Transatlantic Cable podcast episode 352 | Kaspersky official blog

Episode 352 of the Transatlantic Cable podcast kicks off with a story concerning generative AI and hackers, with the hackers taking the side of artists (or so it would seem). From there, discussion turns to the US surgeon general calling for ‘warning labels’ on social media, in large part due to the worrying rise in young people’s mental health problems.

To wrap up, the team look at two stories – the first concerning ransomware and hospitals, and the second looking at a recent NHS data breach and black bin bags.

If you liked what you heard, please consider subscribing.

Hackers Target AI Users With Malicious Stable Diffusion Tool on GitHub to Protest ‘Art Theft’
US surgeon general wants social media warning labels
Medical-Targeted Ransomware Is Breaking Records After Change Healthcare’s $22M Payout
Student’s flimsy bin bags blamed for latest NHS data breach

Kaspersky official blog – Read More

How phishing using progressive web apps (PWAs) works | Kaspersky official blog

A security researcher known as mr.d0x has published a post detailing a new technique that can be used for phishing and potentially other malicious activities. The technique exploits so-called progressive web apps (PWAs). In this post, we discuss what these applications are, why they can be dangerous, how attackers can use them for their own purposes, and how to [placeholder Kaspersky Premium]protect yourself[/placeholder] against this threat.

What are progressive web apps?

PWAs are applications developed using web technologies. Essentially, they’re websites that look and function just like native applications installed on your operating system.

The general idea is similar to applications built on the Electron framework, with one key difference. Electron apps are like a “sandwich” of a website (the filling) and a browser (the bread) dedicated to running that site; that is, each Electron application has a built-in browser. In contrast, PWAs utilize the engine of the browser already installed on the user’s system to display the same website – like a sandwich without the bread.

All modern browsers support PWAs, with Google Chrome and Chromium-based browsers (including the Microsoft Edge browser that comes with Windows) offering the most comprehensive implementation.

Installing a PWA (if the respective website supports it) is very simple. Just click an inconspicuous button in the browser’s address bar and confirm the installation. Here’s how it’s done, using the Google Drive PWA as an example:

Installing PWAs only takes two clicks

After that, the PWA appears on your system almost instantly, looking just like a real application — with an icon, its own window, and all the other attributes of a fully-fledged program. It’s not easy to tell from the PWA window that it’s actually a browser displaying a website.

The Google Drive PWA looks just like a real native application

PWA-based phishing

One crucial difference between a PWA and the same website opened in a browser is evident in the screenshot above: the PWA window lacks an address bar. This very feature forms the foundation of the phishing method discussed in this post.

With no address bar in the window, attackers can simply draw their own — displaying a URL that serves their phishing goals. For example, this one:

With a PWA, you can convincingly mimic any site — for example, the Microsoft account login page. Source

Attackers can further enhance the deception by giving the PWA a familiar icon.

The only remaining hurdle is convincing the victim to install the PWA. However, this can be easily achieved with persuasive language and cleverly designed interface elements.

It’s important to note that in the PWA installation dialog, the displayed app name can be anything the attacker desires. The true origin is only revealed by the website address in the second line, which is less noticeable:

The malicious PWA installation dialog displays a name that aids the attacker’s goals. Source
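The point above is that the name shown in the install dialog comes from the site’s own web app manifest, while the origin comes from where the manifest actually loads. The following is an added example, not code from the post or from Kaspersky: it parses a manifest, derives the real origin from start_url, and flags an installable app whose name invokes a brand its origin does not belong to while its display mode hides the address bar. The brand allow-list, the two sample manifests and the .invalid hostname are constructed for illustration.

```python
import json
from urllib.parse import urljoin, urlsplit

# Display modes in which the browser draws no address bar, leaving the page
# in full control of what the user sees (the condition the post describes).
# "browser" and "minimal-ui" keep some browser chrome.
ADDRESS_BAR_HIDDEN = {"standalone", "fullscreen"}

# Hypothetical allow-list (assumed values): brand keyword -> registrable
# domains that may legitimately carry that brand in an app name.
PROTECTED_BRANDS = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "google": {"google.com"},
}

# Constructed sample manifests. The first imitates a Microsoft login page on
# an unrelated host; the second stands in for a legitimate Google Drive app.
PHISHING_MANIFEST_URL = "https://account-review.example-phish.invalid/manifest.json"
PHISHING_MANIFEST = json.dumps({
    "name": "Microsoft account sign-in",
    "short_name": "Microsoft",
    "start_url": "/account/login",
    "display": "standalone",
})
LEGIT_MANIFEST_URL = "https://drive.google.com/manifest.json"
LEGIT_MANIFEST = json.dumps({
    "name": "Google Drive",
    "short_name": "Drive",
    "start_url": "https://drive.google.com/drive/",
    "display": "standalone",
})


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def manifest_origin(manifest_url: str, manifest: dict) -> tuple:
    """Origin the installed app will really load: start_url resolved against
    the manifest URL. This is the 'second line' of the install dialog and is
    not under the control of whatever was typed into the name field."""
    start = urljoin(manifest_url, manifest.get("start_url", "/"))
    parts = urlsplit(start)
    return f"{parts.scheme}://{parts.netloc}", parts.hostname or ""


def assess_manifest(manifest_url: str, manifest_text: str, brands=None) -> dict:
    """Compare the attacker-controlled name against the real origin."""
    brands = PROTECTED_BRANDS if brands is None else brands
    manifest = json.loads(manifest_text)
    origin, host = manifest_origin(manifest_url, manifest)
    shown = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()
    hides_bar = manifest.get("display", "browser") in ADDRESS_BAR_HIDDEN
    impersonated = [
        brand for brand, domains in brands.items()
        if brand in shown and not any(host_matches(host, d) for d in domains)
    ]
    return {
        "displayed_name": manifest.get("name", ""),
        "real_origin": origin,
        "hides_address_bar": hides_bar,
        "impersonated_brands": impersonated,
        "suspicious": hides_bar and bool(impersonated),
    }


if __name__ == "__main__":
    for url, text in ((PHISHING_MANIFEST_URL, PHISHING_MANIFEST),
                      (LEGIT_MANIFEST_URL, LEGIT_MANIFEST)):
        print(assess_manifest(url, text))
```

The same check can be run by a proxy or browser-management tooling against any manifest a user is about to install: the name is free text, the origin is not, and a mismatch between the two is exactly what the install dialog makes hard to notice.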

The process of stealing a password using a PWA generally unfolds as follows:

The victim opens a malicious website.
The website convinces the victim to install the PWA.
Installation occurs almost instantly, and the PWA window opens.
A phishing page with a fake address bar displaying a legitimate-looking URL opens in the PWA window.
The victim enters their login credentials into the form — handing them directly to the attackers.

What phishing using a malicious PWA looks like. Source

Of course, convincing the victim to install a native application is just as straightforward, but there are a couple of nuances. PWAs install significantly faster and require much less user interaction compared to traditional app installations.

Additionally, developing PWAs is simpler, as they’re essentially phishing websites with minor enhancements. These factors make malicious PWAs a powerful tool for cybercriminals.

How to protect yourself from PWA phishing

Incidentally, the same mr.d0x previously gained recognition for devising the browser-in-the-browser phishing technique, which we wrote about a couple of years ago. Since then there have been several reported instances of attackers employing this technique not only for stealing account passwords but also for spreading ransomware.

Given this precedent, it’s highly probable that cybercriminals will adopt malicious PWAs and devise novel ways to exploit this technique beyond phishing.

What can you do to protect against this threat?

Exercise caution when encountering PWAs, and refrain from installing them from suspicious websites.
Periodically review the list of PWAs installed on your system. For instance, in Google Chrome, type chrome://apps into the address bar to view and manage installed PWAs.

To view or remove installed PWAs in Google Chrome, type chrome://apps in the address bar

Use a reliable security solution with protection against phishing and fraudulent sites, which will promptly warn you of potential dangers.


Hackers can crack 59% of passwords in an hour | Kaspersky official blog

Although World Password Day, held annually on the first Thursday in May, has passed, our — and we hope your — fascination with password security continues. Instead of analyzing artificial “test-tube” passwords created for lab studies, we stayed in the real world — examining actual passwords leaked on the dark web. The results were alarming: 59% of these passwords could be cracked in less than an hour — and all it takes is a modern graphics card and a bit of know-how.

Today’s post explains how hackers crack passwords and how to counter it (spoiler alert: use reliable protection and automatically check your passwords for leaks).

The usual way to crack passwords

First, let’s clarify what we mean by “cracking a password”. We’re talking about cracking the password’s hash — a unique sequence of characters representing the password. Companies typically store user passwords in one of three ways:

In plaintext. This is the simplest and clearest way: if a user’s password is, say, qwerty12345, then it’s stored on the company server as qwerty12345. If a data breach occurs, the hacker needs only enter the password with the corresponding username to log in. That is, of course, if there’s no two-factor authentication (2FA), but even then, cybercriminals can sometimes intercept one-time passwords.
Hashed. This method uses hashing algorithms like MD5 and SHA-1 to transform each password into a unique hash value in the form of a fixed-length string of characters, which is stored on the server. When the user enters their password, the system converts the input sequence of characters into a hash and compares it to the one stored on the server. If they match, the password is correct. Here’s an example: if your password is that same qwerty12345, then “translated” into SHA-1, it looks like this: 4e17a448e043206801b95de317e07c839770c8b8. Hackers obtaining this hash would need to recover qwerty12345 from it (this is the “password cracking” part), for example, by using rainbow tables. A cracked password can then be used to access not only the compromised service but potentially other accounts where the password was reused.
Hashed with salt. Nothing to do with a tasty dish from a takeaway, this method adds a random sequence of data, known as a salt, to each password before hashing. A salt can be static or generated dynamically. The password+salt sequence is fed into the algorithm, which results in a different hash. Thus, pre-computed rainbow tables become useless to hackers. Using this method of storing passwords makes them much more difficult to crack.

For our study, we formed a database of 193 million leaked passwords in plaintext. Where did we get them all from? You have to know where to look. We found them on the dark web, where such “treasures” are often freely available. We used this database to check user passwords for possible leaks — but rest assured we don’t store or even see any passwords. You can read more about the internal structure of the password vault in our Kaspersky Password Manager and how, without knowing your passwords, we match them against leaked ones.

The cost of password cracking

Modern GPUs are the best tool for analyzing a password’s strength. For example, the RTX 4090 paired with the password recovery tool hashcat achieves a rate of 164 billion hashes per second (GH/s) for salted MD5 hashes.

Let’s imagine an 8-character password using both Latin letters (either all lowercase or all uppercase) and digits (36 possible characters per position). The number of possible unique combinations is 2.8 trillion (calculated by raising 36 to the power of eight). A powerful CPU boasting processing power of 6.7 GigaHashes per second (GH/s) could brute-force such a password in seven minutes. But the aforementioned RTX 4090 manages it in just 17 seconds.

While such a hi-end GPU costs slightly south of US$2,000, even attackers unable to get hold of one can easily rent computing power for just a few dollars per hour. But what if they rent a dozen RTX 4090s all at once? That would pack enough power to process massive hash database leaks with ease.

59% of passwords crackable in under an hour

We tested password strength using both brute-force and smart-guessing algorithms. While brute force iterates through all possible combinations of characters in order until it finds a match, smart-guessing algorithms are trained on a password data set to calculate the frequency of various character combinations, then try candidates from the most common combinations down to the rarest. You can read more about the algorithms used in the full version of our research on Securelist.

The results were unnerving: a staggering 45% of the 193 million real-world passwords we analyzed (that is, 87 million passwords!) could be cracked by the smart algorithm in less than a minute, 59% within an hour, 67% within a month, and a mere 23% of passwords could be considered truly strong — needing more than a year to crack.

Percentage of passwords crackable using the given method

Cracking time         Brute force     Smart guessing
Under a minute        10%             45%
1 minute to 1 hour    +10% (20%)      +14% (59%)
1 hour to 1 day       +6% (26%)       +8% (67%)
1 day to 1 month      +9% (35%)       +6% (73%)
1 month to 1 year     +10% (45%)      +4% (77%)
Over 1 year           +55% (100%)     +23% (100%)

It’s important to note that cracking all passwords in the database doesn’t take much more time than cracking just one (!). At each iteration, having calculated the hash for the next combination of characters, the attacker checks whether the same one exists in the general database. If it does, the password in question is marked as “cracked”, after which the algorithm continues to guess other passwords.
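The three storage methods described above and the observation just made (that cracking a whole leaked database costs little more than cracking one entry) can be demonstrated together. The block below is an added example, not code from the post or from Kaspersky’s research: it hashes a small constructed leak with unsalted SHA-1 and with a per-user salt, runs the same candidate list against both, and counts the hash computations each approach needs. It also reproduces the 36^8 keyspace timing from the post with the rates quoted there. The candidate list, the three “leaked” passwords and the salts are constructed sample data.

```python
import hashlib
import os

# Constructed sample data: candidates in the order a smart-guessing run would
# try them (most common first), and three passwords from a pretend leak.
CANDIDATES = ["password", "123456", "qwerty12345", "letmein"]
LEAKED_PLAINTEXT = ["123456", "qwerty12345", "Tr0ub4dor&3"]  # used only to build the sample leak


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_hash(password: str) -> str:
    """Storage method 2 from the post: hash of the bare password."""
    return sha1_hex(password.encode())


def salted_hash(password: str, salt: bytes) -> str:
    """Storage method 3: a per-user random salt is hashed together with the
    password, so equal passwords no longer share a hash."""
    return sha1_hex(salt + password.encode())


def crack_unsalted(leaked_hashes, candidates):
    """One hash per candidate, checked against the *entire* leak with a set
    lookup. Cracking every entry costs the same number of hashes as cracking one."""
    cracked, work = {}, 0
    for pw in candidates:
        work += 1
        h = unsalted_hash(pw)
        if h in leaked_hashes:
            cracked[h] = pw
    return cracked, work


def crack_salted(records, candidates):
    """Each record carries its own salt, so every candidate has to be re-hashed
    per record; neither a set lookup nor a precomputed (rainbow) table helps."""
    cracked, work = {}, 0
    for salt, h in records:
        for pw in candidates:
            work += 1
            if salted_hash(pw, salt) == h:
                cracked[h] = pw
                break
    return cracked, work


def brute_force_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace of charset_size**length guesses."""
    return charset_size ** length / hashes_per_second


def demo() -> dict:
    leaked_unsalted = {unsalted_hash(p) for p in LEAKED_PLAINTEXT}
    cracked_u, work_u = crack_unsalted(leaked_unsalted, CANDIDATES)

    records = []
    for p in LEAKED_PLAINTEXT:
        salt = os.urandom(16)          # dynamically generated salt per user
        records.append((salt, salted_hash(p, salt)))
    cracked_s, work_s = crack_salted(records, CANDIDATES)

    return {
        "unsalted_cracked": sorted(cracked_u.values()),
        "unsalted_work": work_u,      # hashes computed for the whole leak
        "salted_cracked": sorted(cracked_s.values()),
        "salted_work": work_s,        # grows with the number of leaked records
        "cpu_minutes_36_8": round(brute_force_seconds(36, 8, 6.7e9) / 60),
        "gpu_seconds_36_8": round(brute_force_seconds(36, 8, 164e9)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With four candidates and three leaked records the unsalted run needs four hash computations regardless of how many records the leak holds, while the salted run needs nine here and scales with the record count; the two timing values come out at 7 minutes and 17 seconds, matching the figures above.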

Why smart guessing algorithms are so effective

Humans are predictable. We rarely choose truly random passwords, and our attempts at generating them pale in comparison to machines. We rely on common phrases, dates, names, and patterns – precisely what smart cracking algorithms are designed to exploit.

Moreover, the human brain is such that if you ask a sample of folks to pick a number between one and a hundred, most will choose… the same numbers! The YouTube channel Veritasium surveyed more than 200,000 people and found the most popular numbers to be 7, 37, 42, 69, 73, and 77.

Results of the Veritasium survey. Source

Even when attempting random character strings, we tend to favor keys in the middle of the keyboard. Around 57% of all the passwords we analyzed were found to contain a dictionary word or frequent symbol combination. Worryingly, 51% of these passwords could be cracked in less than a minute, 67% in under an hour, and only 12% took more than a year. However, only a few passwords consisted of a dictionary word alone (which could be cracked within a minute). See the Securelist post for more about the password patterns we encountered.

Smart algorithms make short work of most passwords that contain dictionary sequences. And they even catch character substitutions — so writing “pa$$word” instead of “password” or “@dmin” instead of “admin” won’t make the password much stronger. Using popular words and number sequences is equally risky. In 4% of the passwords we examined, the following cropped up somewhere:

12345
123456
love
12345678
123456789
admin
team
qwer
54321
password

Recommendations

The takeaways from our hands-on study:

Many user passwords aren’t strong enough; 59% of them can be cracked in an hour.
Using meaningful words, names, and standard character sequences in your password significantly reduces password guessing time.
The least secure password is one that consists entirely of numbers or only words.

To keep your accounts safe, consider the following simple recommendations:

Generate strong passwords using Kaspersky Password Manager.
If you decide to create a password yourself, use mnemonic passphrases rather than meaningful word combinations, names, or dictionary sequences.
Never reuse passwords across different sites, because not all companies store user data securely.
Never save passwords in browsers.
Keep your passwords safely stored in a password manager and create a crack-proof primary password for it.
Check how crack-resistant your password is with Password Checker or directly in your Kaspersky Password Manager. It will identify weak and duplicate passwords, check all your passwords against compromised databases, and alert you if a match is found.
Utilize Kaspersky Premium to continually monitor in the background all accounts linked to your and family members’ phones or email addresses for data leaks.
Enable 2FA wherever possible. Incidentally, Kaspersky Password Manager also lets you save 2FA tokens and generate one-time codes.


Vulnerabilities of ZKTeco biometric terminals | Kaspersky official blog

Organizations are adopting biometric authentication to optimize access control and to add a primary or auxiliary authentication factor for accessing corporate information systems. Biometrics are perfect for the job: such data can’t be forgotten like a password, or lost like a keypass, and is very hard to forge. Security no longer has to deal with lost or forgotten cards, and the IT security team doesn’t need to come up with OTP systems. However, there are a number of “buts” to consider when evaluating such implementations:

Risks associated with storing and processing biometric information (regulated by law in many countries);
Practical difficulties related to false positives and negatives (strongly dependent on the type of biometrics and means of verification);
Risks of authentication bypass;
Risks of cyberattacks through vulnerabilities in the biometric terminal.

The first two points are usually covered by security personnel, but the rest are often underestimated. Yet, as our in-depth study of popular ZKTeco biometric terminals shows, by no means are they far-fetched. These terminals were found to harbor 24 vulnerabilities that allow threat actors to effortlessly bypass authentication, hijack the device, read or modify the list of users, download their photos and other data, and exploit access to the device to develop an attack on the corporate network. Here’s how attackers can use these vulnerabilities.

ZKTeco terminal

QR code instead of a face

The biometric terminal model studied by our experts can store a database of users locally and authenticate them in one of several ways: password, QR code, face photo biometrics, or electronic pass. As it turned out, simply scanning a QR code containing a trivial SQL injection is enough to pass authentication on the device and open the doors. And if too much data is embedded in the QR code, the terminal reboots. To carry out these attacks, an attacker only needs to approach the device with a phone or even a paper card.

Insecure network access

The terminal can be managed either locally or over the network using SSH or a proprietary network protocol on TCP port 4370. The protocol requires authentication, but the procedure’s implementation contains serious errors. The password is an integer from 0 to 999999, which is easy to brute-force, and its default value is, of course, zero. The message authentication code (MAC) uses reversible operations, making it easy to analyze network traffic and, if necessary, recover the password from it. SSH access is available to the root and zkteco users, whose passwords could be recovered by accessing the device memory.

Device hijacking

The manufacturer provides the ability to access user data remotely, download photos, upload new users, and so on. Given the insecure implementation of the proprietary protocol, this creates a risk of personal data leakage, including biometrics. Threat actors can also add third parties to the database and exclude legitimate employees.

On top of that, errors in processing protocol commands give attackers even more options, such as injecting Unix shell system commands into image processing commands and reading arbitrary system files on the terminal, right down to the password-containing /etc/shadow.

What’s more, buffer overflow vulnerabilities in the firmware update command allow arbitrary code execution on the device. This creates attractive opportunities for attackers to expand their presence in the network. Since the biometric terminal will have no EDR agent or other security tools, it’s well suited for reconnaissance operations and routing traffic between compromised devices — if, of course, the terminal itself is connected to the internal network without additional restrictions.

How to reduce the risks of attacks through biometric terminals

ZKTeco devices are used worldwide under different brand names. If the devices in the illustration look like those in your office, it’s worth updating the firmware and scrutinizing the settings to make them more secure. Either way, various flaws in biometric terminals need to be taken into account regardless of the specific manufacturer. We recommend the following measures:

Choose a biometric terminal supplier carefully. Conduct preliminary analysis of previously known vulnerabilities in its equipment and the time taken to eliminate them. Request information about the supplier’s software engineering practices, giving preference to manufacturers that use a secure development lifecycle (SDL). Also request a detailed description of how information is stored, including biometrics.
Master the equipment settings and use the most secure configuration. We recommend disabling unnecessary and insecure authentication methods as well as unused services and features. Change all default credentials to strong and unique passwords for all biometric terminal administrators and users.
Physically block unnecessary connectors and interfaces on the terminal to eliminate certain attack vectors.
Include terminals in update and vulnerability management processes.
Isolate the network. If terminals are connected to the local network and linked to a management server, we recommend moving them to a separate physical or virtual subnet (VLAN) to rule out access to terminals from regular computers and servers, and vice versa. To configure access, we advise using a privileged access workstation isolated from regular network activity.
Consider telemetry from terminals as a source of information for the SIEM system and other deployed monitoring tools.
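The last two recommendations (isolate the terminal VLAN, and feed terminal telemetry into monitoring) can be checked against network flow records. The following is an added example, not code from the post or from Kaspersky: it applies a simple policy to constructed flow records, raising an alert when any host other than the designated management workstation talks to a terminal on TCP 4370 or SSH, and when a terminal itself initiates connections into the office network, which is the lateral-movement pattern the post warns about. The subnet, the management host address, the port names and all flow records are assumed sample values.

```python
import ipaddress
from collections import Counter

# Assumed network policy (hypothetical addresses):
TERMINAL_SUBNET = ipaddress.ip_network("10.50.0.0/24")          # VLAN holding the terminals
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.10.0.5")}          # privileged access workstation
TERMINAL_PORTS = {4370: "zkteco-proprietary", 22: "ssh"}        # ports the post describes as weak

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, protocol)
SAMPLE_FLOWS = [
    ("2024-06-10T08:01:02Z", "10.10.0.5", "10.50.0.21", 4370, "tcp"),   # management workstation, expected
    ("2024-06-10T08:02:15Z", "10.20.3.44", "10.50.0.21", 4370, "tcp"),  # office PC -> terminal protocol
    ("2024-06-10T08:02:16Z", "10.20.3.44", "10.50.0.21", 22, "tcp"),    # same PC trying SSH
    ("2024-06-10T08:03:40Z", "10.50.0.21", "10.20.3.44", 445, "tcp"),   # terminal reaching into office net
    ("2024-06-10T08:04:00Z", "10.20.3.44", "10.20.3.10", 443, "tcp"),   # unrelated office traffic
]


def classify_flow(flow) -> str:
    """Return the rule a flow violates, or 'allowed'."""
    _ts, src, dst, dport, _proto = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_terminal = dst_ip in TERMINAL_SUBNET
    from_terminal = src_ip in TERMINAL_SUBNET

    # Management ports on a terminal may only be reached from the PAW.
    if to_terminal and dport in TERMINAL_PORTS and src_ip not in MANAGEMENT_HOSTS:
        return "unauthorized-management-access"
    # A terminal should never open connections to anything but its VLAN
    # and the management host; anything else looks like a pivot.
    if from_terminal and dst_ip not in TERMINAL_SUBNET and dst_ip not in MANAGEMENT_HOSTS:
        return "terminal-initiated-outbound"
    return "allowed"


def alerts(flows) -> list:
    """SIEM-style alert records for every flow that breaks the policy."""
    out = []
    for flow in flows:
        rule = classify_flow(flow)
        if rule != "allowed":
            ts, src, dst, dport, proto = flow
            out.append({
                "time": ts, "rule": rule, "src": src, "dst": dst,
                "dst_port": dport, "service": TERMINAL_PORTS.get(dport, proto),
            })
    return out


def summarize(alert_records) -> Counter:
    """Count alerts per (source, rule) so a noisy host stands out."""
    return Counter((a["src"], a["rule"]) for a in alert_records)


if __name__ == "__main__":
    found = alerts(SAMPLE_FLOWS)
    for a in found:
        print(a)
    print(summarize(found))
```

In practice the same two rules map directly onto VLAN ACLs or firewall policy: the alert logic is the detective control, and the ACL denying everything except management-host-to-terminal traffic on the listed ports is the preventive one.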


Euro 2024: Common cyberthreats | Kaspersky official blog

Fraudsters love hype and all-things-trending. Ah, so Toncoin is becoming very popular? Let’s build a cryptocurrency pyramid scheme. Artificial intelligence has hit the next level? Perfect for making voice deepfakes. The Euros have started? Get ready for a month of soccer scams…

The UEFA Euro 2024 tournament will gather over 2.7 million people in stadiums, and another 12 million in fan zones across Germany, while the total number of folks who’ll be following the year’s biggest soccer tournament boggles the mind. Alas, many of these spectators and viewers could make easy targets for scammers. That’s why it’s important to take the right precautions, understand the potential cyberthreats in the soccer world, and learn how to watch your favorite team’s matches safely.

Fake tickets

A typical threat before any major offline event is ticket fraud. In short: buy tickets only from the official UEFA website, or at the stadium box office – not from third parties or any other websites.

What could go wrong otherwise? Here are a few common scenarios:

Payment data compromise. This can happen if you pay by card on a fake (phishing) website. So before attempting to buy a ticket online, make sure there are no typos in the website’s address and that the domain wasn’t registered just a couple of weeks ago.
Personal data compromise. This scenario is also possible when buying from a phishing site — fraudsters may ask for not just your bank details but also your name, address, phone number and email. Be cautious if buying tickets requires an unusual amount of personal data.
Malware downloads. Fraudsters may offer to sell Euro 2024 tickets via a “special app”. This seemingly harmless app could turn out to be a stealer, miner, or something even worse. If you come across an offer to “download this app to buy tickets”, ignore it — it’s a scam.

All these scenarios have the same potential outcome — no tickets actually purchased, financial loss, and a very grumpy mood. If you want to make sure your data hasn’t already been compromised, install Kaspersky Premium — it will protect your devices from viruses, keep you safe from phishing and malicious links while surfing the web, and automatically check for data leaks from your accounts tied to email and phone numbers.

Pirate streams

Even if you plan on watching the entire tournament online — remain vigilant. Some attractively priced streaming services may turn out to be pirated, and a subscription that seems like a great deal could empty your bank account.

The risks here are the same as with tickets — payment and personal data can be stolen, and malicious scripts can be embedded in the streaming site pages, allowing attackers to control your browser and system. That’s why we don’t recommend storing passwords in your browser — use a password manager.

Pirate streaming service for watching Euro Cup matches

Illegal betting

Another popular type of soccer fraud is betting with illegal, fraudulent bookmakers offering fantastic odds. These outfits lure gamblers with attractive odds, and then disappear within a couple of weeks. As a result, the fans lose their money and, yet again, their payment data ends up in grubby hands. If you want to place a bet on a soccer match, use the official website or app of a bookmaker licensed to operate in your country.

Fake stores

Any soccer tournament involving national teams inevitably causes a surge in the popularity of stores selling fan merchandise: jerseys, scarves, T-shirts and so on. Among the plethora of such shops, it’s best to choose official or offline stores — that way you won’t get scammed.

Fake store selling soccer paraphernalia

Fraudsters attract buyers with big discounts, low prices and free shipping, but in reality, these are classic scammer scenarios: without reliable protection, your payment and personal data can be stolen and you’ll never receive your favorite team’s jersey.

Recommendations

Watch soccer matches only on official channels/sites and don’t pay distributors of pirated content.
Use reliable protection that warns you when you’re about to visit a phishing site.
Pay using a virtual card with a set limit. Before purchasing a ticket or subscription, transfer only the amount needed for that one transaction. This way, fraudsters won’t be able to get their hands on anything extra.
Don’t buy tickets on the second-hand market — such tickets may be invalidated by UEFA. It’s better to use the organization’s official website.
Buy fan merchandise only from official stores — otherwise you risk encountering fraudsters.


How ShrinkLocker ransomware leverages BitLocker | Kaspersky official blog

While investigating a cybersecurity incident, Kaspersky’s experts discovered new ransomware they’ve dubbed “ShrinkLocker”. An interesting feature of this malware is that its creators artfully use the built-in capabilities of Windows to lock down computers the malware has infected. In particular, ShrinkLocker uses the standard full-disc encryption utility BitLocker to block access to the data.

What makes ShrinkLocker dangerous?

Like most ransomware today, ShrinkLocker encrypts the victim’s local drives to block access to their contents. What it essentially does is activate a standard security feature — BitLocker.

ShrinkLocker shrinks the computer’s drive partitions by 100 megabytes — hence its name — and uses the freed-up space to create a boot partition for itself. While it’s at it, it disables every BitLocker key-recovery mechanism, and sends the key that was used for the drives’ encryption to the attacker’s server.

After the user restarts the computer, they’re presented with the standard BitLocker password prompt. Since the user is now unable to start the system, ShrinkLocker changes the labels of all system drives to the attacker’s email address instead of leaving a ransom note.

How ShrinkLocker works

ShrinkLocker is implemented as a complex VBScript. It starts by gathering information about the operating system — primarily, its version. If the script finds that it’s running on Windows 2000, XP, 2003, or Vista, it shuts down. For newer editions of Windows, it runs parts of its code that are optimized for the relevant operating system.

Next, it runs preparatory operations on the local drives as mentioned above, and modifies several registry keys to configure the system for running BitLocker smoothly with the settings that the attacker requires.

ShrinkLocker writes the attacker’s email address to the volume label

Then it disables and removes all default BitLocker protectors to prevent key recovery, and enables the numerical password-protector option.

The script then generates this password and initiates encryption of all local drives using the newly created password. After this, ShrinkLocker sends an HTTP POST request containing the password and system information to the attacker’s command-and-control server.

To mask the actual server address, the threat actor uses several trycloudflare.com subdomains. This is a legitimate domain owned by Cloudflare and designed for website developers to test website traffic tunneling capabilities.

In its final stages, ShrinkLocker covers its tracks by removing its files from the drive, clearing Windows PowerShell logs, and so on. Finally, the script restarts the system.

If the user tries choosing a recovery option while the machine is booting up, they get a message stating that no BitLocker recovery options are available.

ShrinkLocker has blocked access to the drive with BitLocker, and no recovery options are available

Regarding the geographical distribution of infections, our researchers have observed ShrinkLocker and its modifications in Indonesia, Jordan, and Mexico. You can find more details about the ShrinkLocker modus operandi in our report on Securelist.

How to protect yourself from ShrinkLocker

Here are some tips for how to protect against ShrinkLocker and other ransomware threats:

Apply the principle of least privilege. In particular, users should not be given permissions to modify the registry or enable full-volume encryption.
Enable traffic monitoring. In addition to HTTP GET requests, it’s also helpful to log HTTP POST. In case of infection, requests to the attacker’s C&C server may contain passwords and keys.
Monitor events associated with VBS and PowerShell execution. Save scripts and commands you discover to external storage, as the malware may delete your local logs.
Back up your data regularly. Use offline storage for backups and verify their integrity.
Use a reliable security solution on all corporate devices. For example, Kaspersky Endpoint Security for Business detects ShrinkLocker with the verdicts Trojan.VBS.SAgent.gen, Trojan-Ransom.VBS.BitLock.gen, and Trojan.Win32.Generic.
Use EDR (Endpoint Detection and Response) solutions to monitor suspicious activity on your corporate network.
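The monitoring advice above (log HTTP POST requests, watch VBS and PowerShell activity, keep copies of logs off the host) can be turned into a small correlation routine. The block below is an added example, not code from the post or a Kaspersky product: it runs five rules over constructed endpoint telemetry, each rule matching one step the post attributes to ShrinkLocker, and marks a host suspicious when several steps occur together. The post names the steps, not the commands; the specific command lines used here (manage-bde for protector removal, wevtutil for clearing the PowerShell log) are my assumptions of how those steps would appear, and the host names, paths, email address and trycloudflare.com subdomain are constructed sample values.

```python
import re

# Constructed telemetry in a simplified JSON-like shape (not a real Sysmon or
# Windows event format). WS-042 shows the full chain; WS-007 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\update.vbs"},
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -protectors -delete C:"},
    {"host": "WS-042", "type": "volume_label", "volume": "C:", "label": "attacker@example.invalid"},
    {"host": "WS-042", "type": "http", "method": "POST",
     "host_header": "three-random-words.trycloudflare.com", "path": "/"},
    {"host": "WS-042", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"'},
    {"host": "WS-007", "type": "http", "method": "GET",
     "host_header": "updates.example.invalid", "path": "/"},
    {"host": "WS-007", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\inventory.vbs"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def cmd(e) -> str:
    return e.get("cmdline", "").lower()


# Each rule maps one step described in the post to a telemetry pattern.
def vbscript_execution(e):      # "implemented as a complex VBScript"
    return e["type"] == "process" and e["image"].lower().endswith(("wscript.exe", "cscript.exe")) \
        and ".vbs" in cmd(e)

def protector_removal(e):       # "disables and removes all default BitLocker protectors" (assumed command)
    return e["type"] == "process" and "manage-bde" in cmd(e) and "-protectors" in cmd(e) \
        and "-delete" in cmd(e)

def label_is_email(e):          # "changes the labels of all system drives to the attacker’s email address"
    return e["type"] == "volume_label" and bool(EMAIL_RE.match(e.get("label", "")))

def post_to_trycloudflare(e):   # "HTTP POST request ... several trycloudflare.com subdomains"
    return e["type"] == "http" and e.get("method") == "POST" \
        and e.get("host_header", "").lower().endswith(".trycloudflare.com")

def powershell_log_cleared(e):  # "clearing Windows PowerShell logs" (assumed command)
    return e["type"] == "process" and "wevtutil" in cmd(e) and " cl " in cmd(e) \
        and "powershell" in cmd(e)

RULES = [
    ("vbscript-execution", vbscript_execution),
    ("bitlocker-protector-removal", protector_removal),
    ("volume-label-email", label_is_email),
    ("http-post-trycloudflare", post_to_trycloudflare),
    ("powershell-log-cleared", powershell_log_cleared),
]


def evaluate(events, min_rules: int = 3) -> dict:
    """Per host: which rules fired, and whether enough fired together to
    treat the host as a likely ShrinkLocker-style incident."""
    matched = {}
    for e in events:
        for name, rule in RULES:
            if rule(e):
                matched.setdefault(e["host"], set()).add(name)
    return {
        host: {"matched": sorted(names), "suspicious": len(names) >= min_rules}
        for host, names in matched.items()
    }


if __name__ == "__main__":
    for host, verdict in evaluate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

A single VBS execution, as on WS-007, is normal in many environments, which is why the verdict requires several of the steps to co-occur; the POST to a tunnel subdomain and the volume label change are the two signals least likely to appear in legitimate activity, and the POST body is also where the encryption password would be captured if full request logging is enabled.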


Transatlantic Cable podcast episode 351 | Kaspersky official blog

Episode 351 of the Transatlantic Cable podcast begins with discussion around Microsoft’s controversial ‘Recall’ feature. Following from there, news turns to discussion around Elon Musk’s frustration around Apple’s decision to include ChatGPT in the upcoming iOS 18.

To wrap up, the team discuss two news stories. The first covers the arrest of two suspects in relation to a smishing campaign, and what the police are calling “an illegitimate telephone mast” converted into a “text message blaster.” The final story looks at how a 27-year-old Tamagotchi mystery has finally been solved.

If you liked what you heard, please consider subscribing.

Microsoft ‘recalls’ screenshot feature after outcry
Elon Musk threatens to ban Apple devices from his companies over Apple’s ChatGPT integrations
Two cuffed over suspected smishing campaign using ‘text message blaster’
A 27-Year Old Tamagotchi Mystery Has Been Solved


Notifications from FB and theft of business account passwords

Cybercriminals in the password theft business are constantly coming up with new ways to deliver phishing emails. Now they’ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts. We explore how the scheme works, what to pay attention to, and what measures to take to protect business accounts on social networks.

Anatomy of the phishing attack on Facebook business accounts

It all starts with a message sent by the social network itself to the email address linked to the victim’s Facebook business account. Inside is a menacing icon with an exclamation mark, and an even more menacing text: “24 Hours Left To Request Review. See Why.”

Email with a fake warning about account problems, sent by Facebook itself

Added to this are other words which, combined with the above text, look odd. But a manager responsible for Facebook may, in haste or in panic, fail to spot these irregularities and follow the link by clicking the button in the email or manually open Facebook in a browser and check for the notifications.

Either way, they’ll end up on Facebook. After all, the email is real, so the buttons really do point to the social network’s site. A notification is waiting there — with the now familiar orange icon and same threatening words: “24 Hours Left To Request Review. See Why.”

Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service

The notification contains more details, alleging that the account and page are to be blocked because someone complained about their non-compliance with the terms of service. The victim is then prompted to follow a link to dispute the decision to block their account.

If they do, a website opens (this time, bearing the Meta logo, not Facebook) with roughly the same message as in the notification, but the time granted to resolve the issue has been halved to 12 hours. We suspect that scammers use the Meta logo this time because they try similar schemes on other Meta platforms — we found at least one “location” on Instagram with the same name: “24 Hours Left To Request Review. See Why.”

On a phishing page outside Facebook, the victim is prompted to appeal the block

After clicking the Start button, the visitor is taken through a series of redirects to a page with a form that initially asks for relatively innocuous data: page name, first and last names, phone number, date of birth.

The second screen asks the victim to enter certain personal data

It’s the next screen where things get juicy: here you need to enter the email address or phone number linked to your Facebook account and your password. As you might guess, it’s this data that the attackers are after.

The attackers don’t waste any time in requesting your Facebook account credentials

How the phishing scheme exploits real Facebook infrastructure

Now let’s see how threat actors get Facebook to send phishing notifications on their behalf. They do so by using hijacked Facebook accounts. The account name is changed straight away to the most troubling title: “24 Hours Left To Request Review. See Why.” They also change the profile pic so that the preview shows an orange icon with the exclamation mark already familiar to us from the email and notification.

Attackers change the name and profile picture of the hijacked Facebook account

That done, the message about the account block is posted from the account. At the bottom of this message, a mention of the victim’s page appears after a few dozen empty lines. By default it’s hidden, but on clicking the “See more” link in the phishing post, the mention becomes visible.

The trick is the hard-to-spot mention of the targeted Facebook business account at the bottom of the post

Threat actors post such messages from the hijacked account in bulk, each post mentioning a different targeted Facebook business account.

Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization

As a result, Facebook diligently sends notifications to all accounts mentioned in these posts, both within the social network itself and to the email addresses linked to these accounts. And because delivery is via the actual Facebook infrastructure, these notifications are guaranteed to reach their intended recipients.

How to protect business social media accounts from hijacking

We should note that phishing isn’t the only threat to business accounts. There exists an entire class of malware specially created for password theft; such programs are known as password stealers. For this same purpose, attackers can also use browser extensions — see our recent post about their use in hijacking Facebook business accounts.

Here’s what we recommend for protecting the social media accounts of your business:

Always use two-factor authentication wherever possible.
Pay close attention to notifications about suspicious login attempts.
Make sure all your passwords are both strong and unique. To generate and store them, it’s best to use a password manager.
Carefully check the addresses of pages asking for account credentials: if there’s even the slightest suspicion that a site is fake, do not enter your password.
Equip all work devices with reliable protection that will warn of danger ahead of time and block the actions of both malware and browser extensions.


Transatlantic Cable podcast episode 350 | Kaspersky official blog

Episode 350 of the Kaspersky Transatlantic Cable podcast kicks off with the surprising news that, whilst generative AI tools such as ChatGPT and MidJourney are marketed aggressively, they’re not actually that popular with everyday folk – just 2% of people in the UK say they use generative AI on a daily basis.

From there, talk moves to news regarding two large data breaches, both attributed to the same group, “ShinyHunters”. To wrap up, the team discuss a story around Microsoft India’s X account, which was recently hacked in order to spread crypto scams.

If you liked what you heard, please consider subscribing.

AI products like ChatGPT much hyped but not much used
Ticketmaster hacked. Breach affects more than half a billion users
Santander staff and ’30 million’ customers hacked
Microsoft India’s X account hijacked in Roaring Kitty crypto scam


When two-factor authentication is useless | Kaspersky official blog

Two-factor authentication (2FA) with the use of one-time passwords (OTPs) is now often seen as a cure-all against phishing, social engineering, account theft, and other cyber-maladies. By requesting an OTP at login, the service in question provides an additional protective layer of user verification. The code can be generated in a special app directly on the user’s device, although, sadly, few people bother to install and configure an authenticator app. Therefore, sites usually send a verification code in the form of a text, email, push notification, IM message, or even voice call.

Valid for a limited time, this code enhances security significantly. But a magic bullet it ain’t: even with 2FA, personal accounts remain vulnerable to OTP bots — automated software that tricks users into revealing their OTPs through social engineering.

To find out what role these bots play in phishing and how they work, read on…

How OTP bots work

Controlled either through a control panel in a web browser or through Telegram, these bots impersonate legitimate organizations such as banks to trick the victim into disclosing a sent OTP. Here’s how it unfolds:

Having obtained the victim’s login credentials — including the password (see below for how this is done) — the scammer logs into the victim’s account and is asked to enter an OTP.
The victim receives the OTP on their phone.
The OTP bot calls the victim and, using a pre-recorded social engineering script, asks them to enter the received code.
The unsuspecting victim keys in the code right there on their phone during the call.
The code is relayed to the attacker’s Telegram bot.
The scammer gains access to the victim’s account.

The key function of the OTP bot is to call the victim, and the success of the scam hinges on how persuasive the bot is: OTPs have a short lifespan, so the chances of obtaining a valid code during a phone call are much higher than any other way. That’s why OTP bots offer numerous options for fine-tuning the call parameters.

This OTP bot boasts over a dozen features: ready-made and customized scripts in multiple languages, 12 operation modes, and even 24/7 tech support

OTP bots are a business, so to get started, scammers buy a subscription in crypto costing the equivalent of up to $420 per week. They then feed the bot with the victim’s name, number, and banking details, and select the organization they want to impersonate.

The user-friendly bot menu is accessible even to scammers with no programming skills

For plausibility, the scammers can activate the spoofing function by specifying the phone number that the call appears to come from, which is displayed on the victim’s phone. They can also customize the language, and even the voice of the bot. All voices are AI-generated, so, for example, the OTP bot can “speak” English with an Indian accent, or Castilian Spanish. If a call gets forwarded to voicemail, the bot knows to hang up. And to make sure everything is configured correctly, the fraudsters can check the OTP bot settings by making a call to their own test number before commencing an attack.

The victim needs to believe that the call is legitimate, so, before dialing the number, some OTP bots can send a text message warning about the upcoming call. This lulls the target’s vigilance since at first glance there’s nothing suspicious: you get a text notification from the “bank” about an upcoming call, and a few minutes later they do call — so it can’t possibly be a scam. But it is.

During a call, some bots may request not only an OTP, but other data as well, such as bank card number and expiry date, security code or PIN, date of birth, document details, and so on.

For a deeper dive into the inner workings of OTP bots, check out our report on Securelist.

Not by bot alone

While OTP bots are effective tools for bypassing 2FA, they’re utterly useless without the victim’s personal data. To gain account access, attackers need at least the victim’s login, phone number and password. But the more information they have on the target (full name, date of birth, address, email, bank card details), the better (for them). This data can be obtained in several ways:

On the dark web. Hackers regularly put up databases for sale on the dark web, allowing scammers to buy login credentials — including passwords, bank card numbers, and other data. They may not be very fresh, but most users, alas, don’t change their passwords for years, and other details stay relevant for even longer. Incidentally, Kaspersky Premium promptly notifies you of any data breaches involving your phone number or email address, while Kaspersky Password Manager reports password compromise incidents.
From open-source intelligence. Sometimes databases get leaked to the public on the “normal” web, but due to media coverage they quickly grow outdated. For example, the standard practice of a company on discovering a customer data breach is to reset the passwords for all leaked accounts and prompt users to create a new password at the next login.
Through a phishing attack. This method has an undeniable advantage over others — the victim’s data is guaranteed to be up-to-date because phishing can take place in real time.

Phishing kits (phishkits) are tools that allow scammers to automatically create convincing fake websites to harvest personal data. They save time and let cybercriminals collect all the user information they need in a single attack (in which case OTP bots are just one part of a phishing attack).

For example, a multi-stage phishing attack might go like this: the victim receives a message supposedly from a bank, store, or other organization, urging them to update their personal account data. Attached to this message is a phishing link. The expectation is that upon landing on a site that’s almost identical to the original, the victim will enter — and the phishers will steal — their login credentials. And the attackers will use these straight away to log in to the victim’s real account.

If the account is 2FA-protected, the scammers issue a command to the phishing kit control panel to display an OTP entry page on the phishing site. When the victim enters the code, the phishers get full access to the real account, allowing them, for example, to drain bank accounts.

But it doesn’t end there. Scammers take the opportunity to extract as much personal information as possible, pressuring the user to “confirm their credentials” as a mandatory requirement. Through the control panel, the attackers can request email address, bank card number, and other sensitive data in real time. This information can be used to attack other accounts of the victim. For example, they could attempt to access the victim’s mailbox with the phished password — after all, people often reuse the same password for many if not all their accounts! Once they get access to email, the attackers can really go to town: for example, change the mailbox password and after a brief analysis of mailbox content request a password reset for all other accounts linked to this address.

Options for requesting additional data in the phishing kit control panel

How to keep your accounts safe

Always use Kaspersky Premium to automatically scan for data leaks affecting your accounts that are linked to email addresses and phone numbers — both yours and your family’s. If a breach is detected, follow the app’s advice for mitigation (at the very least, change your password right away).
If you suddenly receive an OTP, be wary. Someone might be trying to hack you. For details on what to do in this case, see our instructions.
Create strong and unique passwords for all your accounts with Kaspersky Password Manager. Scammers can’t attack you with OTP bots unless they know your password, so generate complex passwords and store them securely.
If you receive a message with a link to enter personal data or an OTP, double-check the URL. A favorite trick of scammers is to direct you to a phishing site by substituting a couple of characters in the address bar. Always take a moment to verify that you’re on a legitimate site before entering any sensitive data. By the way, our protection blocks all phishing redirection attempts.
Never share your OTPs with anyone or enter them on your phone keypad during a call. Remember that legitimate employees of banks, stores, or services, or even law enforcement officers will never ask for your OTP.
Stay ahead of the game. Subscribe to our blog to make your life in cyberspace more secure.
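One way to implement the URL check from the advice above, as an added example that is not from the original post (the allowlisted domains are constructed placeholders): it strips any user@ prefix, treats subdomains of a known site as legitimate, and flags hosts that embed a known domain, use Punycode, or sit within two character edits of a known domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user actually has accounts with
# (hypothetical values, not from the original post).
KNOWN_DOMAINS = {"example-bank.com", "example-shop.com"}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL. urlsplit().hostname drops any
    'user:pass@' prefix, so 'https://example-bank.com@evil.net' yields 'evil.net'."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, known=KNOWN_DOMAINS, max_edits: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the host in a link."""
    host = host_of(url)
    if host in known:
        return "known"
    for legit in known:
        if host.endswith("." + legit):      # genuine subdomain, e.g. login.example-bank.com
            return "known"
        if legit in host:                   # e.g. example-bank.com.verify-login.net
            return "lookalike"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"                  # Punycode: possible homograph of a Latin name
    core = ".".join(labels[-2:]) if len(labels) >= 2 else host
    for legit in known:
        if levenshtein(core, legit) <= max_edits:   # examp1e-bank.com, example-bank.co
            return "lookalike"
    return "unknown"
```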
