Week in security with Tony Anscombe

ESET research analyzes the Vadokrist banking trojan – Beware smishing scams – WhatsApp postpones privacy policy changes

ESET researchers released another instalment in their series of articles about banking trojans targeting businesses in Latin America, this time focusing on Vadokrist, malware that takes aim at financial institutions in Brazil. Also this week, we looked at why so many people fall for SMS phishing, also known as smishing, scams. In the meantime, WhatsApp announced that it’s delaying the enforcement of changes to its privacy policy following confusion and backlash among users.

FBI warns of voice phishing attacks stealing corporate credentials

Criminals coax employees into handing over their access credentials and use the login data to burrow deep into corporate networks

The United States’ Federal Bureau of Investigation (FBI) has issued a warning about campaigns where threat actors target employees worldwide with voice phishing (also known as vishing) attacks in order to steal their network credentials and elevate user privileges.

The warning can in part be attributed to the fact that the COVID-19 pandemic has forced many companies to shift to telework, which may not allow for comprehensive monitoring of network access points and privilege escalation.

The Bureau highlighted a campaign that goes back to December 2019 and involved attackers targeting employees at large businesses in the US and elsewhere through Voice over IP (VoIP) platforms as well as a company chatroom in order to coax them into giving up credentials for corporate networks.

“During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password,” reads the FBI’s description of one attack vector, which often involves spoofed caller ID numbers that conceal the criminal’s location and identity.

Before long, the threat actors found that they could burrow deeper into the networks than they’d initially believed and that they even had the ability to elevate permissions on the compromised accounts.

In these scenarios, attackers can wreak all manner of havoc on a company’s systems such as implanting malware, sifting through the company’s data to search for proprietary data, or gaining access to account credentials of executives with the aim of conducting Business Email Compromise (BEC) fraud. Needless to say, any of this could cost any company dearly.

Meanwhile, in another case, cybercriminals first contacted an employee via the company’s chatroom and duped the person into logging into a fraudulent Virtual Private Network (VPN) page. Using the captured account credentials, they then accessed the company’s network, where they searched for an employee with the ability to change usernames and emails. The cybercriminals were successful in identifying their target via a cloud-based payroll service and went on to phish the victim’s credentials using the chatroom tactic as well.

RELATED READING: Strengthening the different layers of IT networks

The federal law enforcement agency also shared advice on how companies could mitigate the risks of such attacks. This includes implementing multi-factor authentication, actively scanning and monitoring for unauthorized access, network segmentation, and periodic reviews of employee network access.

In August 2020, the FBI together with the Cybersecurity and Infrastructure Security Agency (CISA) issued a similar advisory warning about a surge in vishing attacks targeting staff at multiple companies. During these attacks, the threat actors also used similar tactics including fraudulent VPN pages to obtain account credentials.

WhatsApp delays privacy policy update after confusion, backlash

Millions of people flock to Signal and Telegram as WhatsApp scrambles to assuage users’ concerns

Week in security with Tony Anscombe

ESET research dissects targeted malware attacks in Colombia – What parents hope to get out of parental controls – Privacy risks of new mesh Wi-Fi routers

ESET researchers released details about Operation Spalax, a series of targeted malware attacks against businesses and government organizations in Colombia. Also this week, we looked at the main takeaways from a recent report about parents’ attitudes to parental controls and how they use these tools to help keep their children safe online. As new mesh Wi-Fi routers are being announced at CES 2021, we explore their potential implications for privacy. All this – and more – on WeLiveSecurity.com.

What’s your attitude to parental controls?

Nobody said parenting was easy, but in the digital age it comes with a whole slew of new challenges. How do parents view the role of parental monitoring in children’s online safety?

Experience from my nearly 20 years of being involved in the conversation around child online safety has caused me to be skeptical when a parent says, “yes, I limit, monitor or control my child’s online activity”. A few delving questions asking how they achieve this and what tools they use typically causes them to stumble and answer with nothing meaningful; indeed, more often than not, it transpires that there’s no technology in place and that it’s more a desire than a reality.

The cynic in me leads me to the conclusion that many parents view their own children as doing nothing wrong – it’s other parents’ kids that have these issues, thus I don’t need to worry about what my kids do online. This attitude is, of course, expected, since we, proud parents, look at our own kids through rose-tinted glasses and are amazed at everything they do.

A recent report published by the Family Online Safety Institute (FOSI) explores the attitudes towards parental controls and how parents use them. The report headlines with an interesting trend showing that the attitude of parents differs depending on their age, with 57% of Baby Boomer parents believing that the “most responsibility” is with parents, compared to 43% of Generation X and just 30% of Millennial parents.

While this may be seen as a divide, my own view is that it reflects reality: parents of kids during the early years of the Internet did not have the benefits that many parents enjoy today. There was minimal understanding by educators and the plethora of organizations offering advice today just did not exist. The education system in many countries now supports curriculum topics, including privacy, security, anti-cyberbullying and in some cases even how to identify fake news. This may explain, in part, why today’s parents see safety online as a collaborative responsibility.

RELATED READING: A generation of connected kids

The landscape of security and privacy features on social media platforms has changed significantly since they became popular in the noughties. Back in the day, privacy was a choice that you made a conscious decision about; if chosen, significant effort was spent locking down a profile. Today, many of the settings, but not all, default with privacy in mind and there are procedures and options to report unacceptable content and cyberbullying. Social media companies needed to make the changes to comply with government and user pressure.

As regulators around the world continue to pressure social media companies, parents may be stepping back from the perception of online safety being their sole responsibility. The benefit of the pressure coming from governments and regulators is that all kids benefit regardless of whether their parents are engaged in keeping them safe online or not.

Another interesting takeaway from the report is that teens view the content taught in schools to address digital safety as outdated and less effective than parental conversations. As parents we benefit from the ability to talk about what matters today, whereas teachers are required to abide by the topics set out in a curriculum that typically go through approval processes and agreement within the education system, by which time it probably is outdated. There is no quick win to this as technology and the fashion of which app is currently cool changes quickly and it’s probably fairer to view the education system as setting out the principles of online safety as opposed to real-world usage.

The survey says that the number one feature in digital parenting tools is the ability to block mature content, with over half of all the respondents seeing this as essential (mature content was defined as R- or X-rated movies, TV-MA rated television and adult websites and sexual content). In second place are privacy settings, especially for parents of teenagers.

RELATED READING: 5 things you can monitor with your parental control tool

The survey also found that most parents (71%) stated that they are “not satisfied” with the tools they have used to keep kids safe online. The survey states that parents of kids in the 7-11 age bracket are the most likely to use digital tools to keep their kids safe online and for the same age group there is concern around age-appropriate video content. There is an overwhelming desire by parents to have a one-stop shop and resource to provide parental controls, which is fully understandable given the many types of devices and the complexity of services that kids may be using.

In my view, the task of keeping kids safe online is, and always has been, a collaborative task shared by all the people who have influence, be it family, friends or teachers. With important lessons, including the responsibility of conducting online behavior in an acceptable manner and guidance on safety and security, these are a continuance of the expectations that we, as parents, have in the physical world. And as a parent, it’s important to be a trusted and open source of guidance for our kids.

To learn more about risks faced by children online, as well as about how technology can help, head over to Safer Kids Online.

CES 2021: Car spying – your insurance company is watching you

Your ‘networked computer on wheels’ has a privacy problem – when it comes to your data, you may not really be in the driver’s seat

The CES 2021 conference heralds the natural progression of car-spying apps built directly into the car and tied directly to insurance companies. Originally slated to assist drivers in an emergency, the systems are baked into the car platform telemetry itself and know everything about how you drive. How are your premiums calculated? Black box. What happens with your information? Black box, too. What happens when things go wrong? You get the idea.

This creeping blight oozing all over the last vestiges of our privacy in the interest of some thinly-perceived benefit was something tech was supposed to liberate us from – provide new degrees of freedom from. But there is this feeling that the walls of surveillance are closing in on our ability to do what we want, how we want, with things we own.

Only, we own less and less. We rent the things we “buy” from companies, and only borrow what is specified in take-it-or-leave-it licenses heavily favoring the vendor. No? Try opting out of tying into the cloud for basic functionality in the latest e-thing you bought. This will be really hard in the cars of the future.

RELATED READING: Connected cars: How to improve their connection to cybersecurity

If privacy pundits bark vociferously, there may be a tiny checkbox allowing you to opt out, but it will be buried in fine print, and couched in obtuse terms, like “opt out of personalized experiences” or some such phrase. This is not privacy by default – it’s privacy by great effort.

But the cloud knows best, or so we’re told. Even though the cloud is subject to change, we should trust it, whatever it becomes.

Maintaining proxy ownership of your devices via licensing through the cloud doesn’t seem like ownership, really, it feels like renting. Now, with baked-in insurance spies, it feels like always driving with your driving instructor taking notes. So much for the freedom of the road.

Speaking of the road, new cars know how many miles you drive, which leans into by-the-mile licensing and taxing of your car. Someone else determines how much you pay, but once again your private life is the fuel to feed the machine.

Going to court? They can know exactly where you were and when: just ask your car. No need for an alibi – they already know with mind-numbing precision where you were that night. Driving too fast? That will be worse. Stopped outside a bar? Even worse. Both? Well…

And imagine weight sensors in the seats. Then it’s not difficult to guess who the passengers were – or weren’t.

RELATED READING: Connected car hacking: Who’s to blame?

The good news is that auto theft will be very difficult indeed. Unless on the approved driver list, the would-be operator won’t be able to force the car to do anything, other than be hauled off on a flatbed tow truck. Even then, you’d know where it is. And maybe that’s good. But at what price?

Is there a world where consumers can understand what they truly own, and maybe even modify or fix it if they see fit, or opt out of third-party interaction altogether?

The “right to repair” what you own is a long, hard-fought cause shouldered by farmers who wanted to be able to work on their farm equipment out in the middle of nowhere. If your tractor is five hours from the dealer, broken in a muddy field, it would be nice to fix it yourself instead. Manufacturers said ‘no’. Baked into the low initial sale prices was the expectation of a long tail of revenue from semi-forced service dependency. Violate that and rouse the ire of the dealers and manufacturers.

What will happen if you opt out of vehicle telemetry? At the grocery store I have to pay more if I don’t use a rewards card; will this happen with my next car? Will you eventually be able to get affordable insurance at all? You can bet the car manufacturers (and their insurance company partners) will have something to say about it.

Hackers leak stolen COVID‑19 vaccine documents

The documents related to COVID-19 vaccine and medications were stolen from the EU’s medicines agency last month

The European Medicines Agency (EMA), which evaluates and approves medicines for the European Union (EU), has disclosed that cybercriminals have posted online a portion of the documents that are related to COVID-19 vaccines and were stolen in a cyberattack last month.

“The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” reads the EMA’s press release. However, the agency added that its systems are fully functional and the approval and evaluation timelines for the vaccines haven’t been derailed.

The agency, based in the Netherlands, first disclosed on December 9th, 2020 that it had suffered a cyber incident of unknown origin. The subsequent probe found that several documents belonging to third parties, presumably those belonging to companies working on the vaccines, had been illegally accessed.

Per the investigation, the data breach was limited to one IT application, with the threat actors directly targeting information involving COVID-19 medicines and vaccines. According to BleepingComputer, the data trove included “email screenshots, EMA peer review comments, Word documents, PDFs, and PowerPoint presentations”. The affected companies were notified about the incident in due course.

Following the disclosure of the attack, the pharmaceutical companies BioNTech and Pfizer revealed that they were among those whose documents were accessed. The companies, which partnered to develop and test a COVID-19 vaccine, have issued a joint statement addressing the breach:

“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed. It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”

Unfortunately, this may not be the last time we hear about cyberattacks and fraud attempts concerning COVID-19 vaccines and medication. In the run-up to New Year’s Eve, law enforcement authorities from around the world have been sounding the alarm about cybercriminals and fraudsters attempting to cash in on the vaccine rollout.

The US Department of Treasury is one of the latest agencies to have issued a stark warning about criminals’ attempts to exploit the rollout of the COVID-19 vaccines, including by falsely offering to help people jump the line. Keep in mind that any such offers are fraudulent, and not only because most countries have a vaccination strategy that prioritizes high-risk groups and medical professionals; indeed, trying to jump the queue may lead to stern fines. If you encounter similar offers or offers to buy a vaccine, it is most certainly a scam – just like any of the various coronavirus-themed scams that began to do the rounds soon after the pandemic began.

CES 2021: Router swarms invade your home (and know where you are)

New mesh Wi-Fi routers may be the answer to your wireless signal woes, but how about your privacy and security?

Wi-Fi is hard, especially powering the swarms of smart devices in the average home. To combat dead spots, metal surfaces which block or reflect signals, and distant garages too far to connect, manufacturers at CES are rolling out router swarms using the new Wi-Fi 6E rules. These smart devices will get Wi-Fi to the nooks and crannies, but also spy on you and know where you are.

Rather than having one central router that is in charge of reaching your whole home, new routers will form a mesh with a distributed brain that tracks when signals are having a hard time propagating and work around it. By placing lots of tiny little mesh nodes in different rooms, they can learn the RF environment by comparing signal propagation. They can even split signals into tiny slivers to better communicate if they run into interference. Since you affect signal propagation when you stand in a room, they even learn to work around you too. This also means they become de facto motion detectors, since they would know where you are (and aren’t).

Sold as an upgrade, these distributed surveillance devices will make your Wi-Fi work better, sometimes a lot better (due to better frequency management), and that’s how they’re sold. But so much for privacy in private spaces.

And what about security?

Many systems have a cloud component, allowing them to be remotely managed, or remotely managed directly by your ISP. But in the event of a breach – in an industry that lacks an enviable security track record and where time-to-market trumps security – bad actors would know way more about your home environment than you’d like.

Remote management woes currently rank near the top of our list of most vulnerable attack entry points. Putting remote management in every room in your house seems like a fresh new opportunity for hackers, since remote management channels would likely be enabled by default, speeding the onboarding process by ISP install crews.

RELATED READING: New Year’s resolutions: Routing done right

Customers want it anyway. If someone can “magically” log in and fix Wi-Fi woes – fine. They’ll even pay for it as an upsell in the form of managed Wi-Fi service. This service’s control panel has a view to every device that’s connected in your house, their signal strengths, data transfer rates, sites they visit, how long they’ve been online, and a host of other metrics. They can also be used as a sort of low-grade alarm.

As distributed routers burrow further and further into your private life, it seems clear that some invisible line would be crossed whereby they would collect personally identifiable information (PII), which would put them at legal odds in certain parts of the world. We’ll see what legislators think of the technology in the coming years.

Meanwhile, some customers are happy to pay an extra $10 a month to implement these surveillance systems, and hope for the best. If you’re in the market, CES is definitely the place for you to start.

5 common scams and how to avoid them

Fraudsters are quick to exploit current events for their own gain, but many schemes do the rounds regardless of what’s making the news. Here are 5 common scams you should look out for.

Cybercriminals can be very creative when it comes to swindling people out of money. They will use a variety of methods to target their victims ranging from impersonating government officials to creating fraudulent online marketplaces. Time and again they have proven to be very adaptable, tailoring their scams around various hot topics.

In recent months, many scams have capitalized on the COVID-19 pandemic, with the schemes impersonating health authorities or offering to sell protective equipment that was in short supply. Up to December 16th, the US Federal Trade Commission had received more than 275,000 reports of fraud and identity theft related to the pandemic, with the victims reporting losing US$211 million in total. These days, there are scams doing the rounds that attempt to cash in on the vaccine rollout.

Make no mistake, however; fraudsters don’t launch their campaigns only in the wake of public health emergencies or global events. The European Commission recently conducted a survey on consumers’ experience with fraud and scams and found that over half of the surveyed Europeans had experienced at least one of the types of scams they were surveyed about in the past two years.

Fraud comes in many forms, and we’ve rounded up 5 common schemes where con men try to trick victims out of their money at pretty much any time of the year and regardless of what’s making the news. We also share a bunch of tips on how you can avoid falling victim to the ploys.

Online shopping and auction scams

One of the many ways scammers like to target unsuspecting victims is through shopping scams. During the pandemic, there has been a surge of these scams, especially due to the shortage of certain goods, such as face masks and hand sanitizer. More broadly, however, using a sophisticated design that may come complete with a stolen logo, fraudsters will create a fake retail website masquerading as a reputable vendor, and offer luxury products from famous brands for ridiculously low prices. However, once you make an order, you’ll either receive a counterfeit product or nothing at all, or, worse, if you shared your credit card info, the criminals could rack up charges on it. Fraudsters have also taken to social media and started offering their goods there. Another similar tactic cybercriminals use to defraud victims is the auction scam. The fraudsters will create a bogus auction offering an item they don’t have, or copy a real listing, and once the prospective buyer wins the auction and pays the allotted price, the victim never receives the product.

RELATED READING: Online scams: Why we get duped

To lower the chances of losing money to such scams, you should always do your due diligence and research the vendor you are buying from by looking through their terms of service and privacy and return policies. You should also try to find reviews from other customers who have ordered from the website. If the vendor is asking you to share too much personal information, that should immediately be a red flag. Perhaps the best and safest advice would be just to purchase the product from a reputable vendor with a proven track record.

Money mule scams

Money mule scams can take various forms; however, the goal of the criminals behind them remains the same – to move money from illicit activities without being traced. To achieve their mission, the crooks will target their victims using various means – enticing them through work-from-home jobs, which isn’t an outlandish concept considering the current pandemic situation, or using online dating services to cultivate a relationship. Once they’ve earned the victim’s trust, they will send them money or a check and ask the victim to send it to someone else. There are various outcomes; depending on the scam, you might submit a fake check that will initially clear … but then bounce and your bank will ask you to repay it, or you may be moving money for a criminal element and you might find yourself in legal trouble.

The advice, in this case, is simple: if the remote job in question entails transferring money for the client to purported clients or contractors, don’t accept it; the risks associated with accepting such jobs online far outweigh any benefits. If your online love interest tries to coax you into sending money somewhere on their behalf, you should be suspicious and refuse to do so, especially if you’ve only ever met them online; romance scams abound and some victims blinded by love have ended up losing their life savings and in some cases had to face legal charges.

Lottery and prize-winning scams

Lottery and prize-winning scams, which fall under the advance-fee fraud category, usually start with the potential victim receiving an unsolicited email, phone call, or text message claiming that they won a large sum of money or some kind of a luxury prize. The message will include pressure tactics telling the victim that there is a limited time to respond and claim the prize, but to do that they will have to pay a fee that covers taxes or shipping costs, or other imaginary charges. Since the competition is bogus, the victim won’t receive any of these “winnings” after paying the faux fees.

RELATED READING: You have NOT won! A look at fake FIFA World Cup‑themed lotteries and giveaways

Alternatively, the victims may be solicited to take part in a competition or lottery with astronomical prizes and they are told that they can increase their chances by paying for secret tactics or more draws. The only result, however, will be the victim getting scammed out of money. It’s also worth noting that U.S. citizens partaking in foreign lotteries may be violating federal law, so besides losing money to a scam they could also be facing legal trouble.


Week in security with Tony Anscombe

Watch out for a new PayPal smishing campaign – Employee login credentials up for sale – WhatsApp to share more data with Facebook

If you use PayPal, you should watch out for a new SMS-based phishing campaign that targets people by claiming that their accounts have been “permanently limited”. Hundreds of thousands of login credentials belonging to the employees of leading gaming companies are being offered for sale on the dark web. WhatsApp is notifying users that starting from February 8th it will share more of their data with Facebook. All this – and more – on WeLiveSecurity.com.