The rapid development of AI, international tensions, and the proliferation of “smart” technologies like the internet of things (IoT) make the upcoming year particularly challenging in terms of cybersecurity. Each of us will face these challenges in one way or another, so, as per tradition, we’re here to help all our readers make a few New Year’s resolutions for a more secure 2024.

Protect your finances

E-commerce and financial technologies continue to expand globally, and successful technologies are being adopted in new regions. Instant electronic payments between individuals have become much more widespread. And, of course, criminals are devising new ways to swindle you out of your money. This involves not only fraud using instant money-transfer systems, but also advanced techniques for stealing payment data on e-commerce sites and online stores. The latest generations of web skimmers installed by hackers on legitimate online shopping sites are almost impossible to perceive, and victims only learn that their data has been stolen when an unauthorized charge appears on their card.

What to do?

Link your bank cards to Apple Pay, Google Pay, or other similar payment systems available in your country. This is not only convenient, but also reduces the likelihood of data theft when making purchases in stores.
Use such systems to make payments on websites whenever possible. There’s no need to enter your bank card details afresh on every new website.
Protect your smartphones and computers with a comprehensive security system like Kaspersky Premium. This will help protect your money, for example, from a nasty new attack in which the recipient’s details are replaced at the moment of making an instant money transfer in a banking app.
Use virtual or one-time cards for online payments if your bank supports this option. If a virtual card can be quickly reissued in the app, change it regularly — for example, once a month. Or use special services to ‘mask’ cards, generating one-time payment details for each payment session. There are many of these for different countries and payment systems.

Don’t believe everything you see

Generative artificial intelligence has dominated the news throughout 2023 and has already significantly affected the job market. Unfortunately, it’s also been used for malicious purposes. Now, just about anyone can create fake texts, photos, and videos in a matter of minutes — a labor that previously required a lot of time and skill. This has already had a noticeable impact on at least two areas of cybersecurity.

First, the appearance of fake images, audio, and video on news channels and social media. In 2023, generated images were used for propaganda purposes during geopolitical conflicts in post-Soviet countries and the Middle East. They were also used successfully by fraudsters for various instances of fake fundraising. Moreover, towards the end of the year, our experts discovered massive “investment” campaigns in which the use of deepfakes reached a whole new level: now we’re seeing news reports and articles on popular channels about famous businessmen and heads of state encouraging users to invest in certain projects — all fake, of course.

Second, AI has made it much easier to generate phishing emails, social media posts, and fraudulent websites. For many years, such scams could be identified by sloppy language and numerous typos, because the scammers didn’t have the time to write and proofread them properly. But now, with WormGPT and other language models optimized for hackers, attackers can create far more convincing and varied bait on an industrial scale. What’s more, experts fear that scammers will start using these same multilingual AI models to create convincing phishing material in languages and regions that have rarely been targeted for such purposes before.

What to do?

Be highly critical of any emotionally provocative content you encounter on social media — especially from people you don’t know personally. Make it a habit to always verify the facts on reputable news channels and expert websites.
Don’t transfer money to any kind of charity fundraiser or campaign without conducting a thorough background check of the recipient first. Remember, generating heart-breaking stories and images is literally as easy as pushing a button these days.
Install phishing and scam protection on all your devices, and enable all options that check links, websites, emails, and attachments. This will reduce the risk of clicking on phishing links or visiting fraudulent websites.
Activate banner ad protection — both Kaspersky Plus and Kaspersky Premium have this feature, as do a number of browsers. Malicious advertising is another trend for 2023-2024.

Some experts anticipate the emergence of AI-generated content analysis and labeling systems in 2024. However, don’t expect them to be implemented quickly or universally, or be completely reliable. Even if such solutions do emerge, always double-check any information with trusted sources.

Don’t believe everything you hear

High-quality AI-based voice deepfakes are already being actively used in fraudulent schemes. Someone claiming to be your “boss”, “family member”, “colleague”, or some other person with a familiar voice might call asking for urgent help — or to help someone else who’ll soon reach out to you. Such schemes mainly aim to trick victims into voluntarily sending money to criminals. More complex scenarios are also possible — for example, targeting company employees to obtain passwords for accessing the corporate network.

What to do?

Verify any unexpected or alarming calls without panic. If someone you supposedly know well calls, ask a question only that person can answer. If a colleague calls but their request seems odd — for example, asking you to send or spell a password, send a payment, or do something else unusual — reach out to other colleagues or superiors to double-check things.
Use caller identifier apps to block spam and scam calls. Some of these apps work not only with regular phone calls but also with calls through messengers like WhatsApp.

Buy only safe internet-of-things (IoT) smart devices

Poorly protected IoT devices create a whole range of problems for their owners: robot vacuum cleaners spy on their owners, smart pet feeders can give your pet an unplanned feast or a severe hunger strike, set-top boxes steal accounts and create rogue proxies on your home network, and baby monitors and home security cameras turn your home into a reality TV show without your knowledge.

What could improve in 2024? The emergence of regulatory requirements for IoT device manufacturers. For example, the UK will ban the sale of devices with default logins and passwords like “admin/admin”, and require manufacturers to disclose in advance how long a particular device will receive firmware updates. In the U.S., a security labeling system is being developed that will make it possible to understand what to expect from a “smart” device in terms of security even before purchase.

What to do?

Find out if there are similar initiatives in your country and make the most of them by purchasing only secure IoT devices with a long period of declared support. It’s likely that once manufacturers are obliged to ensure the security of smart devices locally, they’ll make corresponding changes to products for the global market. Then you’ll be able to choose a suitable product by checking, for example, the American “security label”, and buy it — even if you’re not in the U.S.
Carefully configure all smart devices using our detailed advice on creating a smart home and setting up its security.

Take care of your loved ones

Scams involving fake texts, images, and voices messages can be highly effective when used on elderly people, children, or those less interested in technology. Think about your family, friends, and colleagues — if any of them may end up a victim of any the schemes described above, take the time to tell them about them or provide a link to our blog.

What to do?

Don’t just give blanket information from our articles; look beyond our blog to find suitable cybersecurity lessons for your loved ones based on their age and temperament.
Make sure that all your family’s computers and phones are fully protected. With Kaspersky Premium, you can protect as many devices as needed, on any popular platform — Windows, macOS, Android, or iOS.

Before we say goodbye and wish you a happy and peaceful 2024, one final little whisper — last year’s New Year’s resolutions are still very relevant: the transition to password-less systems is progressing at a swift pace, so going password-free in the New Year might be a good idea, while basic cyber hygiene has become all the more crucial. Oops; nearly forgot: wishing you a happy and peaceful 2024!…

Kaspersky official blog – ​Read More

When you turn on a laptop, the manufacturer’s logo is displayed on the screen before the operating system boots. This logo can actually be changed — a function intended for the use of laptop or desktop manufacturers. But there’s nothing stopping an ordinary user from using it and replacing the default logo with a different image.

The logo is stored in the code that runs immediately after computer is turned on, in the so-called UEFI firmware. It turns out that this logo replacement function opens the way for the device to be seriously compromised — attackers can hack it and subsequently seize control of the system, and this can even be done remotely. The possibility of such an attack, named LogoFAIL, was recently discussed by specialists at Binarly. In this article, we’ll try to explain it in simple terms, but let’s first recall the dangers of so-called UEFI bootkits.

UEFI bootkits: malware loaded before the system

Historically, the program executed upon turning on a PC was called a BIOS (Basic Input/Output System). It was extremely limited in its capabilities, but it was an essential program tasked with initializing the computer’s hardware and then transferring control to the operating system loader. Since the late 2000s, BIOS gradually began to be replaced by UEFI — a more sophisticated version of the same basic program with additional capabilities, including protection against the execution of malicious code.

In particular, UEFI implemented the Secure Boot feature that employed cryptographic algorithms to check the code at each stage of the computer’s booting — from turning it on to loading the operating system. This makes it much more difficult to replace the real OS code with malicious code, for example. But, alas, even these security technologies have not completely eliminated the possibility of loading malicious code at an early stage. And if attackers manage to “smuggle” malware or a so-called bootkit into UEFI, the consequences can be extremely serious.

The issue with UEFI bootkits is that they are extremely difficult to detect from within the operating system. A bootkit can modify system files and run malicious code in an OS with maximum privileges. And the main problem is that it can survive not only a complete reinstall of the operating system, but also replacement of the hard drive. Stashed in the UEFI firmware, a bootkit isn’t dependent on the data stored on the system drive. As a result, bootkits are often used in complex targeted attacks. An example of such an attack is described in this study by our experts.

So, what do images have to do with it?

Since UEFI has fairly robust protection against the execution of malicious code, introducing a Trojan into the boot process isn’t simple. However, as it turns out, it is possible to exploit flaws in the UEFI code to execute arbitrary code at this early stage. There was good reason for the Binarly specialists to pay attention to the mechanism that allows replacing the factory logo. To display the logo, a program is launched that reads data from the graphic image file and displays this image on the screen. What if we try make this program to misbehave?

There are three major UEFI software developers: AMI, Insyde, and Phoenix. Each of them approaches logo processing differently. For example, Insyde has separate image processing programs for different formats, from JPEG to BMP. AMI and Phoenix consolidate handling of all formats into a single program. Vulnerabilities were discovered in each of them, with a total of twenty-four critical errors. The final result of exploiting one of these errors is shown in this video:

LogoFAIL attack demonstration. Source

It’s all fairly simple: the attacker can modify the image of the new logo as they please. This includes, for example, setting the logo resolution so that this parameter ends up beyond the limits defined in the handling code. This leads to a calculation error and ultimately results in data being written from the image file into the area for executable data. This data will then be executed with maximum privileges. The video above shows the seemingly harmless result of such a bootkit: a text file is saved to the Windows desktop. However, if malicious code has this level of access, the attacker can perform almost any action in the operating system.

Notably, some device models from major manufacturers were not susceptible to this attack, and for a very simple reason: replacing the logo in their UEFI is essentially blocked. Among these models are a number of Apple laptops and Dell devices.

Dangerous implications for businesses

Theoretically, this attack can even be carried out remotely: in some cases, it would be enough to inject a specially prepared image into the EFI system partition on the system disk, and it will be processed on the next reboot. The catch is that performing such an operation already require complete access to the system; that is, any data on the computer should already be available to the attackers. You might wonder then, what’s the point of implementing the LogoFAIL attack? To ensure that the malicious code survives even if the OS is reinstalled — this kind of persistence is usually highly desired by APT attack operators.

This problem will gradually be resolved by updated UEFI versions that fix errors in the image handlers. However, since not all companies diligently keep up with firmware updates, a huge number of devices will likely remain unprotected. And the list of vulnerable devices includes not only laptops but also some server motherboards. This means that Binarly’s research should be taken very seriously.

Kaspersky official blog – ​Read More

We often write here on these blog pages about how browser extensions can be very dangerous. To illustrate this fact, we decided to dedicate an article to it. In this post, we’ll look at the most interesting, unusual, widespread, and dangerous cases involving malicious extensions in 2023. We’ll also discuss what these extensions were capable of — and, of course, how to protect yourself from them.

Roblox extensions with a backdoor

To set the tone and also highlight one of the biggest concerns associated with dangerous extensions, let’s start with a story that began last year. In November 2022, two malicious extensions with the same name — SearchBlox — were discovered in the Chrome Web Store, the official store for Google Chrome browser extensions. One of these extensions had over 200,000 downloads.

The declared purpose of the extensions was to search for a specific player on the Roblox servers. However, their actual purpose was to hijack Roblox players’ accounts and steal their in-game assets. After information about these malicious extensions was published on BleepingComputer, they were removed from the Chrome Web Store, and automatically deleted from the devices of users who’d installed them.

However, the Roblox story doesn’t end there. In August 2023, two more malicious extensions of a similar nature — RoFinder and RoTracker — were discovered in the Chrome Web Store. Just like SearchBlox, these plugins offered users the ability to search for other players on the Roblox servers, but in reality had a backdoor built into them. The Roblox user community eventually managed to get these extensions removed from the store as well.

This suggests that the quality of moderation at the world’s most official platform for downloading Google Chrome extensions leaves much to be desired, and it’s easy enough for creators of malicious extensions to push their creations in there. To get moderators to spot dangerous extensions and remove them from the store, reviews from affected users are rarely sufficient — it often requires efforts from the media, security researchers, and/or a large online community.

Fake ChatGPT extensions hijacking Facebook accounts

In March 2023, two malicious extensions were discovered in the Google Chrome Web Store within a few days of each other — both taking advantage of the hype surrounding the ChatGPT AI service. One of these was an infected copy of the legitimate “ChatGPT for Google” extension, offering integration of ChatGPT’s responses into search engine results.

The infected “ChatGPT for Google” extension was uploaded to the Chrome Web Store on February 14, 2023. Its creators waited for some time and only started actively spreading it precisely a month later, on March 14, 2023, using Google Search ads. The criminals managed to attract around a thousand new users per day, resulting in over 9000 downloads by the time the threat was discovered.

The trojanized copy of “ChatGPT for Google” functioned just like the real one, but with extra malicious functionality: the infected version included additional code designed to steal Facebook session cookies stored by the browser. Using these files, the attackers were able to hijack the Facebook accounts of users who’d installed the infected extension.

The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.

In the other case, fraudsters created a completely original extension called “Quick access to Chat GPT”. In fact, the extension actually did what it promised, acting as an intermediary between users and ChatGPT using the AI service’s official API. However, its real purpose was again to steal Facebook session cookies, allowing the extension’s creators to hijack Facebook business accounts.

Most interestingly, to promote this malicious extension, the perpetrators used Facebook ads, paid for by — you guessed it — the business accounts they’d already hijacked! This cunning scheme allowed the creators of “Quick access to Chat GPT” to attract a couple of thousand new users per day. In the end, both malicious extensions were removed from the store.

ChromeLoader: pirated content containing malicious extensions

Often, creators of malicious extensions don’t place them in the Google Chrome Web Store, and distribute them in other ways. For example, earlier this year researchers noticed a new malicious campaign related to the ChromeLoader malware, already well-known in the cybersecurity field. The primary purpose of this Trojan is to install a malicious extension in the victim’s browser.

This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.

This year, attackers have been using a variety of pirated content as bait to make victims install ChromeLoader. For example, in February 2023, researchers reported the spread of ChromeLoader through VHD files (a disk image format) disguised as hacked games or game “cracks”. Among the games used by the distributors were Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more. As you might guess, all these VHD files contained the malicious extension installer.

A few months later, in June 2023, another group of researchers released a detailed report on the activities of the same ChromeLoader, detailing its spread through a network of sites offering pirated music, movies, and once again, computer games. In this campaign, instead of genuine content, VBScript files were downloaded onto victims’ computers, which then loaded and installed the malicious browser extension.

Although the altered search results quickly alert victims to the presence of the dangerous extension in their browser, getting rid of it isn’t so easy. ChromeLoader not only installs the malicious extension but also adds scripts and Windows Task Scheduler tasks to the system that reinstall the extension every time the system reboots.

Hackers reading Gmail correspondence using a spy extension

In March 2023, the German Federal Office for the Protection of the Constitution and the South Korean National Intelligence Agency issued a joint report on the activities of the Kimsuky cybercriminal group. This group uses an infected extension for Chromium-based browsers — Google Chrome, Microsoft Edge, as well as the South Korean browser Naver Whale — to read the Gmail correspondence of their victims.

The attack begins with the perpetrators sending emails to specific individuals of interest. The email contains a link to a malicious extension called AF, along with some text convincing the victim to install the extension. The extension starts working when the victim opens Gmail in the browser where it’s installed. AF then automatically sends the victim’s correspondence to the hackers’ C2 server.

Thus, Kimsuky manages to gain access to the contents of the victim’s mailbox. What’s more, they don’t need to resort to any tricks to hack into this mailbox; they simply bypass the two-factor authentication. As a bonus, this method allows them to do everything in a highly discreet manner — in particular, preventing Google from sending alerts to the victim about account access from a new device or suspicious location, as would be the case if the password were stolen.

Rilide: malicious extension stealing cryptocurrency and bypassing two-factor authentication

Criminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.

In addition, this extension collects and sends browser history to the C2 server and lets the attackers take screenshots. But Rilide’s most interesting feature is its ability to bypass two-factor authentication.

When the extension detects that a user is about to make a cryptocurrency transaction on one of the online services, it injects a script into the page that replaces the confirmation code input dialog, and then steals that code. The payment recipient’s wallet is replaced with one belonging to the attackers, and then, finally, the extension confirms the transaction using the stolen code.

Rilide attacks users of Chromium-based browsers — Chrome, Edge, Brave, and Opera — by imitating a legitimate Google Drive extension to avoid suspicion. Rilide appears to be freely sold on the black market, so it’s used by criminals unrelated to one another. For this reason, various distribution methods have been discovered — from malicious websites and emails to infected blockchain game installers promoted on Twitter X.

One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.

Dozens of malicious extensions in the Chrome Web Store — with 87 million downloads combined

And, of course, one cannot forget the story of the summer when researchers discovered several dozen malicious extensions in the Google Chrome Web Store, which collectively had more than 87 million downloads from the store. These were various kinds of browser plugins — from tools for converting PDF files and ad blockers to translators and VPNs.

The extensions were added to the Chrome Web Store as far back as 2022 and 2021, so by the time they were discovered they’d already been there for several months, a year, or even longer. Among reviews of the extensions, there were some complaints from vigilant users who reported that the extensions were spoofing search results with advertisements. Unfortunately, the Chrome Web Store moderators ignored these complaints. The malicious extensions were only removed from the store after two groups of security researchers brought the issue to Google’s attention.

How to protect yourself from malicious extensions

As you can see, dangerous browser extensions can end up on your computer from various sources —including the official Google Chrome Web Store. And attackers can use them for a wide range of purposes — from hijacking accounts and altering search results to reading correspondence and stealing cryptocurrencies. Accordingly, it’s important to take precautions:

Try to avoid installing unnecessary browser extensions. The fewer extensions you have in your browser, the better.
If you do install an extension, it’s better to install it from an official store rather than from an unknown website. Sure, this doesn’t eliminate the risk of encountering dangerous extensions completely, but at least the Google Chrome Web Store does take its security seriously.
Before installing, read reviews of an extension. If there’s something wrong with it, someone might have already noticed it and informed other users.
Periodically review the list of extensions installed in your browsers. Remove any you don’t use — especially ones you don’t remember installing.
And be sure to use reliable protection on all your devices.

Kaspersky official blog – ​Read More

Corporate information security specialists usually know quite a few confident employees who say that they don’t click on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this argument when asking to have corporate security measures turned off, which somehow interfere with work. But attackers often disguise malicious and phishing links, trying to confuse both mail filters and human observers. What they want is to make victims (even if they are examining URLs as we repeatedly advise) click on an address that actually takes them to a different one. Here are the most common methods used by cybercriminals to hide malicious or phishing URLs.

An @ symbol in the address

The simplest way to hide the real domain in the address is to use the @ symbol in the URL. This is a completely legitimate symbol that can be used to integrate a login and a password into the website address — HTTP allows to pass credentials to the web server via the URL simply by using login:password@domain.com format. If the data before the @ symbol is incorrect and not suitable for authentication, the browser simply discards it, redirecting the user to the address located after the @ symbol. So cybercriminals use this: they come up with a convincing page name, use the name of a legitimate site in it, and place the real address after the @ symbol. For example, look at our blog’s address disguised in this way:

It looks like a page with many words in the name hosted somewhere on the Google domain, but the browser will take you to http://kaspersky.com/blog/.

Numbers instead of the IP address

In the previous method, attackers often try to confuse the user with a long page name in order to distract them from the real address — because it still remains in the URL. But there’s a way to hide it completely — by converting the IP-address of a site into an integer. As you may know, IP addresses are not very conveniently stored in databases. Therefore, at some point, a mechanism was invented to convert IP addresses into integers (which are much more convenient to store) and vice versa. And these days, when modern browsers see a number in an URL they automatically convert it into an IP address. In combination with the same @ symbol, it effectively hides the real domain. This is how a link to our corporate website can look like:

In using this trick, cybercriminals try to focus attention on the domain before the @ symbol, and make everything else look like some kind of parameter — various marketing tools often insert all sorts of alphanumeric tags into web links.

URL shortener services

Another fairly simple way to hide the real URL is to use one of the legitimate link shortening services. You can include absolutely anything inside a short link — and it’s impossible to check what hides there without clicking.

Google Accelerated Mobile Pages

Several years ago, Google and some partners created the Google AMP framework — a service that was intended to help webpages load faster on mobile devices. In 2017, Google claimed that AMPed pages load in less than a second and use 10 times less data than the same pages without AMP. Now attackers have learned how to use this mechanism for phishing. An email contains a link starting with “google.com/amp/s/”, but if the user clicks it, they’ll be redirected to a site that doesn’t belong to Google. Even some anti-phishing filters often fall for this trick: due to Google’s reputation, they consider such a link to be sufficiently reliable.

Email service providers

Another way to hide your page behind someone else’s URL is to use an               ESP; that is, a service for creating legitimate newsletters and other mailouts. We’ve already written in detail about this method in one of our previous posts. In short, criminals employ one of these services, create a mailing campaign, input a phishing URL, and as a result get a ready-made clean address, which has the reputation of an ESP company. ESP companies of course try to fight such misuse of their service, but it doesn’t always work out.

Redirect via Baidu

The Chinese search engine Baidu has quite an interesting approach to showing search results. Unlike Google, it doesn’t give you links to the sites, but instead makes links to itself with a redirect to the site searched for. That is, in order to disguise a malicious URL as Baidu, all cybercriminals need do is search for the page (and that is quite simple if you enter the exact address), copy the link and paste it in the phishing email.

And by and large, we don’t know just how many other services there are that can redirect URLs or even cache pages on their side (be it for their own needs or in the name of convenience of content delivery).

Practical takeaways

No matter how confident your employees are, we doubt that they really can understand whether a link is dangerous or not. We therefore recommend backing them up with protective solutions. Moreover, we recommend to use such solutions both at the corporate mail server level, and at the level of internet-enabled working devices.

Kaspersky official blog – ​Read More