Browser push notifications: a feature asking to be abused
“I’m seeing a lot of ads popping up in the corner of my screen, and the Malwarebytes scan does not show there is anything wrong. It says my computer is clean. So what's happening?” Our support team runs into questions like this regularly, but the volume seems to be increasing lately. In most of...
Realtek-based routers, smart devices are being gobbled up by a voracious botnet
A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to launch huge Distributed...
Has Facebook leaked your phone number?
Unless you keep your social media at a pole’s distance, you have probably heard that an absolutely enormous dataset—containing over 500 million phone numbers—has been made public. These phone numbers have been in the hands of some cybercriminals since 2019 due to a vulnerability in Facebook that...
A zero-day guide for 2020: Recent attacks and advanced preventive techniques
Zero-day vulnerabilities enable threat actors to take advantage of security blind spots. Typically, a zero-day attack involves the identification of zero-day vulnerabilities, creating relevant exploits, identifying vulnerable systems, and planning the attack. The next steps are infiltration and...
Houzz data breach: Why informing your customers is the right call
Houzz is an online platform dedicated to home renovation and design. Today, February 1, 2019, they notified their customers about a data breach that reportedly happened in December 2018. Data breaches unfortunately have become a common event. In fact, we dubbed 2018 the year of the data breach...
Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge
Multiple news reports about the defeat of two-factor authentication (2FA) have been making the rounds lately. In November 2018, our friends at ESET discovered a purported Android battery utility tool called “Optimization Android” from a third-party app store. This app was designed to steal money from a...
The forgotten malvertising campaign
In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain. We believe this evolution will have a real-world impact among corporate users...
What role does data destruction play in cybersecurity?
When organization leaders think about cybersecurity, it's usually about which tools and practices they need to add to their stack—email protection, firewalls, network and endpoint security, employee awareness training, AI and machine-learning technology—you get the idea. What's not often consider...
Study explores clickjacking problem across top Alexa-ranked websites
Clickjacking has been around for a long time, working hand-in-hand with the unwitting person doing the clicking to send them to parts unknown—often at the expense of site owners. Scammers achieve this by hiding the page object the victim thinks they’re clicking on under a layer or layers of...
Amazon Sidewalk starts sharing your WiFi tomorrow, thanks
Amazon smart device owners only have until June 8 to opt out of a new program that will group their Echo speakers and Ring doorbells into a shared wireless network with their neighbors, a new feature that the shopping giant claims will provide better stability for smart devices during initial set...
How gamers can protect against increasing cyberthreats
A few years ago, cybersecurity scryers predicted that the video gaming industry would be the next big target of cybercriminals. Whether this will come true in the future or not, the average gamer may have little to no idea of what awaits them, much less be prepared for it. In fact, while generall...
A coin miner with a “Heaven’s Gate”
You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018...
Latest iPhone exploit, FORCEDENTRY, used to launch Pegasus attack against Bahraini activists
Researchers from Citizen Lab, an academic research and development lab based at the University of Toronto in Canada, have recently discovered that an exploit affecting iMessage is being used to target Bahraini activists with the Pegasus spyware. The Bahrain government and groups linked to them—suc...
Research claims Google Pixel phones share 20 times more data than iPhones
If you're an Android phone user, now might be a good time to invest in a good pair of ear plugs. Fans of iPhones aren't known for being shy when it comes to telling Android users that Apple products are superior, and things may be about to get worse, thanks to a new research paper (PDF). Researchers ...
[Update: CISA issues Log4j vulnerabilities scanner] Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend
If you're running a service that relies on Apache Struts or uses the popular Apache Log4j utility, we hope you haven't made plans for the weekend. An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code...
Remcos RAT delivered via Visual Basic
This blog post was authored by Erika Noerenberg. Introduction: Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive files...
Update now—July Patch Tuesday patches include fix for exploited zero-day
It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency CI...
Why Data Privacy Day matters
Our Lock and Code special episode on Data Privacy Day, featuring guests from Mozilla, DuckDuckGo, and the Electronic Frontier Foundation, can be listened to here. Today, January 28, is Data Privacy Day, the annual, multinational event in which governments, companies, and schools can inform the public...
[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one
How time flies sometimes. Microsoft yesterday released the first Patch Tuesday security updates of the year 2022. The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of...
The Malwarebytes 2021 State of Malware report: Lock and Code S02E04
This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we tune in to a special presentation from Adam Kujawa about the 2021 State of Malware report, which analyzed the top cybercrime goals of 2020 amidst the global pandemic. If you just pay...
Researchers go hunting for Netflix’s Bandersnatch
A new research paper from the Indian Institute of Technology Madras explains how the popular Netflix interactive show Bandersnatch could fall victim to a side-channel attack. In 2016, Netflix began adding TLS (Transport Layer Security) to their video content to ensure strangers couldn’t eavesdrop on...
The Advanced Persistent Threat files: APT10
We've heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a...
Netflix scam warning
Always be on your toes. While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies, and international courier services, that does not mean all the other emails are safe. Far from it. To demonstrate this point we will show you a scam aimed at Netfli...
RDP abused for DDoS attacks
We have talked about RDP many times before. It has been a popular target for brute force attacks for a long time, but attackers have now found a new way to abuse it. Remote access has become more important during the pandemic, with as many people as possible trying to work from home. Which makes it...
Knowing when it’s worth the risk: riskware explained
If there’s one thing I like more than trivia quizzes, it’s quotes. Positive, inspirational, and motivational quotes. Quotes that impart a degree of ancient wisdom, or those that make you stop and consider. Reading them melts our fears, sorrows, and feelings of inadequacy away. Some of the most...
How to block ads like a pro
In part one of this series, we had a look at a few reasons why you should be blocking online advertisements on your network and devices. From malvertising attacks and privacy-invading tracking systems to just being an outright annoyance, online ads and trackers are a nuisance that provides an...
Malware analysis: decoding Emotet, part 1
Emotet Banking Trojan malware has been around for quite some time now. As such, infosec researchers have made several attempts to develop tools to de-obfuscate and even decrypt the AES-encrypted code belonging to this malware. The problem with these tools is that they target active versions of th...
TrickBot comes with new tricks – attacking Outlook and browsing data
Last year we reported on a new modular malware using a network protocol similar to Dyreza - you can read about it here. The malware was not very stealthy and some parts appeared to be under development, but we noticed its potential and capability to be easily extended. Indeed, the authors of...
Malwarebytes’ 2019 security predictions
Every year, we at Malwarebytes Labs like to stare into our crystal ball and foretell the future of malware. Okay, maybe we don't have a crystal ball, but we do have years and years of experience in observing trends and sensing shifts in patterns. When it comes to security, though, we can only kno...
VPN Android apps: What you should know
Months ago, we told readers about the importance of using a VPN on their iPhones, and while those lessons do apply to Android devices—a VPN for Android will encrypt your Android’s web activity and app traffic, and it will stop your mobile carrier from monetizing your data—Android users should...
Inter skimming kit used in homoglyph attacks
As we continue to track web threats and credit card skimming in particular, we often rediscover techniques we've encountered elsewhere before. In this post, we share a recent find that involves what is known as a homoglyph attack. This technique has been exploited for some time already, especiall...
Explained: digital forensics
What is it? Digital forensics is a modern-day field of forensic science, which deals with the recovery and investigation of material found in digital devices. When needed, this is often because of a cyber crime, whether suspected or established. The most common reasons for performing digital...
Cisco Small Business routers vulnerable to remote attacks, won’t get a patch
In a security advisory, Cisco has informed users that a vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart...
Fake Instagram assistance apps found on Google Play are stealing passwords
We all want those Instagram likes and followers. Many apps on Google Play claim they can assist you with that effort. But what if the app that’s supposed to be helping you is also stealing your username and password? As a matter of fact, that’s exactly what we found in three fake Instagram...
Max Schrems: lawyer, regulator, international man of privacy
Almost one decade ago, disparate efforts began in the European Union to change the way the world thinks about online privacy. One effort focused on legislation, pulling together lawmakers from 28 member-states to discuss, draft, and deploy a sweeping set of provisions that, today, has altered how...
VMWare vulnerabilities are actively being exploited, CISA warns
The Cybersecurity & Infrastructure Security Agency has issued an Emergency Directive (ED 22-03) and released a Cybersecurity Advisory (CSA) about ongoing and expected exploitation of multiple vulnerabilities in several VMware products. Chaining unpatched VMware vulnerabilities: The title of the...
Say hello to Lord Exploit Kit
Just as we had wrapped up our summer review of exploit kits, a new player entered the scene. Lord EK, as it is calling itself, was caught by Virus Bulletin's Adrian Luca while replaying malvertising chains. In this blog post, we do a quick review of this exploit kit based on what we have collecte...
Own an older iPhone? Check you're on the latest version to avoid this bug
In December 2022, we warned our readers about an actively exploited vulnerability in Apple's WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1. At the time, our resident Apple expert Thomas...
Explained: YARA rules
YARA rules are a way of identifying malware or other files by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed with the idea to describe patterns that identify...
Millions of Arris routers are vulnerable to path traversal attacks
Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware, which can be found in several router models. muhttpd web server: muhttpd (mu HTTP daemon) is a simple but complete web serv...
Trojan Source: Hiding malicious code in plain sight
Researchers at the University of Cambridge, UK, have released details of a cunning and insidious new class of software vulnerability that allows attackers to hide code in plain sight, within the source code of computer programs. The techniques demonstrated by the researchers could be used to pois...
Nextdoor neighborhood app sends letters on its users’ behalf
Dutch police departments and consumer organizations issued warnings about the use of the Nextdoor neighborhood app because people received letters (yes, as in snail mail) pretending to come from someone in their neighborhood, which the alleged senders did not send or deliver. So, everyone figured...
BadRabbit: a closer look at the new version of Petya/NotPetya
Petya/NotPetya, aka EternalPetya, made headlines in June due to its massive attack on Ukraine. Today, we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral...
Working from home? You’re probably being spied on
One year ago, as countless employees settled into new routines for working from home (WFH), a Reddit user shared a video online of a strange contraption: A wire coat hanger bent out of shape, one side gripping an external USB mouse, the other side latched onto an oscillating fan. As the fan swished...
Mobile Menace Monday: Android Trojan raises xHelper
Back in May, we classified what we believed was just another generic Android/Trojan.Dropper, and moved on. We didn’t give this particular mobile malware much thought until months later, when we started noticing it had climbed onto our top 10 list of most detected mobile malware. Henceforth, we fe...
Advanced tools: Process Hacker
Process Hacker is a very valuable tool for advanced users. It can help them to troubleshoot problems or learn more about specific processes that are running on a certain system. It can help identify malicious processes and tell us more about what they are trying to do. Background information...
[update]Two year old vulnerability used in ransomware attack against VMware ESXi
On Friday and over the weekend, several Computer Emergency Response Teams (CERTs) sounded the alarm about an ongoing large-scale ransomware attack on VMware ESXi virtual machines. With some discrepancies between Shodan queries from various researchers, most agree that an estimated 500 entities were...
UDP Technology IP Camera firmware vulnerabilities allow attackers to achieve root
Researchers at RandoriSec have found serious vulnerabilities in the firmware provided by UDP Technology to Geutebrück and many other IP camera vendors. According to the researchers, the firmware supplier UDP Technology fails to respond to their reports despite numerous mails and LinkedIn messages...
Movie stream ebooks gun for John Wick 3 on Kindle store
We discovered a novel spam campaign over the weekend, targeting fans of John Wick on the Amazon Kindle store. The scam itself involves paying for what appears to be the upcoming third movie, turns into a bogus ebook, and goes on to hyperlink potential victims to a collection of third-party...
Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware
The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company. Did I hear someone say Pegasus? An educated guess, but wrong in this...