Cookies: Should I worry about them?

Starting off the new year, many of us are worried about cookies—how many we ate over the holidays and how we’re going to avoid them in the break room, for example. With so much cybercrime and data theft swirling around like daily bomb cyclones, there are more than a few folks worried about the kinds of cookies they encounter on the Internet.

But should they be?

Cookies are typically text files that can provide information about your browsing behavior to websites that you visit. On the one hand, cookies are useful for making your Internet experience more efficient. It’s how you automatically get logged in on sites you’ve already visited, even if you closed the browser tab, for example. But on the other hand, cookies are part of the advertising ecosystem that knows which advertisements are most likely to draw your attention—and they serve them up to you wherever you visit.
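To make the distinction between session, persistent and third-party cookies concrete, here is an added example (not code from the original article) that parses `Set-Cookie` headers the way a browser would and classifies each cookie relative to the site being visited. The hostnames, cookie names and header values are constructed; the `registrable_domain` helper is a deliberate simplification of the Public Suffix List logic real browsers use.

```python
# Added example (not from the original article): parse Set-Cookie headers and
# classify each cookie as session vs. persistent and first- vs. third-party
# relative to the site the user is visiting. All hosts/values are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CookieInfo:
    name: str
    set_by: str            # host of the response that sent the header
    domain: str            # effective domain the cookie applies to
    persistent: bool       # survives closing the browser (Expires/Max-Age present)
    third_party: bool      # belongs to a site other than the one being visited
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    """Approximate the 'site' as the last two DNS labels.

    Simplification: real browsers consult the Public Suffix List so that
    e.g. example.co.uk is handled correctly; two labels suffice for this demo.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, response_host: str, site_host: str) -> CookieInfo:
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    domain = response_host.lower()          # default: host-only cookie
    persistent = secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()
        elif key == "expires":
            persistent = True               # date parsing omitted: any Expires makes it persistent
        elif key == "max-age":
            # Max-Age <= 0 tells the browser to delete the cookie, so it is not persistent
            persistent = val.lstrip("-").isdigit() and int(val) > 0
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    third_party = registrable_domain(domain) != registrable_domain(site_host)
    return CookieInfo(name.strip(), response_host, domain, persistent, third_party, secure, http_only)


def classify(site_host: str, responses: List[Tuple[str, List[str]]]) -> List[CookieInfo]:
    """responses: (response_host, [Set-Cookie header, ...]) pairs from one page load."""
    return [parse_set_cookie(h, host, site_host) for host, headers in responses for h in headers]


# Constructed sample: one page load of shop.example.com that also pulls an ad script
SAMPLE_RESPONSES = [
    ("shop.example.com", [
        "sessionid=3f9a1c; Path=/; HttpOnly; Secure",
        "remember_me=8d2e; Max-Age=2592000; Path=/; Secure",
    ]),
    ("ads.adnetwork.example", [
        "uid=7731; Domain=.adnetwork.example; Expires=Fri, 31 Dec 2027 23:59:59 GMT",
    ]),
]


def summarize(site_host: str = "shop.example.com", responses=SAMPLE_RESPONSES) -> dict:
    cookies = classify(site_host, responses)
    return {
        "session": [c.name for c in cookies if not c.persistent],
        "persistent": [c.name for c in cookies if c.persistent],
        "third_party": [c.name for c in cookies if c.third_party],
    }


if __name__ == "__main__":
    for c in classify("shop.example.com", SAMPLE_RESPONSES):
        kind = "persistent" if c.persistent else "session"
        party = "third-party" if c.third_party else "first-party"
        print(f"{c.name:<12} {kind:<10} {party:<12} domain={c.domain}")
```

The `remember_me` cookie is what keeps you logged in after closing the tab; the `uid` cookie from the ad host is the kind a "block third-party cookies" browser setting would refuse to store.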

Why doesn’t Malwarebytes detect cookies?

Cookies in themselves are harmless. They are just data stored by a website in your browser, and they are not malware. It is what sites do with them that determines whether we like them or not. Some cookies are essential to use a site properly, and others might be considered a privacy risk. Since the possible preferences are various and personal, we believe in leaving the choice up to our customers. Of course, we can and do block sites that we know to plant overly intrusive cookies on a user’s machine. But otherwise, we leave it up to you.

How do I delete and control cookies?

At some point, you may want to remove the cookies from your browser. Below, you will see how to do that for a couple of popular browsers. But before you get rid of all of them, let me warn you that you may regret doing so. Your favorite sites will forget who you are, and you will have to log in where you normally were automatically accepted.

Windows

Edge

Unfortunately, Edge (like Internet Explorer) does not have a built-in cookie management tool for specific cookies. It does have a delete-all-or-nothing option, which you can find under Settings. Under Clear Browsing Data, click Choose > Cookies and saved website data. The control is also not very granular. You can find it under Settings > Advanced settings > View advanced settings. You will find three options: block, don’t block, or block only third-party cookies.


Internet Explorer

To clear cookies in Internet Explorer, select Tools > Internet options > General tab. Under Browsing history, hit Delete and put a checkmark in the Cookies box. Think once more, because this is an all or nothing method, before you hit Delete. For a more detailed description, check out Microsoft’s support article on How to delete cookie files in Internet Explorer.

Chrome

Go to Menu > Settings > Show advanced settings. Under Privacy, click Content settings > Cookies. Click “All cookies and site data” to get an overview. Here you do have a choice on what to delete. You can delete individual cookies separately or all of them in one sweep. For a more detailed description, see Google’s support article: Manage your cookies and site data.

Firefox

Click on the Firefox button > Options > Privacy > Show Cookies. Here you will see options to Delete all cookies or search for specific ones you want to delete. For a more detailed description, take a look at Firefox’s article: Delete cookies to remove the information websites have stored on your computer.

Opera

Click the Opera button > Settings > Delete Private Data > Detailed options > Manage cookies. Here you will see an overview of the stored cookies and an option to delete them separately. For more information, see Opera’s help article: Manage Cookies.

In the links I have provided for Chrome, Firefox, and Opera, you will also find information on how to control which cookies get stored on your computer. Internet Explorer has the controls on the Privacy tab under Tools > Internet options.

macOS

Malwarebytes for Mac does not detect or remove cookies either. As we said before, cookies are just data stored by a website, and not malware. At worst, they can pose a threat to your privacy, in the case of tracking cookies. Further, many cookies are not only legitimate, but also required for normal operation of some websites.

If you feel it necessary to delete cookies from your computer, some of them may be difficult to get rid of. You can use the following techniques to delete these cookies, but you should be aware that they will come right back as soon as you visit a site that sets those cookies.

Safari

Safari offers the option to clear all your cookies along with your browsing history. To use this option choose History > Clear History. Click the pop-up menu, and then choose how far back you want your browsing history cleared. Or you can choose to delete only cookies and website data by clicking Preferences > Privacy > Manage Website Data. Select one or more websites, then click Remove or Remove All. For more information, see Safari’s support articles: Manage cookies and website data and Safari help.

Under Privacy, you can also find the settings to control which cookies will be allowed moving forward by choosing “Change which cookies and website data are accepted.”

Adobe Flash Player

When you visit some sites with Adobe Flash Player installed and activated, the software also stores cookie data on your system. The easiest way to control these is to visit the Flash Player Help site and use the Website Storage Settings panel displayed there to delete those that you no longer want. Read the information below the panel to make sure you understand what your options are and how to use them.


Silverlight

The Silverlight browser plug-in can also store cross-browser information in the application cache. To delete the Silverlight cache, follow this procedure:

  • Close all Microsoft browser windows (Internet Explorer and Edge).
  • Click Start > All Programs > Microsoft Silverlight.
  • Choose the Application Storage tab.
  • Click Delete all.
  • Click “Yes” in the “Delete application storage for all Web sites?” dialog.
  • Click OK.

Evercookies

Evercookies are not just text files. They are JavaScript routines that recreate cookies even after they have been removed. Evercookies often rely on the two major streaming video browser plug-ins: Microsoft Silverlight and Adobe Flash. These plug-ins allow their own caching and storage, which can be used across sessions and even across browsers. But they can be hidden in other caches as well. By storing the same data in several locations that a client can access, the data can be recovered and then reset and reused if any of it is ever lost (for example, by clearing cookies).

To actually get rid of evercookies, you would have to delete all the related cookies and clear all the caches of all your browsers and video browser plug-ins, using the information posted above.

Supercookies

These are technically not cookies because they are not stored in browsers or browser plug-ins, but I wanted to mention them here anyway because their name might lead you to think otherwise. Supercookies are unique identifiers that are inserted into the HTTP header by a service provider. Service providers are legally bound to offer you an opt-out option, so it could be prudent to check if your service provider uses supercookies and how to opt out if they do.

Tech support scammer tries to sell free software

AmericaGeeks is your typical tech support scam company, but with an extra warming glow of attitude, greed, and complete all-around rudeness. Most scams will gladly take your money by buttering up the victim while simultaneously scaring them into thinking that they are in a dangerous situation with their computer or device. They then swoop in to heroically “help” them.

AmericaGeeks instead jumps straight to the point of rude behavior and scare tactics to scam their victims. They do an amazing job of dehumanizing and belittling the user, all while scamming them out of their money. This trait was what made AmericaGeeks shine through the rest.

AmericaGeeks Tech Support has a campaign sending out browser lockers, like the one above. They are posing as Microsoft, sending out warnings to users stating that their computer is infected and they need to contact them immediately. I called them at 877-658-9988, which was the number listed on the pop-up. I used a computer that was clean of any infections and allowed them access.

Below is the connect screen they used.

Obviously uncomfortable not knowing which of his company’s pop-ups resulted in the call, the tech wandered about for 10 to 15 minutes, at one point trying to log in to my router using default credentials.

The tech then ran a diagnostic and told me the computer was infected and that I had no security. Interestingly, the tool, ToolWiz, seems to be a legitimate application similar to CCleaner, and is completely free for anyone to use. This scam is using ToolWiz to mislead users with its results, which are below:

According to the tech, I had 196 infections on my system, but he would fix them for free with the purchase of antivirus software. He suggested that I purchase either Webroot or Norton. As you can see below, he wanted to overcharge me for the cost of the software to make money. It is also important to note that I did not have “196 infections.” The tool simply found 196 Temporary Files, Registry Keys, and other benign objects to remove. When I confronted him about the price, he was flustered and made up some excuse that I was paying a higher price because I was getting antivirus, anti-malware, anti-Trojan, and anti-spyware, and they were all separate (which they are not).

 

Buyer beware: educate yourself, ask a friend, and never call any number that pops up on your screen claiming that your system is infected. Below are all the indicators we could find associated with this particular scam.

Primary indicators

  • geekshelp1.me
  • geekstechllc.us
  • geekstechnicalsupport.com
  • geekstechnicalsupport.co
  • geekstechllc.com

Using the same phone number

  • 162.144.3.137/pls_multifunction.php
  • pc-geeks.us/computer-support

Exosrv.com, an ad server for adult sites, tops Malwarebytes detections

Update (12/18/2017): Upon review, we have decided to lift the block on those two ad servers. You can read ExoClick’s comments below:

At ExoClick we use large resources to ensure that the ads we serve are clear, clean, and issue free. Where malware and other forms of malvertising are detected through our internal tools, we take down the offending ad fast, within 15 minutes, and effectively ban the advertiser or individual(s) responsible. We are one of the quickest in the industry to isolate and kill any infection and have strict policies against this.

– –

There is a belief that most of what you’ll find on adult websites is going to harm your system. In many cases, this has proven to be true, but overall the adult industry has made numerous efforts to protect their customers and audience. While we would like to tell you that it’s completely safe to surf adult websites these days, we do still need to stay vigilant. That’s why Malwarebytes has started blocking two new domains that are ad servers often seen in adult traffic:

*.exosrv[.]com
*.exdynsrv[.]com

What you are likely seeing when you are doing some adult…research.

The reason why we are preventing traffic to any of those hostnames is based on reports from our customers of malicious redirects and fraud, and our own collection tools—and has nothing to do with the fact that these are sites serving porn. For example, here is a redirection from main.exosrv[.]com, which takes users to a fake online pharmacy website:


Here at Malwarebytes, we do our best to protect users by blocking not just malicious sites, but also scam sites, with fake pharmaceutical sites being one of the most common we encounter. Due to this, ads.exosrv[.]com has become our top malicious URL detection, totaling over 4 million blocks in one day, which is due to the huge amount of traffic the main domain receives.

Breakdown of blocks for this domain by country

Our goal at Malwarebytes continues to be the protection of our users, which is why we are taking an aggressive approach on blocking certain ad networks stepping over the line. Visiting adult sites is perfectly legal. Getting scammed on account of it is not.

Stay safe

Beyond keeping an up-to-date security solution installed on your system (like Malwarebytes), it’s advised to do the following when surfing any website:

  • Utilize an ad blocker to keep malicious advertisements away from your system.
  • Utilize a script blocker to keep malicious scripts from running in your browser. (Many ad blockers do this, too.)
  • Utilize safe or private browsing tools so less of your personal information is provided to websites.
  • Keep some kind of anti-exploit technology running in the background to prevent drive-by exploits from infecting your system. Malwarebytes also has this functionality baked into it.
  • Don’t follow the white rabbit! Visit websites that are known and trusted, have high reviews and/or are easy to find. The worst stuff online usually won’t be found by clicking on a Google link.

Thanks for reading!

Mobile Menace Monday: upping the ante on Adups

Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.

We thought they cleaned up their act

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went about our collective ways.

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.

They call it FWUpgradeProvider

An auto-installer is only threatening if it has system-level rights, which (unfortunately) FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices. Thus, by default it has system-level privileges. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.
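The two paragraphs above give everything needed to check a phone for this component: its package names, its APK filename, and the fact that a system-partition install is what gives it its privileges. The following is an added example (not Malwarebytes’ code) that parses the output of `adb shell pm list packages -f` and reports any matching package together with whether it lives in a system partition. The `pm` output embedded in the script is constructed for illustration; the `--adb` switch is the script’s own convention for pulling the real list from a connected device.

```python
# Added example (not Malwarebytes' code): look for the Adups components named in
# the article in `adb shell pm list packages -f` output and note whether each one
# sits in a system partition (and therefore cannot be removed by normal means).
import re
from typing import Dict, List

# Package names and APK filename are the ones given in the article
ADUPS_PACKAGES = {"com.adups.fota.sysoper", "com.fw.upgrade.sysoper"}
ADUPS_APK = "FWUpgradeProvider.apk"
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")

# `pm list packages -f` prints one line per package: package:<apk path>=<package name>
PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def find_adups(output: str) -> List[dict]:
    """Return one finding per package matched by name or by APK filename."""
    findings = []
    for pkg, path in parse_pm_list(output).items():
        by_name = pkg in ADUPS_PACKAGES
        by_apk = path.endswith("/" + ADUPS_APK)
        if by_name or by_apk:
            findings.append({
                "package": pkg,
                "path": path,
                "system_app": path.startswith(SYSTEM_PREFIXES),
                "matched_on": "package name" if by_name else "apk filename",
            })
    return findings


# Constructed sample output: one affected device with a few unrelated packages
SAMPLE_PM_OUTPUT = """\
package:/system/app/FWUpgradeProvider/FWUpgradeProvider.apk=com.adups.fota.sysoper
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/system/app/AdupsFota/AdupsFota.apk=com.adups.fota
"""


if __name__ == "__main__":
    import subprocess
    import sys

    if "--adb" in sys.argv:  # read the real package list from a connected device
        output = subprocess.run(
            ["adb", "shell", "pm", "list", "packages", "-f"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        output = SAMPLE_PM_OUTPUT

    for f in find_adups(output):
        where = "SYSTEM partition (not removable)" if f["system_app"] else "user partition"
        print(f"{f['package']}  {f['path']}  [{where}; matched on {f['matched_on']}]")
```

Note that `com.adups.fota` itself (the component the article says was cleaned up in 2016) is deliberately not flagged; only the lingering `sysoper` packages and the FWUpgradeProvider APK are.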

The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.

Cannot remove, cannot disable

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these system apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.


Now what!?

Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.

However, we may have found a method that can disable FWUpgradeProvider (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater. This tool was created by the powerful XDA Developers forum user gatesjunior. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider are running. For a full tutorial, see Disabling Adups via Debloater posted on our support forum.

Deep breaths

Regretfully, the solution listed above isn’t much of a solution—it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.

As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.

So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.

A week in security (December 11–17)

Posted: December 18, 2017 by Malwarebytes Labs

Last week we explained what fast flux is and how it’s being abused, we showed you all kinds of Bitcoin-related scams, presented a video recording of a tech support scammer trying to sell free software, and pointed out some free software to keep an eye on your Internet traffic. We also informed you about an ad server found predominantly on adult websites, which has taken the lead in the number of URLs blocked by our web protection module.

Other news

  • South Korea is preparing a bill that will ban minors and foreigners from trading in cryptocurrencies or opening investment accounts for them within South Korea. (Source: Techspot)
  • Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this flaw over the past few months. (Source: The Hacker News)
  • Intel will implement a hardware lock on management engine equipped chips to defend against patch rollbacks. (Source: The Register)
  • Dutch security firm Fox-IT handled a security breach in an exemplary way after a man-in-the-middle (MitM) attack. (Sources: Fox-IT and Security Affairs)
  • Lawsuit based on a surreptitiously recorded phone call claims Google doesn’t refund advertisers who spend money on fraudulent clicks. (Source: Business Insider)
  • Australian airport hack was “a near miss,” says government’s cybersecurity expert, and could easily have been prevented. (Source: Hot for Security)
  • Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers warned. (Source: ZDNet)
  • A two-decade-old security hole lets hackers unlock encrypted data and was found in the software of at least eight IT vendors and open-source projects. (Source: The Register)
  • MoneyTaker, a cybercriminal group believed to be operating out of Russian-speaking territories, has hit at least 20 banks and financial companies and stolen millions of US dollars in the process. (Source: BleepingComputer)
  • Politicians from California, Washington, and New York said they’ll use a mix of legislative action and legal moves to fight the FCC’s repeal of net neutrality regulation, shortly after the vote. (Source: Cnet)

Stay safe, everyone!

Lo lo lo Loapi Trojan could break your Android

Kaspersky has found what they describe as a jack-of-all-trades malicious app, which they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things: it’s a downloader, dropper, and SMS Trojan, and it can push ads, all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the battery bulge, and essentially leave your Android for dead.

It seems creating Swiss army knife malware—lumping several uniquely malicious features into one catch-all malicious app—is becoming a trend. At least this time, the Loapi Trojan didn’t make it onto Google Play.

Loapi capabilities

For the purpose of hiding itself, Loapi poses (mostly) as a fake antivirus or, on the other end of the spectrum, adult content apps. It then asks for device administrator permissions to lock the screen of the mobile device, among other things. Furthermore, it takes the damage to another level by attempting to trick the user into thinking genuine anti-malware scanners are the real threat, and prompts to uninstall them if found. If that weren’t enough, it comes with a host of other features, including:

With everything going on in the background, Loapi puts an extreme load on the mobile device. This can lead to the Android literally blowing up from heat produced by the maxed-out processor and battery.

To state the obvious: This Loapi Trojan is quite nasty.

Darn it, tell me if you detect it or not already!

So, do we detect this monster? You bet we do! Our Malwarebytes for Android detection name is Android/Trojan.Dropper.Agent.BGT. You’ll be delighted to know that we’ve been on top of this bad boy since October.

In Malwarebytes for Android, detection of this infection is primarily done by our advanced deep scanner, which uses heuristic methodology to find malware, such as this Trojan, deeply embedded in the device. Deep scan is a feature in our Premium version. Therefore, if you want to stay protected in real time against Loapi, we recommend you upgrade to Premium after your free 30-day trial of Malwarebytes for Android. Stay safe out there!

Tech support scammers make browser lockers more resilient

Tech support scammers have been relying on fraudulent pop-ups for many years in order to scare potential victims into calling for remote assistance. These so-called browser lockers (or browlocks) typically originate from malicious ads (malvertising) that can appear on any website, including trusted online portals.

The purpose of browser lockers is not only to scare but also to create the illusion that the computer has been locked, which is not quite true. What’s happened is simply that the browser is stuck in between a flurry of alert dialogs that won’t seem to go away, no matter how many times they are clicked on.

Google Chrome is often the most-targeted browser because of its dominant market share, but pop-ups come in as many different flavors as browser types, with landing pages specific to those browsers. For example, a particularly vicious technique abused the history.pushState HTML5 API to literally freeze machines while displaying the fake pop-up.

Historically, browser makers have let users down by not being able to handle those tricks cleanly. However, they appear to have taken note, fixing many of the issues that have to do with poor user experience, while also suggesting other ways for (legitimate) webmasters to send notifications, for example via the proper Notifications API.

Unfortunately, crooks are adapting as well. Despite browser developers’ best intentions, browlocks are still the best bet to scam innocent folks. The following shows a browser locker that went into full screen mode after the user clicked somewhere on the page. Pressing the Escape key to exit full screen (as instructed by the browser) triggered a malicious loop in the code that prevented closing the fraudulent pop-up (without resorting to Task Manager):

This is a similar technique to what we reported on recently with persistent drive-by mining attacks in that it uses a pop-under as a “helper.” There are actually three different layers in play to make this work:

  • a background window in full screen mode
  • another window that is superimposed (triggered on click or Escape key)
  • the pop-under (triggered on click)

The crooks have positioned and sized the pop-under in such a way that it only displays the “Stay” part of the “Leave” or “Stay” dialog window, leaving users very little choice.

Keep in mind that at the same time the user is trying to close the page, a constant reminder is being played on the computer speakers, to add to the victim’s distress:

From a technical standpoint, browser lockers are on the low side of the scale compared to malware such as ransomware. However, they benefit from great distribution channels via malvertising, guaranteeing that millions of people are affected by them. Consider that scammers charge an average of $400 per victim, and you soon realize that this is a highly profitable business.

On this blog, we have long said that awareness is critical in order to avoid falling for tech support scams, but we also recognize that browsers have a big role to play in how they handle and block such annoying alerts. Unfortunately, scammers try to trick people by abusing regular warnings and creating fake buttons. In the case mentioned above, it would have been possible to close the page from the beginning by clicking on the top window’s X before it went into full screen mode. But if a user can be enticed to perform a certain action, they essentially lock themselves out.

The rule of thumb here is to avoid panicking and simply close the browser via the Task Manager (if all else fails). Remember that the pop-ups themselves are usually harmless. You are safe as long as you haven’t dialed the toll-free number that is being advertised.

The seven most colossal data breaches of 2017

By Logan Strain

If it seems like the words “leak,” “compromised data,” and “breach” are constantly in the news, it’s not just you. The frequency of major data breaches is increasing. According to the Identity Theft Resource Center, the number of breaches is expected to top 1,500 in 2017. That’s a 37 percent annual increase over 2016, which itself was a record year for exposed personal data.

But while most data breaches are small and contained, this year saw a handful of spectacularly bad security fails. Here are the most massive sets of compromised data and data breaches of 2017.

1. Equifax

Let’s start with the Mother of All Breaches.

Equifax, one of the four major credit reporting agencies, revealed in September that cybercriminals had penetrated their network. The breach exposed the data of 143 million Americans—basically, every single adult in the country. Exposed information included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers.

It gets worse. Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people were also exposed.

In response, Equifax offered a suite of identity theft protection services to all Americans, regardless of whether they were impacted or not. The services, which include up to $1 million in ID theft insurance and social security number monitoring, are free for anyone who signs up by January 31, 2018. (Though we doubt the efficacy of these identity theft protection services and don’t recommend people purchase them.)

2. Uber

This data breach actually occurred in 2016. But due to general shadiness on Uber’s part, we didn’t learn about it until November of this year. Compromised data included the names, email addresses, and phone numbers of 50 million Uber customers. The personal data of about 7 million drivers was also exposed, including around 600,000 driver’s license numbers.

Hackers pulled off the data heist by first getting access to a private GitHub site used by Uber engineers. From there, they learned Uber’s Amazon Web Services login credentials and accessed the personal data. The hackers then used the data to blackmail Uber. In an attempt to keep the incident under wraps, Uber executives paid the hackers $100,000 to delete the data and keep quiet.
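The chain described above started with cloud credentials sitting in a source repository. The standard defensive control for that is a secret scanner run before code is pushed. The following is an added example (not Uber’s, Amazon’s or Malwarebytes’ code) of such a scanner: it looks for AWS access key IDs, AWS secret keys next to a `secret…key` label, and PEM private key blocks, line by line. The sample configuration file is constructed and uses the example credential pair that AWS publishes in its own documentation, so nothing real is embedded.

```python
# Added example (not from the original article): a minimal pre-push secret scanner
# for the kind of credential that, once committed, hands an attacker a cloud account.
import re
from typing import Iterable, List

# Long-lived AWS access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-ish characters; only flag them beside a secret/key
# label so that random hashes do not drown the report in false positives.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_-]?(?:access)?[_-]?key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

PATTERNS = [
    ("aws_access_key_id", ACCESS_KEY_RE),
    ("aws_secret_access_key", SECRET_KEY_RE),
    ("private_key_block", PRIVATE_KEY_RE),
]


def scan_text(text: str, origin: str = "<text>") -> List[dict]:
    """Return one finding per (line, pattern) hit; the secret itself is not echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append({"origin": origin, "line": lineno, "kind": kind})
    return findings


def scan_files(paths: Iterable[str]) -> List[dict]:
    """Scan files on disk (e.g. the list from `git diff --cached --name-only`)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_text(fh.read(), origin=path))
    return findings


# Constructed sample: a settings file someone almost committed. The key pair is the
# placeholder pair AWS prints in its documentation, not a live credential.
SAMPLE_CONFIG = """\
# constructed sample settings file
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
log_level = info
"""


if __name__ == "__main__":
    import sys

    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "settings.ini")
    for h in hits:
        print(f"{h['origin']}:{h['line']}: possible {h['kind']}")
    sys.exit(1 if hits else 0)   # non-zero exit lets a pre-push hook refuse the push
```

Wired into a pre-commit or pre-push hook, the non-zero exit status stops the commit that would have put the credentials into history; rotating a key that has already been pushed is the only remedy after the fact, since removing it from the repository does not un-leak it.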

The incident only came to light after new Uber CEO Dara Khosrowshahi discovered it and reported the incident to regulatory authorities.

In a blog post, Khosrowshahi said that “None of this should have happened, and I will not make excuses for it.”

3. Edmodo

Adults aren’t the only ones getting their info compromised. In May, Motherboard reported that social learning platform Edmodo was hacked. The service, which is used by educators and students, has around 78 million users—and a hacker named “nclay” claimed that he acquired the account data of 77 million of them.

The data was put up for sale on the Dark Web, but apparently, accounts for a site that is primarily used to assign homework and create lesson plans aren’t particularly valuable. The hacker priced the entire database of data at just over $1,000.

4. Verizon

Did you call Verizon customer service in the first six months of 2017? Then it’s possible your data was inadvertently exposed.

ZDnet reported that Nice Systems, an Israel-based company, failed to secure an Amazon S3 storage server that contained records for 14 million Verizon customers. The compromised records include customer names, cell phone numbers, and account PINs.

Fortunately, Verizon was able to protect the data before anyone else could access it. In a statement to CNBC, a Verizon spokesperson said, “We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

5. Deep Root Analytics

The data analytics firm Deep Root Analytics, which was contracted by the Republican National Committee, revealed that they had exposed the data of 198 million citizens. That means almost two out of every three Americans were impacted. Exposed information includes names, birthdates, phone numbers, and, most troubling, voter registration details.

The breach was discovered by security researcher Chris Vickery on June 12. His analysis revealed that the firm’s database was stored on an Amazon cloud server without password protection for about two weeks. Anyone had the ability to download the 1.1 terabytes worth of data.
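Both the Verizon/Nice Systems incident and the Deep Root Analytics incident above come down to the same misconfiguration: an Amazon S3 bucket readable without credentials. The following is an added example (not code from the article or from any of the companies involved) that evaluates a bucket policy and a bucket ACL, in the JSON shapes the S3 API returns, and reports grants to everyone. The policy and ACL documents are constructed; the account ID and IP range are the placeholders AWS and the RFCs reserve for documentation.

```python
# Added example (not from the original article): flag S3 bucket policies and ACLs
# that grant access to everyone, the misconfiguration behind both incidents above.
from typing import Any, List

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",           # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # anyone with any AWS account
}


def _as_list(x: Any) -> list:
    return x if isinstance(x, list) else [x]


def _principals(p: Any) -> list:
    """Normalize the Principal element: "*", {"AWS": "*"}, {"AWS": [..]} ..."""
    if p is None:
        return []
    if isinstance(p, dict):
        return [v for vals in p.values() for v in _as_list(vals)]
    return _as_list(p)


def public_policy_statements(policy: dict) -> List[dict]:
    """Allow statements whose Principal includes "*". Conditioned ones are kept but
    marked, because a condition such as aws:SourceIp may or may not be sufficient."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal")):
            continue
        hits.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            "conditioned": bool(st.get("Condition")),
        })
    return hits


def public_acl_grants(acl: dict) -> List[dict]:
    """Grants to the AllUsers / AuthenticatedUsers groups in a GetBucketAcl result."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            hits.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                         "permission": grant.get("Permission")})
    return hits


def assess(policy: dict, acl: dict) -> dict:
    statements = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    return {
        "public_statements": statements,
        "public_acl_grants": grants,
        # unconditioned "*" grants or public ACL groups make the bucket reachable by anyone
        "is_public": any(not s["conditioned"] for s in statements) or bool(grants),
    }


# Constructed sample policy: one world-readable statement, one scoped to a role,
# one public-but-conditioned statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records-bucket/*"},
        {"Sid": "VendorAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/vendor-ingest"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-records-bucket/*"},
        {"Sid": "PublicFromOffice", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-records-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Constructed sample ACL in the shape boto3's get_bucket_acl() returns
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}


if __name__ == "__main__":
    # With boto3 the inputs would be json.loads(s3.get_bucket_policy(Bucket=b)["Policy"])
    # and s3.get_bucket_acl(Bucket=b); the constructed documents stand in for them here.
    report = assess(SAMPLE_POLICY, SAMPLE_ACL)
    print("PUBLIC" if report["is_public"] else "not public")
    for s in report["public_statements"]:
        print(f"  policy {s['sid']}: {s['actions']}" + ("  (conditioned, review)" if s["conditioned"] else ""))
    for g in report["public_acl_grants"]:
        print(f"  acl grant: {g['group']} {g['permission']}")
```

Either finding alone would have been enough to expose the records in the two incidents above; in practice the bucket-level "Block Public Access" setting is the control that prevents both kinds of grant from taking effect.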

6. Sonic Drive-In

Millions of customers who only wanted to order a cheeseburger and a shake may have inadvertently given their credit card info to identity thieves.

The fast-food chain Sonic Drive-In acknowledged that an unknown number of restaurant payment systems were compromised and customer credit card information was breached. Security researcher Brian Krebs revealed that stolen credit card numbers made their way to underground markets where cybercriminals buy and sell sensitive financial data.

7. All WiFi devices

In 2017 we also discovered that essentially all data transmitted over WiFi networks is vulnerable. Computer scientist Mathy Vanhoef announced that a vulnerability in the WPA2 encryption protocol made WiFi networks accessible without login credentials. Hackers are able to access WiFi data through a key reinstallation attack, or KRACK. It’s unknown if any data was actually stolen using this method, but the vulnerability has existed since the beginning of WiFi.

Fortunately, tech companies started releasing patches shortly after the problem was discovered. Earlier this month Apple fixed the security hole for all iPhones. And several router manufacturers have released updated firmware that protects against KRACK attacks.

The growing number (and size) of data breaches indicates that threats are outpacing security measures taken by organizations. Until companies can improve their security posture, the responsibility for keeping data breaches from doing serious damage will fall on individuals.

Guest post by Logan Strain, author for Crimewire
Father, writer, and reformed Usenet troll. Lives in San Diego. Doesn’t surf, but should learn.
Follow Logan on Twitter @LM_Strain

Facebook phishers want you to “Connect with Facebook”

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers because the padlock lends an extra air of authenticity to the whole operation. All the padlock tells you is that the connection to the site is encrypted and the certificate matches the hostname; it says nothing about who runs the page, and on a shared host like sites.google.com the certificate belongs to the platform, not to whoever built the page. As a result, you can't assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]

facebook phish landing page


…or

another phish landing page


…”Connect with Facebook.”

There are a few other designs out there, but they're nowhere near as common as the two above. Here's one of the alt-designs:

Fake Facebook warning page


The word salad on the fake Facebook security page reads as follows:

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:

fake lock landing page

After that, they go straight for security questions:

fake lock


The text on the page reads as follows:

Upon hitting the “Protect your account” button, victims are sent to the legitimate Facebook login page, another common trick to make the victim think all is well, right up to the point the login details mysteriously change and they lose access. We've seen far less elaborate Facebook scams also ask for payment information, so we're a little surprised that none of the sites in either group (the landing pages, or the sites hosting the data collection) do this.

We’re certainly not complaining, mind.

At time of writing, many of the secondary sites appear to have been taken down, though a fair few landing pages are still up and running. That makes it easy for the scammers to set up new phish pages and simply point the existing landing URLs at them instead.

URLs you should avoid:

sites.google.com/site/wwwpagesinfoterms12/

sites.google.com/site/info30021033700i/

sites.google.com/site/policyclaming767005/

sites.google.com/site/recoveryfbunblockingcenter/

(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php

sites.google.com/site/wwwpagesconfirms1202/

sites.google.com/site/noticereportslogsinfoo050/

sites.google.com/site/wwwpagesinfonet/

sites.google.com/site/help151054141104105140/

sites.google.com/site/info20012001320i1/

We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.
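As an added example (not code from the original post), here is a small scanner that checks proxy-log entries against the landing pages listed above and also flags look-alike sites.google.com pages built on the same pattern: an account-trouble keyword or a long run of digits in the page name. The log format, the log lines and the keyword list are constructed for the example; adapt the parser to your own proxy's format.

```python
"""Flag visits to the listed phishing landing pages and look-alikes (added example)."""
import re
from urllib.parse import urlsplit

# Landing pages and the secondary site from the post, with "(dot)" defanging
# undone and trailing slashes dropped so comparison does not depend on them.
KNOWN_PATHS = {
    "sites.google.com/site/wwwpagesinfoterms12",
    "sites.google.com/site/info30021033700i",
    "sites.google.com/site/policyclaming767005",
    "sites.google.com/site/recoveryfbunblockingcenter",
    "help-unblocking-fb.site/contact/2017/index.php",
    "sites.google.com/site/wwwpagesconfirms1202",
    "sites.google.com/site/noticereportslogsinfoo050",
    "sites.google.com/site/wwwpagesinfonet",
    "sites.google.com/site/help151054141104105140",
    "sites.google.com/site/info20012001320i1",
}

# Words the campaign's page names lean on (constructed heuristic list).
LURE_WORDS = re.compile(
    r"confirm|recover|unblock|polic|claim|notice|report|secur|verif|fb|facebook|help|terms",
    re.I,
)


def refang(url: str) -> str:
    """Turn defanged notation back into a parseable URL."""
    url = url.replace("(dot)", ".").replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "http://" + url


def classify(url: str) -> str:
    """'known' (on the list), 'suspicious' (same pattern) or 'clean'.

    The scheme is deliberately ignored: an https padlock on sites.google.com
    says nothing about the page's intent.
    """
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    if host + u.path.rstrip("/") in KNOWN_PATHS:
        return "known"
    if host == "sites.google.com" and u.path.startswith("/site/"):
        slug = u.path.split("/")[2]
        if LURE_WORDS.search(slug) or re.search(r"\d{4,}", slug):
            return "suspicious"
    return "clean"


# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2017-12-20T09:14:02Z 10.0.0.12 GET https://sites.google.com/site/recoveryfbunblockingcenter/ 200
2017-12-20T09:14:09Z 10.0.0.12 GET https://help-unblocking-fb.site/contact/2017/index.php 200
2017-12-20T09:15:31Z 10.0.0.45 GET https://sites.google.com/site/teamwikiprojectnotes/ 200
2017-12-20T09:16:05Z 10.0.0.45 GET https://sites.google.com/site/fbsecurityverify88123/ 200
2017-12-20T09:17:44Z 10.0.0.77 GET https://www.facebook.com/login/ 200
"""


def scan_log(lines) -> list:
    """Return (client, url, verdict) for every log line that is not clean."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        verdict = classify(url)
        if verdict != "clean":
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The 'known' hits are exact matches worth an immediate look at the client (the second line shows 10.0.0.12 following the landing page through to the credential-collection site); the 'suspicious' verdict is a heuristic and will need review, but it is how you catch the replacement pages the scammers point the surviving landing URLs at.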

IPv6, it’s waiting for you

IPv6 is a term IT professionals are likely to have seen or heard at one time or another, but what exactly is it? Let us give you a quick introduction, and then try to explain what it does differently by comparing it to its predecessor, IPv4.

IPv4 and IPv6 are both Internet communications protocols that provide an identification and location system for networked devices, which is what allows traffic to be directed to a specific address. IPv6 is short for Internet Protocol version 6; naturally, that means IPv4 is version 4. In case you are wondering, version number 5 went to an experimental streaming protocol (ST) that never saw general use.

Why the change?

One reason to replace IPv4 was the limited number of possible addresses: just under 4.3 billion (2^32), because an IPv4 address is only 32 bits long. The authority that hands out address blocks to the regional registries (IANA) allocated its last IPv4 blocks at the beginning of 2011. An IPv6 address is 128 bits long (written as eight groups of hexadecimal digits, where IPv4 uses four decimal numbers), so the number of possible addresses went up to roughly 3.4 × 10^38. That's a lot of addresses.

compare IPv4 and IPv6

Pros and Cons of IPv6

Using IPv6 means that you don't need Network Address Translation (NAT), which basically comes down to showing one external IP address to the outside world: regardless of which device behind the NAT you are using, others always see the same IP. IPv6 gives every device its own unique address. The first 64 bits (the network prefix) are shared by all devices on the same LAN, so if you move a device to another LAN, it takes on the first 64 bits of that network.

In the early days of IPv6, the last 64 bits (the interface identifier) were usually derived from the device's MAC address using the EUI-64 scheme. Because that identifier stays the same whatever prefix the device is on, it made devices trackable across networks, which posed a privacy issue; modern systems use randomised or temporary identifiers (RFC 4941 privacy extensions) instead. The absence of NAT also means that with IPv6 you no longer need port forwarding to reach a particular node in the network: the connection can be made directly to its unique IPv6 address. The firewall still has to allow that connection, though, so “no NAT” is not the same as “open to the world”.
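The following added example (not code from the original post) shows how the modified EUI-64 scheme turns a MAC address into the lower 64 bits of an IPv6 address, why the identifier follows the device from one network prefix to another, and how to recognise such an address. The MAC and the two prefixes are constructed for the example.

```python
"""Modified EUI-64 interface identifiers and the tracking problem (added example)."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): insert ff:fe in the middle of the
    48-bit MAC and invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfigured address: the /64 network prefix plus the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_address(addr: str):
    """Recover the MAC if the interface identifier is modified EUI-64, else None.
    The ff:fe marker in the middle of the IID is the tell-tale sign."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def same_device(addr_a: str, addr_b: str) -> bool:
    """True when two addresses (possibly on different prefixes) carry the same EUI-64 MAC."""
    mac = mac_from_address(addr_a)
    return mac is not None and mac == mac_from_address(addr_b)


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"                      # constructed MAC
    at_office = slaac_address("2001:db8:1::/64", mac)
    at_home = slaac_address("2001:db8:beef::/64", mac)
    print(at_office, at_home, same_device(at_office, at_home))
    print(mac_from_address(at_office))
    print(mac_from_address("2001:db8:1::a3f1:9c2e:7b45:1d2a"))   # privacy address: None
```

The first 64 bits change with the network, the last 64 bits do not, so any site the device talks to can link the two visits. The same `mac_from_address` check is useful the other way round: run it over the addresses your own hosts use on the Internet and you will see which ones still autoconfigure from the MAC.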

IPv6 offers data security at the IP level. With IPv6, it is possible to use Internet Protocol Security (IPsec) during data transport, which provides encryption and authentication: the receiver can verify who sent a packet, which defeats spoofing and man-in-the-middle attacks on that traffic. IPsec was designed alongside IPv6 and was originally a mandatory part of every IPv6 implementation (the requirement has since been relaxed to a recommendation), whereas in IPv4 it was retrofitted as an optional add-on, typically seen in VPNs. Either way, IPsec only protects traffic between endpoints that have been configured to use it; merely enabling IPv6 does not encrypt anything. Separately, the Secure Neighbor Discovery (SEND) protocol protects the Neighbor Discovery messages IPv6 uses in place of ARP, so that a rogue host on the LAN cannot spoof router or neighbor advertisements.

IPv6 also supports mobile nodes (Mobile IPv6): traffic addressed to a node that temporarily has a different address can be forwarded to its current one.

Latency can be higher when using IPv6. In theory it could be faster, but in practice it is often slower because not every network on the path supports IPv6 natively; traffic then has to be routed around those networks or through tunnels, which adds hops.

Packet headers are bigger because of the longer addresses: the fixed IPv6 header is 40 bytes, against a minimum of 20 bytes for IPv4, so the per-packet overhead roughly doubles.

Firewalls have to be considered at the device level. Because IPv6 addresses are directly reachable, not everything can be checked at the network router the way it was when NAT hid the internal hosts. This matters especially when your servers have IPv6 enabled by default (most modern operating systems do) while your firewall rules only cover IPv4: services you thought were internal are then exposed over IPv6, and malware and breaches are not far behind.

Take action for a safe transition

  • Be ready for IPv6 before you start using it, as it may require a complete makeover of your network design. Study up on IPv6 before you’re forced to make the change.
  • Consider what needs to be done to maintain or better your current security posture.
  • Research how the transition can help you to improve security.
  • Plan the transition in a way so that your environment stays secure during each step of the process.
  • When purchasing new equipment, make sure it will still be useful after the transition to IPv6. Most new devices will be compatible, but will they still be needed?

Conclusion

Since there is no more room to grow on IPv4, we should get ready for IPv6. Several large ISPs and mobile operators are already migrating to IPv6, along with many other major online services. It's time IT professionals did the same.