More stories

  • How to identify (and avoid) security threats while shopping online

    Although you want to grab the best deals this holiday weekend, remember that this is the perfect time for scammers to take advantage of you online.

    Phishing emails, claiming to be from a store, bank, credit card company and so on, will entice you to click links that lead to copies of legitimate websites, which then try to extract your passwords or credit card details. As your inbox fills up with Black Friday and Cyber Monday deals, remember that not all is as it seems. Lamar Bailey, director of security research and development at Tripwire, warns: “Not all of the emails will be legit, as attackers will take valid emails and change the links to point you to malicious sites that may look like the real things.”

    Sam Curry, chief security officer at Cybereason, says people with balances on multiple credit cards might “receive an email pretending to be from the credit card company saying their account is overdue and is subject to being shut down unless they make a minimum monthly payment. The unsuspecting consumer gives away their credit card information and other personally identifiable information.” Javvad Malik, security advocate at AlienVault (now AT&T Cybersecurity), makes the same point and advises you to “regularly monitor your credit, debit, and ATM card activity for fraudulent transactions and immediately report anything suspicious.”

    Phishing scams are also rife this weekend. Curry warns against opening “any attachments or [clicking] on links appearing to be from trusted vendors” and advises going to the trusted website from your web browser instead. He also notes that ransomware attacks, which let criminals extort money from you once the malware is on your computer, are prevalent during the holiday season. In short, do not click on links in unsolicited emails, warns Paul Bischoff, privacy advocate at Comparitech. He insists that you should always check that you have a “valid HTTPS before entering any information into a website.” Keep in mind that a valid certificate only shows that the connection to that particular domain is encrypted; phishing sites routinely have valid HTTPS too, so the domain name in the address bar still has to be checked against the one you expect.

    Other scams occur when you buy something and the item never arrives. Bischoff notes that the scammer will claim “there is some problem with Amazon or eBay’s payment system.”

    “They will try to contact you and extract payment through some other means,” says Bischoff. “Don’t interact with merchants outside of the marketplace’s official channels.” Also make sure you do not fall victim to porch pirates, as a third of Americans do.

    If you are keen to shop online, make sure that your experience does not come at the cost of your security, warns Todd Peterson, IAM specialist at One Identity. He explains: “Having non-essential websites store [your] passwords or credit card details or using the same password across all online stores is ill-advised.”

    One industry to shop from with particular care? Gaming. Beware of fake game codes or unusually large discounts, says Jack Baylor, security threat researcher at Cylance. “People often put up fake game codes claiming large discounts compared to buying directly from the game manufacturer or the likes of reputable markets such as Steam, Microsoft Store (Xbox1), or PlayStation Store (PS4),” he says. “Often consumers are left out of pocket with nothing more than a nonsense string of letters and numbers to show for it.”

    How can you reduce security risks when you shop online?

      • Be wary of clicking email links or downloading anything, no matter how good the holiday sale appears to be. Always go directly to the vendor’s website by typing the address into your browser instead of clicking email links.
      • Check that the vendor’s site is legitimate; look out for typos and grammatical errors in the URL and on the site.
      • Use a different password for every website you purchase from.
      • Disable pop-up ads in your browser.
      • Enable multi-factor authentication or opt in to the extra security measures provided by your bank or credit card company. If a purchase takes multiple steps to complete, it will be more difficult for attackers to compromise your account.
      • Check all of your online receipts and correlate them with your credit card statement. You need to know exactly what is being charged to your card.
      • Look up unrecognised incoming numbers online to see whether the call is from a genuine vendor, and block the number if the caller makes you uncomfortable.
      • To protect your incoming packages, use a locked drop box or install a home security camera or a video doorbell.

    If you are cautious and enable as much security as possible, you are far less likely to be compromised. Then you can rest assured that your holiday shopping does not end in security nightmares and costly mistakes.

  • This stealthy malware hides behind an impossible date

    Security researchers have discovered a new remote access trojan (RAT) that uses an unusual way of hiding on servers. As first reported by BleepingComputer, the malware, dubbed CronRAT, hides in scheduled tasks on Linux servers by setting itself to run on February 31, a date that does not exist.

    Discovered and named by e-commerce security specialist Sansec, CronRAT is part of a growing trend of Magecart malware that targets Linux servers; it is used to enable server-side Magecart data theft. Sansec describes the malware as “sophisticated”, and it remains undetected by most antivirus vendors. Sansec says it had to rewrite its detection engine after receiving samples in order to spot it. The name CronRAT refers to the Linux cron tool, which lets administrators schedule jobs to run at a specific time of day or on a regular day of the week. “CronRAT’s main feat is hiding in the calendar subsystem of Linux servers (“cron”) on a nonexistent day. This way, it will not attract attention from server administrators. And many security products do not scan the Linux cron system,” Sansec explains in a blog post.

    The malware drops a “sophisticated Bash program that features self-destruction, timing modulation and a custom binary protocol to communicate with a foreign control server,” says Sansec. Magecart card skimmers are a problem that is not going away any time soon, as e-commerce continues to play a vital role in shopping during the ongoing pandemic. Ahead of Black Friday, the National Cyber Security Centre (NCSC) warned it had found 4,151 retailers that had been compromised by hackers targeting bugs in checkout pages over the past 18 months. Most of the attacks targeted bugs in the popular e-commerce platform Magento. The FBI last year issued a similar warning about Magecart attackers targeting a Magento plugin.
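    The hiding technique described above can be checked for directly. The following is an added example written for this page, not Sansec’s detection engine: it parses crontab text (for example /etc/crontab, the files under /etc/cron.d, or the per-user spools under /var/spool/cron) and reports entries whose day-of-month and month can never coincide, such as 31 February. The sample crontab and the /var/tmp paths in it are constructed.

```python
"""Flag crontab entries scheduled on dates that do not exist.

Added example, not Sansec's code. CronRAT is reported to hide in cron by
scheduling itself for 31 February; this script expands the day-of-month and
month fields of each entry and reports combinations no calendar year contains.
It works on crontab text: feed it /etc/crontab, files under /etc/cron.d, or
the per-user spools under /var/spool/cron.
"""
import re

DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {n: i for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# five time fields, then the command (a user column, as in /etc/crontab, lands in the command)
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def _num(token, names):
    token = token.lower()
    return names[token] if token in names else int(token)


def expand_field(field, lo, hi, names=None):
    """Expand a cron field ('*', '1,15', '1-5', '*/10', 'jan-mar') into a set of ints."""
    names = names or {}
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _num(a, names), _num(b, names)
        else:
            start = end = _num(part, names)
        if start < lo or end > hi or start > end or step < 1:
            raise ValueError(f"{field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def audit_crontab(text):
    """Return (line_no, reason, entry) for entries that select non-existent dates."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#@" or "=" in line.split()[0]:
            continue  # comment, @reboot-style entry, or VAR=value assignment
        match = CRON_LINE.match(line)
        if not match:
            findings.append((line_no, "unparseable entry", line))
            continue
        _minute, _hour, dom, month, dow, _command = match.groups()
        if dom.startswith("*"):
            continue  # wildcard day: runs on whichever days each month actually has
        try:
            days = expand_field(dom, 1, 31)
            months = expand_field(month, 1, 12, MONTH_NAMES)
        except ValueError as exc:
            findings.append((line_no, f"rejected by cron: {exc}", line))
            continue
        bad = sorted((d, m) for m in months for d in days if d > DAYS_IN_MONTH[m])
        if not bad:
            continue
        if len(bad) < len(days) * len(months):
            reason = "some selected dates never occur"
        elif dow != "*":
            # Vixie cron ORs day-of-month with day-of-week when both are restricted,
            # so an impossible date can still fire on the named weekday.
            reason = "date never occurs, but day-of-week is set so the entry can still fire"
        else:
            reason = "date never occurs: entry can never run"
        findings.append((line_no, f"{reason} {bad[:3]}", line))
    return findings


# Constructed sample crontab; the /var/tmp entries stand in for a hidden job.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
15 3 * * *     /usr/bin/certbot renew
0 2 * * sun    /usr/local/bin/backup.sh
52 6 1,15 * *  /usr/lib/sysstat/sa1
30 4 31 2 *    /var/tmp/.x/run.sh
0 1 31 * *     /usr/local/bin/monthly.sh
0 5 31 feb mon /var/tmp/.y/run.sh
0 0 32 1 *     /bin/true
"""

if __name__ == "__main__":
    for line_no, reason, entry in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {reason}\n    {entry}")
```

    Two details matter in practice. A wildcard day (“*”) selects whichever days the month actually has, so it is skipped rather than flagged, and Vixie cron treats day-of-month and day-of-week as alternatives when both are restricted, so an entry for 31 February with a weekday set still fires on that weekday and is reported separately. An entry that never fires is only the hiding place; the file it points at is what to collect.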

  • Hackers are targeting this Microsoft Windows Installer flaw, say security researchers

    Hackers have already created malware in a bid to exploit an elevation-of-privilege vulnerability in Microsoft’s Windows Installer. Microsoft released a patch for CVE-2021-41379, an elevation-of-privilege flaw in the Windows Installer component used for enterprise application deployment. It carried an “important” rating and a CVSS severity score of just 5.5 out of 10.

    It was not being actively exploited at the time, but it is now, according to Cisco’s Talos malware researchers. Cisco also reports that the bug can be exploited even on systems with the November patch applied, giving an attacker administrator-level privileges. This contradicts Microsoft’s assessment that an attacker would only be able to delete targeted files on a system and would not gain privileges to view or modify file contents. “This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator,” explains Jaeson Schultz at Cisco Talos. “This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.”

    Abdelhamid Naceri, the researcher who reported CVE-2021-41379 to Microsoft, tested patched systems and on November 22 published proof-of-concept exploit code on GitHub showing that it works despite Microsoft’s fix. It also works on server editions of the affected Windows versions, including Windows Server 2022. “The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator,” writes Cisco’s Schultz. He adds that this “functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability.” Naceri says there is no workaround for the bug other than another patch from Microsoft. “Due to the complexity of this vulnerability, any attempt to patch the binary directly will break Windows Installer. So you’d better wait and see how/if Microsoft will screw the patch up again,” Naceri said. Microsoft has yet to acknowledge Naceri’s new proof of concept and has not said whether it will issue a further patch.

  • Google: Half of compromised cloud instances have weak or no passwords

    Online criminals are deploying cryptocurrency miners within 22 seconds of compromising misconfigured cloud instances running on Google Cloud Platform (GCP). Cryptocurrency mining is by far the main malicious activity attackers carry out after taking advantage of misconfigured instances hosted on GCP, making up 86% of all actions observed after compromise. In many cases the attackers move extremely quickly, installing cryptomining malware to free-ride on the victim’s CPU and GPU resources and turn a profit for themselves.

    “Analysis of the systems used to perform unauthorized cryptocurrency mining, where timeline information was available, revealed that in 58% of situations the cryptocurrency mining software was downloaded to the system within 22 seconds of being compromised,” Google says in its first Cloud Threat Intelligence report. Another striking trend is how quickly attackers find and compromise unsecured, internet-facing instances. The shortest observed time to compromise was 30 minutes after the instance was deployed, and in 40% of cases the time to compromise was under eight hours. Security firm Palo Alto Networks similarly found that 80% of 320 internet-facing ‘honeypot’ instances hosted in the cloud, deployed to attract attackers, were compromised within 24 hours.

    As Google’s report highlights, cryptomining malware is a problem for GCP users who do not take steps to protect their cloud instances. “While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse. The public Internet-facing Cloud instances were open to scanning and brute force attacks,” Google notes. Internet-facing GCP instances were a significant target. Just under half of the compromised instances were taken over by attackers gaining access to user accounts or API connections that had either no password or a weak one, which meant the instances could simply be scanned for and brute forced. “This suggests that the public IP address space is routinely scanned for vulnerable cloud instances. It will not be a matter of if a vulnerable Cloud instance is detected, but rather when,” Google said. A further 26% of compromised instances were due to vulnerabilities in third-party software used by the owner. “Many successful attacks are due to poor hygiene and a lack of basic control implementation,” said Bob Mechler, director at Google Cloud’s office of the CISO. The report wraps up observations over the past year by Google’s Threat Analysis Group (TAG), Google Cloud Security and Trust Center, and Google Cloud Threat Intelligence for Chronicle, Trust and Safety.
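    The weak-credential path the report describes has a concrete counterpart on a Linux instance: an SSH daemon that still accepts passwords from the internet. The block below is an added example written for this page, not code from Google’s report. It audits the global section of an sshd_config the way sshd reads it (keywords are case-insensitive, the first value for a keyword wins, an absent keyword means the compiled-in default applies, and Match blocks are skipped because they only apply to matching connections) and shows a hardened version of the same file. Both configs are constructed samples.

```python
"""Audit the global section of an sshd_config for password brute-force exposure.

Added example, not part of Google's report. Weak or absent passwords on SSH
accounts are one of the brute-force paths the report describes; this check
reads the settings as sshd does rather than as a grep would: keywords are
case-insensitive, the FIRST value for a keyword wins (later duplicates are
ignored), an absent keyword means the compiled-in default applies, and 'Match'
blocks only apply to matching connections, so the audit stops there.
"""
import re

DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")   # 'Keyword value' or 'Keyword=value'
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
DEFAULTS = {  # OpenSSH 7.0+ compiled-in defaults
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}
# keyword -> (values that leave the host brute-forceable, recommended value, why)
WEAK = {
    "passwordauthentication": ({"yes"}, "no", "password logins can be guessed from the internet"),
    "permitemptypasswords": ({"yes"}, "no", "accounts with an empty password can log in"),
    "permitrootlogin": ({"yes"}, "prohibit-password", "root can log in directly, including with a password"),
    "kbdinteractiveauthentication": ({"yes"}, "no",
        "keyboard-interactive lets PAM prompt for a password even when PasswordAuthentication is no"),
}


def effective_settings(text):
    """Return {keyword_lower: first value} for the global (pre-Match) part of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # conditional section; the global settings are what internet-wide scanners hit
        found = DIRECTIVE.match(line)
        if not found:
            continue
        keyword = found.group(1).lower()
        keyword = ALIASES.get(keyword, keyword)
        settings.setdefault(keyword, found.group(2).strip())  # first value wins
    return settings


def audit_sshd_config(text):
    """Return (keyword, value, source, fix) for each setting that allows password brute force."""
    settings = effective_settings(text)
    findings = []
    for keyword, (weak_values, safe_value, why) in WEAK.items():
        explicit = keyword in settings
        value = settings.get(keyword, DEFAULTS[keyword]).lower()
        if value in weak_values:
            source = "explicit" if explicit else "default (keyword absent)"
            findings.append((keyword, value, source, f"set {safe_value}: {why}"))
    return findings


# Constructed samples: a freshly built image, and the hardened version of the same file.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# the next line is commented out, so the default 'yes' applies
#PasswordAuthentication no
PermitEmptyPasswords yes
# sshd ignores this second value; the 'yes' above stands
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for keyword, value, source, fix in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{keyword} = {value} [{source}] -> {fix}")
    print("hardened findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

    Run it against a real file with audit_sshd_config(open("/etc/ssh/sshd_config").read()). The two things a grep misses are exactly what the weak sample shows: a commented-out PasswordAuthentication line means the default of yes applies, and a later PermitEmptyPasswords no does not override the earlier yes. Disabling passwords only closes the brute-force path; keys still have to be issued to the accounts that need them before the change is reloaded.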

  • This stealthy malware delivers a 'silent threat' that wants to steal your passwords

    Cyber criminals are using a new JavaScript downloader to distribute eight different kinds of remote access Trojan (RAT) malware and information-stealing malware in order to gain backdoor control of infected Windows systems, as well as steal usernames, passwords and other sensitive data. 

    The downloader has been detailed by researchers at HP Wolf Security, who call it RATDispenser. The initial entry point is a phishing email that claims to contain a text file about a product order. Opening the malicious file starts the RATDispenser installation. To avoid detection, the initial JavaScript is obfuscated with long strings of filler to hide its intent. Once installed, RATDispenser is used to distribute a range of malware, including trojans, keyloggers and information stealers, all designed to steal sensitive data from the user. The most frequently dropped families are STRRAT and WSHRAT, which account for four in five of the analysed samples, but RATDispenser has also been seen distributing Adwind, Formbook, Remcos, Panda Stealer, GuLoader and Ratty. Some of these, such as Panda Stealer, are relatively new, having only been discovered this year, while others, such as WSHRAT, have been active for many years.

    At the time the research was published, RATDispenser was detected by only about one in 10 antivirus engines. “It’s particularly concerning to see RATDispenser only being detected by about 11% of antivirus systems, resulting in this stealthy malware successfully deploying on victims’ endpoints in most cases,” said Patrick Schlapfer, malware analyst at HP. “RATs and keyloggers pose a silent threat, helping attackers to gain backdoor access to infected computers and steal credentials from business accounts or even cryptocurrency wallets. From here, cyber criminals can siphon off sensitive data, escalate their access, and in some cases sell this access on to ransomware groups,” he added. To protect users from RATDispenser and the malware it drops, the researchers recommend that administrators audit which attachment file types their email gateway allows and block executable types that are not needed, such as JavaScript (.js) and VBScript (.vbs) files.
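    The gateway control the researchers recommend, as an added example for this page (not HP Wolf Security’s code): parse a message, list its attachments and decide from the file name what a gateway policy should do with each one. It goes a little beyond the text by catching the double-extension trick the lure relies on (an “order.txt.js” presented as a text file) and by looking inside zip attachments. The message, the addresses and the attachment contents are constructed and inert.

```python
"""Audit e-mail attachments for script types that should not reach users.

Added example, not HP Wolf Security's tooling. Gateways commonly filter by
file extension, so the check (a) allow-lists document types, (b) blocks script
and Windows Script Host types outright, (c) catches double extensions such as
'order.txt.js' that pose as a text file, and (d) looks inside zip attachments,
which is a step beyond the page's advice but a routine evasion to cover.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ALLOWED_EXTENSIONS = {"pdf", "txt", "csv", "docx", "xlsx", "pptx", "png", "jpg", "jpeg"}
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "bat", "cmd", "lnk"}


def classify_name(filename):
    """Return ('allow'|'block', reason) for an attachment or archive member name."""
    extensions = filename.lower().split(".")[1:]
    last = extensions[-1] if extensions else ""
    if last in SCRIPT_EXTENSIONS:
        note = " (double extension)" if len(extensions) > 1 else ""
        return "block", f"script extension .{last}{note}"
    if last not in ALLOWED_EXTENSIONS:
        return "block", f"extension .{last or '(none)'} not on allow-list"
    return "allow", "allow-listed extension"


def audit_message(raw_bytes):
    """Return (name, verdict, reason) for every attachment in an RFC 5322 message."""
    message = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in message.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    verdict, reason = classify_name(member)
                    if verdict == "block":
                        findings.append((f"{name}:{member}", "block", reason))
                        break
                else:
                    findings.append((name, "allow", "archive contains only allow-listed types"))
            continue
        verdict, reason = classify_name(name)
        if verdict == "block" and part.get_content_type().startswith("text/"):
            reason += f", declared as {part.get_content_type()}"  # the MIME type lies too
        findings.append((name, verdict, reason))
    return findings


def build_sample_email():
    """Constructed lure: a 'product order' with a .txt.js file, a PDF and a zipped .vbs."""
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Product order #4821"
    msg.set_content("Please see the attached text file with your order details.")
    msg.add_attachment(b"var a='constructed, inert';", maintype="text",
                       subtype="plain", filename="order.txt.js")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("order_details.vbs", "' constructed, inert")
    msg.add_attachment(buffer.getvalue(), maintype="application",
                       subtype="zip", filename="order.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in audit_message(build_sample_email()):
        print(f"{verdict:5}  {name}: {reason}")
```

    The policy is an allow-list rather than a block-list: a new scripting extension or an unexpected file type is blocked by default, which is the posture the researchers’ audit-then-block advice implies. Nested archives and password-protected zips are not opened here; a gateway would quarantine those for a human rather than pass them through.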

  • Black Friday shopping? FBI says beware of these holiday scams and phishing threats

    With Thanksgiving underway and Black Friday sales about to arrive, the FBI has warned consumers to be wary of online-shopping scams and of phishing attacks that impersonate big brands to steal online credentials. The FBI expects a rise in complaints and losses during the 2021 holiday season “due to rumors of merchandise shortages and the ongoing pandemic”, it says in a public service announcement.

    Global supply chain problems have affected everything from online fashion sales to smartphones, games consoles and the auto industry. Sony earlier this month cut its PlayStation 5 production outlook due to component shortages, and the console remains hard to buy in many parts of the world. During the 2020 holiday season, the FBI received 17,000 complaints over goods that were never delivered, with losses of over $53 million. In particular, the FBI warns consumers to be cautious of deals that are too good to be true in email, on websites, in social media posts and in social media ads. It highlights the risk of online surveys that aim to steal personal information or debit and credit card details. For those buying a pet this holiday season, the FBI recommends meeting the animal and owner in a video chat before paying, to reduce the chance of being scammed by sellers of a non-existent pet.

    The FBI recommends that consumers only purchase from HTTPS websites and be wary of online retailers who use, for example, a free email account rather than an address on the company’s domain. Consumers should also pay with a credit card dedicated to online purchases, check statement activity, and never save payment information in online accounts. Never use public Wi-Fi to make a purchase, and look up reviews of the online seller and check with the Better Business Bureau to see whether it is legitimate. Victims of fraud can report incidents at the FBI’s www.ic3.gov website.

    Another risk for consumers this holiday season is the range of online techniques and tools that scammers use to harvest account credentials for brand-name companies. The FBI issued a second PSA warning of “recent spear phishing email campaigns” targeting consumers. One of the scammers’ key goals is to bypass two-factor authentication (2FA). At risk are customers of big brands in the technology, banking, shipping and retail industries. The spear-phishing campaigns aimed at bypassing 2FA target accounts where consumers have used their email address as their user ID. “Once detected, the consumer is redirected to an email scampage of the same email domain to steal their email account login and password information,” the FBI warns. “When cyber criminals gain access to a consumer’s online and email accounts, cyber criminals may be able to intercept emails with 2FA codes that are used to make significant changes to online accounts, update passwords, verify user access, or change security rules and setup before the account owner is notified and aware,” the FBI notes. Email-delivered codes are only as strong as the mailbox they land in; an authenticator app or a hardware security key does not have that dependency. Credential scam pages are moving to an ‘as-a-service’ model, where criminals sell their scam pages to others, the FBI warns.

    Among the FBI’s key pieces of advice: “Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).” It also urges users to enable 2FA.

  • This chip flaw could have let malicious apps eavesdrop on Android phone users

    Taiwanese chip maker MediaTek has addressed four vulnerabilities that could have allowed malicious apps to eavesdrop on Android phone users. Three of the vulnerabilities, tracked as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663, affected the firmware of MediaTek’s audio digital signal processor (DSP), a sensitive component that, if compromised, could let attackers listen in on user conversations. Researchers at Check Point found and reported the flaws to MediaTek, which disclosed and fixed them in October. A fourth issue affects the MediaTek HAL (CVE-2021-0673). It was also fixed in October but will be disclosed in December.

    “A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user,” explains Check Point researcher Slava Makkaveev. According to market research firm Counterpoint, MediaTek’s systems on chip (SoCs) accounted for 43% of the mobile SoCs shipped in Q2 2021. Its chips are found in high-end smartphones from Xiaomi, Oppo, Realme, Vivo and others, and Check Point estimates that MediaTek chips are present in about a third of all smartphones. The vulnerabilities are reachable from Android user space, meaning a malicious Android app installed on a device could use them to escalate privileges into the MediaTek DSP for eavesdropping.

    MediaTek rated CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663 as medium-severity heap-based buffer overflow flaws in the DSP. In all three cases, it notes that “user interaction is not needed for exploitation.” Check Point also found a way to use the Android Hardware Abstraction Layer (HAL) to attack MediaTek hardware. “While looking for a way to attack the Android HAL, we found several dangerous audio settings implemented by MediaTek for debugging purposes. A third-party Android application can abuse these settings to attack MediaTek Aurisys HAL libraries,” explains Makkaveev. He adds that device manufacturers do not validate HAL configuration files rigorously because the files are not supposed to be reachable by unprivileged users. “But in our case, we are in control of the configuration files. The HAL configuration becomes an attack vector. A malformed config file could be used to crash an Aurisys library which could lead to LPE,” writes Makkaveev. “To mitigate the described audio configuration issues, MediaTek decided to remove the ability to use the PARAM_FILE command via the AudioManager in the release build of Android,” he adds.

  • DBS Bank blames 'access control servers' for two-day service disruption

    DBS Bank has attributed a service glitch that left many customers unable to log into their accounts to its “access control servers”. The Singapore bank has been instructed by the local regulator to investigate the cause of the problem, which lasted two days. The disruption was first reported on Tuesday morning, when several customers had difficulty logging into or accessing DBS’ online and mobile services. The bank initially gave few details, saying on its Twitter and Facebook profiles and website that it was aware customers were experiencing “intermittent slowness when accessing [its] banking services”. In an update posted early Wednesday morning, DBS said the problem was resolved and services restored. However, customers again reported difficulties accessing the bank’s online services, and later that day the bank acknowledged the issue had recurred.

    It posted a video message on Wednesday afternoon from its Singapore head Shee Tse Koon, who said the problem was “less severe” than the previous day, while apologising for the “anxiety caused”. “We identified a problem with our access control servers and this is why many of you have been unable to log in. We have since been working round the clock, together with our third-party engineering providers, to fix the problem and services were restored at 2am,” Shee said. “Unfortunately this morning, the same problem recurred.” He added that the bank was aware many of its customers still could not access its services and was working on a resolution. “In the meantime, I want to assure you that your deposits and monies are safe, and that you can continue with your banking needs either through our branches, or through phone banking. To facilitate this, we’ve extended banking services at all our branches by two hours,” he said.

    DBS later posted an update at 10.35pm saying its digital services were “returning to normal” and that it was monitoring the situation to ensure services ran smoothly. In a statement on Wednesday, the Monetary Authority of Singapore (MAS) said it would consider appropriate action after DBS had completed its assessment. “This is a serious disruption and MAS expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures,” said Marcus Lim, MAS’ assistant managing director for banking and insurance. The regulator said it had been notified by DBS about its access control servers and was following up with the bank. Lim said all financial institutions were expected to have the “systems and processes” in place to ensure the “consistent availability” of their services to customers. DBS, along with subsidiary POSB, has some 5 million customers in Singapore. Earlier this month, DBS announced plans to invest SG$300 million ($220.22 million) next year to beef up the digital and intelligent banking capabilities that support its wealth and retail products and services, saying the effort would enhance personalised user experiences across its digital and physical touchpoints.