FBI warns about scams that lure you in as a mobile beta-tester
Apps on your iPhone must come from the App Store. Except when they don’t… we explain what to look out for.
Naked Security – Sophos News – Read More
The rise of tap-to-pay and chip-and-PIN hasn’t rid the world of ATM card skimming criminals…
To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.
The rapid development of AI, international tensions, and the proliferation of “smart” technologies like the internet of things (IoT) make the upcoming year particularly challenging in terms of cybersecurity. Each of us will face these challenges in one way or another, so, as per tradition, we’re here to help all our readers make a few New Year’s resolutions for a more secure 2024.
E-commerce and financial technologies continue to expand globally, and successful technologies are being adopted in new regions. Instant electronic payments between individuals have become much more widespread. And, of course, criminals are devising new ways to swindle you out of your money. This involves not only fraud using instant money-transfer systems, but also advanced techniques for stealing payment data on e-commerce sites and online stores. The latest generations of web skimmers installed by hackers on legitimate online shopping sites are almost impossible to perceive, and victims only learn that their data has been stolen when an unauthorized charge appears on their card.
Link your bank cards to Apple Pay, Google Pay, or other similar payment systems available in your country. This is not only convenient, but also reduces the likelihood of data theft when making purchases in stores.
Use such systems to make payments on websites whenever possible. There’s no need to enter your bank card details afresh on every new website.
Protect your smartphones and computers with a comprehensive security system like Kaspersky Premium. This will help protect your money, for example, from a nasty new attack in which the recipient’s details are replaced at the moment of making an instant money transfer in a banking app.
Use virtual or one-time cards for online payments if your bank supports this option. If a virtual card can be quickly reissued in the app, change it regularly — for example, once a month. Or use special services to ‘mask’ cards, generating one-time payment details for each payment session. There are many of these for different countries and payment systems.
Generative artificial intelligence has dominated the news throughout 2023 and has already significantly affected the job market. Unfortunately, it’s also been used for malicious purposes. Now, just about anyone can create fake texts, photos, and videos in a matter of minutes — a labor that previously required a lot of time and skill. This has already had a noticeable impact on at least two areas of cybersecurity.
First, there’s the appearance of fake images, audio, and video on news channels and social media. In 2023, generated images were used for propaganda purposes during geopolitical conflicts in post-Soviet countries and the Middle East. They were also used successfully by fraudsters for various instances of fake fundraising. Moreover, towards the end of the year, our experts discovered massive “investment” campaigns in which the use of deepfakes reached a whole new level: now we’re seeing news reports and articles on popular channels about famous businessmen and heads of state encouraging users to invest in certain projects — all fake, of course.
Second, AI has made it much easier to generate phishing emails, social media posts, and fraudulent websites. For many years, such scams could be identified by sloppy language and numerous typos, because the scammers didn’t have the time to write and proofread them properly. But now, with WormGPT and other language models optimized for hackers, attackers can create far more convincing and varied bait on an industrial scale. What’s more, experts fear that scammers will start using these same multilingual AI models to create convincing phishing material in languages and regions that have rarely been targeted for such purposes before.
Be highly critical of any emotionally provocative content you encounter on social media — especially from people you don’t know personally. Make it a habit to always verify the facts on reputable news channels and expert websites.
Don’t transfer money to any kind of charity fundraiser or campaign without conducting a thorough background check of the recipient first. Remember, generating heart-breaking stories and images is literally as easy as pushing a button these days.
Install phishing and scam protection on all your devices, and enable all options that check links, websites, emails, and attachments. This will reduce the risk of clicking on phishing links or visiting fraudulent websites.
Activate banner ad protection — both Kaspersky Plus and Kaspersky Premium have this feature, as do a number of browsers. Malicious advertising is another trend for 2023-2024.
Some experts anticipate the emergence of AI-generated content analysis and labeling systems in 2024. However, don’t expect them to be implemented quickly or universally, or be completely reliable. Even if such solutions do emerge, always double-check any information with trusted sources.
High-quality AI-based voice deepfakes are already being actively used in fraudulent schemes. Someone claiming to be your “boss”, “family member”, “colleague”, or some other person with a familiar voice might call asking for urgent help — or to help someone else who’ll soon reach out to you. Such schemes mainly aim to trick victims into voluntarily sending money to criminals. More complex scenarios are also possible — for example, targeting company employees to obtain passwords for accessing the corporate network.
Verify any unexpected or alarming calls without panic. If someone you supposedly know well calls, ask a question only that person can answer. If a colleague calls but their request seems odd — for example, asking you to send or spell a password, send a payment, or do something else unusual — reach out to other colleagues or superiors to double-check things.
Use caller identifier apps to block spam and scam calls. Some of these apps work not only with regular phone calls but also with calls through messengers like WhatsApp.
Poorly protected IoT devices create a whole range of problems for their owners: robot vacuum cleaners spy on their owners, smart pet feeders can give your pet an unplanned feast or a severe hunger strike, set-top boxes steal accounts and create rogue proxies on your home network, and baby monitors and home security cameras turn your home into a reality TV show without your knowledge.
What could improve in 2024? The emergence of regulatory requirements for IoT device manufacturers. For example, the UK will ban the sale of devices with default logins and passwords like “admin/admin”, and require manufacturers to disclose in advance how long a particular device will receive firmware updates. In the U.S., a security labeling system is being developed that will make it possible to understand what to expect from a “smart” device in terms of security even before purchase.
Find out if there are similar initiatives in your country and make the most of them by purchasing only secure IoT devices with a long period of declared support. It’s likely that once manufacturers are obliged to ensure the security of smart devices locally, they’ll make corresponding changes to products for the global market. Then you’ll be able to choose a suitable product by checking, for example, the American “security label”, and buy it — even if you’re not in the U.S.
Carefully configure all smart devices using our detailed advice on creating a smart home and setting up its security.
Scams involving fake texts, images, and voice messages can be highly effective when used on elderly people, children, or those less interested in technology. Think about your family, friends, and colleagues — if any of them might fall victim to any of the schemes described above, take the time to explain these schemes to them or send them a link to our blog.
Don’t just give blanket information from our articles; look beyond our blog to find suitable cybersecurity lessons for your loved ones based on their age and temperament.
Make sure that all your family’s computers and phones are fully protected. With Kaspersky Premium, you can protect as many devices as needed, on any popular platform — Windows, macOS, Android, or iOS.
Before we say goodbye and wish you a happy and peaceful 2024, one final little whisper — last year’s New Year’s resolutions are still very relevant: the transition to password-less systems is progressing at a swift pace, so going password-free in the New Year might be a good idea, while basic cyber hygiene has become all the more crucial. Oops; nearly forgot: wishing you a happy and peaceful 2024!…
Kaspersky official blog – Read More
At the 37th Chaos Communication Congress (37C3), being held right now in Hamburg, our experts from the Kaspersky Global Research and Analysis Team (GReAT) Boris Larin, Leonid Bezvershenko and Grigoriy Kucherin gave a talk called “Operation Triangulation: what you get when attack iPhones of researchers”. They described the attack chain in detail and discussed all of the vulnerabilities involved in it. Among other things, they presented, for the first time, exploitation details of the CVE-2023-38606 hardware vulnerability.
We will not repeat all the nuts and bolts of this report — you can find technical details in a post on the Securelist blog, or you can listen to the recording of the talk on the conference’s official website. Here we will briefly describe the main points.
As we wrote at the beginning of this summer, the attack started with an invisible iMessage containing a malicious attachment that was processed without the user’s knowledge. This attack did not require any action from the user at all.
Our experts were able to detect the attack by monitoring a corporate Wi-Fi network using our own SIEM system Kaspersky Unified Monitoring and Analysis Platform (KUMA).
The attack employed four zero-day vulnerabilities that affected all iOS devices up to version 16.2: CVE-2023-32434, CVE-2023-32435, CVE-2023-41990 and the aforementioned CVE-2023-38606.
The obfuscated Triangulation exploit could work both on modern versions of the iPhone and on fairly old models. When attacking newer iPhones, it could bypass Pointer Authentication Code (PAC).
The CVE-2023-32434 vulnerability used by this exploit gave attackers read and write access to the entire physical memory of the device from user level.
Thanks to the exploitation of all four vulnerabilities, the malware could gain full control over the device and run any malware needed, but instead it launched the IMAgent process and used it to remove all traces of the attack from the device. It also launched the Safari process in the background and redirected it to the attackers’ web page containing an exploit for Safari.
This Safari exploit obtained root privileges and launched the further stages of the attack (which we already covered in our previous publications).
Vulnerability CVE-2023-38606 allowed the built-in memory protection mechanism to be bypassed using undocumented processor registers that are not used by the firmware. According to our experts, this hardware function was probably created for debugging or testing purposes, and then for some reason remained enabled.
The only remaining mystery is how exactly the attackers knew how to use this undocumented function, and where they found information about it at all.
When you turn on a laptop, the manufacturer’s logo is displayed on the screen before the operating system boots. This logo can actually be changed — a function intended for the use of laptop or desktop manufacturers. But there’s nothing stopping an ordinary user from using it and replacing the default logo with a different image.
The logo is stored in the code that runs immediately after the computer is turned on, in the so-called UEFI firmware. It turns out that this logo replacement function opens the way for the device to be seriously compromised — attackers can exploit it and subsequently seize control of the system, and this can even be done remotely. The possibility of such an attack, named LogoFAIL, was recently discussed by specialists at Binarly. In this article, we’ll try to explain it in simple terms, but let’s first recall the dangers of so-called UEFI bootkits.
Historically, the program executed upon turning on a PC was called a BIOS (Basic Input/Output System). It was extremely limited in its capabilities, but it was an essential program tasked with initializing the computer’s hardware and then transferring control to the operating system loader. Since the late 2000s, BIOS gradually began to be replaced by UEFI — a more sophisticated version of the same basic program with additional capabilities, including protection against the execution of malicious code.
In particular, UEFI implemented the Secure Boot feature that employed cryptographic algorithms to check the code at each stage of the computer’s booting — from turning it on to loading the operating system. This makes it much more difficult to replace the real OS code with malicious code, for example. But, alas, even these security technologies have not completely eliminated the possibility of loading malicious code at an early stage. And if attackers manage to “smuggle” malware or a so-called bootkit into UEFI, the consequences can be extremely serious.
The issue with UEFI bootkits is that they are extremely difficult to detect from within the operating system. A bootkit can modify system files and run malicious code in an OS with maximum privileges. And the main problem is that it can survive not only a complete reinstall of the operating system, but also replacement of the hard drive. Stashed in the UEFI firmware, a bootkit isn’t dependent on the data stored on the system drive. As a result, bootkits are often used in complex targeted attacks. An example of such an attack is described in this study by our experts.
Since UEFI has fairly robust protection against the execution of malicious code, introducing a Trojan into the boot process isn’t simple. However, as it turns out, it is possible to exploit flaws in the UEFI code to execute arbitrary code at this early stage. There was good reason for the Binarly specialists to pay attention to the mechanism that allows replacing the factory logo. To display the logo, a program is launched that reads data from the graphic image file and displays this image on the screen. What if we try to make this program misbehave?
There are three major UEFI software developers: AMI, Insyde, and Phoenix. Each of them approaches logo processing differently. For example, Insyde has separate image processing programs for different formats, from JPEG to BMP. AMI and Phoenix consolidate handling of all formats into a single program. Vulnerabilities were discovered in each of them, with a total of twenty-four critical errors. The final result of exploiting one of these errors is shown in this video:
LogoFAIL attack demonstration. Source
It’s all fairly simple: the attacker can modify the image of the new logo as they please. This includes, for example, setting the logo resolution so that this parameter ends up beyond the limits defined in the handling code. This leads to a calculation error and ultimately results in data being written from the image file into the area for executable data. This data will then be executed with maximum privileges. The video above shows the seemingly harmless result of such a bootkit: a text file is saved to the Windows desktop. However, if malicious code has this level of access, the attacker can perform almost any action in the operating system.
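As an added illustration (not Binarly’s findings or any firmware vendor’s code), here is a constructed, simplified logo-header parser in C: the unchecked version computes the pixel-buffer size the way the paragraph describes, so an oversized width makes the 32-bit product wrap to a tiny value that passes the limit check, while the hardened version rejects the same header with per-dimension limits and overflow-checked arithmetic. The header layout, limits and function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed 12-byte header (assumption for this example): "LOGO" magic,
 * then little-endian uint32 width and uint32 height. Pixels are assumed to
 * be 32-bit BGRA, i.e. 4 bytes each. */
#define LOGO_MAGIC        "LOGO"
#define LOGO_HDR_LEN      12u
#define BYTES_PER_PIXEL   4u
#define MAX_WIDTH         1920u
#define MAX_HEIGHT        1080u
/* Assumed size of the framebuffer the firmware would draw the logo into. */
#define MAX_FRAMEBUFFER_BYTES (MAX_WIDTH * MAX_HEIGHT * BYTES_PER_PIXEL)

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a header with the given dimensions (used for the constructed inputs). */
void make_logo_hdr(uint8_t out[LOGO_HDR_LEN], uint32_t w, uint32_t h) {
    memcpy(out, LOGO_MAGIC, 4);
    for (int i = 0; i < 4; i++) {
        out[4 + i] = (uint8_t)(w >> (8 * i));
        out[8 + i] = (uint8_t)(h >> (8 * i));
    }
}

/* Vulnerable pattern: width * height * bpp is computed in 32 bits and only
 * the final product is compared with the limit. With huge dimensions the
 * product wraps around to a small number, the check passes, and a buffer far
 * too small for the pixel data would later be allocated. This function only
 * returns the computed size; it never allocates or writes memory.
 * Returns 0 when the header is rejected. */
uint32_t logo_pixel_bytes_unsafe(const uint8_t *hdr, size_t len) {
    if (len < LOGO_HDR_LEN || memcmp(hdr, LOGO_MAGIC, 4) != 0) return 0;
    uint32_t w = rd_le32(hdr + 4);
    uint32_t h = rd_le32(hdr + 8);
    uint32_t size = w * h * BYTES_PER_PIXEL;          /* may wrap around */
    return size <= MAX_FRAMEBUFFER_BYTES ? size : 0;
}

/* Hardened version: bound each dimension before multiplying, then use
 * overflow-checked multiplication so a wrapped product can never pass. */
bool logo_pixel_bytes_safe(const uint8_t *hdr, size_t len, uint32_t *out) {
    if (len < LOGO_HDR_LEN || memcmp(hdr, LOGO_MAGIC, 4) != 0) return false;
    uint32_t w = rd_le32(hdr + 4);
    uint32_t h = rd_le32(hdr + 8);
    if (w == 0 || h == 0 || w > MAX_WIDTH || h > MAX_HEIGHT) return false;
    uint32_t wh, size;
    if (__builtin_mul_overflow(w, h, &wh)) return false;
    if (__builtin_mul_overflow(wh, BYTES_PER_PIXEL, &size)) return false;
    if (size > MAX_FRAMEBUFFER_BYTES) return false;
    *out = size;
    return true;
}

int main(void) {
    uint8_t good[LOGO_HDR_LEN], bad[LOGO_HDR_LEN];
    uint32_t n = 0;
    make_logo_hdr(good, 640, 480);
    /* Constructed malicious header: 0x40000001 * 1 * 4 = 0x100000004,
     * which wraps to 4 in 32-bit arithmetic. */
    make_logo_hdr(bad, 0x40000001u, 1);

    printf("640x480 : unsafe=%u safe=%s\n",
           logo_pixel_bytes_unsafe(good, LOGO_HDR_LEN),
           logo_pixel_bytes_safe(good, LOGO_HDR_LEN, &n) ? "accepted" : "rejected");
    printf("oversize: unsafe=%u safe=%s\n",
           logo_pixel_bytes_unsafe(bad, LOGO_HDR_LEN),
           logo_pixel_bytes_safe(bad, LOGO_HDR_LEN, &n) ? "accepted" : "rejected");
    return 0;
}
```

The unchecked parser reports a 4-byte buffer for the oversized header, which is exactly the kind of size miscalculation that turns image data into an out-of-bounds write; the checked parser refuses it.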
Notably, some device models from major manufacturers were not susceptible to this attack, and for a very simple reason: replacing the logo in their UEFI is essentially blocked. Among these models are a number of Apple laptops and Dell devices.
Theoretically, this attack can even be carried out remotely: in some cases, it would be enough to inject a specially prepared image into the EFI system partition on the system disk, and it will be processed on the next reboot. The catch is that performing such an operation already requires complete access to the system; that is, any data on the computer should already be available to the attackers. You might wonder then, what’s the point of implementing the LogoFAIL attack? To ensure that the malicious code survives even if the OS is reinstalled — this kind of persistence is usually highly desired by APT attack operators.
This problem will gradually be resolved by updated UEFI versions that fix errors in the image handlers. However, since not all companies diligently keep up with firmware updates, a huge number of devices will likely remain unprotected. And the list of vulnerable devices includes not only laptops but also some server motherboards. This means that Binarly’s research should be taken very seriously.
Many Apple users believe the macOS operating system is so secure that no cyberthreats can harm them, so they don’t need to worry about protecting their devices. However, this is far from the case: while there is less malware for macOS, it’s still much more common than Apple device owners would like to think.
In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.
In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.
The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.
Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.
In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.
As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.
Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.
Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.
The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.
Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:
cookies
logins, passwords, and bank card details stored in the browser
passwords from the macOS password storage system (Keychain)
files stored on the hard drive
stored data from over 50 popular cryptocurrency extensions
Unfortunately, even if you don’t download any suspicious files, you avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that any software always has vulnerabilities that attackers can exploit to infect a device, and which require little or no active user action. And the macOS operating system is no exception to this rule.
Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.
This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s operating systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.
A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.
What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:
Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.
To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.
We often write here on these blog pages about how browser extensions can be very dangerous. To illustrate this fact, we decided to dedicate an article to it. In this post, we’ll look at the most interesting, unusual, widespread, and dangerous cases involving malicious extensions in 2023. We’ll also discuss what these extensions were capable of — and, of course, how to protect yourself from them.
To set the tone and also highlight one of the biggest concerns associated with dangerous extensions, let’s start with a story that began last year. In November 2022, two malicious extensions with the same name — SearchBlox — were discovered in the Chrome Web Store, the official store for Google Chrome browser extensions. One of these extensions had over 200,000 downloads.
The declared purpose of the extensions was to search for a specific player on the Roblox servers. However, their actual purpose was to hijack Roblox players’ accounts and steal their in-game assets. After information about these malicious extensions was published on BleepingComputer, they were removed from the Chrome Web Store, and automatically deleted from the devices of users who’d installed them.
However, the Roblox story doesn’t end there. In August 2023, two more malicious extensions of a similar nature — RoFinder and RoTracker — were discovered in the Chrome Web Store. Just like SearchBlox, these plugins offered users the ability to search for other players on the Roblox servers, but in reality had a backdoor built into them. The Roblox user community eventually managed to get these extensions removed from the store as well.
This suggests that the quality of moderation on the official platform for downloading Google Chrome extensions leaves much to be desired, and it’s easy enough for creators of malicious extensions to push their creations in there. To get moderators to spot dangerous extensions and remove them from the store, reviews from affected users are rarely sufficient — it often requires efforts from the media, security researchers, and/or a large online community.
In March 2023, two malicious extensions were discovered in the Google Chrome Web Store within a few days of each other — both taking advantage of the hype surrounding the ChatGPT AI service. One of these was an infected copy of the legitimate “ChatGPT for Google” extension, offering integration of ChatGPT’s responses into search engine results.
The infected “ChatGPT for Google” extension was uploaded to the Chrome Web Store on February 14, 2023. Its creators waited for some time and only started actively spreading it precisely a month later, on March 14, 2023, using Google Search ads. The criminals managed to attract around a thousand new users per day, resulting in over 9000 downloads by the time the threat was discovered.
The trojanized copy of “ChatGPT for Google” functioned just like the real one, but with extra malicious functionality: the infected version included additional code designed to steal Facebook session cookies stored by the browser. Using these files, the attackers were able to hijack the Facebook accounts of users who’d installed the infected extension.
The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.
In the other case, fraudsters created a completely original extension called “Quick access to Chat GPT”. In fact, the extension actually did what it promised, acting as an intermediary between users and ChatGPT using the AI service’s official API. However, its real purpose was again to steal Facebook session cookies, allowing the extension’s creators to hijack Facebook business accounts.
Most interestingly, to promote this malicious extension, the perpetrators used Facebook ads, paid for by — you guessed it — the business accounts they’d already hijacked! This cunning scheme allowed the creators of “Quick access to Chat GPT” to attract a couple of thousand new users per day. In the end, both malicious extensions were removed from the store.
Often, creators of malicious extensions don’t place them in the Google Chrome Web Store, and distribute them in other ways. For example, earlier this year researchers noticed a new malicious campaign related to the ChromeLoader malware, already well-known in the cybersecurity field. The primary purpose of this Trojan is to install a malicious extension in the victim’s browser.
This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.
This year, attackers have been using a variety of pirated content as bait to make victims install ChromeLoader. For example, in February 2023, researchers reported the spread of ChromeLoader through VHD files (a disk image format) disguised as hacked games or game “cracks”. Among the games used by the distributors were Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more. As you might guess, all these VHD files contained the malicious extension installer.
A few months later, in June 2023, another group of researchers released a detailed report on the activities of the same ChromeLoader, detailing its spread through a network of sites offering pirated music, movies, and once again, computer games. In this campaign, instead of genuine content, VBScript files were downloaded onto victims’ computers, which then loaded and installed the malicious browser extension.
Although the altered search results quickly alert victims to the presence of the dangerous extension in their browser, getting rid of it isn’t so easy. ChromeLoader not only installs the malicious extension but also adds scripts and Windows Task Scheduler tasks to the system that reinstall the extension every time the system reboots.
In March 2023, the German Federal Office for the Protection of the Constitution and the South Korean National Intelligence Agency issued a joint report on the activities of the Kimsuky cybercriminal group. This group uses an infected extension for Chromium-based browsers — Google Chrome, Microsoft Edge, as well as the South Korean browser Naver Whale — to read the Gmail correspondence of their victims.
The attack begins with the perpetrators sending emails to specific individuals of interest. The email contains a link to a malicious extension called AF, along with some text convincing the victim to install the extension. The extension starts working when the victim opens Gmail in the browser where it’s installed. AF then automatically sends the victim’s correspondence to the hackers’ C2 server.
Thus, Kimsuky manages to gain access to the contents of the victim’s mailbox. What’s more, they don’t need to resort to any tricks to hack into this mailbox; they simply bypass the two-factor authentication. As a bonus, this method allows them to do everything in a highly discreet manner — in particular, preventing Google from sending alerts to the victim about account access from a new device or suspicious location, as would be the case if the password were stolen.
Criminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.
In addition, this extension collects and sends browser history to the C2 server and lets the attackers take screenshots. But Rilide’s most interesting feature is its ability to bypass two-factor authentication.
When the extension detects that a user is about to make a cryptocurrency transaction on one of the online services, it injects a script into the page that replaces the confirmation code input dialog, and then steals that code. The payment recipient’s wallet is replaced with one belonging to the attackers, and then, finally, the extension confirms the transaction using the stolen code.
Rilide attacks users of Chromium-based browsers — Chrome, Edge, Brave, and Opera — by imitating a legitimate Google Drive extension to avoid suspicion. Rilide appears to be freely sold on the black market, so it’s used by criminals unrelated to one another. For this reason, various distribution methods have been discovered — from malicious websites and emails to infected blockchain game installers promoted on Twitter (X).
One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.
And, of course, one cannot forget the story of the summer when researchers discovered several dozen malicious extensions in the Google Chrome Web Store, which collectively had more than 87 million downloads from the store. These were various kinds of browser plugins — from tools for converting PDF files and ad blockers to translators and VPNs.
The extensions were added to the Chrome Web Store as far back as 2022 and 2021, so by the time they were discovered they’d already been there for several months, a year, or even longer. Among reviews of the extensions, there were some complaints from vigilant users who reported that the extensions were spoofing search results with advertisements. Unfortunately, the Chrome Web Store moderators ignored these complaints. The malicious extensions were only removed from the store after two groups of security researchers brought the issue to Google’s attention.
As you can see, dangerous browser extensions can end up on your computer from various sources — including the official Google Chrome Web Store. And attackers can use them for a wide range of purposes — from hijacking accounts and altering search results to reading correspondence and stealing cryptocurrencies. Accordingly, it’s important to take precautions:
Try to avoid installing unnecessary browser extensions. The fewer extensions you have in your browser, the better.
If you do install an extension, it’s better to install it from an official store rather than from an unknown website. Sure, this doesn’t eliminate the risk of encountering dangerous extensions completely, but at least the Google Chrome Web Store does take its security seriously.
Before installing, read reviews of an extension. If there’s something wrong with it, someone might have already noticed it and informed other users.
Periodically review the list of extensions installed in your browsers. Remove any you don’t use — especially ones you don’t remember installing.
And be sure to use reliable protection on all your devices.
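As an added example (not code from the post) of the periodic review recommended above, the following Python reads the `extensions.settings` map from a Chromium-profile `Secure Preferences` file and flags entries that were not installed from the Web Store, that were side-loaded from a folder or via the `--load-extension` command-line switch (an assumption about how a reboot task like the one ChromeLoader adds could keep reinstalling an extension), or that carry broad permissions. The key names, the location codes and the sample profile are assumptions based on Chromium's preferences layout; the sample data is constructed.

```python
import json

# Chromium ManifestLocation codes (assumption based on Chromium's enum):
# 4 = unpacked folder, 8 = passed with --load-extension on the command line.
SIDELOADED = {4: "unpacked folder", 8: "--load-extension command line"}
# Permissions that let an extension read or alter everything the user does.
RISKY = {"<all_urls>", "webRequest", "tabs", "scripting", "cookies", "history"}


def audit(secure_prefs_json):
    """Return {extension_id: [reasons]} for entries that deserve a closer look."""
    settings = json.loads(secure_prefs_json)["extensions"]["settings"]
    report = {}
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if ext.get("location") in SIDELOADED:
            reasons.append("sideloaded: " + SIDELOADED[ext["location"]])
        perms = set(manifest.get("permissions", []))
        perms |= set(manifest.get("host_permissions", []))
        hits = sorted(perms & RISKY)
        if hits:
            reasons.append("broad permissions: " + ", ".join(hits))
        if reasons:
            report[ext_id] = reasons
    return report


# Constructed sample profile: a Web Store PDF tool and a side-loaded extension
# posing as "Google Drive" (the disguise Rilide uses, per the text above).
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True, "location": 1,
        "manifest": {"name": "PDF converter", "permissions": ["storage"]}},
    "bcdefghijklmnopabcdefghijklmnopa": {
        "from_webstore": False, "location": 8,
        "manifest": {"name": "Google Drive",
                     "permissions": ["tabs", "webRequest"],
                     "host_permissions": ["<all_urls>"]}}}}})

if __name__ == "__main__":
    for ext_id, reasons in audit(SAMPLE_PREFS).items():
        print(ext_id, "->", "; ".join(reasons))
```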
Kaspersky official blog – Read More
At the end of the year, before the Christmas and New Year holidays, the accounting departments of many companies are busy, to put it mildly, especially in countries where the fiscal year is aligned with the calendar year. Accountants are occupied with financial reporting, planning budgets for the next financial period, and so on. And all that despite the pre-holiday fever, when corporate parties are common and colleagues are often not much in the mood for work. So, of course, cybercriminals can’t ignore this situation: they’re actively sending fake invoices to random employees of companies, in the hope that someone will approve payment in the midst of the document flood.
Firstly, the very fact that an email was sent to a random employee, and not directly to the accounting department, should get alarm bells ringing. Criminals usually have no means to obtain the real email addresses of corporate accountants; they use spam mailing databases, consisting primarily of publicly available contacts — so those emails are usually received by employees in HR, PR, technical support, and so on.
Sometimes the senders of the fraudulent emails write that they’ve lost the correct address, or made a typo while writing it down, so they ask for the invoice to be forwarded to accounting; sometimes they don’t bother with explanations at all. Either way, this is no excuse for sending an email to a random address. If the invoice were really needed by one of the company’s employees, they would contact the sender themselves, find out the reasons for the delay in delivery and, if necessary, clarify the email address of the accounting department.
Forwarding unexpected emails to colleagues may do more harm than good, for a fraudulent email forwarded by a co-worker is more likely to work. If you forward an invoice to accountants, they may think that you want it to be paid. And in general, an email from an employee of the same company arouses less suspicion than external correspondence.
Secondly, criminals understand that demanding a large amount of money is a bad idea. It’s less likely that such an invoice will be paid without additional enquiries. That’s why they issue invoices for relatively small amounts — insignificant by the standards of a large company.
Thirdly, in the vast majority of cases these kinds of invoices are for correspondence delivery services. Moreover, the accompanying email is written as vaguely as possible so that it’s not always clear whether the invoice was issued directly by the sender of some documents or by the delivery company.
As mentioned earlier, criminals count on the year-end’s heavy workload, people’s general inattention, and the “help” of non-specialists in forwarding such emails to the accounting department. But the main reason such schemes work is impunity. By and large, the fraudsters aren’t afraid of legal consequences. They register a real company and send out invoices. Legally, this is a service that was paid for but not provided. If someone were to take this to court, the fraudsters would probably be found guilty. But will anyone go to court over such trifling amounts of money?
If you search the internet for the name of the company that issued the invoice, you’ll probably find a whole host of indignant comments from businesses that were deceived in a similar way. Presumably, from time to time, the criminals change the legal entity, closing one company through bankruptcy and opening another.
To begin with, we highly recommend using security solutions with effective anti-spam technologies at the corporate mail gateway level. As a rule, attackers send such emails in large quantities, which allows them to be classified as spam in a timely manner.
In addition, you should inform employees that an email received unexpectedly from someone unknown demanding a payment or personal data is definitely suspicious. And if they want to forward it somewhere, they should send it only to the information security department with the comment “possible fraud”.
Ideally, it’s a good idea to periodically raise employee security awareness; for example, using the online Kaspersky Automated Security Awareness Platform. This would allow employees to be prepared for unexpected emails from attackers, be they simple fraudulent spam emails or sophisticated spearphishing.
Kaspersky official blog – Read More
Corporate information security specialists usually know quite a few confident employees who say that they don’t click on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this argument when asking to have corporate security measures that somehow interfere with their work turned off. But attackers often disguise malicious and phishing links, trying to confuse both mail filters and human observers. What they want is to make victims (even those who examine URLs, as we repeatedly advise) click on an address that actually takes them to a different one. Here are the most common methods cybercriminals use to hide malicious or phishing URLs.
The simplest way to hide the real domain in the address is to use the @ symbol in the URL. This is a completely legitimate symbol that can be used to embed a login and a password in the website address: HTTP allows credentials to be passed to the web server via the URL simply by using the login:password@domain.com format. If the data before the @ symbol is incorrect and not suitable for authentication, the browser simply discards it, taking the user to the address located after the @ symbol. So cybercriminals use this: they come up with a convincing page name, use the name of a legitimate site in it, and place the real address after the @ symbol. For example, look at our blog’s address disguised in this way:
It looks like a page with many words in the name hosted somewhere on the Google domain, but the browser will take you to http://kaspersky.com/blog/.
In the previous method, attackers often try to confuse the user with a long page name in order to distract them from the real address, because it still remains in the URL. But there’s a way to hide it completely: by converting the IP address of a site into an integer. As you may know, IP addresses in dotted form are not very convenient to store in databases. Therefore, at some point, a mechanism was devised to convert IP addresses into integers (which are much more convenient to store) and vice versa. And these days, when modern browsers see a plain number in the host position of a URL, they automatically convert it into an IP address. In combination with the same @ symbol, it effectively hides the real domain. This is what a link to our corporate website can look like:
In using this trick, cybercriminals try to focus attention on the domain before the @ symbol, and make everything else look like some kind of parameter — various marketing tools often insert all sorts of alphanumeric tags into web links.
Another fairly simple way to hide the real URL is to use one of the legitimate link shortening services. You can include absolutely anything inside a short link — and it’s impossible to check what hides there without clicking.
Several years ago, Google and some partners created the Google AMP framework — a service that was intended to help webpages load faster on mobile devices. In 2017, Google claimed that AMPed pages load in less than a second and use 10 times less data than the same pages without AMP. Now attackers have learned how to use this mechanism for phishing. An email contains a link starting with “google.com/amp/s/”, but if the user clicks it, they’ll be redirected to a site that doesn’t belong to Google. Even some anti-phishing filters often fall for this trick: due to Google’s reputation, they consider such a link to be sufficiently reliable.
Another way to hide your page behind someone else’s URL is to use an ESP; that is, a service for creating legitimate newsletters and other mailouts. We’ve already written in detail about this method in one of our previous posts. In short, criminals employ one of these services, create a mailing campaign, input a phishing URL, and as a result get a ready-made clean address, which has the reputation of an ESP company. ESP companies of course try to fight such misuse of their service, but it doesn’t always work out.
The Chinese search engine Baidu has quite an interesting approach to showing search results. Unlike Google, it doesn’t give you links to the sites, but instead makes links to itself with a redirect to the site searched for. That is, in order to disguise a malicious URL as Baidu, all cybercriminals need to do is search for the page (and that is quite simple if you enter the exact address), copy the link and paste it in the phishing email.
And by and large, we don’t know just how many other services there are that can redirect URLs or even cache pages on their side (be it for their own needs or in the name of convenience of content delivery).
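To show how these disguises look to a parser rather than to the eye, here is an added Python example (not code from the original post) that reports the host a browser would actually reach for each trick described above: text before an @, an integer host, a google.com/amp/s/ wrapper, a link shortener, and a redirect-style query parameter carrying a whole URL. The shortener list and the sample hostnames are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample list; a real deployment would use a maintained feed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
AMP_PATH = re.compile(r"^/amp/s/(.+)", re.IGNORECASE)


def analyze(url):
    """Return (host the browser will actually reach, list of findings)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    # 1. Everything before '@' is userinfo; the browser goes to what follows it.
    if "@" in parts.netloc:
        visible = parts.netloc.rsplit("@", 1)[0]
        findings.append(f"text before '@' ({visible}) hides real host {host}")
    # 2. A bare decimal host is converted to an IP address by the browser.
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))
        findings.append(f"integer host is the IP address {host}")
    # 3. google.com/amp/s/<site>/... redirects to <site>, which is not Google.
    m = AMP_PATH.match(parts.path)
    if m and (host == "google.com" or host.endswith(".google.com")):
        host = urlsplit("https://" + m.group(1)).hostname or host
        findings.append(f"AMP wrapper redirects to {host}")
    # 4. Shortener: the destination cannot be seen without following the link.
    if host in SHORTENERS:
        findings.append("link shortener hides destination")
    # 5. A query parameter carrying a whole URL is the shape of redirect and
    #    tracking links (ESP and search-engine style); report where it points.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                host = urlsplit(value).hostname or host
                findings.append(f"query parameter '{key}' redirects to {host}")
    return host, findings


if __name__ == "__main__":
    for sample in ("http://www.google.com.blog.article@kaspersky.com/blog/",
                   "http://www.kaspersky.com@3405803786/",
                   "https://www.google.com/amp/s/phish.example/login"):
        print(sample, "->", analyze(sample))
```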
No matter how confident your employees are, we doubt they can really tell whether a link is dangerous or not. We therefore recommend backing them up with protective solutions. Moreover, we recommend using such solutions both at the corporate mail server level and at the level of internet-enabled work devices.
Kaspersky official blog – Read More