Search Operators and Wildcards for Cyber Threat Investigations

/in

Finding information on specific cyber threats in a vast amount of data can be challenging. Threat Intelligence Lookup from ANY.RUN simplifies this task with wildcards and operators that provide you with the ability to create flexible and precise search queries.

Let’s take a look at how you can use them to identify and collect intel on malware and phishing attacks more effectively. 

About Threat Intelligence Lookup 

Main page of TI Lookup

Threat Intelligence (TI) Lookup is a fast and efficient tool designed to simplify cyber threat investigations. It allows for flexible searches for Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).  

TI Lookup provides access to a constantly updated database of threat data collected from millions of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox.  

Each sandbox session contains detailed logs of system and network events that occur while a threat is executing. By searching through this comprehensive data, you can easily find connections between seemingly unrelated pieces of information and tie them to a specific threat. 

Here’s how TI Lookup can help you and your organization: 

  • Investigate Threats Quickly: Gather extensive and in-depth information on emerging and persistent cyber threats with over 40 search parameters (e.g. threat names, command lines, registry logs, etc.). 
  • Receive Real-Time Updates: Stay informed with real-time updates on results for your search queries. 
  • Enrich Threat Intelligence: Get relevant context, indicators, and samples manually analyzed by threat analysts. 

Black Friday 2024: Get 2x search requests
for your TI Lookup plan 



See details


Search Operators in TI Lookup 

Search operators are essential tools in TI Lookup that allow you to combine several indicators to refine your search queries effectively. They act as logical connectors that help you specify the relationships between different conditions in your search and achieve greater flexibility and precision in your searches. 

TI Lookup supports logical operators like AND, OR, and NOT, as well as grouping with parentheses. Let’s take a closer look at each of these. 

AND 

What it does  

The AND operator helps you combine multiple conditions. 

Why use it  

AND is great for narrowing down your search to find threats by including as many unique indicators as possible.  

It is equally effective in situations when you have several completely disparate artifacts, like an IP address and a mutex, and want to link them to a particular threat. 

Example 

domainName:”thum.io” AND domainName:”logo.clearbit.com”

This query is designed to search for sandbox sessions where both thum[.]io and logo[.]clearbit[.]com domains were found. 

  • Thum[.]io is a real-time website screenshot generator. 
  • logo[.]clearbit[.]com is a service for fetching company logos. 
TI Lookup lets you navigate to the ANY.RUN sandbox to see and run analysis of each sample

TI Lookup almost instantly provides results: associated IP addresses and sandbox sessions, all of which contain a “malicious activity” label and a “phishing” tag. 

We can click any session of our interest to investigate the threat further.

The phishing page contains a fake form for stealing victim’s credentials

By reviewing the analysis report, we can spot that this is a cyber attack which uses thum[.]io to dynamically generate phishing pages with the backgrounds of a website that coincides with that of the victim. Attackers also use logo[.]clearbit[.]com to add corresponding company logos to make fake pages appear more legitimate. 

OR 

What it does 

The OR operator helps return matches where at least one of the given conditions is found. 

Why use it  

OR is excellent in situations when you are not sure which one of two indicators is related to a threat. It is also useful for broadening your search to include results where both indicators are found, but necessarily together in the same session.  

Example  

syncObjectName:”DocumentUpdater” OR syncObjectName:”PackageManager”
You see how these mutexes are used by exploring their corresponding sandbox sessions

It searches for entries where the synchronization object name is “DocumentUpdater” or “PackageManager”. If you’re investigating a threat that could be using either of these sync objects, this query ensures you don’t miss any relevant information. 

TI Lookup shows that the synchronization objects are mutexes and provides sandbox sessions where they were previously discovered. 

NOT 

What it does 

The NOT operator excludes results that match the specified condition. 

Why use it 

NOT is helpful when you want to refine your search and see sandbox sessions where no certain item, like a domain or file name, was observed. 

Example 

threatName:”Phishing” NOT taskType:”url”

This query is looking for phishing samples but excludes any entries where the initial submission uploaded to the ANY.RUN sandbox was a URL.

Results include sandbox sessions with the tag “phishing” that feature malicious files

It helps us find email, html, zip, exe, or other types of files, used in phishing attacks. 

Parentheses () 

What they do 

Parentheses group conditions and control the order of operations to ensure they are processed in the order you specify. 

Why use them  

Parentheses are essential for creating complex queries, making your search more precise and effective. 

Example

imagePath:”mshta.exe” AND (destinationPort:”80″ OR destinationPort:”443″)

This query searches for sandbox sessions and their related data where the process “mshta.exe” was observed along with connections to destination ports of either 80 or 443. The parentheses ensure that the OR condition is processed first, making the search more precise. 

You can explore domains, IPs, synchronization objects, events, files, and other details related to the query

TI Lookup returns a wealth of threat data related to our query. Some of the results include malicious domains and IP addresses, as well as a list of network threats detected during analyses. 

Wildcard Characters 

Wildcards in TI Lookup act as placeholders in your search queries. They can represent different types of character sequences. 

Asterisk (*) 

What it does  

The asterisk represents any number of characters, including none. This means it can stand in for zero, one, or multiple characters. The asterisk is added by default at the start and end of each query, so you in most cases there is no need to enter it manually.

Why use it 

The asterisk is great for when you’re not sure about the exact content of a string. It helps you find matches even if there are unknown parts or certain variations in your query string. 

Example 

commandLine:”C:\Users\Public\*.vbs” AND commandLine:”C:\Users\Public\*.bat” AND commandLine:”C:\Users\Public\*.ps1″

This query searches for sandbox sessions where the command line includes paths to specific script files located in the C:UsersPublic directory. The scripts must be of types .vbs (Visual Basic Script), .bat (Batch file), and .ps1 (PowerShell script).  

Yet, the names of these scripts are replaced with the asterisk wildcard, representing any string of characters, as they can vary.

Asterisks are used to replace any string of characters

This helps us discover scripts with different file names and see how each of them fits into a wider context of the entire attack analyzed in the sandbox.

ANY.RUN’s Interactive Sandbox offers advanced script executiion analysis

In the image above, you can see the execution of one of the found scripts inside the ANY.RUN sandbox. 


ANY.RUN cloud interactive sandbox interface

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup


Read full guide


Question Mark (?) 

What it does  

The question mark represents any single character or its absence. This means it can stand in for exactly one character or none at all. 

Why use it  

The question mark is perfect for situations when you are not sure about a certain character in your string or know that it varies. 

Example  

commandLine:”http*/?/?c3Y9″

Here, we can borrow a query from Jane_0sint’s article on phishing investigations, which is intended for identifying samples of Mamba2FA attacks.  

A notable part of this query is that we can see the question mark being used twice. Yet, there is a difference between these two instances: 

  • The first one is the wildcard that serves as a stand-in for the characters “m”, “n”, and “o” that are commonly used in Mamba2FA URLs.  
  • The second question mark is a part of the address. To escape it, we use the slash symbol. 
Make sure to escape ? when it is part of your search string

We once again can observe a variety of results, including command lines that contain different URLs matching our query. 

Dollar Sign ($) 

What it does 

The dollar sign ensures that the search term must appear at the end of the string. It excludes matches with any characters after the specified content. 

Why use it  

The dollar sign is useful when you know the exact ending of a string but are unsure about the beginning. It helps you find matches that end with your specified term. 

Example 

syncObjectName:”_STOP$”

This query searches for any synchronization object whose name ends with _STOP. 

Each mutex can be explored in detail in its corresponding sandbox session

Among the results, we can see mutex names such as biudfw_stop, jeboi_stop, and nonij_stop. As always, we can explore each of them in detail by navigating to their corresponding sandbox sessions. 

Caret (^) 

What it does  

The caret ensures that the search term must appear at the beginning of the string. It prevents matches with any characters before the specified query content. 

Why use it 

The caret is helpful when you know the exact starting point of a string but are unsure about the rest. It narrows down your search to items that begin with your specified term. 

Example 

domainName:”^0ffice.*.com$”

This query finds domain names that start with 0ffice and end with .com, with any characters allowed in between. The caret (^) and dollar sign ($) ensure the exact start and end. 

TI Lookup returns all matching domains found across its database over the past 180 days

TI Lookup provides us with domains that match our query along with sandbox sessions, where they were found. 

Conclusion 

wildcards and operators in TI Lookup provide the flexibility and precision needed to perform threat intelligence searches. By learning how to use these tools, you can make your threat hunting efforts more effective.

Give it a try by requesting a free trial of TI Lookup.

About ANY.RUN  

ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware. 

See Black Friday deals for ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup →

The post Search Operators and Wildcards for Cyber Threat Investigations appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Undeclared functionality in machine learning systems

/in

Over the coming decades, security risks associated with AI systems will be a major focus of researchers’ efforts. One of the least explored risks today is the possibility of trojanizing an AI model. This involves embedding hidden functionality or intentional errors into a machine learning system that appears to be working correctly at first glance. There are various methods to create such a Trojan horse, differing in complexity and scope — and they must all be protected against.

Malicious code in the model

Certain ML model storage formats can contain executable code. For example, arbitrary code can be executed while loading a file in a pickle format, the standard Python format used for data serialization (converting data into a form that is convenient for storing and transferring). Particularly, this format is used in a deep learning library PyTorch. In another popular machine learning library, TensorFlow, models in the .keras and HDF5 formats support a “lambda layer”, which also executes arbitrary Python commands. This code can easily conceal malicious functionality.

TensorFlow’s documentation includes a warning that a TensorFlow model can read and write files, send and receive network data, and even launch child processes. In other words, it’s essentially a full-fledged program.

Malicious code can activate as soon as an ML model is loaded. In February 2024, approximately 100 models with malicious functionality were discovered in the popular repository of public models, Hugging Face. Of these, 20% created a reverse shell on the infected device, and 10% launched additional software.

Training dataset poisoning

Models can be trojanized at the training stage by manipulating the initial datasets. This process, called data poisoning, can be either targeted or untargeted. Targeted poisoning trains a model to work incorrectly in specific cases (for example, always claiming that Yuri Gagarin was the first person on the Moon). Untargeted poisoning aims to degrade the model’s overall quality.

Targeted attacks are difficult to detect in a trained model because they require very specific input data. But poisoning the input data for a large model is costly, as it requires altering a significant volume of data without being detected.

In practice, there are known cases of manipulating models that continue to learn while in operation. The most striking example is the poisoning of Microsoft’s Tay chatbot, which was trained to express racist and extremist views in less than a day. A more practical example is the attempts to poison Gmail’s spam classifier. Here, attackers mark tens of thousands of spam emails as legitimate to allow more spam through to user inboxes.

The same goal can be achieved by altering training labels in annotated datasets or by injecting poisoned data into the fine-tuning process of a pre-trained model.

Shadow logic

A new method of maliciously modifying AI systems is to introduce additional branches into the model’s computational graph. This attack does not involve executable code or tampering with the training process, yet the modified model can exhibit a desired behavior in response to specific pre-determined input data.

The attack leverages the fact that machine learning models use a computational graph to structure the computations required for their training and execution. The graph describes the sequence in which neural network blocks are connected and defines their operational parameters. Computational graphs are designed for each model individually, although in some ML model architectures they are dynamic.

Researchers have demonstrated that the computational graph of an already trained model can be modified by adding a branch at the initial stages of its operation that detects a “special signal” in the input data; upon detection, the model is directed to operate under a separately programmed logic. In an example from the study, the popular video object detection model YOLO was modified to ignore people in a frame if a cup was also present.

The danger of this method lies in its applicability to any models, regardless of storage format, modality, or scope of application. A backdoor can be implemented for natural language processing, object detection, classification tasks, and multimodal language models. Moreover, such a modification can be preserved even if the model undergoes further training and fine-tuning.

How to protect AI models from backdoors

A key security measure is the thorough control of the supply chain. This means ensuring that the origin of every component in the AI system is known and free of malicious modifications, including:

  • The code running the AI model
  • The computing environment in which the model operates (usually cloud hosting)
  • The files of the model
  • The data used for training
  • The data used for fine-tuning

Major ML repositories are gradually implementing digital signatures to verify models’ origins and code.

In cases where strict control over the origins of data and code is not feasible, models from questionable sources should be avoided in favor of reputable providers’ offerings.

It’s also crucial to use secure formats for storing ML models. In the Hugging Face repository, warnings are displayed when loading models capable of executing code; also, the primary model storage format is Safetensor, which blocks code execution.

Kaspersky official blog – ​Read More

DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City

/in

Dubai

Overview

Dubai is making significant strides in integrating advanced technologies while emphasizing strong cybersecurity frameworks. A recent study by the World Economic Forum (WEF), titled “Navigating Cyber Resilience in the Age of Emerging Technologies,” highlights how the city is utilizing technologies such as artificial intelligence (AI), blockchain, quantum computing, and smart city solutions across critical sectors.

The Dubai Electronic Security Center (DESC) plays a central role in supporting the secure adoption of these emerging technologies. Initiatives such as the Dubai Cyber Security Strategy and the UAE National Strategy for Artificial Intelligence 2031, along with policies like the Dubai AI Security Policy and autonomous vehicle security standards, aim to balance innovation with a focus on digital security.

This blog delves into DESC’s contributions, Dubai’s cybersecurity strategies, and the city’s efforts to enhance cyber resilience and enable secure digital transformation.

The Role of DESC in Dubai’s Cybersecurity Strategy

The Dubai Electronic Security Center (DESC) is at the heart of Dubai’s digital transformation. As a key player in Dubai’s Cyber Security Strategy, DESC focuses on securing digital assets, fostering innovation, and establishing Dubai as a leading secure digital hub.

His Excellency Yousuf Hamad Al Shaibani, CEO of DESC, highlighted the center’s proactive measures, saying, “The Center continues to coordinate with governmental, regional, and international entities to study the security requirements of modern and emerging technologies and set standards and controls that ensure their safe adoption across various sectors.”

DESC has introduced multiple initiatives to ensure the secure implementation of emerging technologies:

  • Dubai AI Security Policy: A framework for safe use of AI technologies across sectors.

  • Autonomous Vehicle Security Specification: The first of its kind globally, providing security standards for self-driving vehicles.

  • RZAM Cybersecurity Application: A real-time solution leveraging AI to protect internet users from malicious websites and phishing attacks.

These policies stress Dubai’s efforts to create a secure environment for the adoption of advanced technologies.

Advancing Emerging Technologies

Dubai’s leadership in cybersecurity is closely aligned with the UAE National Strategy for Artificial Intelligence 2031. This strategy, combined with substantial investments in technologies such as quantum computing, 5G communications, and the Internet of Things (IoT), is designed to drive innovation while maintaining robust digital safeguards.

For example, DESC has been instrumental in supporting Dubai’s Self-Driving Transport (SDT) Strategy. The SDT Strategy aims to convert 25% of Dubai’s total transportation to self-driving vehicles by 2030. To achieve this, DESC recently published a study on connected vehicles, highlighting the security specifications required to mitigate cyber risks in IoT-enabled transport systems.

The Economic Impact of AI

Artificial intelligence is central to Dubai’s digital transformation efforts. The WEF report estimated that AI will contribute USD 320 billion to the UAE economy by 2030. In line with this, DESC issued a detailed study examining AI’s potential across various sectors in Dubai.

This study analyzed:

  • AI’s Economic Contributions: Estimating how AI can drive Dubai’s economic growth.

  • Ethical and Societal Considerations: Exploring the implications of widespread AI adoption.

  • Risk Mitigation: Identifying challenges and solutions for safe AI integration.

  • Stakeholder Collaboration: Promoting partnerships to enhance AI research and application.

These efforts are part of a broader vision to position Dubai as a global hub for AI research, development, and implementation.

Global Partnerships and Regulatory Frameworks

DESC has also been instrumental in establishing partnerships with public and private stakeholders at both local and international levels. By collaborating with research institutions and global technology leaders, Dubai is developing regulatory frameworks to safely integrate cutting-edge technologies.

These partnerships are crucial in fostering an environment where innovation can thrive without compromising security. Policies such as the Dubai AI Security Policy and the autonomous vehicle security standards reflect the city’s commitment to balancing innovation with cybersecurity.

Building a Resilient Digital Infrastructure

Dubai’s success in integrating new technologies is rooted in its digital infrastructure and forward-looking strategies. The Dubai Cyber Security Strategy serves as a guiding framework for ensuring the resilience and reliability of digital systems.

By focusing on key areas like secure IoT adoption, AI governance, and blockchain implementation, DESC is driving Dubai’s vision of a smart and secure city. These efforts are complemented by national initiatives such as the UAE’s investments in advanced communication technologies like 5G and quantum computing.

The Future of Cyber Resilience in Dubai

Dubai’s approach to cybersecurity offers valuable lessons for other cities and nations seeking to embrace emerging technologies. With DESC leading the charge, Dubai is not only addressing present-day challenges but also preparing for future risks associated with digital transformation. Its comprehensive strategies and global collaborations ensure that innovation is securely integrated into all aspects of life.

References: https://www.desc.gov.ae/world-economic-forum-study-highlights-descs-innovative-efforts-in-securing-emerging-technologies/

The post DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Releases Updated TIC 3.0 Security Capabilities Catalog (SCC) Version 3.2

/in

TIC 3.0

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has published the updated version of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2. This new release incorporates essential updates based on the latest National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 2.0, ensuring that TIC continues to adapt to modern technologies.

The SCC provides a comprehensive set of deployable security controls, capabilities, and best practices to assist federal agencies in implementing secure network environments. With this update, the catalog enhances the guidance for the secure implementation of technology solutions and ensures agencies remain compliant with cybersecurity standards.

The TIC 3.0 SCC serves as a foundational guide for federal agencies, enabling them to meet stringent security requirements across various computing environments. It offers a thorough catalog of security capabilities designed to protect federal information and mitigate cyber risks. By leveraging the latest NIST CSF mappings, the catalog helps agencies strengthen their cybersecurity postures through a series of strategic and technical security measures.

One of the important aspects of the TIC 3.0 SCC Version 3.2 is its alignment with the NIST CSF, which is structured around the core functions of Govern, Identify, Protect, Detect, Respond, and Recover. This mapping ensures that the security controls and capabilities within the catalog are aligned with best practices in risk management, incident detection, and threat response.

The Role of the Security Capabilities Catalog

The SCC is an important resource that assists agencies in applying best practices and risk management principles to protect information in various computing scenarios. This includes guidance for different networking environments, such as cloud, mobile, and traditional on-premises infrastructure. As the federal government continues to transition to more decentralized and cloud-based environments, the TIC 3.0 SCC helps agencies ensure that they maintain security measures across their entire IT ecosystem.

Agencies are encouraged to apply guidance within the SCC to identify potential risks and implement compensating controls when necessary. These controls address potential gaps or residual risks that might remain after deploying the recommended security capabilities. Additionally, CISA emphasizes the importance of collaborating with vendors to ensure that security solutions are adequately implemented, configured, and maintained. This collaboration ensures that agencies can fulfill security requirements and remain protected.

Security Objectives of Security Capabilities Catalog TIC 3.0

The TIC program outlines a set of security objectives aimed at mitigating risks and securing federal data as it moves through various trust zones. As federal agencies increasingly leverage cloud and mobile services, TIC’s security objectives are designed to provide consistent and scalable protections regardless of where the data resides or how it is transmitted.

The objectives of TIC 3.0 include:

  1. Manage Traffic: This objective focuses on observing and filtering data connections to ensure they align with authorized activities. It also applies the principle of least privilege and default-deny policies.

  2. Protect Traffic Confidentiality: This ensures that only authorized parties can access data in transit, protecting the confidentiality of sensitive government communications.

  3. Protect Traffic Integrity: The integrity of data during transmission is critical to prevent and detect any alterations that could indicate a cyberattack or data breach.

  4. Ensure Service Resiliency: With cyber threats constantly evolving, the ability to ensure the continuous operation of critical services and applications is a central focus of TIC 3.0.

  5. Ensure Effective Response: This objective encourages agencies to establish processes for timely responses to cybersecurity incidents, with a focus on adapting security policies as new threats emerge.

These objectives are designed to align with the functions of the NIST Cybersecurity Framework, ensuring that TIC 3.0 offers a comprehensive approach to securing federal networks.

Universal and PEP Security Capabilities

The SCC is divided into two main sections: Universal Security Capabilities and PEP (Policy Enforcement Point) Security Capabilities. These capabilities are critical in securing federal networks and ensuring agencies can manage cybersecurity risks efficiently.

Universal Security Capabilities

Universal security capabilities are high-level principles that are applicable to all federal agencies, irrespective of their individual use cases. These capabilities help agencies implement broad cybersecurity measures that apply to enterprise-level risks. Some of the key universal security capabilities include:

  • Backup and Recovery: Ensures data and configurations are backed up and can be quickly restored after an incident, failure, or corruption.

  • Central Log Management with Analysis: This function collects, stores, and analyzes telemetry to support security analysis and detect malicious activity.

  • Incident Response Planning and Handling: Helps agencies prepare for and respond to cyberattacks, ensuring that recovery and detection measures are in place.

  • Least Privilege: Grants minimum resources and authorizations necessary for entities to perform their functions, reducing exposure to potential threats.

  • Patch Management: Identifies, acquires, installs, and verifies patches to secure systems from known vulnerabilities.

These capabilities are mapped to the NIST CSF, providing a comprehensive set of actions for each area. This ensures that agencies can implement the appropriate security measures based on the severity of the risk.

PEP Security Capabilities

The PEP capabilities focus on specific technical implementations and are more granular in nature. These capabilities support the TIC 3.0 security objectives and are aligned with Zero Trust Architectures. For example, the following PEP security capabilities are critical in network environments:

  • Anti-malware: Detects and quarantines malicious code that could compromise the integrity of the network.

  • Network Segmentation: Divides networks to reduce attack surfaces and limit the potential spread of cyber threats.

  • Multi-factor Authentication: Adds an additional layer of authentication, ensuring that only authorized users gain access to sensitive data.

These PEP capabilities can be adapted depending on the agency’s specific requirements, such as the use of cloud, email, web, or network security solutions.

Conclusion

As cybersecurity threats become increasingly sophisticated, the TIC 3.0 SCC will continue to adapt to new changes. The document is periodically updated to reflect new security practices and technologies. Agencies are encouraged to actively engage with CISA and vendors to ensure that their implementations remain effective.

The TIC 3.0 SCC version 3.2 is a crucial update in protecting federal networks. As agencies adopt more complex computing environments, the need for new and upgraded security measures like the Security Capabilities Catalog, Trusted Internet Connections, and TIC frameworks grows. This updated catalog equips agencies with the tools to understand these challenges, ensuring the protection of sensitive information while maintaining secure operations.

References

The post CISA Releases Updated TIC 3.0 Security Capabilities Catalog (SCC) Version 3.2 appeared first on Cyble.

Blog – Cyble – ​Read More

Release Notes: MITRE ATT&CK Matrix with Samples, Upgraded Automated Interactivity, Expanded Threat Coverage, and More

/in

Welcome to ANY.RUN’s monthly updates, where we give you all the details on our latest features and enhancements. 

November has been a month of innovation at ANY.RUN, with major upgrades. We’ve launched Smart Content Analysis as part of Automated Interactivity, updated the home screen of TI Lookup featuring an interactive MITRE ATT&CK matrix connected with real-world samples, and expanded our detection capabilities with new YARA rules, signatures, and Suricata rules for even more comprehensive threat coverage. 

Here’s everything you need to know about our November updates! 

Product Updates 

Automated Interactivity: Stage 2 

Enabling Automated Interactivity inside ANY.RUN sandbox

Last year, we introduced Automated Interactivity, a feature that simulates user behavior inside the ANY.RUN sandbox to automatically trigger cyberattacks. It was a game-changer, helping analysts streamline tasks like clicking buttons or solving CAPTCHA challenges. 

Now, we’re thrilled to unveil Stage 2 of this feature: Smart Content Analysis, a major upgrade that offers better detection and execution of complex threats. 

This update makes your security workflow more efficient by enhancing detection capabilities, automating time-consuming tasks, and simplifying complex analyses. It saves analysts valuable time, provides deeper insights, and helps teams respond to threats faster and more effectively. 

What is Smart Content Analysis? 

Smart Content Analysis enhances Automated Interactivity by analyzing and detonating malware and phishing attacks at every step of the kill chain. Here’s how it works: 

  • Identifying content: It scans for URLs, email attachments, or hidden malicious components. 
  • Extracting key data: This includes extracting URLs from QR codes or bypassing rewritten links from security filters. 
  • Simulating actions: It interacts with extracted content, such as opening links, solving CAPTCHA challenges, or launching payloads. 
ANY.RUN sandbox automatically solving CAPTCHA problems

Automated Interactivity is available to Hunter and Enterprise-plan users and can be manually enabled in any sandbox session.  

Black Friday 2024: Get up to 3 sandbox licenses for free 



See details


MITRE ATT&CK Techniques with Real-World Samples inside TI Lookup 

We’re thrilled to announce a major update to TI Lookup, now featuring a redesigned home screen integrated with the MITRE ATT&CK matrix. This upgrade turns the matrix into an interactive tool, bridging the gap between theoretical frameworks and practical, real-world threat analysis. 

What’s new? 

Updated home screen of TI Lookup featuring MITRE ATT&CK matrix
  • Interactive MITRE ATT&CK matrix: All techniques and tactics are now neatly organized in a functional, actionable layout. 
Filtering options for MITRE ATT&CK techniques
  • Filtering options: Prioritize techniques by risk level—red for high risk, yellow for moderate, and blue for less urgent. 
Tactics, techniques and procedures of phishing (T1566)
  • Real-world sample connections: Click on any technique to see related malware samples and how they behave in real attacks. 

Best of all, this feature is completely free and available to everyone right now. Dive into the MITRE ATT&CK matrix on TI Lookup and start exploring it today! 

Black Friday 2024:
Double your search requests in TI Lookup for free 



See details


Threat Coverage Update 

Enhanced Network Threat Detection 

In November, we expanded our Suricata rule collection with an additional 7,206 rules, significantly enhancing network threat detection.  

The new rules were added using domains derived directly from Public submissions, supplemented by data from TI Lookup and advanced processing logic.  

Key highlights: 

  • Focus on threat group activity: We continue to monitor the operations of major threat groups and phishing kits, leveraging this information to enhance detection capabilities. 
  • Community engagement: Regular updates and insights into phishing threats are shared through our dedicated weekly post on X, helping you stay informed about the latest developments in the phishing and malware attacks. 

Recent Updates in Suricata Rules 

Our latest Suricata updates have focused on enhancing detection accuracy for phishing campaigns and domain-related threats. Here are some examples of the recent additions: 

MassBass phishing campaign detection– A massive phishing attack that we named MassBass, has been identified and tagged in our Suricata rules: 

TI Lookup: Search MassBass-related rules and insights here 

CrossDomain rules detection– These Suricata rules for domains were created using data from public submissions and include “CrossDomain” in their rule names. 

TI Lookup: You can explore CrossDomain-related activity and insights using our TI Lookup tool: 
Search CrossDomain 

New Signatures 

This month, we’ve added a total of 56 new signatures to enhance our detection capabilities, covering a wide range of malicious behaviors and threats. 

  • Office/archive exploit: Detection of deliberately damaged files exploiting the self-repair mechanism. 
  • Kms tool: Identification of unauthorized kms activation tools. 
  • Torvil mutex: Discovery of torvil-related mutex activity. 
  • Cve-2024-43451: a critical vulnerability (example session). 
  • Untrusted certificate execution: alerting on files executed with untrusted certificates. 
  • Silentkill: a sophisticated malware strain identified. 
  • Rhysida: a ransomware strain (example session). 
  • Secretsdump: detection of credential-stealing activity. 
  • Gumen: a unique malware variant (example session). 
  • Badrabbit: identification of the infamous ransomware. 
  • Ateraagent: detection of unauthorized agent installations (example session). 
  • Lunam and Luna: discovery of related malware strains (example session). 
  • Behavioral detection of attempts to establish rdp connections using configuration files extracted from outlook emails. 
  • Identification of conti-based ransomware, formbook, and xworm
  • Detection of expresszip malware (example session). 

Browser extension module

A new signature module for browser extensions was introduced, enabling in-depth content analysis of web pages. Besides, the following signatures were added: 

  • Obfuscated JavaScript. 
  • Fake Microsoft authentication pages. 
  • Email addresses embedded in URLs. 
  • Phishing kits such as Tycoon2fa and Mamba2fa

New YARA Rules  

This month, 9 new YARA rules were implemented, further enhancing our detection capabilities. Notable additions include: 

APT Detection Update 

This month, we’ve enhanced our detection capabilities against APT groups, specifically focusing on Lazarus and Rhysida. To address these threats, we’ve added 2 YARA rules and approximately 20 tailored signatures, ensuring more precise tracking and analysis of their activity. 

Get Your Black Friday Deals from ANY.RUN! 

Black Friday 2024 is here, and ANY.RUN has prepared exclusive time-limited offers to help you save big while enhancing your security workflow: 

  • Hunter Plan: Get two annual subscriptions for the price of one—perfect for individual researchers who want to collaborate. 
  • Enterprise Plan: Buy 5 licenses and get 2 free, or 10 licenses with 3 free plus a complimentary Threat Intelligence Lookup plan. Special renewal bonuses available! 
  • TI Lookup: Double your search requests with every subscription purchase. 

Offers will expire on December 8th, 11:59 PM PST. Don’t miss out: secure your deal today

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Explore all Black Friday 2024 offers →

The post Release Notes: MITRE ATT&CK Matrix with Samples, Upgraded Automated Interactivity, Expanded Threat Coverage, and More appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Attackers target sellers on message boards | Kaspersky official blog

/in

Large online marketplaces do what they can to combat fraud, but cybercriminals remain one step ahead when it comes to scamming both buyers and sellers. This year has seen the rise of an online video-call scam where fake buyers ask for a video-demo of a product, during which they swipe one-time codes. Here’s all about this scheme — in four acts.

Act one. Suspicion

A seller of a high-end product (say, a fancy TV) is approached by someone posing as a buyer who wants to pay and collect as quickly as possible. But there’s a catch: that someone requests a video-demo first. Most message boards don’t let you do this, and even if they do — the “buyer” will mysteriously have some issue at their end: “Strange, it’s not working, how about we use WhatsApp instead?” And so the conversation moves seamlessly to a messenger or other chat platform. The request to switch to WhatsApp, Telegram or whatever is a BIG red flag. On their own home turf, scammers have an easier job of luring you to a phishing site, because many message boards don’t allow sharing links in chats.

Act two. Certainty

The “buyer” asks the seller lots of questions about the product: where did they buy it, does it work ok, and, if so — why are they selling it? With each passing minute, this dialogue between strangers becomes all the more like a conversation between long-time buddies. The “buyer” seems keen and ready to fork out — the seller just needs to provide a card number for the transfer of funds and the deal is done: “What a pleasure doing business with this guy. He sure is trustworthy.” But here’s when the trap springs…

Act three. Discovery

Without even naming the screen-sharing feature, the “buyer” asks the seller to turn on screen-sharing in WhatsApp. If the seller complies, their banking app screen becomes visible to the scammers, who attempt to log in to the seller’s online bank account. At this point, the victim’s smartphone receives an unexpected text message with a one-time code. On most devices, the code is displayed in a pop-up message that the cybercriminals also get to see. And if the victim, still in screen-sharing mode, checks to see what message just arrived, the scammers don’t even need the pop-up — they get the code anyway!

Act four. Loss

Depending on what information the “buyer” had beforehand, and what access they gained to the victim’s bank account, they can either siphon off funds immediately, or, if the amount in the account is too large to transfer, switch to another scam involving a call from an “investigator” who promises to investigate the incident of fraudulent bank access and persuades the victim to transfer the money to “a safe account”. One way or another, the money disappears.

How to guard against message board scams

Bear in mind that message boards are often teeming with fake sellers and buyers. Sure, such accounts eventually get exposed and blocked after user complaints, but the perpetrators simply create or buy new ones. So we’ve made a list of tips to help you stay safe when buying or selling on any message board:

  • Chat with other buyers or sellers only within the platform. Never switch to a messenger app — even (or especially) if the other party really wants to. Outside the marketplace itself, scammers can slip you a phishing link to steal your account — or worse.
  • Use reliable protection on both your smartphone and computer, for example Kaspersky Premium.
  • Decline offers to use alternative delivery or money transfer services — opt for the platform’s native tools or accept payments in cash only.
  • Do not give anyone your phone number (and hide it in your marketplace profile) or card number.
  • Get yourself a virtual card with a limit on online payments.
  • Never give out one-time codes, because then even two-factor authentication won’t save your account.
  • Disable pop-up notifications and on-screen text messages.
  • Check the domain registration date before entering payment details on the site (see here for details of how to do this).

Kaspersky official blog – ​Read More

CISA Releases New List of Known Exploited Vulnerabilities, Urges Immediate Actions 

/in

Vulnerabilities

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has once again emphasized the critical importance of addressing IT vulnerabilities. This week, Cyble has reported multiple vulnerabilities across IT devices based on the findings published in the Known Exploited Vulnerabilities (KEVs) catalog.  

Among the most concerning vulnerabilities in the list are CVE-2024-11680, CVE-2024-23113, and CVE-2024-47575, as well as others like CVE-2024-10924, CVE-2023-50094, and CVE-2024-38077. The vulnerabilities included in this updated list, classified as Known Exploited Vulnerabilities (KEVs), pose online threats to both government and private sector organizations.  

These flaws are not just theoretical or potential risks; they have been actively exploited by threat actors, making it essential for organizations to take immediate action to patch or mitigate these weaknesses in their systems. The CISA’s KEV catalog highlights which vulnerabilities need to be addressed immediately to prevent cybercriminals from taking advantage of them. 

Major IT Vulnerabilities Listed in the Known Exploited Vulnerabilities Catalog 

Among the most urgent vulnerabilities is CVE-2024-11680, which affects the popular network management software used by many large organizations. This vulnerability, if left unaddressed, can allow attackers to remotely execute arbitrary code, enabling them to gain unauthorized access to sensitive data or disrupt business operations.  

  • CVE-2024-23113 is another severe IT vulnerability listed by CISA. This flaw is tied to a specific version of a widely deployed application, leaving it susceptible to exploitation through specially crafted requests that could allow an attacker to gain control over an affected system. The widespread use of this application in various industries—from finance to healthcare—means that the ramifications of an exploit could be catastrophic if left unpatched. 

  • CVE-2024-47575, a vulnerability in yet another popular software package, has been flagged as critical by both CISA and security experts. Attackers can exploit this flaw to escalate their privileges, potentially taking control of a system and bypassing normal security mechanisms. Such an escalation could result in the compromise of sensitive data or the deployment of ransomware, making this a particularly malicious vulnerability. 

Other Vulnerabilities on the Radar 

In addition to the three high-priority vulnerabilities, CISA’s latest KEV catalog also includes other notable IT vulnerabilities, such as CVE-2024-10924, CVE-2023-50094, and CVE-2024-38077. While these flaws may not be as widely exploited as the previous ones, they still pose serious risks and require immediate attention. 

  • CVE-2024-10924, for example, is a vulnerability in a widely used version of open-source software that could allow remote code execution. If exploited, attackers could bypass security controls and access systems that are critical to both business and governmental functions. 

  • CVE-2023-50094 is related to a flaw in a popular content management system, which could allow attackers to execute arbitrary code remotely. As businesses and organizations increasingly rely on digital platforms to manage content, vulnerabilities like this one could open the door to a range of cyberattacks, from data breaches to full system takeovers. 

  • CVE-2024-38077 impacts a specific configuration of a widely used database management system. Though not as severe as some of the other vulnerabilities, it can still lead to data corruption or unauthorized access if exploited. 

Mitigations and Recommendations 

Organizations can protect themselves from these vulnerabilities by implementing a range of security measures. Some of these measures include:  

  • Regularly update software and hardware with the latest patches from official vendors and apply critical patches immediately. 

  • Develop a patch management strategy, including inventory management, testing, deployment, and automation for efficiency. 

  • Segment the network to isolate critical assets, using firewalls, VLANs, and access controls to reduce exposure. 

  • Create and maintain an incident response plan, regularly testing and updating it to address current threats. 

  • Implement monitoring and logging systems, such as SIEM, for real-time threat detection and analysis. 

  • Subscribe to security alerts from official sources and conduct regular VAPT exercises to identify and fix vulnerabilities. 

Conclusion 

The publication of new Known Exploited Vulnerabilities (KEVs) by CISA serves as a vital resource in the fight against cybercrime. The vulnerabilities highlighted in the latest list, including CVE-2024-11680, CVE-2024-23113, and CVE-2024-47575, require immediate attention. The inclusion of these flaws highlights the importance of being proactive in identifying and addressing IT vulnerabilities before they can be exploited by attackers. 

The post CISA Releases New List of Known Exploited Vulnerabilities, Urges Immediate Actions  appeared first on Cyble.

Blog – Cyble – ​Read More

Malaysia’s Fight Against Cybercrime: Two New Bills Tabled in Parliament 

/in

Vulnerabilities

Overview 

The Madani Government has taken a significant step toward ensuring online safety by tabling two crucial bills in the Dewan Rakyat on Monday. This development marks a pivotal moment in Malaysia’s efforts to combat cybercrime and modernize outdated cyber laws that were enacted nearly three decades ago. 

Communications Minister Fahmi Fadzil tabled the Communications and Multimedia (Amendment) Bill 2024 and the Malaysian Communications and Multimedia Commission (Amendment) Bill 2024 for their first reading in Parliament.  

These legislative changes highlight the government’s determination to strengthen Malaysia’s legal framework against cybercrime while promoting a safer digital environment for its citizens. 

Why these new Bills are necessary 

The internet has evolved dramatically over the past 26 years, bringing both incredible opportunities and risks. As cyber threats become more advanced, outdated laws struggle to provide adequate protection for users, businesses, and institutions.  

From online scams and fraudulent activities to harassment and the misuse of personal data, the need for strong cyber laws has never been more pressing. The tabling of these two bills comes in response to rising online threats and the necessity to adapt Malaysia’s legal framework to the realities of today’s digital age.  

Minister Fahmi emphasized that these amendments aim to close gaps in existing legislation, ensuring that Malaysia stays ahead in its fight against cybercrime. 

Key Provisions in the Communications and Multimedia (Amendment) Bill 2024 

The Communications and Multimedia (Amendment) Bill 2024 focuses on updating Act 588 to address new challenges in the digital realm. Below are the significant proposed changes: 

  1. Expanded Definition of Harassment and Fraud 

  • Subsection 233(1) will now include the phrase “harass or commit an offense involving fraud or dishonesty against any person”, broadening the scope of punishable offenses under the act. 

  • This change ensures that fraudulent online activities, in addition to harassment, are explicitly covered under the law. 

  1. Prohibition of Unsolicited Commercial Messages 

  • Clause 92 introduces a new Section 233a, which prohibits the sending of unsolicited commercial electronic messages. 

  • This measure aims to combat spam and phishing schemes, which often serve as gateways for more serious cybercrimes. 

  1. Disclosure of Communications Data 

  • Clause 112 introduces Section 252b, empowering police or authorized officers to compel the disclosure of communications data from individuals in control of a communications system. 

  • This change seeks to enhance law enforcement’s ability to investigate and respond to cybercrimes swiftly. 

Key Provisions in the Malaysian Communications and Multimedia Commission (Amendment) Bill 2024 

The Malaysian Communications and Multimedia Commission (MCMC) (Amendment) Bill 2024, meanwhile, focuses on strengthening the capabilities and functions of the MCMC under Act 589. Notable amendments include: 

  1. Expansion of MCMC’s Functions 

  • Clause 5 proposes an amendment to Section 16, enabling the MCMC to review and audit information provided by licensees. 

  • This includes auditing the activities of licensees or service providers as determined by the commission, ensuring better oversight and accountability. 

  1. New Definitions 

  • Clause 2 amends Section 3 to introduce new definitions for “chief executive officer” and “communications system” while also refining the definition of “chairman.” 

  • These updates provide clearer guidelines for roles and responsibilities within the MCMC. 

  1. Increased Contract Value Limit 

  • Clause 13 proposes an amendment to Section 45, raising the contract value limit the commission can enter without ministerial or financial concurrence from RM5 million to RM10 million. 

  • This change is expected to streamline administrative processes and enhance the MCMC’s operational efficiency. 

Implications of these Bills 

The amendments to these two critical acts represent a comprehensive approach to tackling cybercrime. Key implications include: 

  • Enhanced Legal Protections: The laws provide stronger safeguards for individuals and businesses by explicitly addressing harassment, fraud, and spam. 

  • Modernized Oversight: Changes to the MCMC’s functions and financial thresholds will enable the commission to better regulate and oversee the telecommunications and multimedia sectors. 

However, some of these changes, particularly the expanded search powers, may raise concerns about privacy and potential misuse of authority. Balancing security and personal freedoms will be crucial as the bills are debated. 

A Critical Moment for Cybersecurity in Malaysia 

Minister Fahmi Fadzil expressed optimism that these amendments will be passed during the current parliamentary session, which concludes on December 12.  

While the journey toward a safer online environment is far from over, these bills lay a strong foundation for future advancements in Malaysia’s cybersecurity landscape. As debates ensue in Parliament, the hope is that these laws will strike a balance between strong enforcement and the protection of individual rights, paving the way for a secure and prosperous digital future. 

Source:

https://mcmc.gov.my/skmmgovmy/media/General/pdf2/NEAP-Amendment-Notice-No-1-of-2024.pdf 
https://theedgemalaysia.com/node/736203
https://theedgemalaysia.com/node/736160

The post Malaysia’s Fight Against Cybercrime: Two New Bills Tabled in Parliament  appeared first on Cyble.

Blog – Cyble – ​Read More

New Report Highlights Critical Cybersecurity Challenges Facing the U.S.

/in

U.S

The U.S. has never faced a more challenging time for cybersecurity, with critical infrastructure under siege, nation-state threat actors emboldened, and a new Presidential Administration that could usher in policy changes and a possible government restructuring.

A new Cyble report highlights the cyber threats and challenges facing the U.S., offering critical insights into the biggest threats that organizations must grapple with. The report examines the top threats, threat actors, and attack targets; hacktivism trends; more than 50 actively exploited IT and ICS vulnerabilities; Dark Web and cybercrime trends; and recommendations for security teams.

Major U.S. Cyber Challenges

The challenges that will help define the U.S. cybersecurity direction in the coming months include:

Disinformation: Efforts to influence the U.S. election escalated significantly in the final weeks of the campaign. The main foreign actors involved in influence campaigns—notably Russia, China, and Iran—will likely continue to try to influence U.S. policy and discourse.

The Future of CISA: The Republican “Project 2025” agenda includes proposals to reorganize the top U.S. cybersecurity agency and its responsibilities at a time when critical infrastructure is facing significant challenges.

Nation-State Threats: Concern about foreign adversaries escalated when China-linked threat actors successfully infiltrated U.S. telecom systems to access wiretap data and the phone data of top U.S. officials. As China is believed to have significantly infiltrated critical infrastructure in the U.S. and elsewhere, national cyber agencies must do more to detect and remove these threats.

AI in Social Engineering: The proliferation of AI technology is enhancing the effectiveness of social engineering attacks, enabling more personalized and convincing tactics that have scammed average citizens as well as multi-national corporations. To help combat this rising threat, Cyble has added AI deepfake detection and takedown services to its threat intelligence suite.

Dark Web and Cybercrime: Dark Web activity remains a major threat, as exploits are under discussion on cybercrime forums within hours after vulnerabilities are publicly revealed, and zero-day vulnerabilities can frequently be found for sale on these forums.

Healthcare and OT/ICS environments: Threat actors continue to heavily target healthcare and critical infrastructure, with Manufacturing, Energy, Oil and Gas, and Building Automation being the leading attack targets detected by Cyble.

Ransomware: The U.S. is by far the biggest ransomware target, and data exfiltration is increasingly a goal of ransomware groups.

Infostealers continue to grow in frequency and sophistication, threatening the accounts and credentials of both enterprises and consumers.

Most Active Threat Groups and Ransomware Targets

Cyble detected four of the most active threat groups in October: ransomware groups. RansomHub was the top threat actor, followed by DragonForce, Lockbit, and Storm-0501. An APT group, UNC5812, rounded out the top five.

According to Cyble data, the U.S. remains the biggest ransomware target, with October attack volumes 10 times higher than in any other country (chart below).

Healthcare is being increasingly targeted by ransomware groups, and the effects on patient care are predictably dire. Texas Tech Health Sciences Center, Aspen Healthcare Services, and Boston Children’s Health Physicians were among the bigger ransomware targets in October.

The full report examines more than 30 threat groups, more than 50 IT and ICS vulnerabilities, and 52 malware families. The top malware families observed by Cyble in October were:

  • Hydra

  • Lynx

  • Nitro

  • RansomHub

  • Rhysida

  • Hellcat Ransomware

  • Cactus

  • Everest

  • Medusa

  • Interlock

Hacktivism Trends

Hacktivism remained significantly active heading into the election, both in the U.S. and elsewhere. Israel and Palestinian concerns were by far the most dominant – and played a surprisingly pivotal role in the U.S. election in some states, most notably in Michigan and Wisconsin.

Some of the most active hacktivist groups in October included:

  • XYZ/Alpha Wolf

  • Key Group

  • NoName

  • Cyber Operation Alliance

  • Anon Black Flag

Dark Web and Cybercrime Activity

The dark web has become a democratizing force in cybercrime, giving less experienced threat actors and hacktivists access to more sophisticated exploits, leaked files, credentials, stolen credit cards, compromised endpoints, and more.

Cyble dark web researchers typically see ten or more vulnerability exploits discussed each week on cybercrime forums, many of which have available Proof of Concept (PoC) exploits that can be easily deployed.

Cyble’s AI-powered threat intelligence tool detected 1.5 million data exposures, 48,000 compromised endpoints, and 178,000 leaked credentials in October, all readily available for a price.

The report also looked at 34 IT and 20 ICS vulnerabilities targeted by attackers, many of which were discussed on dark web forums. Network devices are frequently a starting point for cyberattacks, but the list touches a wide range of systems that hackers use to move laterally, elevate privileges, and establish persistence.

Cyble Recommendations

The threat landscape may appear overwhelming at times, but good cybersecurity practices performed regularly can do much to reduce your attack surface. Patching, network segmentation, air-gapped backups, monitoring and logging, vulnerability assessments, and a strong incident response plan are all essential practices that take time but don’t necessarily carry a high price tag. Cyble can help with cost-effective vulnerability intelligence and scanning services targeted to individual environments.

The post New Report Highlights Critical Cybersecurity Challenges Facing the U.S. appeared first on Cyble.

Blog – Cyble – ​Read More

Combatting Counterfeit Goods in E-Commerce with Cyble Brand Protection Strategies

/in

Counterfeit

Overview

The rapid growth of e-commerce has revolutionized the way consumers shop, with global e-commerce revenues expected to exceed $6 trillion in 2024. However, this surge in online transactions has also created fertile ground for counterfeit goods, with fraudulent sellers exploiting online platforms to deceive shoppers and tarnish brand reputations.

The problem intensifies during peak shopping periods like Black Friday and Cyber Monday, where high online traffic increases opportunities for counterfeiters to take advantage of consumer demand for discounted products. Cyble’s latest report examines the current state of counterfeit threats in e-commerce, the challenges brands face in detecting and responding to these threats, and the best practices companies can adopt to protect themselves.

Counterfeit goods pose a threat to both consumers and brands, causing financial and reputational damage. According to estimates, counterfeit goods accounted for $500 billion in global trade in 2023, equating to 3.3% of world trade. In addition to harming consumer trust, counterfeit goods cost companies an average of $3.8 billion annually. Small businesses, which often lack the resources to monitor and fight counterfeiting effectively, are especially vulnerable.

The generality of counterfeit goods has become a critical concern in the e-commerce industry. This issue has grown more complex with the rise of online marketplaces such as Amazon, eBay, and Alibaba, where sellers can set up accounts with minimal verification. During high-volume shopping events, counterfeiters intensify their activities, taking advantage of the surge in consumer interest and the pressure on platforms to process transactions quickly.

Key Drivers of the Counterfeit Goods Market

Several factors contribute to the rapid proliferation of counterfeit goods in the digital marketplace. One of the primary reasons is the ease of entry for sellers on e-commerce platforms. Many online marketplaces have minimal barriers to setting up seller accounts, which allows counterfeiters to quickly create profiles and list fake products.

These counterfeit listings can often go unnoticed for extended periods, giving fraudsters ample time to profit before their activities are discovered. The lack of stringent vetting and seller monitoring also allows counterfeiters to operate with relative impunity, further encouraging their presence in the marketplace.

Another key factor enabling the growth of counterfeit goods is anonymity. Counterfeiters often exploit weak identity verification processes and poorly regulated seller protocols on e-commerce platforms, making it difficult to trace their operations. These sellers can easily mask their identities and operate under false information, preventing authorities and brands from taking action.

The growing demand for branded goods, particularly during sales events like Black Friday, also fuels the counterfeit market. Consumers are increasingly drawn to deals on high-demand items, and the temptation of discounted prices can cloud judgment, making them more susceptible to purchasing counterfeit goods unknowingly. Counterfeiters capitalize on this demand by offering fake products that closely resemble legitimate branded items, often priced much lower than the original, which makes it difficult for buyers to spot the difference.

As counterfeit products become more sophisticated, distinguishing them from legitimate goods becomes even more difficult. Counterfeiters commonly use high-quality replicas, fraudulent packaging, and deceptive marketing tactics. These items often appear to be of the same quality as their authentic counterparts, making it even harder for consumers to recognize they’ve been deceived until it’s too late.

The combination of these factors—easy access, anonymity, heightened demand, and increasing product sophistication—creates a perfect storm that allows counterfeit goods to flourish, particularly during peak shopping periods like Black Friday when online traffic and consumer activity surge.

The Financial and Reputational Toll on Brands

Counterfeit goods have economic consequences. The OECD estimates that counterfeit imports into the UK were worth $8.95 billion in 2021. This leads to a direct revenue loss, as counterfeit goods account for 3% of total sales in some sectors, such as luxury goods and electronics. Small businesses, in particular, face the brunt of these losses, as they lack the resources to monitor and combat counterfeiting effectively.

In addition to the financial toll, counterfeit products severely damage brand reputation. Consumers who unknowingly purchase fake goods may associate the substandard experience with the original brand, undermining trust. Furthermore, counterfeit goods can lead to consumer health risks, especially in sectors like pharmaceuticals and health products. The presence of counterfeit goods in fast-moving consumer goods (FMCG), including food and cosmetics, further exacerbates the problem, raising concerns about safety.

E-Commerce Platforms: Key Players in the Fight Against Counterfeiting

Major online marketplaces have recognized the growing threat of counterfeit goods and are increasingly investing in advanced technologies to prevent their proliferation. For example, Amazon has reported blocking over 8 million suspected counterfeit listings in 2024 alone. Cyble’s artificial intelligence-based solutions are invaluable in assisting e-commerce platforms to detect and prevent counterfeit activity during peak shopping events like Black Friday, where fraudulent listings are more likely to surface.

Additionally, platforms like Amazon and eBay have launched brand protection programs such as Amazon’s “Brand Registry” and eBay’s “Verified Rights Owner (VeRO) Program.” These tools allow brands to report and remove counterfeit listings more efficiently. However, detection alone is not enough. Brands must take proactive steps to protect their intellectual property and protect their consumers.

The Role of Technology in Counterfeit Detection and Prevention

Cutting-edge technologies enabling brands to track, authenticate, and remove fake products from online marketplaces are strengthening the fight against counterfeit goods in e-commerce.

  1. Digital Watermarking and Serialization: Brands use unique codes or invisible markers embedded in product packaging to allow consumers and platforms to verify the authenticity of the products. Even if counterfeiters replicate the packaging, these markers can help detect fake goods.

  2. Artificial Intelligence (AI) and Machine Learning: AI algorithms can analyze seller profiles, product descriptions, and reviews to identify suspicious activity. Cyble leverages AI-based solutions to track and authenticate items in real-time, making it easier for brands to monitor listings during busy shopping periods like Black Friday.

  3. Blockchain: This technology offers a tamper-proof system to track product authenticity across the supply chain. By recording every transaction, blockchain creates an immutable trail that verifies the product’s origin, providing greater transparency for brands and consumers.

  4. Image Recognition Tools: These tools scan e-commerce platforms for duplicate images or unauthorized use of brand logos. During peak sales events like Black Friday, counterfeiters often reuse product images to mislead buyers, making image recognition a critical tool for detecting fake listings.

  5. Consumer Empowerment Apps: Brands can deploy apps that allow consumers to verify product authenticity using QR codes or barcodes. Empowering shoppers with tools to check for counterfeit products is an effective way to combat the issue during high-traffic shopping events.

Legal and Policy Measures to Combat Counterfeiting

Alongside technological advancements, legal frameworks are evolving to address the counterfeit threat. For example, the SHOP SAFE Act, reintroduced to Congress in September 2023, aims to hold e-commerce platforms accountable for the sale of counterfeit goods.

The act incentivizes platforms to vet sellers more thoroughly and implement stricter measures to prevent counterfeit products from reaching consumers. In addition, the INFORM Consumers Act passed in June 2023, increases transparency for third-party sellers on e-commerce platforms.

This legislation aims to reduce the prevalence of counterfeit goods and stolen products by enforcing stricter seller identification processes.

Cyble’s Role in Brand Protection

To tackle the growing problem of counterfeit goods, Cyble’s Brand Intelligence services offer a comprehensive suite of tools designed to help businesses monitor and protect their brands from online threats. Cybersecurity solutions like Cyble Vision and Cyble Hawk are particularly effective in identifying and mitigating counterfeit activity during high-risk periods.

Cyble’s Brand Intelligence services include:

  • Social Media Monitoring: Detect unauthorized use of your brand and counterfeit product listings on platforms like Facebook, Instagram, and Twitter, with real-time alerts to help brands respond quickly.

  • Mobile Application Monitoring: Identify counterfeit or malicious apps impersonating your brand on major app stores, protecting your reputation and maintaining customer trust.

  • Phishing Domains: Protect your customers and brand identity by detecting and mitigating phishing domains that mimic your official website.

  • Watchlisted and Suspicious Domains: Continuously track domains linked to counterfeit activities, ensuring constant monitoring of potential threats to your brand.

  • Website Monitoring: Monitor your official website to prevent unauthorized changes, malicious activities, or cloning attempts that could damage your brand’s credibility.

  • Website Watermarking: Enhance security by adding unique watermarks to your website content, preventing unauthorized copying or cloning.

  • Takedown Tracker: This tool simplifies the process of reporting and removing counterfeit listings or domains. It provides real-time updates on takedown request statuses for greater transparency and efficiency.

Cyble’s brand monitoring capabilities provide real-time alerts and data-driven insights that help brands respond effectively to counterfeit threats. By leveraging Cyble’s comprehensive monitoring services, brands can protect their reputation, prevent revenue loss, and ensure that consumers are not deceived by counterfeit products.

The post Combatting Counterfeit Goods in E-Commerce with Cyble Brand Protection Strategies appeared first on Cyble.

Blog – Cyble – ​Read More