When so-called security apps go rogue [Audio + Text] – Naked Security



Rogue software packages. Rogue “sysadmins”. Rogue keyloggers. Rogue authenticators.

DOUG.  Scambaiting, rogue 2FA apps, and we haven’t heard the last of LastPass.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everyone.

I’m Doug Aamoth; he’s Paul Ducklin.

Paul, how do you do today?


DUCK.  Cold, Doug.

Apparently, March is going to be colder than February.


DOUG.  We are having the same problem here, the same issue.

So, fret not – I have a very interesting This Week in Tech History segment.

This week, on 05 March 1975, the first gathering of the Homebrew Computer Club took place in Menlo Park, California, hosted by Fred Moore and Gordon French.

The first meeting saw around 30 technology enthusiasts discussing, among other things, the Altair.

And about a year later, on 01 March 1976, Steve Wozniak showed up to a meeting with a circuit board he had created, aiming to give away the plans.

Steve Jobs talked him out of it, and the two went on to start Apple.

And the rest is history, Paul.


DUCK.  Well, it really is history, Doug!

Altair, eh?

Wow!

The computer that persuaded Bill Gates to drop out of Harvard.

And in true entrepreneurial style, along with Paul Allen and Monte Davidoff – I think that was the trio who wrote the Altair Basic – decamped to New Mexico.

Go and work on the hardware vendor’s property in Albuquerque!


DOUG.  Perhaps something that’s maybe not going to make history…

…we’ll start the show with an unsophisticated but interesting scambaiting campaign, Paul.

NPM JavaScript packages abused to create scambait links in bulk


DUCK.  Yes, I wrote this up on Naked Security, Doug, under the headline NPM JavaScript packages abused to create scambait links in bulk (it’s a lot wordier to say than it seemed at the time when I wrote it)…

…because I felt it was an interesting angle on the kind of web property that we tend to associate immediately, and only, with so-called supply-chain source code attacks.

And in this case, the crooks figured, “Hey, we don’t want to distribute poisoned source code. We’re not into that kind of supply-chain attack. What we’re looking for is just a series of links that people can click on that won’t arouse any suspicions.”

So, if you want a web page that somebody can go to that has a load of links to dodgy sites… like “Get your free Amazon bonus codes here” and “Get your free bingo spins” – there were literally tens of thousands of these…

…why not choose a site like the NPM Package Manager, and create a whole load of packages?

Then you don’t even have to learn HTML, Doug!

You can just use good old Markdown, and there you’ve got essentially a good-looking, trusted source of links you can click through to.

And these links that they were using, as far as I could make out, went off to essentially unsuspicious blog sites, community sites, whatever, that had unmoderated or poorly moderated comments, or where they were just able to create accounts and then make comments that had links in.

So they’re basically building a chain of links that wouldn’t arouse suspicion.


DOUG.  So, we have some advice: Don’t click freebie links, even if you find you are interested or intrigued.


DUCK.  That’s my advice, Doug.

Maybe there are some free codes, or maybe there’s some coupon stuff that I could get… maybe there’s no harm in taking a look.

But if there’s some kind of affiliated ad revenue with that, that the crooks are making just by enticing you bogusly to a particular site?

No matter how minuscule the amount is that they’re making, why give them something for nothing?

That’s my advice.

“Best way to avoid punch is no be there,” as always.


DOUG.  [LAUGHS] And then we have: Don’t fill in online surveys, no matter how harmless they seem.


DUCK.  Yes, we’ve said that many times on Naked Security.

For all you know, you might be giving your name here, your phone number there, you perhaps give your date of birth to something for a free gift there, and you think, “What’s the harm?”

But if all that information is actually ending up in one big bucket, then, over time, the crooks are just getting more and more about you, sometimes perhaps including data that is very difficult to change.

You can get a new credit card tomorrow, but it’s quite a lot harder to get a new birthday or to move house!


DOUG.  And last, but certainly not least: Don’t run blogs or community sites that allow unmoderated posts or comments.

And if anyone’s ever run, say, a WordPress site, the thought of allowing unmoderated comments is just short of mind-blowing, because there will be thousands of them.

It is an epidemic.


DUCK.  Even if you’ve got an automated anti-spamming service in your comment system, that can do a great job…

…but don’t let the other stuff through and think, “Oh, well, I’ll go back and remove it, if I see that it looks dodgy afterwards,” because, like you said, it’s at epidemic proportions…


DOUG.  That’s a full-time job, yes!


DUCK.  …and has been for ages.


DOUG.  And you were able, I’m delighted to see, to work in two of our favourite mantras around here.

At the end of the article: Think before you click, and: If in doubt…


DUCK.  …don’t give it out.

It really is as simple as that.


DOUG.  Speaking of giving things out, three kids allegedly made off with millions in extortion money:

Dutch police arrest three cyberextortion suspects who allegedly earned millions


DUCK.  Yes.

They were busted in the Netherlands for crimes that they’re alleged to have started committing… I think it’s two years ago, Doug.

And they’re 18 years, 21 years, and 21 years old now.

So they were quite young when they started.

And the prime suspect, who’s 21 years old… the cops allege he has made about two-and-a-half-million Euros.

That is a lot of money for a youngster, Doug.

It’s a lot of money for anybody!


DOUG.  I don’t know what you were making at 21, but I was not making that much, not even close. [LAUGHS]


DUCK.  Maybe two Euros fifty an hour? [LAUGHTER]

It seems that their modus operandi was not to end up with ransomware, but to leave you with the *threat* of ransomware because they were already in.

So they’d come in, they’d do all the data theft, and then instead of actually bothering to encrypt your files, it sounds as if what they’d do is they’d say, “Look, we’ve got the data; we can come back and ruin everything, or you can pay.”

And the demands were somewhere between €100,000 and €700,000 per victim.

And if it’s true that one of them made €2,500,000 in the past two years out of his cybercriminality, you can imagine that they probably blackmailed quite a few victims into paying up, for fear of what might get revealed…


DOUG.  We’ve said around here, “We’re not going to judge, but we urge people not to pay up in cases like this, or in cases like ransomware.”

And for good reason!

Because, in this case, the police note that paying the blackmail didn’t always work out.

They said:

In many cases, stolen data was leaked online even after the affected companies had paid up.


DUCK.  So, if you ever thought, “I wonder if I can trust those guys not to leak the data, or for it not to appear online?”…

…I think you’ve got your answer there!

And remember that it may not be that these particular crooks were just ultra-duplicitous, and that they took the money and leaked it anyway.

We don’t know that *they* were necessarily the people who leaked it.

They might have just been so bad at security themselves that they stole it; they had to put it somewhere; and while they were negotiating, telling you, “We’ll delete the data”…

…for all we know, someone else could have stolen it in the meantime.

And that’s always a risk, so paying for silence rarely works out well.


DOUG.  And we’ve seen more and more attacks like this, where ransomware actually seems a little bit more straightforward: “Pay me for the decryption key; you pay me; I’ll give it to you; you can unlock your files.”

Well, now they’re getting in and saying, “We’re not going to lock anything up, or we’re going to lock it up but we’re also going to leak it online if you don’t pay…”


DUCK.  Yes, it’s three kinds of extortion, isn’t it?

There’s, “We locked up your files, pay the money or your business will stay derailed.”

There’s, “We stole your files. Pay up or we’ll leak them, and then we might come back and ransomware you anyway.”

And there’s the double-dip that some crooks seem to like, where they steal your data *and* they scramble the files, and they say, “You might as well pay up to decrypt your files, and no extra charge, Doug, we’ll delete the data as well!”

So, can you trust them?

Well, here’s your answer…

Probably not!


DOUG.  All right, head over and check that out.

There’s extra insight and context at the bottom of that article… Paul, you did an interview with our own Peter Mackenzie, who’s the Director of Incident Response here at Sophos. (Full transcript available.)


And, as we always say in cases like these, if you’re affected by this, report the activity to the police so that they have as much information as they can get in order to put their case together.

I’m happy to report that we said we’d keep an eye on it; we did; and we’ve got a LastPass update:

LastPass: Keylogger on home PC led to cracked corporate password vault


DUCK.  We have indeed, Doug!

This is indicating how the breach of their corporate passwords allowed the attack to go from being a “little thing” where they got source code to something rather more dramatic.

LastPass seem to have figured out how that actually happened… and in this report, there are effectively, if not words of wisdom, at least words of warning.

And I did repeat, in the article I wrote about this, what we said on last week’s podcast promo video, Doug, namely:

Sadly, it seems that one of the developers, who just happened to have the password to unlock the corporate password vault, was running some kind of media-related software that they hadn’t patched.

And the crooks were able to use an exploit against it… to install a keylogger, Doug!

From which, of course, they got that super-secret password that opened the next stage of the equation.

If you’ve ever heard the term lateral movement – that’s a jargon term you’ll hear a lot.

The analogy you might have with conventional criminality is…

…get into the lobby of the building; hang around a little bit; then sneak into a corner of the security office; wait in the shadows so nobody sees you until the guards go and make a cup of tea; then go to the shelf next to the desk and grab one of those access cards; that gets you into the secure area next to the bathroom; and in there, you’ll find the key to the safe.

You see how far you can get, and then you figure out probably what you need, or what you’ll do, to get you the next step, and so on.

Beware the keylogger, Doug! [LAUGHS]


DOUG.  Yes!


DUCK.  Good, old-school, non-ransomware malware is [A] alive and well, and [B] can be just as dangerous to your business.


DOUG.  Yes!

And we’ve got some advice, of course.

Patch early, patch often, and patch everywhere.


DUCK.  Yes.

LastPass were very polite, and they didn’t blurt out, “It was XYZ software that had the vulnerability.”

If they’d said, “Oh, the software that was hacked was X”…

…then people who didn’t have X would go, “I can stand down from blue alert; I don’t use that software.”

In fact, that’s why we say not just patch early, patch often… but patch *everywhere*.

Just patching the software that affected LastPass is not going to be enough on your network.

It does need to be something you do all the time.


DOUG.  And then we’ve said this before, and we’ll continue to say it until the sun burns out: Enable 2FA wherever you can.


DUCK.  Yes.

It is *not* a panacea, but at least it means that passwords alone are not enough.

So it doesn’t raise the bar all the way, but it definitely doesn’t make it easier for the crooks.


DOUG.  And I believe we’ve said this recently: Don’t wait to change credentials or reset 2FA seeds after a successful attack.


DUCK.  As we’ve said before, a rule that says, “You have to change your password – change for change’s sake, do it every two months regardless”…

…we don’t agree with that.

We just think that’s getting everybody into the habit of a bad habit.

But if you think there might be a good reason to change your passwords, even though it’s a real pain in the neck to do it…

…if you think it might help, why not just do it anyway?

If you’ve got a reason to start the change process, then just go through with the whole thing.

Don’t delay/Do it today.

[QUIETLY] See what I did there, Doug?


DOUG.  Perfect!

Alright, let’s stay on the subject of 2FA.

We are seeing a spike in rogue 2FA apps in both app stores.

Could this be because of the Twitter 2FA kerfuffle, or some other reason?

Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!


DUCK.  I don’t know that it’s specifically because of the Twitter 2FA kerfuffle, where Twitter have said, for whatever reasons they have, “Ooh, we’re not going to use SMS two-factor authentication anymore, unless you pay us money.”

And since the majority of people aren’t going to be Twitter Blue badge holders, they’re going to have to switch.

So I don’t know that that’s triggered a surge in rogue apps in App Store and Google Play, but it certainly drew the attention of some researchers who are good friends to Naked Security: @mysk_co, if you want to find them on Twitter.

They thought, “I bet lots of people are actually looking for 2FA authenticator apps right now. I wonder what happens if you go to the App Store or Google Play and just type in Authenticator app?”

And if you go to the article on Naked Security, entitled “Beware rogue 2FA apps”, you will see a screenshot that these researchers prepared.

It’s just row after row after row of identical-looking authenticators. [LAUGHS]


DOUG.  [LAUGHS] They’re all called Authenticator, all with a lock and a shield!


DUCK.  Some of them are legit, and some of them aren’t.

Annoyingly, when I went – even after this had got into the news… when I went to the App Store, the top app that came up was, as far as I could see, one of these rogue apps.

And I was really surprised!

I thought, “Crikey – this app is signed in the name of a very well known Chinese mobile phone company.”

Luckily, the app looked quite unprofessional (the wording was very bad), so I didn’t for a second believe that it really was this mobile phone company.

But I thought, “How on earth did they manage to get a code-signing certificate in the name of a legitimate company, when clearly they wouldn’t have had any documentation to prove that they were that company?” (I won’t mention its name.)

Then I read the name really carefully… and it was, in fact, a typosquat, Doug!

One of the letters in the middle of the word had, how can I say, a very similar shape and size to the one belonging to the real company.

And so, presumably, it had therefore passed automated checks.

It didn’t match any known brand name that somebody already had a code-signing certificate for.

And even I had to read it twice… even though I knew that it was a rogue app, because I’d been told to go there!

On Google Play, I also came across an app that I was alerted to by the chaps who did this research…

…which is one that doesn’t just ask you to pay $40 a year for something you can get for free built into iOS, or directly from Play Store with Google’s name on it for free.

It also stole the starting seeds for your 2FA accounts, and uploaded them to the developer’s analytics account.

How about that, Doug?

So that’s at best extreme incompetence.

And, at worst, it’s just outright malevolent.

And yet, there it was… top result when the researchers went looking in the Play Store, presumably because they splashed a little bit of ad love on it.

Remember, if somebody gets that starting seed, that magic thing that’s in the QR code when you set up app-based 2FA…

…they can generate the right code for you, for any 30-second login window in the future, forever and ever, Doug.

It’s as simple as that.

That shared secret is *really* the key to all your future one-time codes.


DOUG.  And we’ve got a reader comment on this rogue 2FA story.

Naked Security reader LR comments, in part:

I dumped Twitter and Facebook ages ago.

Since I’m not using them, do I need to be concerned about the two-factor situation?


DUCK.  Yes, that’s an intriguing question, and the answer is, as usual, “It depends.”

Certainly if you’re not using Twitter, you could still choose badly when it comes to installing a 2FA app…

…and you might be more inclined to go and get one, now 2FA has been in the news because of the Twitter story, than you would have weeks, months, or years ago.

And if you *are* going to go and go for 2FA, just make sure you do it as safely as you can.

Don’t just go and search, and download what seems like the most obvious app, because here is strong evidence that you could put yourself very much in harm’s way.

Even if you’re on the App Store or on Google Play, and not sideloading some made-up app that you got from somewhere else!

So, if you are using SMS-based 2FA but you don’t have Twitter, then you don’t need to switch away from it.

If you choose to do so, however, make sure you pick your app wisely.


DOUG.  Alright, great advice, and thank you very much, LR, for sending that in.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today – thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  Stay secure!

[MUSICAL MODEM]
