
4658 matches found

Malwarebytes
added 2018/10/09 3:00 p.m., 47 views

When Endpoint Detection and Response (EDR) is not enough

As cybercriminals continue to validate the reality that no prevention-based security control is going to stop every threat every time, companies are expanding beyond prevention-only approaches and closing the gap with endpoint detection and response solutions. But as we consider this strategy, on...

AI score: 0.3
Exploits: 0

Malwarebytes
added 2018/10/08 4:39 p.m., 72 views

Avoid these Doctor Who Series 11 scams

The new season of Doctor Who has finally landed on television screens around the world, and we’ve started to see the first few signs of spam and other assorted nonsense lumbering online. A rash of YouTube accounts claiming to offer up the new series are making the rounds, all of which generally...

AI score: 6.9
Exploits: 0

Malwarebytes
added 2018/10/08 4:31 p.m., 37 views

A week in security (October 1 – 7)

Last week, Malwarebytes welcomed National Cybersecurity Awareness Month by renewing our pledge to do what we do best: offer the best protection for our customers and promote security awareness for all. On Labs, we raised the question of whether it is a good idea to bring your own security or not,...

AI score: 0.6
Exploits: 0

Malwarebytes
added 2018/10/05 3:00 p.m., 89 views

Fileless malware: part deux

In part one of this series, we focused on an introduction to the concepts of fileless malware, providing examples of the problems that we in the security industry face when dealing with these types of attacks. In part two, I will be walking through a few demonstrations of fileless malware attacks th...

AI score: 7.4
Exploits: 0

Malwarebytes
added 2018/10/04 3:00 p.m., 52 views

LoJack for computers used to attack European government bodies

Security researchers have detected the first known instance of a UEFI bootkit being used in targeted campaigns against government entities across Central and Eastern Europe. The attack focuses on UEFI-enabled computers and relies on a persistence mechanism that has been stolen from a legitimate,...

AI score: 1.4
Exploits: 0

Malwarebytes
added 2018/10/02 3:00 p.m., 19 views

Bring your own security (BYOS): good idea or not?

We've talked about the concept of Bring Your Own Device, or BYOD, on the blog before. BYOD is a popular policy whereby employees can bring personally-owned devices, such as laptops, tablets, or smartphones, to work and use them to access data and applications. It helps to cut costs and can increa...

AI score: 7
Exploits: 0

Malwarebytes
added 2018/10/02 2:00 p.m., 74 views

Fortnite gamers targeted by data theft malware

The new season of the incredibly popular video game Fortnite is upon us, and so too are the scams. It’s no surprise that con artists would jump on this bandwagon, eager to peddle their fakeouts. Only this time, scammers had something a little more dangerous in mind than your typical low-level...

AI score: 6.9
Exploits: 0

Malwarebytes
added 2018/10/01 4:44 p.m., 150 views

A week in security (September 24 – 30)

Last week on Labs was a busy one. We discussed how SMS phishing attacks target the job market, issued a warning for TV Licensing phishes, commented on how Apple confused Safari users with recent changes to how OSX handles browser extensions, and elaborated on holes found in Mojave’s privacy...

CVSS: 7.6, AI score: 6.6, EPSS: 0.61912
Exploits: 2

Malwarebytes
added 2018/10/01 2:00 p.m., 94 views

Malwarebytes is a champion of National Cybersecurity Awareness Month

October is here. For most of us in the US cybersecurity industry, it’s the month when we commemorate National Cybersecurity Awareness Month (NCSAM). For those who are unfamiliar with this campaign, NCSAM generally aims at driving awareness for safe Internet use, whether you're a regular consumer or...

AI score: 7.3
Exploits: 0

Malwarebytes
added 2018/09/28 7:39 p.m., 44 views

Millions of accounts affected in latest Facebook hack

Update 2018-10-18: According to the Wall Street Journal, the hack on Facebook was perpetrated by spammers rather than a nation state. Facebook also revised its numbers down, saying that about 30 million accounts had been compromised. Facebook announced earlier today that its social network had be...

AI score: 0.7
Exploits: 0

Malwarebytes
added 2018/09/28 3:00 p.m., 35 views

How to protect your data from Magecart and other e-commerce attacks

In today's golden age of online shopping, consumers take to the Internet, punch in a few credit card details, and happily receive products at their doorstep, safe in the knowledge that their online vendor is well-known, vetted, and therefore their website has to be secure, right? But did you know...

AI score: 7.1
Exploits: 0

Malwarebytes
added 2018/09/27 6:58 p.m., 40 views

Phone spampocalypse: fighting back in the age of unwanted calls

When Nigel Guest, then president of the Council of Neighborhood Associations (CNA), sent an email with the subject line, “test,” and the small letter “x” in its message body, the city of Berkeley, CA, went into a frenzy. You see, Mr. Guest thought he sent it only to himself, but he actually posted...

AI score: 6.7
Exploits: 0

Malwarebytes
added 2018/09/26 5:13 p.m., 1397 views

Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT

A variant of a remote code execution vulnerability with Internet Explorer's scripting engine known as CVE-2018-8373 patched last August has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static...

CVSS: 7.6, AI score: 0.4, EPSS: 0.87814
Exploits: 9

Malwarebytes
added 2018/09/26 3:00 p.m., 50 views

Holes found in Mojave’s privacy protection

macOS Mojave was released on Monday, September 24, with much promise of increased privacy protections. In particular, apps are now required to get permission from users before they can access data in certain locations, such as Mail data, contacts, calendar events, Safari user data, and more...

AI score: 0.7
Exploits: 0

Malwarebytes
added 2018/09/25 4:00 p.m., 41 views

Safari users: Where did your extensions go?

Safari 12 has brought with it some changes to how OSX handles browser extensions. At WWDC in June, Apple announced that Safari would block legacy extensions installed from outside the Extensions Gallery, which itself would now be deprecated. As a replacement, Safari will now rely on "app...

Exploits: 0

Malwarebytes
added 2018/09/25 9:00 a.m., 31 views

100 channels and nothing on, except TV Licensing phishes

We’ve seen a lot of people referencing fake TV Licensing emails they’ve received over the last few days. The majority so far appear to be fake refund notices, asking potential victims to log in to a phony TV License website and provide payment details for refunds. It's definitely keeping customer...

AI score: 6.9
Exploits: 0

Malwarebytes
added 2018/09/24 5:45 p.m., 45 views

Mobile Menace Monday: SMS phishing attacks target the job market

Recently, a co-worker received an enticing SMS message from ASPXPPZUPS Human Resources. It read: Tired of your old job? Join our team today, work from home and earn $6,200 per month: hire-me-zvcbrvpffy.hidden.com. Could it be that our dream job awaits via random text message? On the contrary, thi...

AI score: 6.8
Exploits: 0

Malwarebytes
added 2018/09/24 5:03 p.m., 50 views

A week in security (September 17 – 23)

Last week, we took a look at a low level spam campaign on Twitter, explored the signs of falling victim to phishing, and examined a massive WordPress compromise. We also explained some SASL vulnerabilities and covered a breaking Emotet spam campaign. Other cybersecurity news: NewEgg attacked by...

AI score: 0.4
Exploits: 0

Malwarebytes
added 2018/09/21 10:55 p.m., 60 views

Emotet on the rise with heavy spam campaign

The threat landscape is changing once again, now that the ocean of cryptocurrency miners has shrunk to a small lake. Over the last couple months, we've seen cybercriminals lean back on tried and true methods of financial theft and extortion, with the rise of a familiar Banking Trojan: Emotet...

AI score: 6.7
Exploits: 0

Malwarebytes
added 2018/09/21 3:00 p.m., 151 views

Simple Authentication and Security Layer (SASL) vulnerabilities

Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption. Within the...

CVSS: 5, AI score: 0.1, EPSS: 0.0318
Exploits: 0

Malwarebytes
added 2018/09/20 5:42 p.m., 463 views

Mass WordPress compromises redirect to tech support scams

Content Management Systems (CMSes) such as WordPress, Drupal, or Joomla are under a constant barrage of fire. Earlier this year, we detailed several waves of attacks against Drupal, also known as Drupalgeddon, pushing browser-based miners and various social engineering threats. During the past few...

AI score: 7.3
Exploits: 0

Malwarebytes
added 2018/09/20 4:00 p.m., 60 views

6 sure signs someone is phishing you—besides email

There are several common and, unfortunately, frequently successful avenues of attack that cybercriminals can use to part you from your personal contact and financial information. These phishing attack methods include email, phone calls, corrupted software or apps, social media, advertisements, an...

AI score: 6.6
Exploits: 0

Malwarebytes
added 2018/09/19 3:00 p.m., 60 views

A month of giveaway spam on Twitter

We've observed a low level spam campaign working its way through Twitter, with just under 2,000 posts visible on public search since September 1. The posts promote what appears to be CBD oil. For those who don't know (And I was one of them—still not sure if this oil is supposed to...

AI score: 6.8
Exploits: 0

Malwarebytes
added 2018/09/17 3:56 p.m., 51 views

A week in security (September 10 – 16)

Last week on Malwarebytes Labs, we assessed the security of a portable router, identified ways to waste a scammer's time, named the many faces of omnichannel fraud, questioned the security of 2FAs, profiled a massive tech support scam operation, and exposed a new HMRC phishing campaign. Other...

AI score: 7.5
Exploits: 0

Malwarebytes
added 2018/09/14 4:00 p.m., 69 views

HMRC phish swipes email login, payment details

It's not tax season in the UK, but that hasn't deterred scammers from sending out mail looking to swipe both card details and email logins in one fell swoop. The email, which claims UKGOV has issued a tax refund to the tune of 542.94 GBP, arrives under the following title, which is spectacularly...

AI score: 7.1
Exploits: 0

Malwarebytes
added 2018/09/14 3:00 p.m., 86 views

Is two-factor authentication (2FA) as secure as it seems?

Two-factor authentication (2FA) was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of entering a username and password. One of the most well-known examples of 2FA is when you try to log into a familiar website from a different...

AI score: 7.5
Exploits: 0

Malwarebytes
added 2018/09/13 3:00 p.m., 93 views

Partnerstroka: Large tech support scam operation features latest browser locker

Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name...

AI score: 6.8
Exploits: 0

Malwarebytes
added 2018/09/12 3:00 p.m., 60 views

The many faces of omnichannel fraud

The rise of new technologies, social networks, and other means of online communication have brought about compelling changes in industries across the board. For example, in retail, organizations use digital tools such as websites, email, and apps to reach out to their current and potential client...

AI score: 6.8
Exploits: 0

Malwarebytes
added 2018/09/11 3:00 p.m., 76 views

5 safe ways to get back at spammers: a guide to wasting time

Everyone hates spam apart from the people who send it. While many people simply report spam and delete, a few look for ways to get back at the spammers wasting their time. In fact, a common question we’re asked is, “How can we waste their time?” My own opinion on this is a little loaded with...

AI score: 6.8
Exploits: 0

Malwarebytes
added 2018/09/10 4:44 p.m., 84 views

A week in security (September 3 – 9)

Last week on Malwarebytes Labs, we looked at spyware going mainstream, how the popular game Fortnite sparks security concerns for Android users, and how certain Mac App Store apps are stealing user data. Other cybersecurity news: Microsoft announced Windows 7 Extended Security Updates in a blog...

AI score: 7.2
Exploits: 0

Malwarebytes
added 2018/09/10 3:00 p.m., 96 views

Assessing the security of a portable router: a look inside its hardware

Network administrators should perform security assessments of hardware that they will provide their users, or particularly paranoid users might want to poke at their devices just to be extra sure. In this blog post, we will demonstrate the techniques used to assess security on a generic portable...

AI score: 7.1
Exploits: 0

Malwarebytes
added 2018/09/07 5:08 p.m., 60 views

Mac App Store apps are stealing user data

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. This is referred to as exfiltrating the data. Some of this data is actuall...

Exploits: 0

Malwarebytes
added 2018/09/06 3:00 p.m., 74 views

Fortnite’s Google Play rebuff sparks security concerns for Android users

There's been no small outbreak of chaos in mobile land recently, all because of an astonishingly popular game called Fortnite. Here's the thing: people refer to Android as "open platform," saying that, in theory, you can do what you want with it. In practice, you buy an Android phone and then...

AI score: 7.3
Exploits: 0

Malwarebytes
added 2018/09/05 3:00 p.m., 24 views

When spyware goes mainstream

Stealware. Surveillanceware. Stalkerware. These are terms alternately used to effectively identify a file-based threat that has been around since 1996: spyware. More than two decades later, consumer or commercial spyware has gone mainstream, and the surprising number of software designed, openly...

AI score: 0.9
Exploits: 0

Malwarebytes
added 2018/09/03 3:00 p.m., 67 views

A week in security (August 27 – September 2)

Last week, we looked at dubious antics in mobile land, a peculiar case of spam on the official Cardi B website, and we deep dived into fileless malware. We also explored the inner workings of Hidden Bee, and gave an explainer of Regex. Other cybersecurity news: Huge data breach affects Chinese...

AI score: 1.2, EPSS: 0.00987
Exploits: 5

Malwarebytes
added 2018/08/31 3:00 p.m., 62 views

Explained: regular expression (regex)

Regular expression, or "regex" for short, is a mathematical term for the theory used to describe regular languages. But in computing, regexes are used to search for patterns in files and databases, and their functionality is incorporated into many modern programming languages. Regex search patter...

AI score: 7.3
Exploits: 0

Malwarebytes
added 2018/08/30 3:41 p.m., 52 views

Reversing malware in a custom format: Hidden Bee elements

Malware can be made of many components. Often, we encounter macros and scripts that work as malicious downloaders. Some functionalities can also be achieved by position-independent code—so-called shellcode. But when it comes to more complex elements or core modules, we almost take it for granted...

Exploits: 0

Malwarebytes
added 2018/08/29 4:48 p.m., 88 views

Fileless malware: getting the lowdown on this insidious threat

Traditionally, malware attacks as we have always known them are files written to disk in one form or another that require execution in order to carry out their malicious scope. Fileless malware, on the other hand, is intended to be memory resident only, ideally leaving no trace after its executio...

AI score: 0.4
Exploits: 0

Malwarebytes
added 2018/08/28 3:00 p.m., 58 views

Official Cardi B website plagued by spammers

We come bearing tidings of proper website maintenance and general housekeeping for singer Cardi B (or rather, for her web development team). At first glance, it appeared as though her website had been hacked a few days ago. But a look under the hood told a different story. We were surprised to see...

AI score: 7
Exploits: 0

Malwarebytes
added 2018/08/27 8:29 p.m., 62 views

Mobile Menace Monday: FakeGift is the gift that keeps on frustrating

Last spring, we found yet another piece of riskware on Google Play we call Android/PUP.Riskware.FakeGift. Based on Hindi characters found in the code, we can assume it originates from India. With over 50,000 installs before being removed from Google Play, FakeGift apparently kept on...

AI score: 0.2
Exploits: 0

Malwarebytes
added 2018/08/27 5:06 p.m., 76 views

A week in security (August 20 – August 26)

Last week on Labs, we took a look at insider threats, doubled back on the privacy of search browser extensions, profiled green card scams, revisited Defcon badgelife, and talked about what happens to a user's accounts when they die. Other cybersecurity news: There was an archiving error in Twitch...

AI score: 0.5
Exploits: 0

Malwarebytes
added 2018/08/24 3:00 p.m., 65 views

Green card scams: preying on the desperate

Thanks to @nullcookies for providing leads. Most online scams depend on two things for success: a broken or otherwise onerous process to deal with a legitimate entity, and a desperate target population. With immigration, there are many, many burdensome processes to navigate, and most applicants...

Exploits: 0

Malwarebytes
added 2018/08/23 3:00 p.m., 66 views

Can search extensions keep your searches private?

One of the most common things most of us do on the Internet is search, whether we are looking up the price of the latest gadget or we need to find the address of that great restaurant recommended by a friend. The dizzying number of Google search queries per second (more than 40,000, on average) tel...

AI score: 7
Exploits: 0

Malwarebytes
added 2018/08/22 4:03 p.m., 66 views

Badgelife: A Defcon 26 retrospective

One more year gone, one more Defcon completed. Defcon is the longest-running security conference in existence and one that I have been attending since Defcon 18. It is an opportunity to see and interact in real life with industry peers that would forever remain a digital persona otherwise. It is...

Exploits: 0

Malwarebytes
added 2018/08/21 3:58 p.m., 31 views

The digital entropy of death: BSides Manchester

Last week, I gave a talk at BSides Manchester based on a previous blog series for Malwarebytes Labs called "The digital entropy of death." What do you do when a relative or close friend dies, leaving all of their digital accounts lying around for anyone to break into and make use of? Which...

AI score: 7.2
Exploits: 0

Malwarebytes
added 2018/08/20 5:33 p.m., 48 views

A week in security (August 13 – August 19)

Last week on Malwarebytes Labs, we talked about how Process Doppelgänging meets Process Hollowing in the Osiris dropper, provided hints, tips, and links for a safer school year, gave a recap of Black Hat USA 2018, offered some tips for a secure content management system, highlighted a silly...

AI score: 7.4
Exploits: 0

Malwarebytes
added 2018/08/20 4:42 p.m., 87 views

The enemy is us: a look at insider threats

They can go undetected for years. They do their questionable deeds in the background. And, at times, one wonders if they're doing more harm than good. Although this sounds like we're describing some sophisticated PUP you haven’t heard of, we're not. These are the known attributes of insider...

AI score: 6.7
Exploits: 0

Malwarebytes
added 2018/08/17 4:00 p.m., 83 views

Liar, liar, pants on fire! Barclays phish claims cards explode

We feel compelled to relay the dire warning from this Barclays snail-mail letter, which we acquired through social media, therefore it must be true. Warning: Barclays debit cards may catch fire! The letter reads as follows: Dear costumer, Many of our bank costumers have reported that their debit...

AI score: 7.3
Exploits: 0

Malwarebytes
added 2018/08/16 3:00 p.m., 50 views

How to secure your content management system

Suppose you want to start your own blog or set up a website where you can easily manage its content, the way it looks, and how often it changes. What you need is a content management system (CMS). WordPress, Drupal, and Joomla are some of the most popular content management systems used by both...

AI score: 7.2
Exploits: 0

Malwarebytes
added 2018/08/15 4:00 p.m., 268 views

Black Hat USA 2018: ransomware is still the star

The Malwarebytes team was at the annual Black Hat USA event held in Las Vegas at the Mandalay Bay Hotel from August 4–9. Large crowds walked through the expo floor, attended talks, and participated in trainings. Among the many topics discussed, ransomware came up as one of the main issues that bo...

AI score: 0.9
Exploits: 0

Total number of security vulnerabilities: 4658