What can we protect ourselves against?
Let’s make one thing clear: following the tips below isn’t going to protect you from targeted espionage, a participant secretly recording a call, pranks, or uninvited guests joining by using leaked links. We already provided some videoconferencing security tips that can help mitigate those risks. Protecting every participant’s computer and smartphone with comprehensive cybersecurity — such as Kaspersky Premium — is equally important.
Here, we focus on other kinds of threats such as data leaks from the videoconferencing platform, misuse of call data by the platform, and the harvesting of biometric information or conference content. There are two possible engineering solutions to these: (i) hosting the conference entirely on participant computers and servers, or (ii) encrypting it, so that even the host servers have no access to the meeting content. The latter option is known as end-to-end encryption, or E2EE.
Signal: a basic tool for smaller group calls
We have repeatedly described Signal as one of the most secure private instant messaging apps around, but Signal calls are protected with E2EE as well. To host a call, you have to set up a chat group, add everyone you want to call, and tap the videocall button. Group videocalls are limited to 40 participants. Admittedly, you’re not getting any business conveniences such as call recording, screen sharing, or corporate contact-list invitations. Besides, you’ll need to set up a separate group for each meeting, which works well for regular calls with the same people, but not so much if the participants change every time.
Signal lets you set up videoconferences for up to 40 participants in a familiar interface
WhatsApp and Facetime: just as easy — but not without their issues
Both these apps are user-friendly and popular, and both support E2EE for videocalls. They share all the shortcomings of Signal, adding a couple of their own: WhatsApp is owned by Meta, which is a privacy red flag for many, while Facetime calls are only available to Apple users.
Jitsi Meet: self-hosted private videoconferencing
The Jitsi platform is a good choice for large-scale, fully featured, but still private meetings. It can be used for hosting meetings with: dozens to hundreds of participants, screen sharing, chatting and polling, co-editing notes, and more. Jitsi Meet supports E2EE, and the conference itself is created at the moment the first participant joins and self-destructs when the last one disconnects. No chats, polls or any other conference content is logged. Finally, Jitsi Meet is an open-source app.
Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer’s website
Though the public version can be used for free on the Jitsi Meet website, the developers strongly recommend that organizations deploy a Jitsi server of their own. Paid hosting by Jitsi and major hosting providers is available for those who’d rather avoid spinning up a server.
Matrix and Element: every type of communication — fully encrypted
The Matrix open protocol for encrypted real-time communication and the applications it powers — such as Element — are a fairly powerful system that supports one-on-one chats, private groups and large public discussion channels. The Matrix look-and-feel resembles Discord, Slack and their forerunner, IRC, more than anything else.
Connecting to a Matrix public server is a lot like getting a new email address: you select a user name, register it with one of the available servers, and receive a matrix address formatted as @user:server.name. That allows you to talk freely to other users including those registered with different servers.
Even a public server makes it easy to set up an invitation-only private space with topic-based chats and videocalls.
The settings in Element are slightly more complex, but you get more personalization options: chat visibility, permission levels, and so on. Matrix/Element makes sense if you’re after team communications in various formats, such as chats or calls, and on various topics rather than just a couple of odd calls. If you’re simply looking to host a call from time to time, Jitsi works better — the call feature in Element even uses Jitsi code.
Element is a fully featured environment for private conversations, with video chats just one of the available options
Corporations are advised to use the Element enterprise edition, which offers advanced management tools and full support.
Zoom: encryption for the rich
Few know that Zoom, the dominant videoconferencing service, has an E2EE option too. But to enable this feature, you need to additionally purchase the Large Meetings License, which lets you host 500 or 1000 participants for $600–$1080 a year. That makes the price of E2EE at least $50 per month higher than the regular subscription fee.
Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it
You can enable encryption for smaller meetings as well, but still only if you have a Large Meeting License. According to the Zoom website, activating E2EE for a meeting disables most familiar features, such as cloud recording, dial-in, polling and others.
I’m such a fan of RUOK? Day. Started in 2009, it’s an Australian non-profit suicide prevention that is all about having conversations with others to address social isolation and promote a sense of community. What I love the most, is that RUOK? Day has become quite an event on the Australian calendar. You’d be hard-pressed to find a workplace that doesn’t host a morning tea or a retailer that’s not selling a ribbon or badge in support of the day. In my opinion, it has given many of us the confidence to talk about mental health and that, my friends, is a very good thing!
When You’re Not Feeling OK
You wouldn’t be human if you hadn’t ever felt a little down or anxious. It’s the natural ebb and flow of daily life. However, if these symptoms are hanging around and are affecting your ability to ‘do’ life then, it’s time to take some action.
Remember, it is incredibly common for someone to experience a dip in their mental health. Recent research shows that over 2 in 5 Aussies aged 16 to 85 will experience a mental disorder at some time in their life, with 1 in 5, experiencing a mental disorder in the previous 12 months.
If you’re not feeling OK, the most important thing to remember is that you do not need to deal with this all by yourself. Sometimes when you’re feeling really low, the thought of leaving the house and facing the world can feel too much. I totally get it! And that’s where the online world can play a huge role. There is an abundance of resources available online for anyone who needs mental health support which makes it so much easier to get the help you need when facing the world just feel a bit much.
Where To Go Online When You’re Not Feeling OK
Here is a list of organisations that offer online mental health services here in Australia. This list is not exhaustive however these are the most commonly used, and hence best funded, support services. If you are based in the US, please find details at the end of the post for organisations that can provide mental health support.
When Things Are Pretty Dire
The Suicide Call-Back Service offers free professional 24/7 counselling support to Aussies at risk of suicide, concerned about someone at risk, affected by suicide as well as people experiencing emotional or mental health issues. There is an option for telephone support as well as online chat and video counselling also.
If you need to speak to someone ASAP then contact Lifeline. They offer a free 24/7 confidential one to one counselling service that can help you in a crisis. You can, of course, choose to speak to someone on the telephone (13 11 14) but you also have the option of either messaging or texting (0477 13 11 14) with a counsellor also.
Beyond Blue is another great Aussie mental health and wellbeing support service that can help in an emergency. Again, it offers 24/7 confidential counselling services for anyone who is struggling. Telephone counselling is an option here (1300 22 4636) but if you’d prefer, you can use their web chat option here.
Online Help Specifically For Young People
Kids Helpline is a dedicated 24/7 support service for young people aged 5 to 25 who want to chat for any reason. It’s free (even from a mobile phone) and there is a choice of telephone counselling or support via web chat or email. You can also access support if you are an adult supporting a young person. Since it was established in 1991, the service has supported over 8.5 million people. The service offers everything from life-saving crisis intervention through to emotional support when young people just need someone to listen.
Headspace is Australia’s Mental Health Young Foundation. It also provides free online and telephone support from 9am to 1am AEST, 7 days a week for young people (12-25) and their families. In addition to its crisis support services, it also offers regular counselling options through its network of 150 centres around Australia.
The Butterfly Foundation’s National Helpline is a free confidential service that provides information, counselling, and treatment referral for people (and their families) with eating disorders and body image issues. It operates between 8am and midnight, 7 days a week and offers support via telephone (1800 33 4673), email and web chat. This is not a crisis service.
Friendline is a telephone and chat support service for anyone who’s feeling lonely, needs to reconnect or just wants a chat. You can call them 7 days a week on 1800 424 287, or chat online with one of their trained volunteers. All conversations with FriendLine are anonymous. This is not a crisis service.
MensLine Australia is a professional telephone and online counselling service offering support to Australian men 24 hours/7days a week. Whether it’s addiction issues, domestic violence, anxiety or depression, the service is able to offer support on 1300 78 99 or via online or video chat.
Open Arms – Veterans and Families Counselling provides 24/7 free and confidential telephone and webchat counselling to anyone who has served at least one day in the Australian Defence Force, their partner, and their families. It isn’t a crisis service, but it can offer ongoing mental health treatment and services.
So, if you are not just yourself at the moment and are feeling really low – or you know someone that is – please know that there is help available online 24/7. So, make yourself a cuppa and get started because you are not alone.
PS For my US friends:
The 988 Suicide & Crisis Helpline provides 24/7 free and confidential support and crisis resources for people in distress, and their families. Simply text or call 988 to access help.
The Crisis Text Line is a free and confidential 24/7 support service for anyone who resides in the US. Support can be accessed by text message (text HOME to 741-741) and online chat.
Identity theft protection and privacy for your digital life
Chocolate chip, oatmeal raisin, snickerdoodle: Cybercriminals have a sweet tooth just like you. But their favorite type of cookie is of the browser variety.
Browser cookies – often just referred to as cookies – track your comings and goings on websites. And when a cyber thief gets their mitts on your browser cookies, it can open all kinds of doors into your online accounts.
The first step to protecting your devices and online privacy from criminals is to understand their schemes. Here are the key terms you need to know about cookie theft plus how to keep malicious software off your devices.
Key Cookie Theft Terms You Should Know
Cookie theft can happen to anyone. Knowing the basics of this cyberscheme may help you better protect your online life:
Browser cookie. A small collection of data your internet browser stores every time you visit a website. When your browser stores this data, it makes it quicker for you to log back into a website or for a website to customize its suggestions for you the next time you visit.
Cache. Like a mouse scurrying away a pile of sweet treats, your device hoards – or caches – all the cookies you gather from websites you visit. Your cache of cookies will grow continually until you clear it out. If your cache grows too large, it could slow down your device, affect performance, or tax your battery power.
Multifactor authentication. MFA is a way to log in to an online account that requires additional forms of identification beyond a username and password. It could require biometric identification (like a face or fingerprint scan), a security question, or a one-time code.
How and Why Do Criminals Steal Browser Cookies?
Cookies thieves are generally motivated by the financial gains of breaking into people’s online accounts. Banking, social media, and online shopping accounts are full of valuable personal and financial details that a cybercriminal can either sell on the dark web or use to impersonate you and steal your identity.
Malware is generally the vehicle cybercriminals use to steal cookies. Once the malicious software gets onto a device, the malware is trained to copy a new cookie’s data and send it to the cybercriminal. Then, from their own machine, the cybercriminal can input that data and start a new session with the target’s stolen data.
There was a stretch of a few years where cookie thieves targeted high-profile YouTube influencers with malware spread through fake collaboration deals and crypto scams. The criminals’ goal was to steal cookies to sneak into the backend of the YouTube accounts to change passwords, recovery emails and phone numbers, and bypass two-factor authentication to lock the influencers out of their accounts.1
But you don’t have to have a valuable social media account to draw the eye of a cybercriminal. “Operation Cookie Monster” dismantled an online forum that sold stolen login information for millions of online accounts gained through cookie theft.2
Best Practices for Secure Browsing
To keep your internet cookies out of the hands of criminals, it’s essential to practice safe browsing habits. These four tips will go a long way toward keeping your accounts out of the reach of cookie thieves and your devices free from malicious software.
Set up MFA. MFA may seem like it’ll slow down your login process, but really, the extra seconds it takes are well worth it. Most people have their phone within arm’s reach throughout the day, so a texted, emailed, or authentication app-generated code is easy enough to access. Just remember that a reputable company will never ask you for one-time codes, so these codes are for your eyes only. MFA makes it extremely difficult for a criminal to log into your accounts, even when they have your password and username. Without the unique code, a bad actor is locked out.
Watch out for phishing attempts and risky websites. Cookie-stealing malware often hops onto innocent devices through either phishing lures or through visiting untrustworthy sites. Make sure to carefully read every text, email, and social media direct message. With the help of AI content generation tools like ChatGPT, phishers’ messages are more believable than they were years ago. Be especially diligent about clicking on links that may take you to risky sites or download malicious files onto your device.
Clear your cache regularly. Make it a habit to clear your cache and browsing history often. This is a great practice to optimize the performance of your device. Plus, in the case that a cybercriminal does install cookie-stealing malware on your device, if you store hardly any cookies on your device, the thief will have little valuable information to pilfer.
Use a password manager. While a password manager won’t protect your device from cookie-stealing malware, it will lessen your dependence upon storing valuable cookies. It’s convenient to already have your usernames and passwords auto-populate; however, if your device falls into the wrong hands these shortcuts could spell trouble for your privacy. A password manager is a vault for all your login information for your dozens of online accounts. All you need to do is input one master password, and from there, the password manager will autofill your logins. It’s just as quick and convenient, but infinitely more secure.
Lock Up Your Cookie Jar
McAfee+ is an excellent partner to help you secure your devices and digital life. McAfee+ includes a safe browsing tool to alert you to suspicious websites, a password manager, identity monitoring, and more.
The next time you enjoy a cookie, spare a moment to think of cookies of the digital flavor: clear your cache if you haven’t in awhile, doublecheck your devices and online accounts for suspicious activity, and savor the sweetness of your digital privacy!
1The Hacker News, “Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts”
2CNN, “‘Operation Cookie Monster:’ FBI seizes popular cybercrime forum used for large-scale identity theft”
Identity theft protection and privacy for your digital life
Digital wellbeing isn’t just about privacy and protection against online scammers and equipment failure. It’s also about having some level of control over our social networks, our screen time, and what we spend on digital services. These outlays are increasingly taking the form of subscriptions. Sure, recurring payments have long been the standard for cell phone billing, music and video streaming services, watching TV and reading online magazines and newspapers, but these days you can sign up for pretty much anything, including delivery of regular consumer goods — like socks or coffee. In many cases, a subscription is the only way to get hold of apps, games, and other online stuff — ever more services are switching to this model, and the number of subscriptions is snowballing. Even automakers are getting in on the subscription game, and soon it might not be possible to turn on the seat heating or use the sat-nav without subscribing to the respective service.
Almosteveryone underestimates theirsubscription costs. According to this fascinating survey, the average American thinks they spend US$86 per month on subscriptions, when the real figure is a whopping US$219! And besides online, there are other recurring payments: mortgages, loans, utility bills, public transport, gym memberships and the like, all of which need to be budgeted so you don’t suddenly find yourself broke.
Monthly subscription costs: expectation versus reality. (Source)
As trite as it sounds, how to save money couldn’t be simpler: cancel subscriptions you don’t use. No less than 42% of respondents admitted to having stopped using an app or service and then forgetting to stop paying for it. Even active subscriptions, renewed for years without change, become less economical over time: by changing your plan to a newer one, applying a promo code, or looking at competitors, you can save a lot.
But more often there’s another problem: 74% of users forget when payment is due. If the subscription auto-renews, it can burn a large hole in your pocket. If you pay manually, forgetting could result in termination of the service. And that can spell trouble if it’s your phone or something equally important.
Another common way to accidentally fork out is by subscribing to apps and services that offer a free trial period. The service takes your card number on sign-up, but doesn’t charge you. After a week, month or whatever length of trial period, the first payment falls due. If during this time you decide the service is not for you, what are the chances you forget to go into the settings and cancel the subscription? As practice shows — very high. Such user forgetfulness is now being exploited by less-than-squeaky-clean developers who sell apps on the App Store and Google Play with exorbitant monthly fees (for example, US$90 per month for a regular calculator!). Such apps are known as fleeceware.
How to manage subscriptions properly
To get the most out of your subscriptions, plan your outlays carefully, never pay for unnecessary services, and follow a few simple rules:
Make a general list of subscriptions so you know exactly what, when and how much you’re paying.
Update the list as soon as you subscribe to a new service. Bear in mind that renewing a subscription may be cheaper or more expensive than the first payment — check the small print!
Check the list on a regular basis (say, monthly) to plan your spending for the coming month.
Checking regularly will help you remember to cancel subscriptions you don’t wish to renew. Note that to cancel a subscription it’s usually not enough to simply uninstall the app — you need to go to your personal account or to a special subsection of the App Store/Google Play to cancel it.
Keep an eye out for sales and promotions, such as Black Friday. They often give discounts on subscription renewals.
Despite their outward simplicity, all these tips have one major drawback: they require a high level of self-discipline and attentiveness. They involve record-keeping and list-updating, and not everyone will have the time or inclination. But there is an easier, more convenient way — in the shape of a specialized subscription management service. Speaking of which, Kaspersky Product Studio recently released such an app, called SubsCrab.
SubsCrab helps you manage subscriptions and save money
SubsCrab makes it easy to keep a list of subscriptions, remember when and how much to pay, and find ways to economize.
A single glance at the SubsCrab home screen will provide all subscription details for the current month, as well as monthly outlays, due dates, and the cost of each subscription
You can add all your subscriptions to the app in one of two ways:
Manually. You yourself select subscriptions from a long list of paid services and payment plans. There are already more than 4000 subscription services and 11,000 related plans in the database.
Mailbox scan. The app searches your mailbox for emails from all known services, and automatically determines the plan and payment date. Email data is not sent anywhere; all processing takes place on your smartphone.
Adding a new subscription to SubsCrab couldn’t be simpler
Future app updates will add two more methods:
Bank statement scan. This feature will only work in the U.S. and some EU countries using the Open Bank API, which is supported by around 15,000 banks. As with email scanning, subscriptions will be searched for locally, and no transaction data will leave your smartphone.
Screenshot scan of subscription page in the App Store or Google Play.
Thereby, the app also makes it easy to add new subscriptions as soon as they appear.
When all your subscriptions are in SubsCrab, the app will remind you about upcoming payments, show your total spending for the selected month or year, and help with general budget planning.
Never miss a payment with SubsCrab Push notifications
Click or tap on any subscription and you’ll see its current settings, but it’s the bottom of the card that’s the really interesting part. That’s where discount promo codes get published, plus a list of alternative services that do the same job. If you want to cut costs, you can try switching to one of these competitor services or find out how to unsubscribe.
Cards are a handy source of subscription details, alternatives, and promo codes
It might sound odd, but SubsCrab itself is a subscription service. The free version lets you manually enter subscriptions from the database, choose alternative services, and get reminders and statistics.
The paid version of SubsCrab can automatically find subscriptions in your mailbox, as well as maintain and analyze multiple subscription lists — for different family members or different tasks (entertainment, work, health, etc.); only this version gives you access to promo codes for tasty discounts on your favorite subscriptions.
And if all this helps you cut costs and take control of hundreds, perhaps thousands of dollars you spend annually and unaccountably on subscriptions, the juice is worth the squeeze.
You sure you actually ordered that pair of shoes? Here’s how to recognize and avoid package-delivery scams.
Do you order cartons of strawberries, flat-screen TVs, running shoes, and light bulbs online? You’re far from alone. Oberlo reported that in 2023, the number of people who shop online rose to 2.64 billion worldwide. That’s equal to 33.3% of the globe’s population.
Previous posts in our back-to-school series have covered how to protect your child’s devices and explain the importance of cybersecurity in school. Today we talk about the core, and often unavoidable, apps used in modern education. This means electronic diaries and virtual classrooms, plus videoconferencing for distance learning. They are all insecure.
Electronic study-diaries and virtual classroom websites are used these days to help administer the educational process. Educators use them to share lesson schedules, homework assignments, and announcements. And parents can see their kids’ grades, or even chat with their teachers.
The main problem with such web applications is the substandard protection of personal data that’s provided. In 2020, the attorney general of the U.S. state of New Mexico even filed a lawsuit against Google Classroom, citing the company’s alleged practice of collecting personal data from children and using it for commercial purposes. And in 2022, the Dutch Ministry of Education introduced a number of restrictions on the use of Google services in schools for the exact same reason.
Unfortunately, in most cases parents have no control over what services schools decide to use. The story of Google Classroom is by no means the worst. Issues with the service have been openly discussed for a long time, and Google has been forced to take note and beef up its protection. But, as a father of three, I’ve had the (mis)fortune of seeing other electronic diaries in action, where the situation with personal data storage and transfer is nothing if not murky.
What can parents do about this? Asking the school for all details about privacy and personal data usage in all services you need is a good start. And teach your kid how to leave as little personal data as possible on such sites.
The covid lockdown was a big eye-opener for many kids: turns out you don’t need to go to school! Lessons suddenly became more fun but for the wrong reasons: my daughter chats with her teacher in one window — and watches a movie or plays a game in another (or on a different device).
Such distance “learning” only adds to the worries of parents. Even before covid, we had to monitor what our kids were downloading, since banking Trojans, spyware and ransomware are forever sneaking in under the guise of legal apps — even in Google Play and other official stores. But at least in school they were less exposed to such threats, because internet usage was not generally a part of in-class learning.
With the distance-learning revolution, however, there are now even more apps on our kids’ tablets for us parents to fret about, as well as unlimited internet use for “study” purposes.
And although the lockdowns are long over, many schools continue to practice distance learning for some classes. Meanwhile, Zoom, Teams, and other videoconferencing platforms remain vulnerable to attacks. The most obvious consequence of such attacks, as before, is personal data leakage. But it can get worse: if a malicious third party were to gain access to a virtual classroom, they might show some decidedly “non-kid-suitable” videos.
And even if parents are versed in the safe hosting of video chats, they are unlikely to be able to influence the school’s choice of tools. Here, too, you should ask the school for an explanation as to why an insecure program was chosen.
In addition, you need to teach your kids the basic safety rules of using such apps. In particular, your child should learn to turn off both the microphone and camera when not required, as well as to blur the background and disable screen-sharing by default. And of course, your child should never accept video chat invitations from strangers — or communicate with any if they do show up uninvited to a video conference.
And it goes without saying that all devices your child uses should be protected with a reliable security solution — one that guards against viruses and personal data leaks on computers and mobile devices, and keeps your kid’s privacy intact. Remember that with your free annual subscription to Kaspersky Safe Kids as part of Kaspersky Premium, in addition to total protection for all devices, you get powerful parental controls over your child’s online activity and offline location.
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.
Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.
The following heat map shows the current prevalence of Agent Tesla on field:
Figure 1: Agent Tesla heat map
McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.
The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.
Figure 2: Infection Chain
VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.
Figure 3: Process Tree
First PowerShell command
The first PowerShell command is encoded as illustrated here:
Figure 4: Encoded First PowerShell
Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:
Figure 5: Decoded content
Second PowerShell Command
The deciphered content serves as the parameter passed to the second instance of PowerShell..
Figure 6: Second PowerShell command
Deconstructing this command line for clearer comprehension:
Figure 7: Disassembled command
As observed, the PowerShell command instructs the download of an image, from the URL that is strore in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:
Figure 8: Downloaded image
This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.
Figure 9: Steganography
After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.
Figure 10: DLL obtained from steganography
Process Injection into RegAsm.exe
This DLL serves two purposes:
Downloading and decoding the final payload
Injecting it into RegAsm.exe
Figure 11: DLL loaded
In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:
The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:
Figure 12: Request for payload
Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 Kb in size. The data within the file remains in an unreadable or unintelligible format.
Figure 13: Downloaded text file
In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.
Figure 14: Final payload
In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is :
Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.
Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:
Figure 15: Process Injection
By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,
“kern!”.Replace(“!”, “el32”) à kernel32
Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) à VirtualAllocEx
As a result, these functions translate into the subsequent API calls:
CreateProcessA : This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.
Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.
The ultimate executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions utilize either switch cases or their equivalent constructs, to defend detection. Following snippet of code depicts the same.
Figure 16: Obfuscation
Collection of data:
Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:
Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.
Figure 17: Opera browser
Figure 18: Yandex browser
Figure 19: Iridium browser
Figure 20: Chromium browser
Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:
Figure 21: User data retrieval from all browsers -1
Figure 22: User data retrieval from all browsers – 2
Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:
Figure 23: Mail clients
Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.
The observed sample utilizes SMTP as its chosen method of exfiltration. This protocol is frequently favored due to its minimal overhead demands on the attacker. SMTP reduces overhead for attackers because it is efficient, widely allowed in networks, uses existing infrastructure, causes minimal anomalies, leverages compromised accounts, and appears less suspicious compared to other protocols. A single compromised email account can be used for exfiltration, streamlining the process, and minimizing the need for complex setups. They can achieve their malicious goals with just a single email account, simplifying their operations.
Figure 24: Function calls made for exfiltration.
This is the procedure by which functions are invoked to facilitate data extraction via SMTP:
A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.
Figure 25: Port number
Next, the malware retrieves the hostname of the email address it intends to utilize i.e., corpsa.net.
Figure 26: Domain retrieval
Subsequently, the email address through which communication is intended to occur is revealed.
Figure 27: Email address used
Lastly, the password for that email address is provided, so that attacker can log in and can start sending out the data.
Figure 28: Password
The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.
Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.
The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email account. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.
Your teacher was right. Spelling counts, particularly to scammers.
Enter the world of typosquatting scams. Also known as URL hijacking, typosquatting scams target internet users who incorrectly type a website address into their web browser.
Scammers have long used typosquatting techniques to capture traffic from those butterfingers moments we all have when typing on our keyboards. And the butterthumbs moments on our phones.
For example, say you type “websiteaddresss dot-com” instead of “websiteaddress dot-com.” More than just a mistake, a mistyped address might land you on a malicious site designed to steal personal information, make money, or spread malware.
The scam sites you might land on vary. Some serve up a screenload of spammy ads. Others host malicious download links, and yet more lead to stores full of cheap, knockoff goods. In other cases, scammers take it up a notch. We’ve seen typosquatting sites evolve into clever copycats of legitimate sites. Some look like real banking and e-commerce sites that they steal traffic from, complete with stolen logos and familiar login screens. With this, scammers hope to trick you into entering your passwords and other sensitive information.
Companies are well aware of this practice. Many purchase URLs with those common misspellings and redirect them to their proper sites. Further, many brands put up anti-fraud pages on their sites that list the legitimate addresses they use to contact customers. Here at McAfee, we have an anti-fraud center of our own.
The fact remains, people make mistakes. And that can lead to risky scam sites. However, you can still avoid typosquatting attacks quite easily.
The big business of typosquatting
For starters, it helps to know that typosquatting is often big business. In many cases, larger cybercrime organizations set up entire flights of malicious sites that can number into the dozens to the hundreds.
Let’s check out a few examples and see just how sophisticated typosquatting scams can be:
In 2018, researchers found a host of addresses that were registered in the names of well-known sites, but ending in “.cm”, instead of “.com”. These copycat addresses included financial websites, such as “Chase dot-cm” and “Citicards dot-cm,” as well as social and streaming sites.
Scammers used the .cm sites to advertise promotions and surveys used to collect users’ personal information. What’s more, more than 1,500 of them were registered to the same email address, indicating that someone was trying to turn typosquatting into a serious business.
Similarly, 2016 saw the advent of malicious dot-om sites, that mimicked big names like “linkedin dot-om” and “walgreens dot-om.” Even the interesting typo found in “youtubec dot-om” cropped up. Of note, single entities registered these sites in batches. Researchers found that individuals or companies registered anywhere from 18 to 96 of them. Again, signs of serious business.
Big brand and voice assistant typosquatting scams
Recently, security researchers further found an increase in the number of typosquatting sites. An increase of 10% from 2021 to 2022. These sites mimic popular app stores, Microsoft addresses, services like TikTok, Snapchat, PayPal, and on and on.
Further, scammers have gotten wise to the increased use of personal assistants to look up web addresses on phones and in homes. Typosquatting now includes soundalike names in addition to lookalike names. With that, they can capitalize when an assistant doesn’t quite hear a command properly.
How to protect yourself from typosquatting
No doubt, slip-ups happen when browsing. Yet you can minimize how often with a few steps—and give yourself an extra line of defense if a mistake still slips through.
Whether you type in a web address to the address field, or a search engine, be careful that you spell the address correctly before you hit “return”.
If you are going to a website where you might share private information, look for the green lock symbol in the upper left-hand corner of the address bar. This indicates that the site uses encryption to secure the data that you share.
Be suspicious of websites with low-quality graphics or misspellings. These are telltale signs of fake websites.
Consider bookmarking sites you visit regularly to make sure you get to the right site, each time.
Don’t click on links in emails, text messages, and popup messages unless you know and trust the sender.
Consider using a safe browsing tool such as McAfee Web Protection, which can help you avoid dangerous links, bad downloads, malicious websites, and more.
Always use comprehensive online protection software like ours on your computers and devices to protect you from malware and other online threats.
Identity theft protection and privacy for your digital life
For popular messengers such as Telegram, Signal and WhatsApp, there are quite a few alternative clients (not to be confused with clients as in (human) customers; whoever opted this confusing language needs a good talking to) out there. Such modified apps — known as mods — often provide users with features and capabilities that aren’t available in the official clients.
While WhatsApp disapproves of mods — periodically banning them from official app stores, not only has Telegram never waged war on alternative clients, it actively encourages their creation, so Telegram mods are popping up like mushrooms. But are they safe?
Alas, several recent studies show that messenger mods should be handled with great caution. Although most users still blindly trust any app that’s been verified and published on Google Play, we’ve repeatedly highlighted the dangers: when downloading an app on Google Play, you could also pick up a Trojan (that one had more than a 100 million downloads!), a backdoor, a malicious subscriber, and/or loads of other muck.
This just in: infected Telegram in Chinese and Uyghur on Google Play
We’ll start with a recent story. Our experts discovered several infected apps on Google Play under the guise of Uyghur, Simplified Chinese and Traditional Chinese versions of Telegram. The app descriptions are written in the respective languages and contain images very similar to those on the official Telegram page on Google Play.
To persuade users to download these mods instead of the official app, the developer claims that they work faster than other clients thanks to a distributed network of data centers around the world.
Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside
At first glance, these apps appear to be full-fledged Telegram clones with a localized interface. Everything looks and works almost the same as the real thing.
We took a peep inside the code and found the apps to be little more than slightly modified versions of the official one. That said, there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module. It constantly monitors what’s happening in the messenger and sends masses of data to the spyware creators’ command-and-control server: all contacts, sent and received messages with attached files, names of chats/channels, name and phone number of the account owner — basically the user’s entire correspondence. Even if a user changes their name or phone number, this information also gets sent to the attackers.
Previously: spyware versions of Telegram and Signal on Google Play
Interestingly, a short while ago researchers at ESET found another spyware version of Telegram — FlyGram. True, this one didn’t even try to pretend to be official. Instead, it positioned itself as an alternative Telegram client (that is, just a mod), and had found its way not only onto Google Play, but into the Samsung Galaxy Store as well.
What’s even more curious is that its creators didn’t limit themselves to imitating just Telegram. They also published an infected version of Signal in these same stores, calling it Signal Plus Messenger. And for added credibility, they even went so far as to create the websites flygram[.]org and signalplus[.]org for their fake apps.
There’s a spyware client on Google Play for Signal too, called Signal Plus Messenger. (Source)
Inside, these apps amounted to full-fledged Telegram/Signal messengers, whose open-source code was flavored with malicious additives.
Thus FlyGram learned to steal contacts, call history, a list of Google accounts and other information from the victim’s smartphone, as well as make “backup copies” of correspondence to be stored… where else but on the attackers’ server (although this “option” had to be activated in the modified messenger independently by the user).
In the case of Signal Plus, the approach was somewhat different. The malware scraped a certain amount of information from the victim’s smartphone directly, and allowed the attackers to log in to the victim’s Signal account from their own devices without being noticed, after which they could read all correspondence almost in real time.
FlyGram appeared on Google Play in July 2020 and stayed there until January 2021, while Signal Plus was published in app stores in July 2022 and removed from Google Play only in May 2023. In the Samsung Galaxy Store, according to BleepingComputer, both apps were still available at the end of August 2023. Even if they are now completely gone from these stores, how many unsuspecting users continue to use these “quick and easy” messenger mods that expose all their messages to prying eyes?
Infected WhatsApp and Telegram spoof cryptowallet addresses
And just a few months back, the same security researchers uncovered a slew of trojanized versions of WhatsApp and Telegram aimed primarily at cryptocurrency theft. They work by spoofing the cryptowallet addresses in the messages so as to intercept incoming transfers.
An infected version of WhatsApp (left) spoofs the cryptowallet address in a message to the recipient, who has the official, uninfected version of WhatsApp (right). (Source)
In addition, some of the versions found use image recognition to search screenshots stored in the smartphone’s memory for seed phrases — a series of code words that can be used to gain full control over a cryptowallet and then empty it.
And some of the fake Telegram apps stole user profile information stored in the Telegram cloud: configuration files, phone numbers, contacts, messages, sent/received files, and so on. Basically, they pilfered all user data except for secret chats created on other devices. All these apps were distributed not on Google Play, but through a variety of fake sites and YouTube channels.
How to stay safe
Lastly, a few tips on how to protect yourself from infected versions of popular messengers, as well as other threats targeting Android users:
As we’ve seen, even Google Play isn’t immune to malware. That said, official stores are still far safer than other sources. So, always use them to download and install apps.
As this post has made clear, alternative clients for popular messengers should be treated with extreme caution. Open source lets anyone create mods — and fill them with all sorts of nasty surprises.
Before installing even the most official app from the most official store, look closely at its page and make sure that it’s real — pay attention not only to the name, but also the developer. Cybercriminals often try to fool users by making clones of apps with descriptions similar to the original.
It’s a good idea to read negative user reviews — if there’s a problem with an app, most likely someone will have already spotted and written about it.
And be sure to install reliable protection on all your Android devices, which will warn you if malware tries to sneak in.
If you use the free version of Kaspersky Security & VPN, remember to manually scan your device after installation and before running any app for the first time.
Threat scanning is done automatically in the full version of our security solution for Android, which is included into the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscription plans.
Love it or hate it, ChatGPT has become one of the most talked about tech developments of 2023. Many of us have embraced it with open arms and have put it to work by tasking it to ‘assist’ with assignments, write copy for an ad, or even pen a love letter – yes, it’s a thing. Personally, I have a love/hate relationship with it. As someone who writes for a living, it does ‘grind my gears’ but I am a big fan of its ability to create recipes with whatever I can find in my fridge. But like any new toy, if you don’t use it correctly then there could be issues – which may include your privacy.
ChatGPT – A Quick Recap
ChatGPT is an online software program that uses a new form of artificial intelligence – generative artificial intelligence – to provide human-style responses to a broad array of requests. Think of it as Google on steroids. It can solve maths questions, translate copy, write jokes, develop a resume, write code, or even help you prepare for a job interview. If you want to know more, check out my Parent’s Guide to ChatGPT.
But for ChatGPT to answer tricky questions and be so impressive, it needs a source for its ‘high IQ’. So, it relies on knowledge databases, open data sources and feedback from users. It also uses social media to gather information and a practice known as ‘web scraping’ to gather data from a multitude of sources online. And it is this super powerful combination that allows ChatGPT to ‘almost always’ deliver on tasks.
Why Is ChatGPT A Threat To My Privacy?
Your privacy is affected in several ways by ChatGPT. Some of these ways may not concern you, but I’m quite sure some will. Here’s what you need to know:
1. ChatGPT Uses Your Data Without Your Permission
When ChatGPT absorbed the enormous amount of data it needed to function from the internet, it did so without permission. As data can be used to identify us, our friends and family or even our location, this is clearly a violation of privacy. But not only was the data taken without permission, it was also taken without compensation. Many online news groups have been, understandably, quite upset about this, particularly when ChatGPT is making a handsome profit by offering users a premium package for US$20/month. However, in recent weeks, many online news outlets have blocked OpenAI’s crawler which will limit the ChatGPT’s ability to access their news content.
2. Whatever You Share With ChatGPT Goes Into Its Data Bank
Every time you share a piece of information with ChatGPT, you are adding to its data bank, risking that the information ends up somewhere in the public domain. The Australian Medical Association (AMA) recently issued a mandate for Western Australian doctors not to use ChatGPT after doctors at a Perth hospital used it to write patient notes. These confidential patient notes could be used to not only further train ChatGPT but could also be included in responses to other users.
3. ChatGPT Collects A Lot Of Information About Its Users
4. Risk of a Data Breach
One of the biggest risks to using ChatGPT is the risk that your details will be leaked in a data breach. Between 100,000 ChatGPT accounts credentials were compromised and sold on the Dark Web in a large data beach which happened between June 2022 to May 2023, according to Search Engine Journal.
But here’s the big problem – as ChatGPT users can store conversations, if a hacker gains access to an account, it may mean they also gain access into propriety information, sensitive business information or even confidential personal information.
What’s ChatGPT Doing To Protect Privacy?
Now please don’t misunderstand me, ChatGPT is taking action to protect users however in my opinion these steps are not enough to truly protect your privacy.
ChatGPT does make it very clear that all conversations between a user and ChatGPT are protected by end-to-end encryption. It also outlines that strict access controls are in place so only authorised personnel can access sensitive user data. It also runs a Bug Bounty program which rewards ethical hackers for finding security vulnerabilities. However, in order to remain protected while using the app, I believe the onus is on the user to take additional steps to protect their own privacy.
So, What Can I Do To Protect My Privacy While Using ChatGPT?
As we all know, nothing is guaranteed in life however there are steps you can take to minimise the risk of your privacy being compromised while using ChatGPT. Here are my top tips:
1. Be Careful What You Share With ChatGPT
Never share personal or sensitive information in any of your chats with ChatGPT. By doing so, you increase the risk of sharing confidential data with cybercriminals. If you need a sensitive piece of writing edited, ask a friend!!
2. Consider Deleting Your Chat History
One of the most useful ways of safeguarding your privacy is to avoid saving your chat history. By default, ChatGPT stores all conversations between users and the chatbot with the aim of training OpenAI’s systems. If you do choose not to save your chat history, OpenAI will still you’re your conversations for 30 days. Despite this, it is still one of the best steps you can take to protect yourself.
3. Stay Anonymous
As mentioned above, ChatGPT can collect and process highly sensitive data and associate it with your email address and phone number. So, why not set up a dedicated email just for ChatGPT? And keep your shared personal details to a minimum. That way, the questions you ask or content you share can’t be associated with your identity. And always use a pseudonym to mask your true identity.
4. Commit To Staying Up To Date
Whether it’s ChatGPT or Google’s Bard, it’s imperative that you stay up to date with the company’s privacy and data retention policies, so you understand how your data is managed. Find out how long your conversations will be stored for before they are anonymised or deleted and who your details could potentially be shared with.
So, if you’re looking for a recipe for dinner, ideas for an upcoming birthday party or help with a love letter, by all means get ChatGPT working for you. However, use a dedicated email address, don’t store your conversations and NEVER share sensitive information in the chat box. But if you need help with a confidential or sensitive issue, then maybe find another alternative. Why not phone a friend – on an encrypted app, of course!!
Identity theft protection and privacy for your digital life