attempts.

Adobe Suite Receives Multiple Patches

Following Patch Tuesday, Adobe users found themselves on the receiving end of 11 total patches for Flash Player, Acrobat, and several other key programs. Most of the patches were related to remote code execution caused by improperly escalated access privileges. The company said it remains confident none of the flaws addressed were exploited before they were patched.

Millions Vanish in Indian Bank Hack

One of India’s largest banks announced that its systems had been hacked this week, with at least $14 million remaining unaccounted for. The largest chunk of funds were stolen with a cyberattack on the bank’s ATM servers that allowed hackers to simultaneously withdraw funds from ATMS in 28 different countries before transferring another couple of million dollars to a company based in Hong Kong. While officials are working closely with law enforcement to determine the attacker’s identities, it is very unlikely that they investigation will turn up anything of worth, judging by investigations of similar hacks in the past.

Finnish DDoS Attack Shuts Down Government Sites

On Sunday a handful of Finnish government sites became unavailable after a DDoS attack prevented users from logging into Suomi.fi, which handles identity verification for ministry-related sites. While some ministry sites don’t require the Suomi site for verification, this attack has prompted an increase in security measures used for sites that providing critical functions. Fortunately, the attack subsided after several hours and all affected sites were returned to normal by Sunday evening.

Fortnite Cheats Lead to Nothing but Infections

With Fortnite more popular than ever amongst the younger generation, a new wave of malicious “cheats” have been making their way around the internet hoping to entice young gamers with hopes of gaining advantages. Many of the available cheat tools offer free in-game currency, movement improvements, and even third-party downloaders for the game itself, all of which result in a malicious payload being installed on the computer while the user remains oblivious.

The post Cyber News Rundown: Instagram Hack Baffles Users appeared first on Webroot Blog.

Viewing all 1110 articles
Browse latest View live




Latest Images