Parsing the Distinction Between AI & Machine Learning
I had the privilege of giving a keynote on one of my favorite topics, busting myths around artificial intelligence (AI) and machine learning (ML), during DattoCon 2018 this week.
Webroot has been doing machine learning for more than a decade and consider this aspect one of our key differentiators for our solutions. However, for many small and medium-sized businesses (SMBs), that might not matter. They may have heard the terms AI or ML but aren’t sure how these advancements can help keep their company safe. Additionally, the managed service providers (MSPs) who provide millions of SMBs with security protection, might not know how this technology can help their customers either.
AI and ML are not the same thing. Marketing campaigns and news articles oftentimes confuse people into thinking that they are—and my insistence on clarifying their nuance might be overkill—but I think it’s important to know the difference so you can understand how each can help make cybersecurity stronger.
What is artificial intelligence?
Artificial intelligence interacts with people, whether emulating a human (think about chat bots) or pets. The AI component is that interactive component—the thing you can touch, feel, and see. AI technology is very nascent, and I expect great things to come in the near future.
What is machine learning?
Machine learning is artificial intelligence’s nerdy cousin. ML models are designed to analyze all of the data collected, behind the sciences, with no human interface. ML is the heavy science where all the data crunching takes place. This is the part of technology that a few companies, like Webroot, have been working in for a long time.
To dig in further, I decided to take to the streets (or aisles) of DattoCon 2018 in Austin, TX, and see what MSPs were hearing and thinking about in relation to AI and ML. I kicked things off by getting a grasp on what MSPs are being asked by their customers.
“Absolutely nothing,” said Steven Gomes, kloudfyre. “They don’t bring it up; it’s nothing I even talk about. I know AI is the future of processing speed and power — so it’s important to me because it means accuracy and intelligence. But my customers don’t ask.”
That’s the response I got across the board. MSPs know it is something key for the future of security, but their customers don’t ask about it at all. I’m heartened to learn MSPs understand the importance, but can they tell marketing hype from reality? I want to make sure they understand what’s important or key differentiators for AI and ML.
Identifying the problem, data and consumability are key.
First, you need to know what problem you’re trying to solve before you can engage ML models. Next is having substantial data to feed the models. Webroot analyzes 500 billion data elements a day that we link and push through our models to enhance our analysis. We have a lot of access to information that new players in the space simply do not. Data is key to training up a model. Finally, consumability is getting the ML models into the hands of the customer so that the solution can be actionable. It’s pretty easy to tune new models, but it’s not easy to get the models deployed and allow customers to get meaningful, actionable data from it.
What do MSPs hear from customers around what’s key with ML?
The general sentiment was that it’s a checkbox in that they know the words, and it’s a must, but there is no real data or understanding of the why. SMBs don’t know what it means or how it applies to their business other than making security generally better.Going one-step further, I get concerned people are enamored with the idea of the tech but not clear on the value it can provide.
AI and ML should help in three areas for customers.
First, it should help create new capabilities for the security stack while at the same time decreasing their costs and reducing their cycle time to detect and remediate threats. Second, it should help detect emergent, unexpected threat behaviors quickly enabling the security team or an orchestration solution to take action. Third, it should deliver value around people augmentation. It could be automation of remedial tasks or simply working around the clock while your human employees go home and sleep.
“MSPs are technologists. They have to take complex stuff for their clients and their clients have blind faith. So MSPs focus on effectiveness.” -Cameron Stone, sales, Webroot
When I dug in more about benefits, a recent MSP owner chimed in, “Almost all decisions are based on whether it reduces headaches and is an innovative tool for my customers; so if machine learning does that, I’m all for learning more. I’d be happy to read up on it, but my customers don’t have time to read or care about it.”
As a passionate fan of ML, I realized there is a lot more we in the industry need to do to help educate and make this technology easy to consume.
Machine learning’s super power is that the amount of data it can take it has no limits. Think about it the context of healthcare: what if the best doctors in the world could work on your issue, around the clock? ML can provide that value to cybersecurity.
I appreciate Datto letting me talk on my soapbox for a few minutes and hope to continue this conversation with more MSP partners.
Cyber News Rundown: Apple Bans Crypto Mining Apps
Apple Bans All Cryptocurrency Mining Apps from App Store
Apple has made several policy changes over the last few days that will effectively ban all cryptocurrency mining features from apps in the App Store. This change comes not long after Apple removed an app called Calender 2, which silently began background mining for Monero but later reappeared without it’s mining functionality. Due to the relatively weak hardware found in Apple devices, it would take a considerable amount of time and processing power to make mining even the easiest currencies feasible.
Hackers Steal Payment Info from Major UK Retailer
This past week officials announced that Dixons Carphone, a large electronics retailer from the UK, suffered a major breach of their payment systems nearly a year ago. The identified systems contained payment data for nearly 6 million customers, though most were protected by the use of a chip-and-PIN authentication system. Additional customer information was also compromised, though the full extent of the fraud being committed with the stolen information is still unclear.
Spanish Soccer App Found Spying on Users
A new app has been circulating through the Android marketplace recently that appears to be a normal sports app, but requests access to the device’s microphone and GPS location to spy on unauthorized viewing of broadcast sports. While the creator of the app, Spain’s top-flight soccer league, has gone on to defend its actions based on the annual losses from illegally broadcasted games, the recent revelation has brought in thousands of 1-star reviews for the app which currently has over 10 million downloads.
Top-level Domains Contain Highest Danger Risks
With just over 1,500 top-level domains (TLDs) like .com, .biz, and .work currently registered, it seems surprising that most sub-domains were linked to some form of spam or malware distribution. The worst offender was the .men TLD which was discovered to have 55% of 65,000 sub-domains registered as “bad” within the last month. The main reason for this influx of spammers is the extremely low cost of purchasing within these TLDs. Most sub-domains are available for less than $1 and can be sold in massive quantities to anyone interested.
Unguarded Botnet Server Reveals 43 Million Email Addresses
Researchers have stumbled onto a command and control server belonging to a botnet that has been distributing both Trik and Gandcrab ransomware. The server itself contained over 2000 text files, each holding an average of 20,000 unique email addresses, likely being used to facilitate other email spammers. A total of 43.5 million unique addresses were found. While many of the emails are likely from other data breaches in the past, they span over 100 individual domains from countries around the world.
3 MSP Best Practices for Protecting Users
Cyberattacks are on the rise, with UK firms being hit, on average, by over 230,000 attacksin 2017. Managed service providers (MSPs) need to make security a priority in 2018, or they will risk souring their relationships with clients. By following 3 simple MSP best practices consisting of user education, backup and recovery, and patch management, your MSP can enhance security, mitigate overall client risk, and grow revenue.
User Education
An effective anti-virus is essential to keeping businesses safe; however, It isn’t enough anymore. Educating end users through security awareness training can reduce the cost and impact of user-generated infections and breaches, while also helping clients meet the EU’s new GDPR compliance requirements. Cybercriminals’ tactics are evolving and increasingly relying on user error to circumvent security protocols. Targeting businesses through end users via social engineering is a rising favorite among new methods of attack.
Common social engineering attacks include:
- An email from a trusted friend, colleague or contact—whose account has been compromised—containing a compelling story with a malicious link/download is very popular. For example, a managing director’s email gets hacked and the finance department receives an email to pay an outstanding “invoice”.
- A phishing email, comment, or text message that appears to come from a legitimate company or institution. The messages may ask you to donate to charity, ‘verify’ information, or notify you that you’re the winner in a competition you never entered.
- A fraudster leaving a USB around a company’s premises hoping a curious employee will insert it into a computer providing access to company data.
Highly topical, relevant, and timely real-life educational content can minimize the impact of security breaches caused by user error. By training clients on social engineering and other topics including ransomware, email, passwords, and data protection, you can help foster a culture of security while adding serious value for your clients.
Backup and Disaster Recovery Plans
It’s important for your MSP to stress the importance of backups. If hit with ransomware without a secure backup, clients face the unsavory options of either paying up or losing important data. Offering clients automated, cloud-based backup makes it virtually impossible to infect backup data and provides additional benefits, like a simplified backup process, offsite data storage, and anytime/anywhere access. In the case of a disaster, there should be a recovery plan in place. Even the most secure systems can be infiltrated. Build your plan around business-critical data, a disaster recovery timeline, and protocol for disaster communications.
Things to consider for your disaster communications
- Who declares the disaster?
- How are employees informed?
- How will you communicate with customers?
Once a plan is in place, it is important to monitor and test that it has been implemented effectively. A common failure with a company’s backup strategy occurs when companies fail to test their backups. Then, disaster strikes and only then do they discover they cannot restore their data. A disaster recovery plan should be tested regularly and updated as needed. Once a plan is developed, it doesn’t mean that it’s effective or set in stone.
Patch Management
Consider it an iron law; patch and update everything immediately following a release. As soon as patches/updates are released and tested, they should be applied for maximum protection. The vast majority of updates are security related and need to be kept up-to-date. Outdated technology–especially an operating system (OS)–is one of the most common weaknesses exploited in a cyberattack. Without updates, you leave browsers and other software open to ransomware and exploit kits. By staying on top of OS updates, you can prevent extremely costly cyberattacks. For example, in 2017 Windows 10 saw only 15% of total files deemed to be malware, while Windows 7 saw 63%. These figures and more can be found in Webroot’s 2018 Threat Report.
Patching Process
Patching is a never-ending cycle, and it’s good practice to audit your existing environment by creating a complete inventory of all production systems used. Remember to standardize systems to use the same operating systems and application software. This makes the patching process easier. Additionally, assess vulnerabilities against inventory/control lists by separating the vulnerabilities that affect your systems from those that don’t. This will make it easier for your business to classify and prioritize vulnerabilities, as each risk should be assessed by the likelihood of the threat occurring, the level of vulnerability, and the cost of recovery. Once it’s determined which vulnerabilities are of the highest importance, develop and test the patch. The patch should then deploy without disrupting uptime—an automated patch system can help with the process.
Follow these best practices and your MSP can go a lot further toward delivering the security that your customers increasingly need and demand. Not only you improve customer relationships, but you’ll also position your MSP as a higher-value player in the market, ultimately fueling growth. Security is truly an investment MSPs with an eye toward growth can’t afford to ignore.
Cyber News Rundown: MyHeritage Breached
The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.
92 Million Genealogy Site Accounts Compromised
Earlier this week, genealogy and DNA testing site MyHeritage revealed it had suffered a breach that affects all 92 million of its users, making it the largest reported breach of 2018. The breach itself appears to have occurred in October of last year and affected the systems that store user emails and hashed variants of their passwords. Fortunately, neither DNA results nor payment systems were affected, as they are both stored separately from online account info. Following the breach, MyHeritage has begun implementing two-factor authentication and has strongly suggested that all users update their current passwords.
Apple’s Latest Beta Release Features Enhanced Security Measures
At this year’s Worldwide Developers Conference, Apple unveiled iOS 12 which includes several quality of life improvements for current apps along with new additions. Among the new features, Apple has hinted at one that forces users who are transferring data using a USB device to unlock their Apple device once per hour, to keep the transfer active. This feature is likely part of their continued response to the FBI and several security companies developing methods to bypass local device security to gain unauthorized access to the device.
Australian HR Firm Falls Victim to Data Breach
In the past two weeks, officials at Australian HR firm PageUp have been working to determine the scale of a data breach that occurred in the last week of May. The systems affected contained sensitive user information, minus payment data or written contracts, which are stored elsewhere. The company has since informed all affected customers of the issue and has taken several steps to ensure the malware that caused the breach has been removed.
Facebook Allowed Untrustworthy Chinese Firm to Access User Data
Following Facebook’s ongoing stream of litigation, they are once again under fire for allowing China-based Huawei to gather not only user data but also data from that user’s friend list, often without consent. Huawei and dozens of other developers were given access to Facebook’s API to assist in improving the user experience on various operating systems, though it is impossible to account for any misuse of the data from that point on.
Financial Sector Sees Major Increase in Keyloggers
Researchers analyzed the 100 malware infections that most recently affected the financial sector and found high volumes of keyloggers, as well as Emotet and Ursnif Trojans, which are commonly dropped from malicious Microsoft® Office documents. While it’s not unusual for keylogging software be used to steal sensitive financial info, the sheer quantity of variants indicates that, as these institutions have worked to increase their security, attackers have also been working to improve their own methods.
Is GDPR a Win for Cybercriminals?
GDPR represents a massive paradigm shift for global businesses. Every organization that handles data belonging to European residents must now follow strict security guidelines and businesses are now subject to hefty fines if data breaches are not disclosed. Organizations around the world have been busy preparing to comply with these new regulations, but many internet users are unaware of how GDPR will impact them. While this new oversight enhances user privacy protection, its implementation also opens the door for GDPR-specific cyber threats.
Anyone with even the slightest online presence has been subject to a barrage of new terms and conditions released by companies concerning GDPR, which became effective on May 25, 2018. Criminals are taking advantage of this overwhelming surge of new terms of agreements to execute scams.
A phishing scam purporting to come from Apple is the most popular that we’ve seen. It declares that “For Your Safety, Access To Your Apple ID Has Been Restricted”, then prompts users to update account information before being allowed back in. This particular campaign was designed to capitalize on fatigue from the myriad of updated terms of agreement and privacy policy notifications internet users have encountered in the weeks leading up to GDPR, hoping to catch them off guard. The idea behind the scam is that potential victims are less alert and more likely to agree to and click through anything related to updated terms and conditions. Here’s what the phishing page looks like:
Source: hxxps://www.securitycentre-appleid.com [phishing URL]
When victims click “Update Your Account”, they’re then presented with a fake login page designed to capture their Apple ID credentials.
Source: hxxps://www.securitycentre-appleid.com/Locked.php [Phishing URL]
Targeted Ransomware
Beyond simple phishing scams, GDPR brings new pressure criminals can leverage concerning personal data that companies are responsible for. Targeted ransomware has become popular recently, especially through the RDP attack vector. Cybercriminals are now in a much better position to demand substantially larger ransoms when dealing with company data belonging to EU residents than before.
Were criminals to target an organization handling EU resident data, they’d be in a position to leverage a ransom amount closer to fines meted out under GDPR laws once they’ve breached and encrypted the data. We expect to see an increase in targeted ransomware hoping to exploit the hefty GDPR fine structure.
Another win for cybercriminals comes in the form of the recent change to the WHOIS lookup, made in response to GDPR data privacy restrictions. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the global domain system, has removed crucial bits of data from public WHOIS lookups to comply with GDPR.
Before this change, when queries were made on domains using WHOIS lookup, information such as registrant’s name, address, email, and phone number was accessible. This proved invaluable when tracking malicious domains linked to malware campaigns. Now, with GDPR, that information will no longer be available publicly, giving cybercriminals another edge. ICANN has since filed a lawsuit seeking to clarify the law as it relates to WHOIS data collection, according to Threatpost.
GDPR Fails
We’ve also seen some unfortunate failures from legitimate companies sending emails trying to educate and inform their customers of GDPR-related changes—and actually violating the regulations while doing so.
Source: @ashstronge on Twitter
In sending this email on blast to their contacts, the company above failed to hide email addresses, thereby sending their users’ contact information to everyone on their email list. A mistake like this may carry costly consequences under the EU’s new rules. It should serve as a reminder to businesses of all sizes– there’s a lot at stake when handling personal data. With only 42 percent of organizations in the U.S., U.K. and Australia reporting they are ready to comply with recent privacy regulations, ramping up information security safeguards will continue to be imperative in 2018.
Be on alert for scams related to GDPR. Interact carefully with the many privacy policy updates you’ve likely received in recent weeks. Remember to practice good cyber hygiene, and always double check website URLs whenever entering personal data.
What do you think about GDPR’s implications for the evolving threat landscape? Let us know in the comments below or join our Tech Talk discussion in the Webroot Community.
American Cybercrime: The Riskiest States in 2018
Nearly 50 percent of Americans don’t use antivirus software
That’s right; something as basic as installing internet security software (which we all know we’re supposed to use) is completely ignored by about half the US. You’d be amazed how common this and other risky online behaviors are. We did a survey of people’s internet habits across the United States, and the numbers aren’t pretty.
For reference, some very common (and very risky) online behaviors include:
- Not using antivirus software
- Sharing your account passwords
- Using too-simple passwords, or reusing the same password for multiple accounts
- Not using an ad or pop-up blocker
- Opening emails, clicking links, and downloading files from unknown sources
- Not installing security on mobile devices
State-by-state Breakdown of the Riskiest Cyber Behaviors
We analyzed all 50 states and Washington, D.C., to rank them on their cyber hygiene habits. This ranking system uses positive and negative survey questions weighted by the relative importance of each question. These questions address several topics, including infection incidents, identity theft, password habits, computer sharing, software update habits, antivirus/internet security usage, backup habits, understanding of phishing, etc.
Florida wins the dubious distinction of riskiest state with the worst cyber hygiene. But before anyone pokes fun, we’d like to point out that the average resident of any state in the nation has pretty poor cyber hygiene. Only 6 states in the nation had good cyber hygiene scores.
Impacts of Risky Behavior
When you engage practice poor cyber hygiene, you’re not just running the risk of getting infected or losing a few files.
In our research, we asked respondents who had suffered identity theft, “what were the main consequences of the identity theft incident?” Some of the self-reported fall-out was both surprising and tragic, including responses like divorced spouse, bankruptcy, failed to obtain mortgage, had to get second job, had to sell house, increased alcohol consumption, delayed retirement, and diminished physical health.
When we consider that identity theft can mean such devastating consequences as divorce, bankruptcy, and even damage to our health, it becomes clear just how important good cyber hygiene really is.
What the Riskiest States are Doing Wrong
Stats from the 5 riskiest states (Florida, Wyoming, Montana, New Mexico, and Illinois):
- Identity theft had little to no impact on their cyber hygiene habits. That means even after learning the consequences first hand, very few people changed their habits.
- These states had the highest per-person average (28 percent) of having experienced 10+ malware infections in a single year.
- 50 percent+ of respondents in Florida, Illinois, Montana, and 45 percent of respondents from New Mexico and Wyoming said they don’t use any kind of antivirus or internet security.
- 47 percent of respondents never back up their data.
- An average of 72 percent share their passwords.
What the Safest States are Doing Right
The 5 safest states had many behaviors in common that kept them ahead of the malware curve.
- Following cases of identity theft, nearly 80 percent of respondents from the 5 safest states reported that they had altered their online habits, and almost 60 percent changed their passwords.
- Only 14.4 percent of respondents the safe states experienced 10 or more infections a year.
- The safest states typically reported running paid-for antivirus/security solutions, rather than freeware, unlike their risky counterparts.
- Finally, nearly half (43 percent) of the 5 safest states automatically update their operating systems, and 35 percent of respondents regularly back up their data, either on a daily or continuous basis.
- And of the top 4, password sharing was hardly an issue (88 percent of respondents from those states reported they don’t share passwords at all.)
The Role of Demographics and additional findings
Given Florida’s reputation as a retirement hotspot, we wanted to point out that 50 percent of Florida’s respondents in our study were age 30 or below, and the national average of respondents aged 30 or below was 47 percent. This means age demographics in our survey were consistent throughout all 50 states and D.C. and our responses actually skew younger rather than older.
How to Increase Your Personal Cyber Hygiene Score (It’s not too late!)
Here’s a quick to-do list that will help keep you safe from malware, identity theft, and other online risks. It’s not as hard as you might think.
- Use antivirus software. And keep in mind, while there are plenty of free tools out there that are better than nothing, you get what you pay for. Your online security, and that of your family, is worth a little investment.
- Create strong passwords for each account, change them often, make sure each one is unique, and, if possible, add spaces for increased security. If you’re worried about keeping track of them all, use a password manager.
- Stop sharing your login credentials with friends, family, and coworkers. We mean it.
- Closely monitor your financial accounts for any fraudulent activity, and consider using a credit monitoring or identity protection service.
- Regularly update your operating system and software applications. Lots of infections start by exploiting out-of-date systems.
- Don’t open emails from people you don’t know, and don’t download anything from an email unless you’re certain it’s legitimate. And if you get a message that appears to be from an official or financial institution asking you to take an action, don’t click any links. Go straight to the institution’s official website, or call them to confirm whether the message you received was real.
- Back up your files and important data regularly to a secure cloud or physical drive.
There are a lot of risks out there, and as an internet user, you have a responsibility to use good judgement when you work, bank, shop, browse, and take other actions online. But by following these easy tips, you can dramatically change your cyber hygiene score, and reduce your risk of falling victim to cybercrime.
Update 8/15/18: The cyber hygiene survey previously embedded in this blog is now closed.
Cyber News Rundown: Hackable Mercedes
The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.
Mercedes Keyless Entry Leads to Car Theft
It was discovered this week that criminals are using an unusual technique to steal late-model that are equipped with keyless entry. By using a frequency relay box, the criminals can boost the signal from keys, often still within the home, to trick the car into thinking they are nearby and unlocking or starting the vehicle remotely. Unfortunately, this trick is also capable of deactivating pre-installed tracking systems, leaving the owner unable to locate the stolen vehicle.
Former Employee Cause of Coca-Cola Data Breach
Coca-Cola officials announced this week that a breach had taken place that could affect the personal data of at least 8,000 employees. The breach was discovered after law enforcement contacted the company regarding a mishandled hard drive. The drive itself was removed from the company by a former employee before he left, though it is still unclear if the information was used maliciously.
Honda India Leaves Unsecure Data on Thousands of Customers Online
It was recently revealed that two Amazon S3 buckets were left publicly exposed, leaving the sensitive information on over 50,000 customers widely accessible. The buckets, originally created for users of the Honda Connect app, contain everything from names and addresses to specific car details such as the VIN and Honda Connect login credentials. Additionally, the researcher who reported the exposed S3 servers also found a note from another researcher who discovered the leak and attempted to inform the owners nearly three months prior.
VPNFilter Botnet Nearing 500,000 Units Strong
Researchers have been monitoring a new botnet as it gains significant strength across the globe, currently affecting upwards of 500,000 unique devices. Using a multi-step process, VPNFilter can access the command and control server to begin gathering and sending data, along with allowing remote code execution. Unfortunately, it is nearly impossible to detect VPNFilter, as it remains relatively hidden while running its processes.
Major Canadian Banks Faced with $1 Million Ransom
Recently, officials from two of Canada’s largest banks announced that the financial information for almost 100,000 customers had been compromised and hackers are demanding $1 million to stop its public release. To make matters worse, neither bank was aware their client’s information had been stolen until the hackers demanded ransom payment, which raises concerns about what, if any, security measures they had in place.
Cyber News Rundown: Comcast Router Bug
The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.
Comcast Router Bug Leaves Credentials Unsecured
Researchers recently found a flaw in the Comcast user authentication process that would allow anyone with an account number and partial address to illicitly access WiFi networks and alter any credentials found there. Fortunately, Comcast was quick to take down the entire site and make the necessary changes so such detailed information can no longer be gathered without proper verification.
Scam Email Warns Users of Other Scammers
A new phishing campaign is gaining traction throughout the US, with users receiving emails regarding a bank transfer of several million dollars currently being held by the Bank of England. The email itself continues by listing off a respectable number of other “scammers,” warning the victim of potential fraud linked to the listed names. While bank transfers are relatively common, it should be clear that a suspiciously large amount of money offered without context should always be approached with caution.
Teen Monitoring Software Left Available Online
Recently, a mobile app that allows parents to monitor their child’s internet browsing has left two internal servers completely accessible to the internet. While the contained information did not include any payment data, it did have email addresses and passwords for nearly all the app’s clients. TeenSafe has since taken both servers offline, though the Amazon cloud buckets were available for an undocumented amount of time with no mention of unauthorized access during that period.
Fraudulent Fortnite Apps Preceding Official Launch
As Fortnite continues its steady rise in popularity following its latest release on iOS, hundreds of phony apps have already flooded the Google Play store in advance of the Android release. One specific was downloaded over 5,000 times before researchers reported the app to the Google Security team. By promising in-game currency for downloading and rating fake apps, the spyware-laden apps quickly begin gathering call and message logs from the device while simply displaying a Fortnite icon.
Sensitive Information Found on 200 Million Japanese Citizens
Likely accumulated from several data breaches over the last few years, a dataset has been found containing the personal information of at least 200 million individuals living in Japan. The data appears to have been gathered from dozens of websites with login credentials for up to 50 unique sites and stems back to 2013. While the source of the information is still unclear, researchers have found several previous attempts to sell smaller datasets on Chinese dark web pages.
Cyber News Rundown: Chili’s PoS Breached
Chili’s Restaurant Reveals Payment Card Breach
In the last week, officials have discovered a data breach that affects an unknown number of the chain’s 1,600 restaurants across the country. It is believed that the breach could affect customers who visited the restaurant between March and April of this year, and likely includes all payment information, though Chili’s doesn’t retain any additional customer data.
StalinLocker Requires Puzzle Code to Stop Deletion
A new screen-locking malware has been spotted that avoids the ransom and moves quickly to locking the entire screen. Once the lock screen is in place, a 10-minute countdown begins, and requests the user enter a specific code or it will begin deleting the contents of every mapped drive on the computer. Along with running a countdown timer, a picture of Joseph Stalin is displayed across the screen and the USSR anthem plays in the background.
Mexican Bank Funds Transferred Illicitly
Within the past month, the Interbank payment systems of the Mexican Central Bank were compromised, leaving millions of dollars unaccounted for. Abusing the interbank payment system allowed the attackers to immediately make the transfers and withdraw in cash. Even though some of the transfers were stopped for being suspicious, the final estimate rests at over $20 million. Fortunately for the bank’s customers, it appears that the stolen funds were from the bank’s accounts, not their clients.
Latest Dharma Ransomware Variant Uses .bip Extension
The most recent variant of the Dharma/Crysis ransomware has made some subtle changes since its previous iteration. Using a compromised RDP service, attackers are able to manually install the Dharma variant, which begins encrypting all files, including mapped and unmapped network drives with a .bip extension. Even though decryption hasn’t yet been made freely available, victims are still encouraged to attempt restoring from an external backup, as this variant will completely remove all shadow copies from the system.
Danish Train Network Hit with DDoS Attack
Thousands of Danish passengers found themselves unable to purchase train tickets from multiple sources after a DDoS attack took down the purchasing system. Some were fortunate enough to be able to purchase tickets directly from train officials, as even their staff was having difficulties communicating both internally and externally regarding the issue. Luckily, the systems were quickly restored to normal operation with no residual problems.
Bad Apps: Protect Your Smartphone from Mobile Malware
Smartphone apps make life easier, more productive, and more entertaining. But can you trust every app you come across? Malicious mobile apps create easy access to your devices for Android and iOS malware to wreak havoc. And there are many untrusted and potentially dangerous apps lurking around in app stores determined to outsmart your smartphone. With the average user having 35 apps installed on their phone, according to Google, it’s easy to see why smartphones can be such a easy target.
But my iPhone is safe, right?
Both Apple iOS and Android devices are targeted by hackers, and while the latter is a more popular target, both platforms are both susceptible to various types of cyberattacks. After all, Apple’s latest version of iOS 11 was cracked just one day after its release via vulnerabilities in the Safari web browser, according to ZDNet.
Protect yourself from bad apps:
All of this means that unprotected smartphones are soft targets for cybercriminals, with weaknesses that hackers can ultimately exploit to generate revenue. The first defense is knowing that you can’t trust all apps. These tips will also help you stay protected as you search for the good ones:
- Download apps from reputable stores. The major, reliable providers are Galaxy Apps (Samsung), the App Store (iOS), Amazon App Store, and Google Play (Android).
Google Play, for example, scans 50 billion apps daily to detect malware before publishing new ones. - Disable “Unknown Sources” for Android devices, which prevents installing apps from sources other than the Google Play Store. So, if you use Amazon App Store, you’ll need to enable “Unknown Sources”. In that case, be mindful before allowing any other app or website to install something on your phone. It should also be noted that changes to this functionality are coming with the latest update to Android’s Oreo operating system.
- Keep Android USB debugging off. It can prevent outside malware from accessing your phone through corded connections, such as from a public charging station.
- Don’t jailbreak your iPhone. Allowing access and changes to your phone’s software can allows outsider apps that may not be trustworthy.
- Beware of any website, text, email, or anything asking you to install an app. Search for your own apps at the store and research all apps before installing.
- Beware of granting excessive permissions. Apps that perform basic functions, such as a flashlight, don’t need to access your personal information, for example.
- Read app reviews before installing, and review and report sinister apps. Users working together as a community can help alert unsuspecting victims to phony apps.
- Be cautious about providing your credit card or banking information. Avoid making transactions over apps that are not well known to you or the user community and be careful about hidden charges such as microtransactions.
- Install OS and other software updates. It always recommended to keep your OS and apps updated with the latest patches. It’s also smart to consider phones from vendors that release prompt security patches. Many software updates are designed to defend against malware and other emergent threats.
- Use trusted internet security software. No matter how careful you are, it is wise to employ a reputable layer of online security.
Prevention, prevention, prevention.
Sometimes free mobile apps, including free security software apps from unknown providers, are suspect. The convenience of a quick download and excessive trust are not worth saving a few seconds or cents. Do your research, follow these 10 tips, and protect your well-being on any mobile device.
Cyber News Rundown: Excel JavaScript Support May Open Door to Exploits
Crypto Mining Makes the Jump to Excel
With the recent Microsoft release supporting JavaScript within Excel, it was only a matter of time before the scripting service was manipulated to mine cryptocurrency. Mere hours after the release, the first proof of concept appeared, with easy-to-replicate steps to get CoinHive functioning. While this proof of concept does require an Office Insider build to accomplish, it will likely be just as feasible when JavaScript is introduced into the publicly available version of Excel.
SynAck Ransomware Employs Unique Evasion Tactics
A relatively new ransomware variant, known as SynAck, has recently been spotted using an uncommon method for evading security measures. Using a procedure called Process Doppelganging, the malware can create a copy of a legitimate process and inject malicious code to be executed without running anything suspicious. Additionally, the malware is heavily obfuscated and targets numerous programs before encryption to shut down any running processes or tasks that may be necessary to encrypt.
Japanese Security Cameras Defaced
Over the past several weeks, Japanese officials have been dealing with complaints from victims whose security cameras have been hacked. These attacks arose due to negligence on the part of the camera owners, who disregarded proper security practices and failed to update the default passwords on the devices. To make matters worse, the frequency of these attacks has been steadily climbing in the last couple days, and have begun to include government-owned devices on secured networks.
Facebook Exploit Used for Crypto Mining
Researchers have recently discovered a malicious Chrome browser extension that attempts to steal account credentials for any cryptocurrency trading platform it finds on the system. By spreading through Facebook Messenger, FacexWorm can propagate quickly and begin any data gathering or cryptocurrency mining with relative ease. While most of its victims have been located in Southeast Asia, numerous occurrences have been spotted in Western European countries as well, demonstrating the extension’s reach and speed.
Phishing is Still Leading Mobile Infection Rates
In a recent report based on phishing statistics over the past year, officials found that Apple iOS® users had a significantly higher chance of receiving a phishing attempt than downloading malware. With over 4000 new phishing sites being created daily and over half of all internet usage occurring on mobile devices, it’s no surprise that attackers have shifted their focus to this immense group of users, who typically lack security software for their devices and typically don’t consider mobile security necessary.
Tech Support Scams: From Bad to Worse
Fake tech support scams aren’t going anywhere. In fact, recent data shows this type of social engineering attack is on the rise—with phony tech support calls, emails, and pop-ups peddling the digital equivalent of snake oil to unsuspecting internet users around the world.
While many people have grown wise enough to spot the warning signs of the typical tech support scam, a significant percentage fall victim, and exploiting their naivety can prove quite profitable for cybercriminals. A recent report from Microsoft describes a growing global problem: 153,000 reports were received from Microsoft customers involved in tech support scams in 2017, leading to a 24 percent rise in tech scams reported by Microsoft from the previous year. Those who lost money forked over an average of $200 and $400.
“It doesn’t require a great deal of technical knowledge to carry out a support scam, so it’s easy to see why criminals are choosing to jump into this field,” said Marcus Moreno, Supervisor of Threat Research at Webroot. “All that’s is needed is gaining the user’s trust and knowing more than they do about their computer. Whether criminals pay websites to host their fake support banners, or they proactively reach out to you, it doesn’t take much expertise.”
Due to the lucrative nature and relative success rate of these social engineering tactics, tech support fraud continues to propagate. The FBI’s Internet Crime Complaint Center (IC3) received around 11,000 cases of tech support scams in 2017, with victims claiming nearly $15 million in losses. That’s a shocking 86 percent increase from 2016!
The IC3 report also noted new variations of the typical tech support scam, with attackers resorting to posing as law enforcement to re-target previous victims by offering phony recovery assistance in exchange for a fee. Tech support scams are also turning to target cryptocurrency users, where the stakes can be higher, netting potentially thousands of dollars from a single victim.
Cold calls? Hold the phone!
The number one thing to keep in mind is that major tech companies—whether that’s Microsoft, your security software provider, or your device manufacturer—will never call you out of the blue. Beyond attempting to dupe a victim out of a fee for fake support services, cybercriminals can also try to gain remote access to your computer to steal personal information and install malware that can carry on the attack after the phone call has ended.
It’s also important to know that tech support scams also appear in the form of malvertising, such as pop-ups that can be found even on legitimate websites. These scam ads try to trick users with various fake system errors or malware infection warnings. Thousands of websites were recently discovered to be infected with malicious ads that lock users’ browsers and display a fake infection warning, according to SC Magazine. Web-based threats like this highlight the importance of keeping your devices updated and secure, as well as practicing safe browsing habits.
Visit our Cybersecurity Education Resources to understand more about common tech support scams and how to avoid falling victim. There you can also find blacklists of URLs and phone numbers known to impersonate Webroot and target our customers.