Previous posts in our back-to-school series have covered how to protect your child’s devices and explain the importance of cybersecurity in school. Today we talk about the core, and often unavoidable, apps used in modern education. This means electronic diaries and virtual classrooms, plus videoconferencing for distance learning. They are all insecure.

Electronic diaries

Electronic study-diaries and virtual classroom websites are used these days to help administer  the educational process. Educators use them to share lesson schedules, homework assignments, and announcements. And parents can see their kids’ grades, or even chat with their teachers.

The main problem with such web applications is the substandard protection of personal data that’s provided. In 2020, the attorney general of the U.S. state of New Mexico even filed a lawsuit against Google Classroom, citing the company’s alleged practice of collecting personal data from children and using it for commercial purposes. And in 2022, the Dutch Ministry of Education introduced a number of restrictions on the use of Google services in schools for the exact same reason.

Unfortunately, in most cases parents have no control over what services schools decide to use. The story of Google Classroom is by no means the worst. Issues with the service have been openly discussed for a long time, and Google has been forced to take note and beef up its protection. But, as a father of three, I’ve had the (mis)fortune of seeing other electronic diaries in action, where the situation with personal data storage and transfer is nothing if not murky.

What can parents do about this? Asking the school for all details about privacy and personal data usage in all services you need is a good start. And teach your kid how to leave as little personal data as possible on such sites.


The covid lockdown was a big eye-opener for many kids: turns out you don’t need to go to school! Lessons suddenly became more fun but for the wrong reasons: my daughter chats with her teacher in one window — and watches a movie or plays a game in another (or on a different device).

Such distance “learning” only adds to the worries of parents. Even before covid, we had to monitor what our kids were downloading, since banking Trojans, spyware and ransomware are forever sneaking in under the guise of legal apps — even in Google Play and other official stores. But at least in school they were less exposed to such threats, because internet usage was not generally a part of in-class learning.

With the distance-learning revolution, however, there are now even more apps on our kids’ tablets for us parents to fret about, as well as unlimited internet use for “study” purposes.

And although the lockdowns are long over, many schools continue to practice distance learning for some classes. Meanwhile, Zoom, Teams, and other videoconferencing platforms remain vulnerable to attacks. The most obvious consequence of such attacks, as before, is personal data leakage. But it can get worse: if a malicious third party were to gain access to a virtual classroom, they might show some decidedly “non-kid-suitable” videos.

And even if parents are versed in the safe hosting of video chats, they are unlikely to be able to influence the school’s choice of tools. Here, too, you should ask the school for an explanation as to why an insecure program was chosen.

In addition, you need to teach your kids the basic safety rules of using such apps. In particular, your child should learn to turn off both the microphone and camera when not required, as well as to blur the background and disable screen-sharing by default. And of course, your child should never accept video chat invitations from strangers — or communicate with any if they do show up uninvited to a video conference.

And it goes without saying that all devices your child uses should be protected with a reliable security solution — one that guards against viruses and personal data leaks on computers and mobile devices, and keeps your kid’s privacy intact. Remember that with your free annual subscription to Kaspersky Safe Kids as part of Kaspersky Premium, in addition to total protection for all devices, you get powerful parental controls over your child’s online activity and offline location.

#Backtoschool #threats #virtual #classrooms #videoconferencing

For popular messengers such as Telegram, Signal and WhatsApp, there are quite a few alternative clients (not to be confused with clients as in (human) customers; whoever opted this confusing language needs a good talking to) out there. Such modified apps — known as mods — often provide users with features and capabilities that aren’t available in the official clients.

While WhatsApp disapproves of mods — periodically banning them from official app stores, not only has Telegram never waged war on alternative clients, it actively encourages their creation, so Telegram mods are popping up like mushrooms. But are they safe?

Alas, several recent studies show that messenger mods should be handled with great caution. Although most users still blindly trust any app that’s been verified and published on Google Play, we’ve repeatedly highlighted the dangers: when downloading an app on Google Play, you could also pick up a Trojan (that one had more than a 100 million downloads!), a backdoor, a malicious subscriber, and/or loads of other muck.

This just in: infected Telegram in Chinese and Uyghur on Google Play

We’ll start with a recent story. Our experts discovered several infected apps on Google Play under the guise of Uyghur, Simplified Chinese and Traditional Chinese versions of Telegram. The app descriptions are written in the respective languages and contain images very similar to those on the official Telegram page on Google Play.

To persuade users to download these mods instead of the official app, the developer claims that they work faster than other clients thanks to a distributed network of data centers around the world.

Spyware versions of Telegram on Google Play

Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside

At first glance, these apps appear to be full-fledged Telegram clones with a localized interface. Everything looks and works almost the same as the real thing.

We took a peep inside the code and found the apps to be little more than slightly modified versions of the official one. That said, there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module. It constantly monitors what’s happening in the messenger and sends masses of data to the spyware creators’ command-and-control server: all contacts, sent and received messages with attached files, names of chats/channels, name and phone number of the account owner — basically the user’s entire correspondence. Even if a user changes their name or phone number, this information also gets sent to the attackers.

Previously: spyware versions of Telegram and Signal on Google Play

Interestingly, a short while ago researchers at ESET found another spyware version of Telegram — FlyGram. True, this one didn’t even try to pretend to be official. Instead, it positioned itself as an alternative Telegram client (that is, just a mod), and had found its way not only onto Google Play, but into the Samsung Galaxy Store as well.

What’s even more curious is that its creators didn’t limit themselves to imitating just Telegram. They also published an infected version of Signal in these same stores, calling it Signal Plus Messenger. And for added credibility, they even went so far as to create the websites flygram[.]org and signalplus[.]org for their fake apps.

Signal Plus Messenger: a spyware version of Signal on Google Play and in the Samsung Galaxy Store

There’s a spyware client on Google Play for Signal too, called Signal Plus Messenger. (Source)

Inside, these apps amounted to full-fledged Telegram/Signal messengers, whose open-source code was flavored with malicious additives.

Thus FlyGram learned to steal contacts, call history, a list of Google accounts and other information from the victim’s smartphone, as well as make “backup copies” of correspondence to be stored… where else but on the attackers’ server (although this “option” had to be activated in the modified messenger independently by the user).

In the case of Signal Plus, the approach was somewhat different. The malware scraped a certain amount of information from the victim’s smartphone directly, and allowed the attackers to log in to the victim’s Signal account from their own devices without being noticed, after which they could read all correspondence almost in real time.

FlyGram appeared on Google Play in July 2020 and stayed there until January 2021, while Signal Plus was published in app stores in July 2022 and removed from Google Play only in May 2023. In the Samsung Galaxy Store, according to BleepingComputer, both apps were still available at the end of August 2023. Even if they are now completely gone from these stores, how many unsuspecting users continue to use these “quick and easy” messenger mods that expose all their messages to prying eyes?

Infected WhatsApp and Telegram spoof cryptowallet addresses

And just a few months back, the same security researchers uncovered a slew of trojanized versions of WhatsApp and Telegram aimed primarily at cryptocurrency theft. They work by spoofing the cryptowallet addresses in the messages so as to intercept incoming transfers.

Infected WhatsApp spoofs the cryptowallet address in messages

An infected version of WhatsApp (left) spoofs the cryptowallet address in a message to the recipient, who has the official, uninfected version of WhatsApp (right). (Source)

In addition, some of the versions found use image recognition to search screenshots stored in the smartphone’s memory for seed phrases — a series of code words that can be used to gain full control over a cryptowallet and then empty it.

And some of the fake Telegram apps stole user profile information stored in the Telegram cloud: configuration files, phone numbers, contacts, messages, sent/received files, and so on. Basically, they pilfered all user data except for secret chats created on other devices. All these apps were distributed not on Google Play, but through a variety of fake sites and YouTube channels.

How to stay safe

Lastly, a few tips on how to protect yourself from infected versions of popular messengers, as well as other threats targeting Android users:

  • As we’ve seen, even Google Play isn’t immune to malware. That said, official stores are still far safer than other sources. So, always use them to download and install apps.
  • As this post has made clear, alternative clients for popular messengers should be treated with extreme caution. Open source lets anyone create mods — and fill them with all sorts of nasty surprises.
  • Before installing even the most official app from the most official store, look closely at its page and make sure that it’s real — pay attention not only to the name, but also the developer. Cybercriminals often try to fool users by making clones of apps with descriptions similar to the original.
  • It’s a good idea to read negative user reviews — if there’s a problem with an app, most likely someone will have already spotted and written about it.
  • And be sure to install reliable protection on all your Android devices, which will warn you if malware tries to sneak in.
  • If you use the free version of Kaspersky Security & VPN, remember to manually scan your device after installation and before running any app for the first time.
  • Threat scanning is done automatically in the full version of our security solution for Android, which is included into the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscription plans.

#Spyware #versions #Telegram #Signal #Google #Play

The creators of any website bear the moral and legal responsibility for it during its entire existence. Moreover, few people know that if a corporate web server gets hacked, it’s not only the company and its customers that may suffer; often, a hacked site becomes a platform for launching new cyberattacks, with its owners not even being aware of it.

Why websites get hacked

A website hack can be part of a larger cyberattack, or a standalone operation. By “hack”, we mean making changes to the target site — not to be confused with a DDoS attack. If your company finds itself in the crosshairs of hackers, their goals are usually to:

  • Exert pressure on the victim organization as part of a ransomware attack, including by making the hack known to customers and partners;
  • Download valuable information from the site, for example, customer contact details stored in a database;
  • Distract IT and InfoSec teams from a more serious data theft or sabotage attack occurring at the same time;
  • Cause reputational damage.

That said, very often hackers don’t need your site in particular. They’ll happily make do with any reputable site they can sneak malicious content onto. Once that’s achieved, they can populate the site with phishing pages, links to spam resources, and pop-up ads. Basically, it turns into a cybercriminal tool. At the same time, the main sections of the site may be unaffected. Customers and employees visiting the home page won’t notice anything different. The malicious content is tucked away in new subfolders to which victims get lured through direct links.

How websites get hacked

Website hacks are normally carried out through vulnerabilities in server applications: web servers, databases, or content management systems and their add-ons. Around 43% of all websites on the internet run on WordPress, so it’s no surprise that hackers pay special attention to this content management system. Vulnerabilities are discovered in WordPress and thousands of add-ons for it regularly, and not all authors get around to fixing their plug-ins. And besides, not all users promptly install updates for their sites.

Attackers can exploit a vulnerability to upload to the web server a so-called web shell; that is, additional files and scripts allowing them to manage site content while bypassing standard administration tools. Next, they place malicious content on the site in subfolders, taking pains not to affect the main pages of the legitimate site.

Another common hacking scenario is to guess the administrator password. This is possible if the administrator uses weak passwords, or the same password on different web resources. In this way, cybercriminals can place malicious content by means of standard administration tools, creating new users on the site, as well as additional subsections or pages. However, this increases the likelihood of detection, so even in this case, attackers prefer to install their own backdoor in the shape of a web shell.

Damage from website hacking

In case of a large case targeted attack, the given company immediately suffers financial and reputational damage. As for opportunistic attacks, the harm is indirect. Website maintenance costs can increase due to spam content and its views. At the same time, the site’s SEO reputation drops, so it gets fewer visitors from search engines. The site may even be flagged as malicious, in which case its traffic drops catastrophically. In practice, however, hackers may go for abandoned sites, so issues with traffic are of no relevance.

How websites get abandoned

The internet has long turned into a website graveyard. According to statistics, there are more than 1.1 billion websites in total, but 82% of them are not updated or maintained. In the case of corporate websites, a number of scenarios can be the cause:

  • A company ceases to operate, but its website is published on free hosting and keeps running;
  • The only employee who had access to the site leaves the given small business. Unless the owners take action, the site will remain frozen for months or even years;
  • A company rebrands or merges, but keeps the old website “temporarily” for customers. The revamped entity then gets a brand-new site, and the “temporary” old one is gradually forgotten;
  • A dedicated site is launched for a marketing campaign, product line, blog, or side project. When the project is over, the site is no longer updated, but it’s not shut down either.

Signs of website hacking

Since the main pages are often left untouched by hackers, it can be difficult to tell if your site has been compromised. But there are some pointers: the site is running slower than usual; traffic has sharply increased or decreased for no apparent reason; new links or banners have appeared out of nowhere; problems with control panel access; new folders, files, or users can be seen in the control panel. Still, the most obvious sign is if others start bombarding you with complaints about malicious content on your site. To properly diagnose the situation, you need to study the web server logs, but this task is better entrusted to experts. Like pest control, it takes experience to get rid of an infestation — which here means removing the web shell and other backdoors from the site.

How to guard against website hacking

Even small companies without a large cybersecurity budget can implement simple measures that greatly reduce the chances of getting hacked:

  • Set long, strong passwords for the administration section of your site, and enable two-factor authentication. Each administrator must have their own password;
  • Never allow just one person to have access to the site (unless the company has just one employee, naturally). Remember to revoke access when employees leave;
  • Make sure to keep updated all software components of the site, including the operating system, web server, databases, content management system, and add-ons. Install updates as soon as they are released. If your company lacks the time or expertise, better to use professional website hosting where security is in the hands of a dedicated team. For example, for WordPress there are specialized secure hosting platforms, such as WP Engine;
  • Maintain a registry of all company websites. It should list every site created, even temporary ones set up, say, for a one-month ad campaign;
  • Each site in the registry should have its software components updated regularly, even if there’s no business need to update the content;
  • If the site is no longer needed, and the resources are lacking to update it, better to close it down in a tidy manner. Save the data to an archive, then terminate your hosting account. If necessary, you can also cancel the domain delegation. Another way to shut down a subsite is to remove all content from it, disable any software add-ons like WordPress, and set up redirection to the company’s main site.

#Ways #protect #WordPress #sites #blogs #hacking

QR codes are all around us. They offer a quick way to take part in surveys, download useful stuff, and visit websites of interest. After all, pointing your phone at a picture is far easier than typing in an annoyingly long URL.

But their very convenience hides a significant drawback. With regular links, it’s possible to spot a trap with the naked eye. The red flags are well-known: typos or extra characters in the site address, a disguised redirect, strange domain zones, and so on. But as for QR codes, where that jumble of black squares might take you is anyone’s guess.

With a compelling example, in this post we explain how those harmless-looking squares can pose a threat, and how not to fall victim to scammers. The example in question is the story of a woman who lost US$20,000 by scanning a QR code when buying bubble tea.

20,000-dollar bubble tea

Many have encountered coffee-shop promos when visitors are invited to take a short survey in exchange for a free drink or a discount on a purchase. This often requires you to scan a QR code at the counter — a familiar, almost routine action. What could possibly go wrong?

That’s what a 60-year-old Singaporean must have thought, too. To get a free cup of bubble tea, she scanned the QR code sticker on the glass of the coffee shop door. As it turned out later, the sticker had been pasted on by cybercriminals. The scam code contained a link to download a third-party Android app in order, she believed, to take a survey. However, the app was malicious.

Once installed, the program requested access to the camera and microphone, and to enable Android Accessibility services. This built-in Android service allows criminals to view and control the victim’s screen, as well as to disable facial and fingerprint recognition — this way attackers can force the victim to type their banking app password manually, if needed. The scammers had only to wait for her to log in, intercept the credentials, and later use them to transfer all the money to their own accounts.

How not to fall victim

Since it’s impractical (and not really necessary) to avoid scanning QR codes altogether, we recommend the following:

  • Check the addresses of sites that are linked inside QR codes carefully, and look for typical red flags.
  • Make sure that the expected and actual content match up. For example, if the code was supposed to lead to a survey, logically there should be some kind of form with answer options. If not, close the site immediately. But even if the page arouses no suspicion, you should still be careful — it may be a high-quality fake (see the first point, and read our post about how to spot a bogus site).
  • Don’t download apps via QR codes. As a rule, bona fide apps can always be found on Google Play, the App Store, or any other official platform. Apps from third-party sources shouldn’t be installed in any case.
  • Protect your devices with a reliable security solution. A built-in QR scanner lets you check the link buried in the maze of squares. Also, our solution blocks attempts to visit malicious sites and protects you from the profusion of other threats out there in cyberspace.

#codes #dangerous #Kaspersky #official #blog

Short links are everywhere these days. All these,,,, and the like have long since become a familiar part of the online landscape. So familiar, in fact, that most users click on them without thinking twice. But thinking is never a bad thing. With that in mind, we explain below how short links work and what privacy and security threats they can pose.

What happens when you click on a short link?

When you click on a short link, you almost go straight to the intended destination, which is the address specified by the user who created the link. Almost, but not quite: the actual route takes a quick detour via the URL shortener service.

The more efficient the service, the quicker this takes, and the smoother the transition to the end stop. Of course, the delay feels insignificant only to a person — we humans are rather slow. But for an electronic system, it’s more than long enough to get up to all kinds of activity, which we’ll discuss below.

Why short links? The main reason is one of space: making a long link shorter means it takes up less of the screen (think mobile devices) and doesn’t eat up the character limit (think social media posts). Alas, that’s not all there is to it. The creators of short links may be pursuing their own goals, not necessarily driven by concern for users. Let’s talk about them.

Short links and user tracking

Have you ever wondered why many internet links are so long and unsightly? It’s usually because links encode all kinds of parameters for tracking click-throughs, so-called UTM tags.

Usually, these tags are deployed to determine where the user clicked on the link, and thus to evaluate the effectiveness of ad campaigns, placement on blogger pages, and so on. This is not done in the name of user convenience, of course, but for digital marketing.

In most cases, this is a fairly harmless form of tracking that doesn’t necessarily collect data from link clickers: often marketers are just interested in the source of traffic. But since this additional “packaging” doesn’t look very aesthetic, and often makes the URL insanely long, shortener services are often brought into play.

What’s more unpleasant from a privacy point of view is that URL shorteners don’t limit themselves to redirecting users to the destination address. They also tend to harvest a host of statistics about the link clickers — so your data ends up in the hands not only of the creator of the short link through embedded UTM tags, but also of the owners of the URL shortener. Of course, this is the internet, and everyone collects some kind of statistics, but using a short link introduces another intermediary that holds data on you.

Disguised malicious links

Besides violating your privacy, short links can threaten the security of your devices and data. As we never tire of repeating: always carefully check links before clicking on them. But with short links, a problem arises: you never know for sure where it is you’ll be taken.

If cybercriminals use short links, the advice to check them becomes meaningless: you can only find out where a link points after clicking. And by then it may be too late — if the attackers exploit a zero-click vulnerability in the browser, the infection can occur as soon as you land on the malicious site.

Short links and dynamic redirects

Cybercriminals can also use link-shortening tools to change the target address as the need arises. Suppose that some attackers bought a database of millions of email addresses and used it to send out phishing messages with some kind of link. But here’s the problem (for the attackers): the phishing site they created was quickly discovered and blocked. Rehosting it at a different address is not an issue, but then they would have to resend all the phishing mailshots.

The solution (again, for the attackers) is to use a “shimming” service, which makes it possible to quickly change the URL users will visit. And the role of “shims” here can be played by URL shorteners, including ones originally created with dubious intentions in mind.

With this approach, a link to the shimming service is added to the phishing email, which redirects victims to the phishers’ site at their currently active address. Often, multiple redirects are used to further muddy the trail. And if the destination phishing site gets blocked, the cybercriminals simply host it at a new address, change the link in the shim, and the attack continues.

Man-in-the-middle attacks

Some link-shortening tools, such as Sniply, offer users more than just shorter links. They allow tracking the actions of link clickers on the actual destination site, which is effectively a man-in-the-middle attack: traffic passes through an intermediate service node that monitors all data exchanged between the user and the destination site. Thus, the URL shortener can intercept anything it wants: entered credentials, social network messages, and so on.

Personal spying

In most cases, short links intended for mass use are placed in social network posts or on web pages. But additional risks arise if one was sent to you personally — in a messenger or an email to your personal or work address. Using such links, an attacker who already has some information about you can redirect you to a phishing site where your personal data is pre-filled. For example, to a copy of a banking site with a valid username and a request to enter your password, or to the “payment gateway” of some service with your bank card number pre-filled, asking you to enter a security code.

What’s more, such links can be used for doxing and other types of tracking, especially if the URL shortener service offers advanced functionality. For instance, our recent post about protecting privacy in Twitch looked in detail at ways to de-anonymize streamers and how to counter them.

How to stay protected

What to do about it? We could advise never to click on short links, but, in the vast majority of cases, URL shorteners are used for legitimate purposes, and short links have become so common that total avoidance isn’t really an option. That said, we do recommend that you pay special attention to short links sent to you in direct messages and emails. You can inspect such links before clicking by copying and pasting them into a tool for checking short links, such as GetLinkInfo or UnshortenIt.

However, there is a simpler method: a high-quality security solution with an integrated approach that takes care of security and privacy at the same time. For example, our Kaspersky Premium has a Private Browsing component that blocks most known online trackers and thus prevents your online activities from being monitored.

Our products also offer protection against online fraud and phishing, so rest assured that Kaspersky Premium will warn you in good time before landing on a dangerous site — even if the link was shortened. And, of course, the antivirus will guard against any attempts to infect your devices — including ones exploiting as-yet-unknown vulnerabilities.

#Privacy #security #threats #short #links

Beware: hundreds of thousands of websites are fakes. They’re made to look like the sites of popular online stores, banks, and delivery services, but with just one purpose: to steal your passwords and financial data. Victims are lured to such sites by phishing emails, messenger chats, and even paid ads. But don’t despair: even if you click on a bogus link, it might still be possible to escape the scammers’ clutches without loss. As long as you spot the fake in time…

Where do phishing sites get hosted?

Sometimes scammers create a special new website and register a name for it that resembles the original (for example, instead of Our separate post on fake names is worth checking out. But such sites are expensive to make and easy to block, so many cybercriminals take a different route. They hack legitimate sites of any kind, then create their own subsections where they publish phishing pages. It’s very often SMBs that fall victim to such hacks because they lack the resources to constantly update and monitor their websites. Sometimes a site hack can go unnoticed for years, which is a godsend for cybercriminals.

One of the most popular web content management systems is WordPress, and the number of hacked sites on the platform runs into the tens of thousands. However, once you know what to look for, it’s not hard to detect such sites yourself.

First sign of fakery: mismatch between site name and address

When following a link in an email, a social media post, or an ad, it pays to take a look at the URL of the site you land on. If it’s a hacked site, the discrepancy will be staring you in the face. The name of the service the fake site pretends to be might crop up somewhere in the directory path, but the domain name will be completely different; for example: www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php. You know perfectly well that Netflix lives at, so what’s it doing on medical-helpers24?

It looks like Netflix, but the URL screams phishing

It looks like Netflix, but the URL screams phishing

Checking the URL requires a little more effort on mobile devices because many apps open links in such a way that the site address isn’t visible or is only partially visible. In this case, click on the address bar in your browser to see the site’s full address.

Second sign of fakery: directory path elements

When looking at the full address of a web page, pay attention to the tail of the URL after the domain name. It might be rather long, but just focus on the first parts. Hacked subsections of a site are usually hidden deep within WordPress service directories, so the address will most likely contain elements like /wp-content/, /wp-admin/ or /wp-includes/.

In our example, www.medical-helpers24.dmn/wp-admin/js/js/Netflix/home/login.php, one such element comes right after the domain name, confirming our suspicions that the site has been compromised.

Chances are that the URL will end in .php. Pages with the .php extension are quite common, and this in itself is not a sign of hacking. But in combination with this directory path, the .php extension is compelling evidence of guilt.

Third sign of fakery: the site has a different subject

If the site name seems unfamiliar or suspicious, you can perform an additional check by going to the home page. To do that, delete the URL tail, leaving only the domain name. And this may open the page of the real owner of the site, which will be totally unlike the phishing page both in subject and design. It might even be in a different language, as in the example below:

French phishing on a Chinese site

French phishing on a Chinese site

Your personal data on a fake website

It might happen that some information fields (such as your email address or bank card number) are correctly pre-filled even on a phishing site. This means that the attackers have somehow gotten hold of a database of stolen personal data and are seeking to enrich it with additional information, such as passwords and CVV numbers. To this end, they post a table with known data on the victims, and this can often be freely downloaded from the site. So, if you see your real card number on a fake site, have the card reissued straight away, then think about additional security measures for other personal data. For example, if your email has been leaked, protect your email login with a stronger password and be sure to enable two-factor authentication.

How to guard against phishing

  • Be vigilant. For the above tips to work, remember to check every link you click on.
  • Check links before you click on them — some attacks don’t require the victim to do anything but land on an infected site. On your computer, you can hover over a link to show the URL it will take you to. On your phone, tap and hold the link with your finger to see the URL in the pop-up menu.
  • Important addresses (your bank, email server, etc.) are best accessed through bookmarks or typing them manually, not through links in emails.
  • Install security solutions on all computers, tablets, and phones. Phishing can get you on any device, so use Kaspersky Premium to keep all your digital companions secure.

#spot #phishing #hacked #WordPress #website

The main purpose of a VPN is to encrypt your internet connection and protect your data from being intercepted, viewed and altered. The technology is used by companies to ensure secure remote working or communication between branches. For regular users, a VPN helps protect privacy and access content from a specific region. The recently discovered TunnelCrack vulnerabilities can be used to disrupt normal operation of VPNs and partially deprive users of protection. The problem affects most corporate and home user VPNs. What are the causes of those vulnerabilities, and how to stay protected?

How TunnelCrack works

If you connect to a malicious Wi-Fi hotspot or a malign ISP, it can send your computer or phone instructions that will allow some application traffic to bypass the VPN tunnel, making it open to analysis and modification. The attack works regardless of what specific VPN protocol the connection uses. But redirecting all traffic in this way is impractical, so the attackers have to limit themselves to a set list of websites and servers they want to spy on.

The attack exploits the exclusions list that can be set in all VPN clients. Each exclusion directs some traffic past the encrypted VPN tunnel. This feature is needed in at least two cases. First, to keep traffic between local devices out of the VPN tunnel. If your computer is streaming an image to your own TV over a local network, it does not need to be encrypted. Second, traffic already encrypted by the VPN client and destined for the VPN server should be routed past the VPN tunnel. Again, this is logical — if it is directed to the tunnel, it will go through another round of encryption.

The name given by the researchers to an attack on the first case is LocalNet (CVE-2023-36672 and CVE-2023-35838). A rogue router (for example, a Wi-Fi hotspot) feeds the victim incorrect network settings (routing tables) that represent public IP addresses of interest to the attackers as part of the local network. As a result, data exchanged between the victim and these addresses falls under the exclusions and bypasses the VPN tunnel.

An attack on the second case goes by the name of ServerIP (CVE-2023-36673 and CVE-2023-36671). Clients typically access a legitimate VPN server using a domain name. Manipulating the DNS server that the victim connects to, the attackers return an incorrect VPN server IP that matches the IP of the target resources they are interested in. Meanwhile, the cybercriminals retranslate VPN traffic to a real VPN server, and can modify or analyze incoming unencrypted traffic to the target IPs.

What to do as a VPN user

  • Check your VPN service for updates. Peruse the official website and contact technical support. It’s possible that your provider has already updated its applications and settings, so it may be enough to install an update to fix the problem. Note that there may not be an update for iOS due to VPN configuration restrictions on Apple’s side.
  • For services based on pure OpenVPN (of which there are plenty) you can use any OpenVPN client in which the vulnerabilities are fixed. The researchers recommend Windscribe.
  • Check the exclusions in the VPN service settings. If there is an option to “route local traffic without VPN” or “allow access to local network,” disable it. In other words, all traffic must go through the VPN. The obvious downside of this setting is that you won’t be able to log in from the computer to a local NAS or manage smart devices via Wi-Fi over a local network — the only way to do this will be through cloud services. Ideally, the setting to block local traffic should be applied only to public networks, outside the home. But such a nuanced configuration that allows different settings for different networks is not always possible in VPN clients.
  • Set up a secure DNS if you haven’t done so already. This will not only complicate ServerIP attacks, but generally improve network security. A secure DNS dovetails nicely with a VPN, the two should be used in tandem.

What to do as a corporate VPN administrator

  • Check if your VPN clients are exposed to this vulnerability. A manual testing method is described by the researchers on GitHub. Test all versions of VPN clients used in your company for all relevant platforms.
  • Request updates of vulnerable client applications from your corporate VPN provider. Updates were promptly released by Cisco, for example. Note that iOS updates may not be available due to Apple’s configuration restrictions.
  • Check the standard VPN client configuration on all computers. Often the default option is to block local network access, in which case a TunnelCrack attack will not be possible.
  • If you need to keep some local VPN-free traffic, say, to provide access to a printer over a local network at an employee’s home, create restrictive rules on each computer’s local firewall to allow only certain activities from a fixed list.
  • Use DNS security tools. These often form part of all-in-one corporate network security systems, but can also be purchased separately.

#TunnelCrack #vulnerabilities #VPN #clients

There are lots of websites with tempting offers of quick and easy money working from home. But in reality, they’re likely to be from scammers looking to get gullible users to work for them for free and advertise their “business.” This post demonstrates the operation principle of several such schemes and gives tips on how to avoid falling victim to them.

Many scams in one

Who wouldn’t want to earn money for doing regular online stuff: taking surveys, watching videos, playing games and other simple tasks? That’s how scammers lure victims to one of the sites.

Home page of a scam website offering part-time work doing regular online activities

Home page of a scam website offering part-time work doing regular online activities

The home page of the “platform” is overflowing with offers of easy-earning jobs. Scammers promise new recruits a whopping US$200 a day. Plus a US$25 signing-up bonus!

Of course, there are numerous reviews from grateful “users” who have already become rich. But if you bother to read them, you’ll spot a lot of grammatical mistakes.

Reviews from

Reviews from “users” who supposedly struck gold

To earn money on the “platform”, you are asked to complete various tasks, such as testing apps, playing games, sharing a link to the site with friends, and the like.

Tasks you get paid for

Tasks you get paid for

In fact, all these “tasks” are just links to other scam resources. By visiting them, users create traffic to cybercriminals’ sites. This improves their position in search results. And also, cybercriminals may have their own footfall KPIs (key performance indicators).

When the victim tries to get their “money” (the home page promises that this can be done through popular services like Cash App, Venmo, PayPal and others), they discover that they must first earn at least US$200.

Message saying you need to earn US$200 to withdraw funds

Message saying you need to earn US$200 to withdraw funds

Sure, you won’t see any payout even if you do “earn” 200 bucks.

Nor can it be ruled out that the scammers’ domain won’t simply be blocked before user even try — such sites have very short lifespan. After getting blocked, the scammers will get another domain and launch the whole scheme again with new victims.

The scam itself is quite international. Besides English, the cybercriminals’ website is available in nine other languages. Although these versions look less professional.

Share it with the whole world

Now let’s talk about a similar site with a more primitive design, but with a different mechanism for making money from naive users.

The victims are offered two ways to earn. The first is to share the link and invite “referrals” to the website: you get US$1 for every 100 people. What’s more, the site supposedly lets you withdraw funds after accumulating just US$20. To earn this amount through inviting referrals, you need to attract 1500 users to the site (you get US$5 for signing-up).

Home page of a site that pays you to share its link

Home page of a site that pays you to share its link

Sounds hard, but things aren’t all that bad, you have a chance to earn US$50 right away. But for this you’ll have to play the scammers’ game — by endlessly refreshing the page so that the two images match. They won’t of course.

Scammers' game

Scammers’ game

When the victim goes to the site, they are immediately asked for permission to display browser notifications. Through these, the cybercriminals distribute ads for various other scams or relatively legit adult sites. That’s the main objective: to lure as many victims as possible who will give this permission.

And the image-matching game helps the scammers boost traffic to their own site and improve its search visibility.

How to avoid falling victim?

To avoid falling for online job scams:

  • Don’t believe promises of easy money.
  • Don’t enter payment information on dubious websites.
  • Read our post on how to spot scammers.
  • Use a robust security solution that will warn you before visiting suspicious sites and keep your money and data out of cybercriminals’ hands.

#Scam #websites #offering #jobs #Kaspersky #official #blog

You’ve received an email at work asking you to change your email password, confirm your vacation period, or make an urgent money transfer at the request of the CEO. Such unexpected requests could be the start of a cyberattack on your company, so you need to make sure it’s not a scam. So how do you check email addresses or links to websites?

The centerpiece of a fake is usually the domain name; that is, the part of the email after the @, or the beginning of the URL. Its task is to inspire confidence in the victim. Sure, cybercriminals would love to hijack an official domain of the target company, or of one of its suppliers or business partners, but in the early stages of an attack they usually don’t have that option. Instead, before a targeted attack, they register a domain that looks similar to that of the victim organization – and they hope that you won’t spot the difference. Such techniques are called lookalike attacks. The next step is to host a fake website on the domain or fire off spoof emails from mailboxes associated with it.

In this post, we explore some of the tricks used by attackers to prevent you from noticing a domain spoof.

Homoglyphs: different letters, same spelling

One trick is using letters that are visually very similar or even indistinguishable. For example, a lowercase “L” (l) in many fonts looks identical to a capital “i” (I), so an email sent from the address JOHN@MlCROSOFT.COM would fool even the more eagle-eyed. Of course, the sender’s actual address is!

The number of devilish doubles increased after it became possible to register domains in different languages, including ones that don’t use the Latin alphabet. A Greek “ο”, Russian “о”, and Latin “o” are totally indistinguishable to a human, but in the eyes of a computer they’re three distinct letters. This makes it possible to register lots of domains that all look like microsоft.cοm using different combinations of o’s. Such techniques employing visually similar characters are known as homoglyph or homograph attacks.

Combo-squatting: a little bit extra

Combo-squatting has become popular with cybercriminals in recent years. To imitate an email or website of the target company, they create a domain that combines its name and a relevant auxiliary word, such as or The subject of the email and the end of the domain name should match up: for example, a warning about unauthorized access to an email account could link to a site with the domain outlook-alert.

The situation is made worse by the fact that some companies do indeed have domains with auxiliary words. For example, is a perfectly legitimate Microsoft site.

According to Akamai, the most common combo-squatting add-ons are: support, com, login, help, secure, www, account, app, verify, and service. Two of these – www and com – warrant a separate mention. They are often found in the names of websites, and the inattentive user might not spot the missing period:,

Top-level domain spoofing

Sometimes cybercriminals manage to register a doppelganger in a different top-level domain (TLD), such as instead of, or instead of In this case, the name of the spoofed company can remain the same. This technique is called Tld-squatting.

A substitution like this can be very effective. It was just recently reported that, for over a decade, various contractors and partners of the U.S. Department of Defense have been mistakenly sending emails to the .ML domain belonging to the Republic of Mali instead of the American military’s .MIL domain. In 2023 alone, a Dutch contractor intercepted more than 117,000 misdirected emails bound for Mali instead of the DoD.

Typo-squatting: misspelled domains

The simplest (and earliest) way to produce doppelganger domains is to exploit various typos that are easy to make and hard to spot. There are lots of variations here: adding or removing doubles ( instead of, adding or removing punctuation (cloud-flare or c.loudflare instead of cloudflare), replacing similar-sounding letters (savebank instead of safebank), and so on.

Typos were first weaponized by spammers and ad fraudsters, but today such tricks are used in conjunction with fake website content to lay the groundwork for spear-phishing and business email compromise (BEC).

How to guard against doppelganger domains and lookalike attacks

Homoglyphs are the hardest to spot and almost never used for legitimate purposes. As a result, browser developers and, in part, domain registrars are trying to defend against such attacks. In some domain zones, for example, it is forbidden to register names with letters from different alphabets. But in many other TLDs there’s no such protection, so you have to rely on security tools. True, many browsers have a special way of displaying domain names containing a mix of alphabets. What happens is that they represent the URL in punycode, so it looks something like this: xn--micrsoft-qbh.xn--cm-fmc (this is the site with two Russian o’s).

The best defense against typo-squatting and combo-squatting is attentiveness. To develop this, we recommend that all employees undergo basic security awareness training to learn how to spot the main phishing techniques.

Unfortunately, the cybercriminal’s arsenal is wide-ranging and by no means limited to lookalike attacks. Against carefully executed attacks tailored to a specific company, mere attentiveness isn’t enough. For example, this year attackers created a fake site that cloned Reddit’s intranet gateway for employees and successfully compromised the company. Therefore, infosec teams need to think about not only employee training, but also vital protection tools:

#Lookalike #attacks #phishing #BEC