
4658 matches found

Malwarebytes
added 2018/06/18 5:0 p.m. | 43 views

A week in security (June 11 – June 17)

Last week on Malwarebytes Labs, we discussed how to protect the online privacy of children, we gave you a spring 2018 overview of exploit kits, rounded up the ongoing discussions about the VPNFilter malware, and discussed the struggles of UK law enforcement with modern-day cybercrime. Other news...

7.3 AI score
Exploits: 0
Malwarebytes
added 2018/06/15 7:2 p.m. | 39 views

UK law enforcement: an uphill struggle to fight hackers

About 16 years ago in the UK, I walked into a local police station to report a computer crime, because walking into local police stations is how they did things back then. There may well also have been penny farthing bicycles, real pea souper fogs, Mary Poppins, and Jack the Ripper, though I coul...

7 AI score
Exploits: 0
Malwarebytes
added 2018/06/13 4:15 p.m. | 67 views

VPNFilter malware still making waves

Last month, a piece of malware called VPNFilter caused chaos for owners of MikroTik, Linksys, TP-Link, and Netgear equipment. Roughly 500,000 devices worldwide fell victim, with the unwanted parasite able to listen to traffic, steal credentials, damage devices, and more. Until patches started to...

7.1 AI score
Exploits: 0
Malwarebytes
added 2018/06/12 7:4 p.m. | 621 views

Exploit kits: Spring 2018 review

Since our last report on exploit kits, there have been some new developments with the wider adoption of the February Flash zero-day, as well as the inclusion of a new exploit for Internet Explorer. We have not seen that many changes in the drive-by landscape for a long time, although these are th...

7.6 CVSS | 9.4 AI score | 0.93165 EPSS
Exploits: 38
Malwarebytes
added 2018/06/12 5:44 p.m. | 64 views

Internet Safety Month: How to protect your child’s privacy online

June marks the beginning of summer. It is also National Internet Safety Month. This is the perfect time to remind vacationers that while it is essential to check that everything you need is packed and ready for a trip, it is equally vital for the family to take steps in securing their devices and...

6.8 AI score
Exploits: 0
Malwarebytes
added 2018/06/11 4:2 p.m. | 46 views

A week in security (June 4 – June 10)

Last week on Labs, we took a look at hidden mobile ads, the perils of social media spam, and how to shore up your landline defenses. We also took a deep dive into Emotet malware analysis, and gave you some summertime safety tips. Other news Update your Adobe Flash player if you haven't already...

0.6 AI score
Exploits: 0
Malwarebytes
added 2018/06/08 3:0 p.m. | 55 views

Tips for safe summer travels: your cybersecurity checklist

Summer is just around the corner in the Northern Hemisphere, and with it comes vacation plans for many. Those looking to take some time away from work and home are likely making plans to secure their home, have their pets taken care of, and tie up loose ends at work. But how about securing your...

7.1 AI score
Exploits: 0
Malwarebytes
added 2018/06/07 3:0 p.m. | 61 views

Malware analysis: decoding Emotet, part 2

In part two of our series on decoding Emotet (you can catch up on part 1 here), we'll cover analysis of the PowerShell code. Before we do that, however, it is a good idea to list some of the functions and calls that are used in the code for the execution. System.Runtime.InteropServices.Marshal: us...

0.5 AI score
Exploits: 0
Malwarebytes
added 2018/06/06 3:0 p.m. | 17 views

PSA: Users with landlines are more vulnerable to scams

It’s time to have “the talk” with your parents, relatives, and loved ones. Anyone still using a landline must be warned: having a home phone makes you particularly vulnerable to scams. We know here at Malwarebytes that our readers are often the unofficial “IT” department for their families,...

0.3 AI score
Exploits: 0
Malwarebytes
added 2018/06/05 5:0 p.m. | 55 views

Social media: A treasure trove of spam and scams

There are two kinds of spam associated with social media. There are spam ads that actually live on social media, and there is spam that comes in your inbox, courtesy of social media. Both thrive by using data from your social media accounts. But how do spammers know how to target you and send you...

0.2 AI score
Exploits: 0
Malwarebytes
added 2018/06/04 4:51 p.m. | 58 views

A week in security (May 28 – June 3)

Last week on Labs, we talked about the significance of SEO poisoning in the world of search marketing, blackmail attempts against financial institutions in Canada, voice command flaws in smart assistants, survey and potential phishing scams on Instagram, and the latest changes in Office 365. We...

0.7 AI score
Exploits: 0
Malwarebytes
added 2018/06/04 3:0 p.m. | 49 views

Mobile Menace Monday: A race to hidden ads

Who doesn’t love a good motorcycle racing game, right? How about one easily available on Google Play, a “safe” place for all your Android app desires? How about a bike racing game that sticks with you so much, you can’t easily uninstall it? And it displays hidden ads? Wait, what!? That’s right! I...

0.9 AI score
Exploits: 0
Malwarebytes
added 2018/06/01 3:0 p.m. | 903 views

Blocks for Flash and others coming to Office 365

If you're a user of Microsoft Office products such as Word and Excel, you're probably aware that they've been used as inroads for malware for a long, long time. But what about malware attacks without Macros? Sure. Macro malware for Macs? That, too. Malicious documents and spying tools? Danger, Wi...

9.3 CVSS | 8.3 AI score | 0.99933 EPSS
Exploits: 29
Malwarebytes
added 2018/05/31 4:0 p.m. | 54 views

A conversation with America Geeks

Thanks to NeeP for contributing significant research. You can check out NeeP's YouTube channel here. Malwarebytes has written quite a bit about tech support scammers, typically focusing on new scam techniques as they arise with new threat actor groups. But sometimes our research discovers scammer...

6.5 AI score
Exploits: 0
Malwarebytes
added 2018/05/31 3:0 p.m. | 45 views

Instagram story spam claims free Apple Watch

I have to admit, I'm not 100 percent sure who Elton Castee is. "Who's that?" you ask? Digging around revealed that he's big on YouTube, has done some films, and raises money for dogs, which is very cool. He's also popular on Instagram, with 400k+ followers. With that in mind, we've seen a few...

0.5 AI score
Exploits: 0
Malwarebytes
added 2018/05/30 4:59 p.m. | 33 views

Researchers discover vulnerabilities in smart assistants’ voice commands

Virtual personal assistants (VPA), also known as smart assistants like Amazon’s Alexa and Google’s Assistant, are in the spotlight for vulnerabilities to attack. Take, for example, that incident about an Oregon couple’s Echo smart speaker inadvertently recording their conversation and sending it to...

0.4 AI score
Exploits: 0
Malwarebytes
added 2018/05/29 7:52 p.m. | 49 views

Two major Canadian banks blackmailed after alleged data breach

While the US was celebrating Memorial Day on Monday, Canada was dealing with an unusual data breach affecting two popular financial institutions: Simplii Financial and Bank of Montreal (BMO). The CBC broke the story and updated it throughout the day to mention that some 90,000 customers were possib...

0.8 AI score
Exploits: 0
Malwarebytes
added 2018/05/29 7:12 p.m. | 49 views

SEO poisoning: Is it worth it?

Search Engine Optimization (SEO) poisoning basically comes down to getting your web page high in the rankings for relevant search results without buying advertisements or using legitimate, but tedious, SEO best practices. Instead, threat actors use illegal means to push their page to the top...

6.5 AI score
Exploits: 0
Malwarebytes
added 2018/05/28 8:26 p.m. | 66 views

A week in security (May 21 – May 27)

Last week we told you about a Mac cryptominer using XMRig, an overview of Dreamcast related scams, part 1 of decoding Emotet, and what to do about bad coding habits that die hard. We also published the results of our second CrackMe contest. Other news How a pioneer of machine learning became one ...

0.9 AI score
Exploits: 0
Malwarebytes
added 2018/05/25 3:0 p.m. | 133 views

Malware analysis: decoding Emotet, part 1

Emotet Banking Trojan malware has been around for quite some time now. As such, infosec researchers have made several attempts to develop tools to de-obfuscate and even decrypt the AES-encrypted code belonging to this malware. The problem with these tools is that they target active versions of th...

1 AI score
Exploits: 0
Malwarebytes
added 2018/05/24 3:0 p.m. | 27 views

Happy anniversary to Dreamcast…and its scams

This month marks 20 years since the legendary SEGA Dreamcast console was first announced. Looked on fondly by gamers, it revolutionised many aspects of gaming and brought cheapish online console gaming to the masses. SEGA has endured many, many calls for it to come back as...

7.2 AI score
Exploits: 0
Malwarebytes
added 2018/05/23 3:0 p.m. | 29 views

Why bad coding habits die hard—and 7 ways to kill them

Developers are usually the focus of blame when software vulnerabilities cause organizational breaches. Sometimes, quality assurance engineers are included in the flame. Interestingly, though, hardly anyone looks at why bad coding habits form in the first place. We're talking about the culture, th...

7.2 AI score
Exploits: 0
Malwarebytes
added 2018/05/22 4:0 p.m. | 50 views

Malwarebytes CrackMe 2: contest summary

About three weeks ago, we published our second CrackMe. It triggered a lot of interest, and we got many high-quality write-ups. Choosing the winner was really difficult! In this post, I am going to summarize the contest and comment on the received submissions. CrackMe 2 challenge The topic of the...

0.3 AI score
Exploits: 0
Malwarebytes
added 2018/05/22 3:0 p.m. | 56 views

New Mac cryptominer uses XMRig

A new Mac cryptominer was discovered this week, after affected users saw their fans whirring out of control and a process named "mshelper" gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove. The malware became public knowledge in a...

1 AI score
Exploits: 0
Malwarebytes
added 2018/05/21 5:17 p.m. | 24 views

A week in security (May 14 – May 20)

Last week, we looked at the deluge of incoming policies caused by GDPR, tackled Adobe Reader zero days, and ran through some iPhone security tips. We also caught some helpline scammers in the act, explored advergaming, got our Senate Bill game face on, and deep dived into Drupal vulnerabilities...

7.2 AI score
Exploits: 0
Malwarebytes
added 2018/05/21 3:0 p.m. | 52 views

Vote for Malwarebytes Labs: European Security Blogger Awards 2018

It's nearly time for Infosec Europe 2018, and that means it's also time to consider voting for your favourite security blogs, podcasts, video channels, and more for the upcoming European Security Blogger Awards. Thanks to your generous votes, we've been fortunate enough to pick up the award for...

0.3 AI score
Exploits: 0
Malwarebytes
added 2018/05/18 4:0 p.m. | 69 views

Why tech companies wanted Senate Bill 315 vetoed

When Georgia Senate Bill 315 (SB-315) was introduced, people in the tech world anxiously awaited its fate, regardless of their geographic location. They knew that some laws initially restricted to single states become more widespread after politicians set precedents. And they knew that this law cou...

Exploits: 0
Malwarebytes
added 2018/05/18 3:0 p.m. | 698 views

A look into Drupalgeddon’s client-side attacks

Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600) followed by yet another (CVE-2018-7602) almost a month later, both aptly nicknamed Drupalgeddon 2 a...

7.5 CVSS | 10 AI score | 0.99993 EPSS
Exploits: 58
Malwarebytes
added 2018/05/17 4:0 p.m. | 48 views

Exploring the virtual worlds of advergaming

Games and analytics services ran into one another headfirst recently, in a spat related to the game Conan Exiles. Developers had to remove a tracking service, which allowed game developers to track where Steam players had come from. By generating an API key and integrating it into the game,...

7 AI score
Exploits: 0
Malwarebytes
added 2018/05/17 3:0 p.m. | 33 views

Fake Malwarebytes helpline scammer caught in the act

An estimated one in every 10 American adults lost money in a cyber scam in the past 12 months, according to a report released by the FTC earlier in the month. On average, each scam victim lost $430, totaling about $9.5 billion overall. To put this in perspective, that’s over 22 million Americans...

6.9 AI score
Exploits: 0
Malwarebytes
added 2018/05/16 3:0 p.m. | 22 views

Seven security tips for staying safe on an iPhone

iPhones have a reputation for being notoriously secure. After all, they caused quite the kerfuffle between Apple and the FBI because they are, from the FBI's point of view, too secure! However, don't let that lull you into a false sense of security. Using an iPhone is not an automatic guarantee o...

7.2 AI score
Exploits: 0
Malwarebytes
added 2018/05/15 6:44 p.m. | 1099 views

Adobe Reader zero-day discovered alongside Windows vulnerability

During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we...

7.5 CVSS | 8.6 AI score | 0.89618 EPSS
Exploits: 46
Malwarebytes
added 2018/05/15 6:25 p.m. | 41 views

GDPR causes a flood of new policies

The European Union claims that the General Data Protection Regulation (GDPR), which comes to term on May 25, is the most important change in data privacy regulation in 20 years. Many companies have spent months preparing for the changes, working on policy and compliance, and introducing changes to...

6.8 AI score
Exploits: 0
Malwarebytes
added 2018/05/14 5:18 p.m. | 55 views

A week in security (May 7 – May 13)

Last week on Labs, we looked at the case of a fake Android AV, an annoying adware that goes by the name of Kuik, the return of threat actors behind the Shopper Stop tech scam, a new Netflix phishing scam, the recent zero-day vulnerability in Internet Explorer, and the insufficiency of merely...

7.4 AI score
Exploits: 0
Malwarebytes
added 2018/05/11 3:0 p.m. | 32 views

Where did the tech support scam blacklist go?

For about five years, we've maintained a blacklist of recognized tech support scammers, along with websites and phone numbers they might use to contact victims. The blacklist was part of our Tech support scams: help and resource page, which tells readers how scams work, what tricks to look out fo...

6.6 AI score
Exploits: 0
Malwarebytes
added 2018/05/10 7:58 p.m. | 2865 views

Internet Explorer zero-day: browser is once again under attack

Update 2018-05-25: CVE-2018-8174 has been added to the RIG exploit kit MDNC. Update 2018-05-22: Security researcher Richard Warren mentioned that a fully working IE zero-day now patched with payload was uploaded to VirusTotal. We decided to test Malwarebytes against it, since last time we only ha...

9.3 CVSS | 8.3 AI score | 0.99933 EPSS
Exploits: 48
Malwarebytes
added 2018/05/10 3:0 p.m. | 46 views

Parenting in the Digital World: a review

Before I became a new mum not so long ago, I did the best I could to prepare myself to take care of my little one by reading a lot of books. From learning how to discern possible meanings behind baby's various cries to finding out what you can and can't feed your baby once they begin eating solids. ...

7 AI score
Exploits: 0
Malwarebytes
added 2018/05/09 5:0 p.m. | 55 views

Netflix phish claims your membership is on hold

The days of ugly-looking phish pages hosted on something akin to a Geocities page are slowly receding into the distance. For quite some time now, phish attacks have made attempts to look fairly sophisticated and stand a decent chance of fooling anyone not keeping their guard up. Today, we have a...

6.9 AI score
Exploits: 0
Malwarebytes
added 2018/05/09 4:30 p.m. | 48 views

HTTPS: why the green padlock is not enough

When goods get sold in large quantities, the price goes down. This might not be the first law of economics, but it’s applicable. An extrapolation of this is that if there are practically no production costs and no raw materials involved, prices of such goods will drop to zero. Usually, they will ...

6.7 AI score
Exploits: 0
Malwarebytes
added 2018/05/08 4:0 p.m. | 35 views

Kuik: a simple yet annoying piece of adware

Some pieces of malware can be so simple—and yet such a pain to get rid of—especially when they start interfering with your system's configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controller. The perpetrators are...

0.1 AI score
Exploits: 0
Malwarebytes
added 2018/05/08 1:25 p.m. | 53 views

Tech support scam uses fake Shoppers Stop site to lure thousands

Update 2018-05-17: Shoppers Stop is a legitimate company based out of India and their brand was abused by scammers. These days, there are a lot of browser locker campaigns fueled by malvertising or redirection from hacked sites. But the Shoppers Stop tech scam campaign is actually a bit of both,...

0.2 AI score
Exploits: 0
Malwarebytes
added 2018/05/07 8:46 p.m. | 50 views

Mobile Menace Monday: re-emergence of a fake Android AV

Back in early 2013, a new mobile antivirus (AV) company called Armor for Android emerged into the mobile security software industry that had everyone perplexed. It seemed eerily like malware known as a Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who...

0.7 AI score
Exploits: 0
Malwarebytes
added 2018/05/07 5:18 p.m. | 60 views

A week in security (April 30 – May 6)

Last week on Labs, we examined the Spartacus ransomware, reported about a new tactic used by the Necurs malspam campaign, informed you about the recommended Twitter password change, and discussed engaging students to start considering careers in cybersecurity. Other news NTLM credentials can be...

1 AI score
Exploits: 0
Malwarebytes
added 2018/05/04 7:18 p.m. | 27 views

Twitter security snafu: change your passwords

If you're logging into Twitter after having been AWOL for a day or two, you'll likely be seeing one of these pop-ups talking about account security: Don't panic, it's nothing that can't be fixed. The message reads as follows: Keeping your account secure When you set a password fo...

7.2 AI score
Exploits: 0
Malwarebytes
added 2018/05/04 4:52 p.m. | 34 views

Engaging students in cybersecurity: a primer for educators

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. Maimonides The education sector has had its share of breaches. And schools, like medical and retail institutions, continue to struggle when it comes to securing their highly-priced assets: student a...

7 AI score
Exploits: 0
Malwarebytes
added 2018/05/03 5:44 p.m. | 18 views

Internet Shortcut used in Necurs malspam campaign

The Necurs botnet continues to be one of the most prolific malicious spam distributors, with regular waves of carefully-crafted attachments that are used to download malware. The majority of malspam campaigns that we track are targeting Microsoft Office with documents containing either macros or...

1 AI score
Exploits: 0
Malwarebytes
added 2018/05/01 3:54 p.m. | 13 views

SamSam ransomware: what you need to know

SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Based on our own run-ins with the infection, we've observed that attacks were made on targets via vulnerable JBoss host servers during a previous wave of SamSam...

7 AI score
Exploits: 0
Malwarebytes
added 2018/04/30 5:40 p.m. | 33 views

Spartacus ransomware: introduction to a strain of unsophisticated malware

Spartacus ransomware is a new sample that has been circulating in 2018. Written in C, the original sample is obfuscated, which we will go over as we extract it to its readable state. Spartacus is a relatively straight-forward ransomware sample and uses some similar techniques and code to others w...

6.9 AI score
Exploits: 0
Malwarebytes
added 2018/04/30 3:17 p.m. | 13 views

A week in security (April 23 – April 29)

Last week, we dug into behavioral biometrics, explored a new crossrider variant, and embraced the power of "no." We also launched another CrackMe challenge, took a deep dive into smart toys, and finished up with a look at digital privacy in the age of IoT. Other news LinkedIn does battle with...

0.8 AI score
Exploits: 0
Malwarebytes
added 2018/04/27 4:0 p.m. | 82 views

Please don’t buy this: smart toys

Smart toys attempt to offer what a lot of us imagined as kids—a toy that we can not only play with, but one that plays back. Many models offer voice recognition, facial expressions, hundreds of words and phrases, reaction to touch and impact, and even the ability to learn and retain new...

7.6 AI score
Exploits: 0
Total number of security vulnerabilities: 4658