Vital infrastructure: emergency services

Organizations in the emergency services sector are there for the public to provide help when situations get out of hand or are too much to handle. This can be because the problem requires special tools and skills to use them, and the organizations are set up to provide assistance at short notice...

300 shades of gray: a look into free mobile VPN apps

The times, they are a changin'. When users once felt free to browse the Internet anonymously, post about their innermost lives on social media, and download apps with frivolity, folks are playing things a little closer to the vest these days. Nowadays, users are paying more attention to privacy a...

A week in security (September 2 – 8)

Last week on Malwarebytes Labs, we looked at a smart social engineering toolkit, delved into TrickBot tampering with trusted texts, and explained five ways to help keep remote workers safe. Other cybersecurity news A new Chinese Deepfake app is under fire for privacy concerns related to the use o...

When corporate communications look like a phish

Many organizations will spend significant sums of money on phishing training for employees. Taking the form of regular awareness training, or even simulated phishes to test employee awareness, this is a common practice at larger companies. However, even after training, a consistent baseline of...

5 simple steps to securing your remote employees

As remote working has become standard practice, employees are working from anywhere and using any device they can to get the job done. That means repeated connections to unsecured public Wi-Fi networks—at a coffee shop or juice bar, for example—and higher risks for data leaks from lost, misplaced...

A week in security (August 26 – September 1)

Last week on Malwarebytes Labs, we analysed the Android xHelper trojan, we wondered why the Nextdoor app would send out letters on behalf of their customers, reported about a study that explores the clickjacking problem across top Alexa-ranked websites, wondered how to get the board to invest in...

TrickBot adds new trick to its arsenal: tampering with trusted texts

Researchers from Dell Secureworks saw a new feature in TrickBot that allows it to tamper with the web sessions of users who have certain mobile carriers. According to a blog post that they published early last week, TrickBot can do this by "intercepting network traffic before it is rendered by a...

New social engineering toolkit draws inspiration from previous web campaigns

Some of the most common web threats we track have a social engineering component. Perhaps the more popular ones are those encountered via malvertising, or hacked websites that push fraudulent updates. We recently identified a website compromise with a scheme we had not seen before; it's part of a...

Unprecedented new iPhone malware discovered

A post by Ian Beer of Google Project Zero released late yesterday evening sent the security community reeling. According to Beer, a small set of websites had been hacked in February and were being used to attack iPhones, infecting them with malware. These sites, which see thousands of visitors pe...

Making the case: How to get the board to invest in higher education cybersecurity

Security leaders in institutions of higher education face unique challenges, as they are charged with keeping data and the network secure, while also allowing for a culture of openness, sharing, and communication—all cornerstones of the academic community. And depending on the college or...

Study explores clickjacking problem across top Alexa-ranked websites

Clickjacking has been around for a long time, working hand-in-hand with the unwitting person doing the clicking to send them to parts unknown—often at the expense of site owners. Scammers achieve this by hiding the page object the victim thinks they’re clicking on under a layer or layers of...

Nextdoor neighborhood app sends letters on its users’ behalf

Dutch police departments and consumer organizations issued warnings about the use of the Nextdoor neighborhood app because people received letters yes, as in snail-mail pretending to come from someone in their neighborhood, which the alleged senders did not send or deliver. So, everyone figured...

Mobile Menace Monday: Android Trojan raises xHelper

Back in May, we classified what we believed was just another generic Android/Trojan.Dropper, and moved on. We didn’t give this particular mobile malware much thought until months later, when we started noticing it had climbed onto our top 10 list of most detected mobile malware. Henceforth, we fe...

A week in security (August 19 – 25)

Last week on Malwarebytes Labs, we reported on the presence of Magecart on a type of poker software; outlined how the Key Negotiation of Bluetooth KNOB attack works; followed the money on a Bitcoin sextortion campaign; looked back at DEF CON 27; and reported on continuing ransomware attacks on...

Ransomware continues assault against cities and businesses

Ransomware continues to make waves in the US, forcing multiple cities and organizations into tough choices. Pressed for cash and time, local government organizations are left with few options: Either pay the ransom as soon as possible and encourage criminals to continue bringing essential service...

The lucrative business of Bitcoin sextortion scams (updated)

Update 2019-09-04: A new wave of sextortion emails purporting to have originated from a group of hackers called ChaosCC—a play on the legitimate European white hat hacking community, Chaos Computer Club CCC—has recently caught the attention of the security world. Below is a sample email we captur...

Bluetooth vulnerability can be exploited in Key Negotiation of Bluetooth (KNOB) attacks

Those who are familiar with Bluetooth BR/EDR technology aka Bluetooth Classic, from 1.0 to 5.1 can attest that it is not perfect. Like any other piece of hardware or software technology already on market, its usefulness comes with flaws. Early last week, academics at Singapore University of...

DEF CON 27 retrospective: badge life redux

Kickstarter or DEF CON attendee? Be forewarned, this light overview contains some mild spoilers. If you want the purest “Da Bomb” experience with no web-based OSINT hints, read no further. I’m not revealing any earth-shattering secrets here, but figured it was worth mentioning. Also DEF CON is ov...

Magecart criminals caught stealing with their poker face on

Earlier in June, we documented how Magecart credit card skimmers were found on Amazon S3. This was an interesting development, since threat actors weren't actively targeting specific e-commerce shops, but rather were indiscriminately injecting any exposed S3 bucket. Ever since then, we've monitor...

A week in security (August 12 – 18)

Last week on Malwarebytes Labs, we took a look at the potential pitfalls of facial recognition technology, looked at ways domestic abuse survivors can secure their data, and explored the education threat landscape. We also kicked off a series looking at the Hidden Bee infection chain, and put...

How much personalization is too much?

This story originally ran in The Parallax on January 25, 2019, and was written by Dan Tynan. In 2012, when Target used data analytics to identify customers who were expecting a baby, then mailed them coupons for maternity clothing and nursery furniture, it inadvertently revealed a teenage girl’s...

QxSearch hijacker fakes failed installs

Recently, one of the more dominant search hijacker families on our radar has started to display some curious behavior. The family in question is delivered by various Chrome extensions and classified as PUP.Optional.QxSearch because of its description in listings of installed extensions, which tel...

The Hidden Bee infection chain, part 1: the stegano pack

About a year ago, we described the Hidden Bee miner delivered by the Underminer Exploit Kit. Hidden Bee has a complex and multi-layered internal structure that is unusual among cybercrime toolkits, making it an interesting phenomenon on the threat landscape. That's why we're dedicating a series o...

Trojans, ransomware dominate 2018–2019 education threat landscape

Heading into the new school year, we know educational institutions have a lot to worry about. Teacher assignments. Syllabus development. Gathering supplies. Readying classrooms. But one issue should be worrying school administrators and boards of education more than most: securing their networks...

Data and device security for domestic abuse survivors

For more than a month, Malwarebytes has worked with advocacy groups, law enforcement, and cybersecurity researchers to deliver helpful information in fighting stalkerware—the disturbing cyber threat that enables domestic abusers to spy on their partners’ digital and physical lives. While we’ve...

A week in security (August 5 – 11)

Last week on Malwarebytes Labs, we explained how brain-machine interface BMI technology could usher in a world of Internet of Thoughts, why having backdoors is problematic, and how we can improve the security of our smart homes. To cap off Hacker Summer Camp week, the Labs team released a special...

Facial recognition technology: force for good or privacy threat?

All across the world, governments and corporations are looking to invest in or develop facial recognition technology. From law enforcement to marketing campaigns, facial recognition is poised to make a splashy entrance into the mainstream. Biometrics are big business, and third party contracts...

Backdoors are a security vulnerability

Last month, US Attorney General William Barr resurrected a government appeal to technology companies: Provide law enforcement with an infallible, “secure” method to access, unscramble, and read encrypted data stored on devices and sent across secure messaging services. Barr asked, in more accurat...

Labs quarterly report finds ransomware’s gone rampant against businesses

Ransomware's back—so much so that we created an entire report on it. For 10 quarters, we've covered cybercrime tactics and techniques, covering a wide range of threats we saw lodged against consumers and businesses through our product telemetry, honeypots, and threat intelligence. We've looked at...

8 ways to improve security on smart home devices

Every so often, a news story breaks that hackers have made their way into a smart home device and stolen personal data. Or that vulnerabilities in smart tech have been discovered that allow their producers or other cybercriminals to spy on customers. We've seen it play out over and over with smar...

A week in security (July 29 – August 4)

Last week on Malwarebytes Labs we discussed the security and privacy changes in Android Q, how to get your Equifax money and stay safe doing it, and we looked at the strategy of getting a board of directors to invest in government cybersecurity. We also reviewed how a Capital One breach exposed...

How brain-machine interface (BMI) technology could create an Internet of Thoughts

She plugged the extension for car transportation in the brain-machine interface connectors at the right side of her head, and off she went. The traffic was relatively slow, so there was no need to stop working. She answered a few more emails, then unplugged her work extension. Weekend mode could...

Say hello to Lord Exploit Kit

Just as we had wrapped up our summer review of exploit kits, a new player entered the scene. Lord EK, as it is calling itself, was caught by Virus Bulletin's Adrian Luca while replaying malvertising chains. In this blog post, we do a quick review of this exploit kit based on what we have collecte...

Capital One breach exposes over 100 million credit card applications

Just as we were wrapping up the aftermath of the Equifax breach—how was that already two years ago?—we are confronted with yet another breach of about the same order of magnitude. Capital One was affected by a data breach in March. The hacker gained access to information related to credit card...

Everything you need to know about ATM attacks and fraud: part 2

This is the second and final installment of our two-part series on automated teller machine ATM attacks and fraud. In part 1, we identified the reasons why ATMs are vulnerable—from inherent weaknesses of its frame to its software—and delved deep into two of the four kinds of attacks against them:...

Making the case: How to get the board to invest in government cybersecurity

Security leaders are no longer simply expected to design and implement a security strategy for their organization. As a key member of the business—and one that often sits in the C-suite—CISOs and security managers must demonstrate business acumen. In fact, Gartner estimates by 2020, 100 percent o...

No summer break for Magecart as web skimming intensifies

This summer, you are more likely to find the cybercriminal groups Magecart client-side rather than poolside. Web skimming, which consists of stealing payment information directly from within the browser, is one of today's top web threats. Magecart, the group behind many of these attacks, gained...

QR code scam can clean out your bank account

“Excuse me sir, can I ask you for a favor? I want to pay for parking my car in this spot, but there are no machines around that accept cash. If I give you five dollars in cash, can you pay the parking for me? All you need to do is scan this QR code with your banking app.” Of course, John felt the...

Exploit kits: summer 2019 review

In the months since our last spring review, there has been some interesting activity from several exploit kits. While the playing field remains essentially the same with Internet Explorer and Flash Player as the most-commonly-exploited pieces of software, it is undeniable that there has been a...

How to get your Equifax money and stay safe doing it

UPDATE August 2, 2019: The US Federal Trade Commission has warned consumers that, due to the high number of claims made for a cash payout regarding the Equifax data breach, the actual value that will be paid out might be "far less" than the originally-stated $125. You can read the FTC's full...

Mobile Menace Monday: Dark Android Q rises

Android Q, the upcoming 10th major release of the Android mobile operating system, was developed by Google with three major themes in mind: innovation, security, and privacy. Today, we are going to focus mostly on security and privacy, although there are still many potential changes and updates o...

A week in security (July 22 – 28)

Last week on Malwarebytes Labs, we offered an extensive analysis into the Malaysian Airlines Flight 17 investigation, updated users on the newest feature set to AdwCleaner 7.4.0 it now detects pre-installed software, and provided a deep dive into Phobos ransomware. We also broke down the latest...

Good Twitter Samaritans accidentally prevent shoeshine scam

A few days ago, Indian news portals were buzzing with tales of a well-worn shoeshine scam making its way into social media. It’s a great example of how good-natured gestures can unwittingly aid scammers when we combine high-visibility accounts with potential lack of fact checking. Thankfully, it...

Changing California’s privacy law: A snapshot at the support and opposition

This month, the corporate-backed, legislative battle against California privacy met a blockade, as one Senate committee voted down and negotiated changes to several bills that, as originally written, could have weakened the state’s data privacy law, the California Consumer Privacy Act. Though the...

A deep dive into Phobos ransomware

Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family: Dharma a.k.a. CrySis, and probably distributed by the same group as Dharma. While attribution is by no means conclusive, you can read more...

FaceApp scares point to larger data collection problems

Last week, if you thumbed your way through Facebook, Instagram, and Twitter, you likely saw altered photos of your friends with a few extra decades written onto their faces—wrinkles added, skin sagged, hair bereft of color. Has 2019 really been that long? Not really. The photos are the work of...

Your device, your choice: AdwCleaner now detects preinstalled software

For years, Malwarebytes has held firm to a core belief about you, the user: You should be able to decide for yourself which apps, programs, browsers, and other software end up on your computer, tablet, or mobile phone. Basically, it’s your device, your choice. With the latest update to Malwarebyt...

Malaysia Airlines Flight 17 investigation shows Russian disinformation campaigns have global reach

A little background: on July 17, 2014, Malaysia Airlines Flight 17 was shot from the sky on its way from Amsterdam to Kuala Lumpur above the Ukraine. The plane was hit by a surface-to-air missile, and as a result, all 298 people on board were killed. At that time, there was a revolt of pro-Russia...

A week in security (July 15 – 21)

Last week on Malwarebytes Labs, we took an extensive look at Sodinokibi, one of the new ransomware strains found in the wild that many believe picked up where GandCrab left off. We also profiled Extenbro, a Trojan that protects adware; reported on the UK's new Facebook reporting tool, homed in on...

Parental monitoring apps: How do they differ from stalkerware?

In late June, Malwarebytes revived its long-running campaign against a vicious type of malware in use today. This malware peers into text messages. It pinpoints victims’ movements across locations. It reveals browsing and search history. Often hidden from users, it removes their expectation of,...