January Cyber Bytes

Malicious USB drives are being posted to businesses

Source: Graham Cluley via tripwire.com on January 13, 2022

A notorious cybercrime gang, involved in a series of high profile ransomware attacks, has in recent months been sending out poisoned USB devices to US organizations. As The Record reports, the FBI has warned that FIN7 – the well-organized cybercrime group believed to be behind the Darkside and BlackMatter ransomware operations – has been mailing out malicious USB sticks in the hope that workers will plug them into their computers. According to the FBI, anyone who plugs the USB drives into their devices runs the risk of becoming a victim of a "BadUSB" attack.

A BadUSB device uses the USB stick's microcontroller to impersonate a keyboard, and sends malicious commands to any computer to which it is attached. It's effectively the equivalent of allowing a malicious hacker to walk into your building, sit at an unlocked computer, and start typing. On this occasion, the automated keystrokes run PowerShell commands that download and install malware onto the computers and allow malicious hackers to gain unauthorized remote access. Attackers could then use a variety of tools to deploy ransomware inside an organization.

A security alert issued by the FBI warns that the dangerous USB sticks, which are branded LilyGO, have been mailed out via the United States Postal Service and UPS to businesses working in the transportation, insurance, and defense industries. The packages are said to often be accompanied by letters that refer to COVID-19 guidelines, or pretend to be a gift sent via Amazon, arriving in "a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB."

The FBI warns that it has received reports of the packages being received by targeted organizations since August 2021, and as recently as November a US company working in the defense sector received a malicious USB stick accompanied by a fake Amazon thank you letter. BadUSB attacks – although a standard part of any penetration-tester's arsenal – have tended historically to be more of a theoretical threat than a danger that most businesses were likely to encounter.

However, with organized cybercriminal gangs now using the technique in their attempts to break into companies, plant ransomware, and steal data, it's clearly more important than ever before to educate users about the risks of plugging in unknown devices. One way in which organizations might reduce the threat would be for network administrators to consider disabling PowerShell on users' workstations if there is no legitimate use for the automation framework.

FBI warning: Crooks are using fake QR codes to steal your passwords and money

Source: Liam Tung, Contributor to ZDNet on January 19, 2022

As businesses turned to QR codes for contactless payments during the pandemic, scammers seized on the trend to steal cash and financial credentials. QR codes are useful shortcuts to online resources via a phone's camera, but scammers are now tampering with them to direct victims to phishing pages and cryptocurrency scams. QR or 'Quick Response' codes have been connecting scanners to real-world objects since the 1990s but got widely adopted during the pandemic as businesses moved to contactless communication and payments via QR codes on restaurant menus, parking meters and other public spaces. But scammers are now targeting the QR code's increased familiarity by tampering with the pixelated barcodes and redirecting victims to sites that steal logins and financial information, according to an FBI alert.

"Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use," the FBI notes in its alert.

The alert doesn't cite any recent examples of QR scams but follows the use of QR codes in phishing emails to steal Microsoft 365 credentials in October. The QR codes were useful to attackers because the barcode images bypassed email filters that use URL scanners to block malicious links. The FBI in October said it had recently started to receive reports about malicious QR codes being used, particularly in cryptocurrency scams. "Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks," the FBI noted. "Do not scan a randomly found QR code," the FBI warned.

Ars Technica reported about scammers placing fraudulent QR code stickers on parking meters in major Texas cities. These aimed to trick people into paying for parking to a fraudulent website. The social engineering element was that parking meter terminals today frequently have signs with QR codes to direct users to a non-city, third-party parking payment app.

The FBI's alert addresses this type of scam, too: "A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender's payment for cybercriminal use." QR codes can also load malware to steal financial information and then withdraw funds from victim accounts, the FBI warns.

There are parallels between email phishing and malicious QR codes stuck on public spaces. How do people know which ones to trust? Employee cyber-awareness training usually tells users not to click on links from unsolicited email, but they still do. Some of the FBI's self-defense advice warns against following common practices when using a QR code, but the overall message is to exercise caution when entering information from a website accessed via a QR code. "Law enforcement cannot guarantee the recovery of lost funds after transfer," it warns.

The FBI's tips for smartphone users include:

  • Check the URL after scanning a QR code because the URL may look like the legitimate site.
  • Be careful when entering credentials or financial information on a site visited via a QR code.
  • Avoid downloading an app from a QR code and instead use an official app store.
  • If an organization sends a bill by email that allows payment through a QR code, call the organization to verify the bill's authenticity.

Also, don't download a QR code scanner because most phones have one built into the camera. (The iPhone got one in 2011 in iOS 11, with Android makers quickly following suit.) Finally, avoid making payments through a site navigated to from a QR code, the FBI warns. Instead, manually enter a known and trusted URL to complete the payment.
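As an added example (not part of the ZDNet article or the FBI alert), the following Python function applies the "check the URL" and https tips above to a string decoded from a QR code, flagging lookalike hosts, punycode, bare IP addresses and embedded credentials; the allowlist, brand tokens and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hosts the organisation has verified
# out-of-band, e.g. its real parking vendor and a retailer it actually uses.
TRUSTED_HOSTS = {"pay.example-city.gov", "www.amazon.com"}

# Brand tokens (constructed); a token inside an untrusted host is the
# "URL may look like the legitimate site" case from the FBI tips.
BRAND_TOKENS = ("example-city", "amazon", "paypal")


def check_scanned_url(payload: str) -> dict:
    """Classify a string decoded from a QR code before the user follows it.

    Returns {"verdict", "host", "reasons"}; verdict is one of
    "trusted", "suspicious", "unknown" or "not-a-web-url".
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    reasons = []

    # Wi-Fi, vCard or plain-text payloads are not web links at all.
    if scheme not in ("http", "https") or not host:
        return {"verdict": "not-a-web-url", "host": host, "reasons": reasons}

    if scheme != "https":
        reasons.append("not https")  # no TLS: anything entered is exposed

    if host in TRUSTED_HOSTS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"verdict": verdict, "host": host, "reasons": reasons}

    # Host is not on the allowlist: look for common impersonation tricks.
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand name inside an untrusted host (lookalike)")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalised/punycode host (homoglyph risk)")
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain")
    if parts.username or parts.password:
        reasons.append("text before '@' is not the real host")

    verdict = "suspicious" if reasons else "unknown"
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, e.g. from stickers found on parking meters.
    for p in ("https://pay.example-city.gov/meter/4471",
              "http://pay.example-city.gov.quickpay-meter.example/4471",
              "https://www.amazon.com@203.0.113.9/gift"):
        print(check_scanned_url(p))
```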

$240K student loan fraud scheme busted, say Calgary police

Source: CBC News on November 02, 2021

Calgary police have laid charges in a student loan scam that defrauded several schools and a provincial agency out of more than $240,000. The investigation started in October 2019 when a provincial peace officer with the Advanced Education Special Investigations team contacted Calgary police after noticing multiple inconsistencies with several student loan applications, according to a release on Tuesday. Investigators determined it was part of a scheme run by two men from May 2017 to May 2020 to defraud Alberta Student Aid and several private post-secondary institutions.

It's believed the culprits used stolen identities from 21 unsuspecting people — whose personal information had been stolen in data breaches — to fraudulently apply for student loans. The two men used the stolen identities to enroll at numerous post-secondary schools and to open bank accounts to receive the financial aid. "The suspects would physically attend the school, posing as a student under a fraudulent identity, to satisfy the requirements for obtaining the loan payouts," the release said. Most of the loan applications resulted in initial loan approvals ranging from $25,000 to $38,000 for each fake student. "To secure the second loan payout, the suspects would phone the Alberta Student Aid office posing as the applicable student and request a release of the remaining funds. The total payout for each loan was as high as $27,000," the release said.

Dave Guylenz Mitchell Beauvais, 32, faces several charges, including money laundering and fraud over $5,000. His next court appearance is set for Nov. 10. His alleged accomplice, Kader Dahchi, 30, is wanted on warrants for one count of using a forged document and one count of identity fraud. Calgary police say there has been a spike in identity offences committed online since the beginning of the pandemic. In 2019, there were 148 online identity crimes reported in Calgary. In 2020, that number rose to 261.

How to check if a website is safe: 6 quick tips

Source: MILLIE via ExpressVPN on December 6, 2021

Before you input your address and credit card information into a website, you probably pause to think: Can I trust this site? Or what about just clicking a link on a page? Could this lead to a malware download? Or will the site be able to know who you are and where you're located? Usually, we're more trusting of big-name sites (although Big Tech comes with its own data-collection problems). Here are a few simple ways you can be confident that a site is safe to use and not out to scam you.

1. Check if the URL starts with https or http

When you're visiting a website, check whether its URL starts with "https", which indicates the site has an SSL/TLS certificate and encrypts your data in transit from the moment it leaves your web browser until it reaches the site's server. If the website has an SSL certificate, there should also be a padlock icon you can see in the address bar.

When you use an https website, your internet service provider and other third parties might be able to see which sites you're visiting, but they can't see what you're doing on those sites or any information you enter on the site. Meanwhile, http websites, which do not have an SSL certificate, leave your personal data exposed. A majority of legitimate, modern websites are https. It's easy and affordable to get an SSL certificate when the website is being set up. Most browsers also alert you when you're visiting an unsecured site. But it doesn't hurt to check the URL and decide whether to proceed if you're warned that the website isn't secure. And just because the website you're visiting is SSL-certified doesn't mean your online activity is safe. A website with SSL will encrypt the information that enters it, but it can't hide your IP address and online activity like a VPN.

2. Judge if a website looks old

In the case of websites, do judge them by their appearance. We should think twice when visiting a website with a theme that isn't modern-looking, as it can say a lot about its security, not just its brand or style. Old-looking website themes suggest the code is not regularly updated and might include security vulnerabilities, bugs that make the site difficult to use, and compatibility errors that might prevent you from using it at all.

3. Be wary if payment options are limited

On e-commerce sites, it's a red flag if the payment options are obscure. Legitimate websites usually offer Visa and Mastercard as payment methods, as well as other popular payment gateways like PayPal and Stripe, which encrypt your transactions. Be on guard if it only offers options like wire payment, bank transfers, or cryptocurrency.

4. Look for a privacy policy

A privacy policy communicates how your data is collected, used, stored, shared, and protected. It's legally required in many regions, such as the EU, Australia, and Canada. It's always a good idea to look for and read over the privacy policy when you're visiting a website, especially one that requires you to enter your information. Realistically, most people do not read privacy policies. But at the very least, look out for its accessibility and location. A trustworthy website should have one that's located in the footer or where it requests your personal information, not buried deep within the site. Even a site that won't collect any of your personal data should still have a privacy policy that states so clearly.

5. Be skeptical of pop-up overload

It's not at all weird for a website to show you pop-ups that ask for your attention to join their newsletter or grab their offers. But if a website shows you a lot of pop-ups, it could be "malvertising"—advertising that directs you to malware. Clicking on them could direct you to a website that looks legitimate but will trick you into surrendering your personal information—a form of phishing. It could also download spyware, viruses, or other types of malware on your device. If you happen to visit a website that blows up with pop-ups, best to close the website. Even if it's not malicious, you don't need that kind of annoyance in your life. Take your business elsewhere.

6. Use Google's website safety checker

Google's Safe Browsing service lets you check if it has identified a website as being unsafe. It does so by checking URLs against its regularly updated lists of unsafe web resources. You can simply paste the URL of the website into the search bar and hit "Enter"—and it'll report back any unsafe content found. Often, an "unsafe" site is a legitimate one that has been compromised in some way.

Apple Pays Out $100,000 for Webcam, User Account Hacking Exploit

Source: Eduard Kovacs via SecurityWeek on January 26, 2022

A security researcher claims to have received a significant bug bounty from Apple for reporting a series of Safari and macOS vulnerabilities that could have been exploited to hijack a user's online accounts and webcam. In 2020, researcher Ryan Pickren earned $75,000 from Apple for several Safari vulnerabilities that could have been exploited to hijack the camera and microphone of iOS and macOS devices. Exploitation required tricking the targeted user into visiting a malicious website.

In 2021, he continued looking at the security of Apple software and identified another exploit chain that could have an even bigger impact. In a recent blog post, Pickren said the latest exploit chains four different vulnerabilities. Two of them have been assigned CVE identifiers — CVE-2021-30861 and CVE-2021-30975 — while the other two were considered design flaws rather than actual vulnerabilities. Triggering the exploit required the victim to click on an "Open" button on a malicious website. If the exploit had been successfully executed, it would give the attacker access not only to the victim's webcam, but also to their account on every website they visit in another tab in Safari. This included Gmail, iCloud, Facebook and PayPal accounts.

The exploit chain involved a universal cross-site scripting (UXSS) vulnerability in Safari, abuse of a default iCloud sharing application called ShareBear, and bypassing Gatekeeper checks. The victim would be tricked — via ShareBear — into allowing the attacker to plant a file that they could later execute without needing any user interaction. And even if the initially planted file was not malicious, the attacker could later change the file's content and extension without the victim's knowledge. When ShareBear was used to share a file, the user only had to click the "Open" button once. That file could then be executed at any time remotely without needing the user's permission again.

The vulnerabilities leveraged in this attack were reported to Apple in mid-July 2021. Apple patched some of the security flaws found by Pickren in the fall of 2021, and the remaining issues were addressed by early 2022.

The researcher said Apple awarded him a total of $100,500 for his findings.