admin

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. That’s a great thing. But as security evolves, so do cybercriminals who are always looking for new ways to scam us. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now. It works like this: A user gets lured to a phishing site masquerading as a site they normally use, such as a bank, email or social media account. Once the user enters their login into the fake site, that information gets redirected by the cybercriminals to the actual site, without the user knowing. The user is then prompted for their MFA step. They complete this, usually by entering a code or accepting a push notification, and this information is then relayed to the criminals, allowing them to login to the site. Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. This may help you understand why many platforms ask for your PIN or other authentication again when you try to change one of these important settings. Victims are lured to phishing sites like these via links from social media or emails where it can be hard to identify the real link.  Phishing sites can even show up in sponsored search results, in the same way as we reported about tech support scams. How to protect yourself from authentication-in-the-middle attacks Credit: malwarebytes.com

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals. These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone. While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves. What are Android banking trojans? The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.   By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on. But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality. Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play. These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure. Still, the tricks behind “RecoverFiles” aren’t yet over. Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity. But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage. Slipping under the radar The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts. The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed. So, what’s a cybercriminal to do? In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan. What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware. These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.   What does it all mean for me? There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money. All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money. As we wrote in the 2024 ThreatDown State of Malware report: “Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.” Staying safe from Android banking trojans Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop. Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.

A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named “oscompatible,” was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included a “few strange binaries,” according to software supply chain security firm Phylum, including a single executable file, a dynamic-link library (DLL) and an encrypted DAT file, alongside a JavaScript file. This JavaScript file (“index.js”) executes an “autorun.bat” batch script but only after running a compatibility check to determine if the target machine runs on Microsoft Windows. If the platform is not Windows, it displays an error message to the user, stating the script is running on Linux or an unrecognized operating system, urging them to run it on “Windows Server OS.” The batch script, for its part, verifies if it has admin privileges, and if not, runs a legitimate Microsoft Edge component called “cookie_exporter.exe” via a PowerShell command. Attempting to run the binary will trigger a User Account Control (UAC) prompt asking the target to execute it with administrator credentials. In doing so, the threat actor carries out the next stage of the attack by running the DLL (“msedge.dll”) by taking advantage of a technique called DLL search order hijacking. The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll,” which, in turn, establishes connections with an actor-controlled domain named “kdark1[.]com” to retrieve a ZIP archive. The ZIP file comes fitted with the AnyDesk remote desktop software as well as a remote access trojan (“verify.dll”) that’s capable of fetching instructions from a command-and-control (C2) server via WebSockets and gathering sensitive information from the host. It also “installs Chrome extensions to Secure Preferences, configures AnyDesk, hides the screen, and disables shutting down Windows, [and] captures keyboard and mouse events,” Phylum said. While “oscompatible” appears to be the only npm module employed as part of the campaign, the development is once again a sign that threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks. “From the binary side, the process of decrypting data, using a revoked certificate for signing, pulling other files from remote sources, and attempting to disguise itself as a standard Windows update process all along the way is relatively sophisticated compared to what we normally see in OSS ecosystems,” the company said. The disclosure comes as cloud security firm Aqua revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, exposing users to security risks. In other words, the deprecated packages are downloaded an estimated 2.1 billion times weekly. This includes archived and deleted GitHub repositories associated with the packages as well as those that are maintained without a visible repository, commit history, and issue tracking. “This situation becomes critical when maintainers, instead of addressing security flaws with patches or CVE assignments, opt to deprecate affected packages,” security researchers Ilay Goldman and Yakir Kadkoda said. “What makes this particularly concerning is that, at times, these maintainers do not officially mark the package as deprecated on npm, leaving a security gap for users who may remain unaware of potential threats.” Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Network and security giant Cloudflare and password manager maker 1Password said hackers briefly targeted their systems following a recent breach of Okta’s support unit. Both Cloudflare and 1Password said their recent intrusions were linked to the Okta breach, but that the incidents did not affect their customer systems or user data. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” said 1Password chief technology officer Pedro Canahuati in a blog post. “We’ve confirmed that this was a result of Okta’s support system breach,” said Canahuati. Okta, which provides single sign-on technology to companies and organizations, said late on Friday that hackers had broken into its customer support unit and stole files uploaded by its customers for diagnosing technical problems. These files include browser recording sessions that can contain sensitive user credentials, such as cookies and session tokens, which if stolen can allow hackers to impersonate user accounts. Okta spokesperson Vitor De Souza told TechCrunch that about 1% of its 17,000 corporate customers — or 170 organizations — were affected by its breach. In an attached report detailing the security incident, 1Password said the hackers used a session token from a file that had been uploaded by a member of the IT team earlier in the day to Okta’s support unit system for troubleshooting. The session token allowed the hackers to use the IT member’s account without needing their password or two-factor code, granting the hacker limited access to 1Password’s Okta dashboard. 1Password said the incident occurred on September 29, two weeks before Okta went public with details of the incident. Cloudflare also confirmed in a blog post on Friday that hackers similarly targeted its systems using a session token stolen from Okta’s support unit. Cloudflare’s chief information security officer Grant Bourzikas said Cloudflare’s incident, which began on October 18, resulted in “no access from the threat actor to any of our systems or data,” in large part because Cloudflare uses hardware security keys that evade phishing attacks. Security company BeyondTrust said it was also affected by Okta’s breach, but that it also quickly shut down its intrusion. In a blog post, BeyondTrust said it notified Okta of the incident on October 2, but accused Okta of not acknowledging the breach for almost three weeks. This is Okta’s latest security incident, following the theft of some of its source code in December 2022, and an incident earlier in January 2022 where hackers posted screenshots of Okta’s internal network. Okta’s stock price dropped more than 11% on Friday — wiping at least $2 billion off the company’s value — following news of the breach, which was first reported by security journalist Brian Krebs.