4658 matches found
Facebook’s plain text misstep, and other password sins
Two days after an article by Brian Krebs disclosed that hundreds of millions of Facebook account passwords had been stored in plain text for years, Facebook released a statement indicating they hash and salt passwords, more or less in accordance with industry best practice. Plain text storage of...
Plugin vulnerabilities exploited in traffic monetization schemes
In their Website Hack Trend Report, web security company Sucuri noted that WordPress infections rose to 90 percent in 2018. One aspect of Content Management System CMS infections that is sometimes overlooked is that attackers not only go after the CMSes themselves—WordPress, Drupal, etc.—but also...
A week in security (March 18 – 24)
Last week on Malwarebytes Labs, we touched on the susceptibility of hospitals against phishing attacks, password reuse, the risk of interactive TV shows to side-channel attacks, and Facebook's new and out-of-character plan to promote privacy in the platform. Other cybersecurity news A study...
Researchers go hunting for Netflix’s Bandersnatch
A new research paper from the Indian Institute of Technology Madras explains how popular Netflix interactive show Bandersnatch could fall victim to a side-channel attack. In 2016, Netflix began adding TLS Transport Layer Security to their video content to ensure strangers couldn’t eavesdrop on...
Are hackers gonna hack anymore? Not if we keep reusing passwords
Enterprises have a password problem, and it’s one that is making the work of hackers a lot easier. From credential stuffing to brute force and password spraying attacks, modern hackers don’t have to do much hacking in order to compromise internal corporate networks. Instead, they log in using wea...
Facebook’s history betrays its privacy pivot
Facebook CEO Mark Zuckerberg proposed a radical pivot for his company this month: it would start caring—really—about privacy, building out a new version of the platform that turns Facebook less into a public, open “town square” and more into a private, intimate “living room.” Zuckerberg promised...
New research finds hospitals are easy targets for phishing attacks
New research from Brigham and Women’s Hospital in Boston finds hospital employees are extremely vulnerable to phishing attacks. The study highlights just how effective phishing remains as a tactic—the need for defense against and awareness of email scams is more critical than ever. The research w...
A week in security (March 11 – 17)
Last week on Malwarebytes Labs, we looked at the Lazarus group in our series about APT groups, we discussed the introduction of Payment Service Directive 2 PSD2 in the EU, we tackled Google’s Nest fiasco, and the launch of Mozilla's Firefox Send. In addition, we gave you an overview of the...
Reputation management in the age of cyberattacks against businesses
Avid readers of the Malwarebytes Labs blog would know that we strive to prepare businesses of all sizes for the inevitability of cyberattacks. From effectively training employees about basic cybersecurity hygiene to guiding organizations in formulating an incident response IR program, a...
Mozilla launches Firefox Send for private file sharing
Mozilla look to reclaim some ground from the all-powerful Chrome with a new way to send and receive files securely from inside the browser. Firefox Send first emerged in 2017, promising an easy way to send documents without fuss. The training wheels have now come off and Send is ready to go...
Emotet revisited: pervasive threat still a danger to businesses
One of the most common and pervasive threats for businesses today is Emotet, a banking Trojan turned downloader that has been on our list of top 10 detections for many months in a row. Emotet, which Malwarebytes detects as Trojan.Emotet, has been leveled at consumers and organizations across the...
Google’s Nest fiasco harms user trust and invades their privacy
Technology companies, lawmakers, privacy advocates, and everyday consumers likely disagree about exactly how a company should go about collecting user data. But, following a trust-shattering move by Google last month regarding its Nest Secure product, consensus on one issue has emerged: Companies...
Explained: Payment Service Directive 2 (PSD2)
Payment Service Directive 2 PSD2 is the implementation of a European guideline designed to further harmonize money transfers inside the EU. The ultimate goal of this directive is to simplify payments across borders so that it's as easy as transferring money within the same country. Since the EU w...
The Advanced Persistent Threat files: Lazarus Group
We've heard a lot about Advanced Persistent Threats APTs over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a...
A week in security (March 4 – 11)
Last week, Malwarebytes Labs released its in-depth, international data privacy survey of nearly 4,000 individuals, revealing that every generation, including Millennials, cares about online privacy. We also covered a novel case of zombie email that involved a very much alive account user, delved...
Google Chrome zero-day: Now is the time to update and restart your browser
Update 2019-03-21 A proof of concept for CVE-2019-5786 was published by Exodus Intel. In our earlier post we exercised caution before claiming we would have blocked this zero-day, but we can now say with confidence that an older version of Malwarebytes 1.12.1.122 would have mitigated this attack:...
Zombie email rises from grave after eight years of radio silence
In a novel twist on “What happens to our accounts when we die,” we have “what happens to our abandoned accounts while we're still alive”. In this case, UK ISP TalkTalk kept an old customer’s email account alive some eight years after she closed it—which left it wide open for takeover by spammers...
The not-so-definitive guide to cybersecurity and data privacy laws
US cybersecurity and data privacy laws are, to put it lightly, a mess. Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data, have created a legal landscape that is, for the American public and...
Spotlight on Troldesh ransomware, aka ‘Shade’
Despite the decline in the number of ransomware infections over the last year, there are several ransomware families that are still active. Ransom.Troldesh, aka Shade, is one of them. According to our product telemetry, Shade has experienced a sharp increase in detections from Q4 2018 to Q1 2019...
Labs survey finds privacy concerns, distrust of social media rampant with all age groups
Before Cambridge Analytica made Facebook an unwilling accomplice to a scandal by appropriating and misusing more than 50 million users’ data, the public was already living in relative unease over the privacy of their information online. The Cambridge Analytica incident, along with other, seemingl...
A week in security (February 25 – March 3)
Last week, we delved into the realm of K-12 schools and security, explored the world of compromised websites and Golang bruteforcers, and examined the possible realms of pay for privacy. We also looked at identity management solutions, Google’s Universal Read Gadget, and did the deepest of dives...
Spectre, Google, and the Universal Read Gadget
Spectre, a seemingly never ending menace to processors, is back in the limelight once again thanks to the Universal Read Gadget. First seen at the start of 2018, Spectre emerged alongside Meltdown as a major potential threat to people’s system security. Meltdown and Spectre Meltdown targeted Inte...
Key considerations for building vs. buying identity access management solutions
Time and time again, organizations learn the hard way that no matter which security solutions they have in place, if they haven’t properly secured the end user, their efforts can be easily rendered moot. The classic slip-up most often associated with end-user-turned-insider-threat is falling for ...
Will pay-for-privacy be the new normal?
Privacy is a human right, and online privacy should be no exception. Yet, as the US considers new laws to protect individuals’ online data, at least two proposals—one statewide law that can still be amended and one federal draft bill that has yet to be introduced—include an unwelcome bargain:...
New Golang brute forcer discovered amid rise in e-commerce attacks
E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externall...
What K–12 schools need to shore up cybersecurity
Crumbling infrastructure. Gaps in curriculum. Antiquated devices. Difficult COPPA laws. Lack of funding. Those are just a few of the obstacles facing K–12 schools looking to adopt technology into their 21st century learning initiatives. Now add security concerns to the list, and you can see why...
A week in security (February 18 – 24)
Last week on Malwarebytes Labs, we explored the world of crack hunting, gave you a 101 on the world of bots and their threats and advantages, and took a look at some clever phishing scams. We also explained how a Mac fends off malware, posted a handy “lazy person's guide to cybersecurity,” and du...
Max Schrems: lawyer, regulator, international man of privacy
Almost one decade ago, disparate efforts began in the European Union to change the way the world thinks about online privacy. One effort focused on legislation, pulling together lawmakers from 28 member-states to discuss, draft, and deploy a sweeping set of provisions that, today, has altered how...
The Advanced Persistent Threat Files: APT1
We've heard a lot about Advanced Persistent Threats APTs over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything—a...
The lazy person’s guide to cybersecurity: minimum effort for maximum protection
Are you tired of that acquaintance who keeps bugging you with computer questions? Do you avoid visiting certain people because you know you will spend most of the evening cleaning up their machine? My uncle Bob is one of those people. He’s a nice guy, but with computers, he’s not just an accident...
How does macOS protect against malware?
Mac users often are told that "Macs don't get viruses." This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in...
Sophisticated phishing: a roundup of noteworthy campaigns
Phishing is a problem nearly as old as the Internet. Yet, criminals continue to reach into their bag of phishing tricks in 2019 because, in a nutshell, it just works. Dialing into the human psyche and capitalizing on emotions such as fear, anxiety, or plain laziness, phishing attacks are successf...
Good bots, bad bots: friend or foe?
One of the most talked about technologies online today is the ubiquitous bot. Simultaneously elusive yet also responsible for all of civilisation’s woes, bots are a hot topic of contention. If we went purely by news reports, we’d assume all bots everywhere are evil, and out to get us or just...
A week in security (February 11 – 17)
Last week on Malwarebytes Labs we discussed the return of the Sextortion Bitcoin scams, we gave you an early overview of the exploit kits in the winter of 2019, we talked about the destruction of VFEmail service, for consumers we discussed whether you should remove yourself from social media, for...
Crack hunting: not all it’s cracked up to be
People sometimes ask us in the forums if a keygen or software crack is safe to use. Sometimes, these programs do what they say on the tin. Other times, they’re not what they say they are. In this post, I’ll describe what happened when I went crack hunting, and why it is often unsafe to carry out...
Tackling the shortage in skilled IT staff: whole team security
Is your IT department understaffed, overworked, and are you looking for reinforcements in vain? Maybe these hard-to-hire reinforcements can be hired from within, rather than having to outsource or hire expensive, short-term extra help. While this was usually only done if your own staff was fallin...
Should you delete yourself from social media?
You're feeling like you've had enough. All the recent news—from Facebook's Cambridge Analytica snafu to various abuses of Twitter vulnerabilities—has you wondering: Should I delete myself from social media? Social networking does have its positive aspects. You can stay in touch with distant or no...
Hacker destroys VFEmail service, wipes backups
An email service called VFEmail was essentially put out of business after a hack intended to delete everything in and out of sight. "Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and...
Businesses: It’s time to implement an anti-phishing plan
Businesses: phishers aren’t just coming for you. They’re coming for your employees and your customers, too. Phishing attacks are on the rise this year, thanks in part to massive Emotet and TrickBot campaigns, which make use of phishing emails to deliver their payloads. If you don't already have o...
Exploit kits: winter 2019 review
Active malvertising campaigns in December and the new year have kept exploit kit activity from hibernating in winter 2019. We mostly observed Fallout and RIG with the occasional, limited GrandSoft appearance for wider geo-targeting. In addition, narrowly-focused exploit kits such as Magnitude,...
Sextortion Bitcoin scam makes unwelcome return
Heads up: a particularly nasty sextortion Bitcoin scam from at least the middle of 2018 is making the rounds once again. The scam involves making use of old breach dumps, then emailing someone from the list and reminding them of their old password. When something lands in your mailbox with “Hey,...
A week in security (February 4 – 8)
Last week on Malwarebytes Labs, we took a closer look at the technical and reputational challenges for Facebook as it tries to integrate secure messaging across Messenger, WhatsApp, and Instagram. We explored Google’s latest attempts to change how the public sees—literally—web browser URLs, gave...
Compromising vital infrastructure: communication
Have you ever been witness to a Wi-Fi failure in a household with school-aged children? If so, I don’t have to convince you that communication qualifies as vital infrastructure. For the doubters: when you see people risking their lives in traffic just to check their phone, you'll understand why...
Merging Facebook Messenger, WhatsApp, and Instagram: a technical, reputational hurdle
Secure messaging is supposed to be just that—secure. That means no backdoors, strong encryption, private messages staying private, and, for some users, the ability to securely communicate without giving up tons of personal data. So, when news broke that scandal-ridden, online privacy pariah...
Google Chrome announces plans to improve URL display, website identity
“Unreadable gobbledygook” is one way to describe URLs today as we know them, and Google has been attempting to redo their look for years. In their latest move to improve how Chrome—and of course, how the company hopes other browsers would follow suit—displays the URL in its omnibox the address ba...
New critical vulnerability discovered in open-source office suites
A great number of attack techniques these days are using Microsoft Office documents to distribute malware. In recent years, there has been serious development on document exploit kit builders, not to mention the myriad of tricks that red-teamers have come up with to bypass security solutions. In...
How to browse the Internet safely at work
This Safer Internet Day, we teamed up with ethical hacking and web application security company Detectify to provide security tips for both workplace Internet users and web developers. This article is aimed at employees of all levels. If you’re a programmer looking to create secure websites, visi...
Movie stream ebooks gun for John Wick 3 on Kindle store
We discovered a novel spam campaign over the weekend, targeting fans of John Wick on the Amazon Kindle store. The scam itself involves paying for what appears to be the upcoming third movie, turns into a bogus ebook, and goes on to hyperlink potential victims to a collection of third-party...
A week in security (January 28 – February 3)
Last week, we ran another in our interview with a malware hunter series, explained a FaceTime vulnerability, and took a deep dive into a new stealer. We also threw some light on a Houzz data breach, and what exactly happened between Apple and Facebook. Other cybersecurity news Kwik Fit hit by...
Houzz data breach: Why informing your customers is the right call
Houzz is an online platform dedicated to home renovation and design. Today February 1, 2019, they notified their customers about a data breach that reportedly happened in December 2018. Data breaches unfortunately have become a common event. In fact, we dubbed 2018 the year of the data breach...