A Week in Security (Feb 14 – Feb 20)

Last week, we proudly revealed a number of brand new things from Malwarebytes: an enterprise solution, a logo, and a website. Heck, this blog was even renamed to Malwarebytes Labs. Do check out that post by our CEO Marcin Kleczynski for more details.

We also talked about doxing—what it is and why it is illegal—and how one can protect oneself from it; revealed a new trick up the sleeves of tech support scammers; and disclosed a phishing campaign aimed at accounting firms.

Senior security researcher Jérôme Segura provided fresh information regarding a then-ongoing malvertising campaign against WordPress sites initially reported by our friends at Sucuri. Segura homed in on the updated URL pattern and the shift in payload exploit kit from the Nuclear EK to the Angler EK.

Speaking of malvertising, Segura was able to trace another campaign to an unlikely source: the “social search” browser add-on called Wajam. He observed that it injects ad banners into existing pages on top of displaying regular adverts. Affected systems were fingerprinted, then served the Angler EK.

For our PUP Friday post, we looked at a specific program claiming to be a YouTube video downloader that actually led users to a tech support scam.

Notable news stories and security-related happenings:

  • VTech ‘is Responsible’ for Kids’ Data, Says UK Watchdog. “The terms include the caveat that VTech only absolves itself of responsibility in so far as ‘applicable laws’ allow it to do so. The Information Commissioner’s Office has confirmed that this would not be possible in the UK. ‘The law is clear that it is organisations handling people’s personal data that are responsible for keeping that data secure,’ said a spokeswoman. A data protection specialist added that this would be the case for other EU countries too.” (Source: The BBC)
  • Communication Essential for Healthcare to Survive Cyberattacks Reputation Intact, Expert Says. “A breach-filled 2015 showed healthcare is at major risk for cyberattacks, a situation experts say makes it more important for health organizations to have plans in place to deal with the aftermath of a security crisis.” (Source: Healthcare IT News)
  • Intercede Launches Two-Factor Biometric Authentication Solution for Mobile Devices. “Once the initial enrollment is completed, users can access the application via a PIN code or fingerprint scan. The solution ensures that no other user can access the application account without having access to both the correct device and the relevant PIN or fingerprint.” (Source: Biometric Update Dot Com)
  • Why Companies are Becoming More Likely to Pay When Struck by Ransomware. “Twenty-four percent of companies say they would pay. And not only would they cough up the money, but 14% of the polled would pay $1 million or more to prevent the attack, according to findings by the Cloud Security Alliance (CSA) and Skyhigh, who have compiled the study. The CSA is a non-profit promoting best-practices in cloud use; Skyhigh is a cloud security company.” (Source: Network World)
  • New Malware Targets Android Users Through Text Messages. “This new malware is being called Mazar Android BOT and it is spread via SMS and MMS messages. A user will receive a text message which includes a malicious link to an Android application package (APK).” (Source: IT Pro Portal)
  • Sony Hackers Still Active, ‘Darkhotel’ Checks Out Of Hotel Hacking. “There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. […] But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity. Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives. Darkhotel is no longer waging hotel-targeted attacks — but they aren’t hiding out, either.” (Source: Dark Reading)
  • Scam Of The Week – Netflix For Free. “Some of the campaigns are dropping actual malware on the box, others phish for the user’s login and/or payment information and sell these on the dark web. All of the campaigns start with some form of social engineering.” (Source: KnowBe4)
  • Now It’s Nigeria’s Authorities Who Want to Regulate Apps Like WhatsApp and Facebook. “WhatsApp, Facebook, Twitter and Skype, all immensely popular in Africa’s most populous nation, are all considered OTT services which telecoms carriers claim are posing a danger to their core business. The Nigerian Communications Commission (NCC) describes OTTs as ‘services carried over the networks, delivering value to customers, but without any carrier service provider being involved in planning, selling, provisioning, or servicing them’. The NCC says this means traditional telecoms firms cannot directly earn revenue from OTTs.” (Source: Quartz)
  • The Great EMV Fake-Out: No Chip For You! “Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip.” (Source: Krebs on Security)
  • 10 Years of Mac Malware: How OS X Threats Have Evolved. “As Mac usage continues to steadily grow in popularity, so does the prevalence of Mac malware and security flaws—the threat landscape continues to change over time. The Mac experts at Intego put together a visual timeline that highlights the nastiest, most prevalent threats to demonstrate just how Mac malware has evolved since discovering the Oompa-Loompa Trojan horse.” (Source: Intego’s The Mac Security Blog)
  • Turning Back Time on Your iPhone can ‘Brick’ the Device – Don’t Fall for the 1970 Scam. “As per reports, a horrid hoax message is doing the rounds over the entire social media and prominent online forums, which says that if you want to ‘activate an Easter egg’ just turn back time by setting the date to January 1st, 1970 and then reboot the phone which will activate Easter egg for you. That’s not all, the message also claims that by setting back the date the user will ‘warp back in time with a classic Macintosh theme to relive the magic.’” (Source: Hack Read)
  • VoIP Phones Can be Turned into Spying or Money-making Tools. “A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security consultant Paul Moore. In a less dangerous attack alternative, these compromised devices can also be made to covertly place calls to premium rate numbers operated by the attackers or their associates.” (Source: Help Net Security)
  • Instagram Bug Could Have Allowed Others to Read Your Direct Messages. “Its Android developers proudly rolled out a brand-new feature that made it easy to set up a shared account to complement your private account. You’d be able to switch between up to five accounts without logging out and re-logging into another one. Cool, right? But, according to the Android experts at Android Central, many users who tried this got an unpleasant surprise: if you shared one account with other users, they started seeing notifications about private direct messages to the account you didn’t share.” (Source: Sophos’s Naked Security Blog)
  • Healthcare Data Breaches Lead More Patients to Withhold Information from Doctors. “Some reasons predate computers and are as old as society itself, including shame, embarrassment, and fear of censure. However, fears about unauthorized access to, and abuse of, electronically stored personal health information were voiced as soon as database technologies began to emerge in the latter half of the last century. In fact, the US government agency that was then known as the Department of Health, Education, and Welfare (HEW) prompted some of the first serious thinking about the impact of computer databases on society. A 1973 document commissioned by that agency and subsequently known as the HEW Report, examined the many fears raised by the growing computerization of personal information.” (Source: ESET’s We Live Security Blog)
  • Fighting Malware Monetization and Application Vulnerabilities. “This year’s Cyber Risk Report examines the 2015 threat landscape in this context, and highlights important industry issues such as new security research regulations, the “collateral damage” from high profile data breaches, shifting political agendas, and the ongoing debate over privacy and security.” (Source: Help Net Security)
  • This is Why People Fear the “Internet of Things”. “Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.” (Source: Krebs on Security)
  • Twitter Password Recovery Bug Exposes 10,000 Users’ Personal Information. “Users should not count on websites to shield their affiliations with those services, because leaks of registration information are common. From a security perspective, users valuing their privacy should take advantage of tools available to protect their accounts from possible hijacking, for example by enabling two-factor authentication when offered.” (Source: CSO)
  • Attackers Favor Old Exploits, Mobile Apps. “While few doubt the cleverness of hackers, the disheartening truth is they don’t need to be all that clever to gain access to sensitive data. […] Similarly, the top 10 vulnerabilities (called CVEs or common vulnerabilities and exposures by security researchers) leveraged by attackers in 2015 are more than a year old and nearly half of them are at least five years old.” (Source: eSecurity Planet)
  • The End of the Line for Flash? Not So Fast. “In late 2015 Adobe announced it was renaming Flash to Adobe Animate which reinvigorated cries that “Flash must die!” from Fortune, Wired, PCWorld, and bloggers in general. Flash, per Adobe, allows reach to over 1 billion connected desktops. While there is a movement to replace Flash with some of the elements in HTML5, it is likely going to be a long road.” (Source: Digital Guardian)

Safe surfing, everyone!

The Malwarebytes Labs Team