The IT Nerd

ESET researchers are releasing their in-depth analysis into the operations of Evilnum, the APT group behind the Evilnum malware. According to ESET’s telemetry, the targets are financial technology companies – for example, platforms and tools for online trading. Although most of the targets are located in EU countries and the UK, ESET has also seen attacks in countries such as Australia and Canada. The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.

“While this malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates,” says Matias Porolli, the ESET researcher leading the investigation into Evilnum. “It’s toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service provider whose infamous customers include FIN6 and Cobalt Group,” he adds.

Evilnum steals sensitive information, including customer credit card information and proof of address/identity documents; spreadsheets and documents with customer lists, investments and trading operations; software licenses and credentials for trading software/platforms; email credentials; and other data. The group has also gained access to IT-related information, such as VPN configurations.

“Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several shortcut files that extract and execute a malicious component, while displaying a decoy document,” elaborates Porolli. These decoy documents seem genuine, and they are continuously and actively collected in the group’s current operations as they try to compromise new  victims. It targets technical support representatives and account managers, who regularly receive identity documents or credit cards from their customers.

As with many malicious codes, commands can be sent to Evilnum malware. Among those are commands to collect and send Google Chrome saved passwords; take screenshots; stop the malware and remove persistence; and collect and send Google Chrome cookies to a command and control server.

“Evilnum leverages large infrastructure for its operations, with several different servers for different types of communication,” concludes Porolli.

For more technical details about the Evilnum malware and the APT group, read the full blog post “More evil: a deep look at Evilnum and its toolset” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research. 

The rise of the Internet has led to the creation of the social media influencer, altering the aspirations of children around the world. 

A recent British survey of 2,000 parents of children aged 11 to 16 years shows strong interest in being an influencer for a career. Among parents whose children told them what they want to do when they grow up, 17 per cent said they wanted to be a social media influencer, and another 14 per cent desired to be a YouTuber. Only doctor, at 18 per cent, was higher. 

When your kids are online and working on building a following that would make them worthy the title of “influencer,” here are some red flags that may pop up along the way: 

• Online Hate — Sadly, this is inevitable. The vitriol that can flow from someone hiding behind the safety of their screen is disturbingly sad. Comment sections are flooded with hurtful messages and threats — frightening for anybody, no matter their age. If your children are active online and are actively building a following, parents can help by moderating comments, reporting inappropriate behavior and using parental control tools to monitor your kid’s activity online. With parental support, kids can be taught how to act responsibly and articulate their opinion. 
• Oversharing and Online Stalking — Kim Kardashian is one of the most influential figures on social media. During one of her visits to Paris, this backfired. She was robbed at gun point, resulting in the theft of US$8 million worth of jewelry. The heist was organized based simply on following Kim’s whereabouts through her social media posts. This example of oversharing should be a warning to anyone, especially to young influencers who will do almost anything to please their followers. Parents should help their kids set boundaries between their public and private lives. It is also helpful to drill home that anything posted online will stay there forever. 
• Followers are Not Real Friends — We spend so much time in the digital landscape that it can be easy to forget that it is no real life. Children in particular have a tendency to overlook the fact that followers are not real friends. A digital connection in an online platform is not going to be there when they need a break from the latest social media craze, and they won’t be a confidant in difficult times. It is crucial that parents encourage real friendships and strong family ties that should not be neglected for a digital life. 

To learn more about the dangers faced by children online as well as about how technology can help, check out ESET‘s Safer Kids Online platform.

As people become more sensitive about the privacy and security of their data, Canadians across the country are looking for ways to up their personal security.

One personal device where security features often get overlooked is personal cell phones. Whether because we always have them close by or think it “will never happen to me,“ Canadians are leaving themselves exposed to security risks on their phones. 

To help protect your mobile security, ESET, a world-leader in cybersecurity, offers the following lock screen options for protecting your phone. 

• Pattern Lock — A pattern lock, as the name suggests, requires the owner to enter a specific pattern that they came up with to unlock their device. As far as screen lock choices go, pattern locks could be considered a medium-level security option at best. Your finger squiggle could be as easy as drawing an L or you could make the pattern more difficult by drawing a sophisticated shape. The simpler the pattern is, the easier it is for lurkers to copy it if they are watching over your shoulder. 

In fact, research found that lurkers were successful in recreating the swipe pattern 64.2% of the time after looking at it once; with multiple observations, that risk rises. You can improve your security by turning off feedback lines and opting for a more sophisticated pattern. 

• PIN / Password — If you’ve been smart and set up any protection at all on your devices, you’re probably familiar with the PIN lock/password option, because it is the code your SIM card asks you to enter whenever you turn your phone off and on. Many Android versions will allow you to set a paltry four-digit code, but if you care about your security, you will choose a much longer PIN code. 

If you want to up your lock game, you should probably opt for a password that incorporates letters, numbers and special characters and make it at least eight characters long. It may be a bit harder to remember and type out, but in the long run you’ll be glad you played it safe. If you really want to up the ante, you can also turn on the feature to wipe your phone after a number of failed login attempts.

• Fingerprint Biometric Lock — Fortunately for some of us, fingerprint biometric locks are still a thing. You may encounter different varieties, with some being standalone locks, others incorporated into buttons and the latest development are the ones hidden in the smartphone screen. The case for these is that the fingerprint lock can be one of the fastest ways to secure your phone. By placing your finger on the reader, your phone will unlock within a fraction of a second. 

But is it foolproof? Well, where regular people are concerned it is highly doubtful that a bad actor would go through the ordeal of trying to get through a biometric lock. Still, bypassing a fingerprint lock isn’t entirely impossible. Fingerprints can be stolen from photos and other sources, then recreated, even with just 2D printing.

• Face Scan — This biometric lock does exactly what it says: it scans your face. Although you’d imagine that the process is fairly sophisticated and entails a large number of technological wonders, the truth is it basically relies on your front camera and some software. The camera scans an image of your face and then relies on a facial recognition algorithm to verify your face. The speed of the unlock also depends on your phone and the quality of its front-facing camera. 

There is quite a variety of lock options to choose from. It is always wise to choose a combination of features and not rely on just one. The safest two-step combination is a trusty PIN or password of sufficient length, with a fingerprint scan coming in next. Whichever option you choose, it’s always smart to plan ahead. Securing your phone now might save you from a nasty headache in the future.

For more tips, please visit welivesecurity.com

ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an ongoing development process. 

According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression on the number and complexity of its capabilities. The developers in charge of infection vectors seem to be trying different approaches, such as using old exploits for Microsoft Word vulnerabilities from 2017 and deploying trojanized applications for delivery, potentially via spear-phishing. The three discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.

Ramsay’sarchitecture provides a series of capabilities managed via a logging mechanism:

• File collection and covert storage: The primary goal of this framework is to collect all existing Microsoft Worddocuments within a target’s file system.
• Command execution: Ramsay’s control protocol implements a decentralized method of scanning and retrieving commands from control documents.
• Spreading: Ramsay’s embeds a component that seems to be designed to operate within air-gapped networks.

For more technical details about Ramsay, read the blog post “Ramsay: A cyber espionage toolkit tailored for Air-Gapped Networks” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

A minimum number of characters, mix of letters and numbers and must include a symbol.

Sometimes, it seems like it can be a Herculean task just to come up with a unique password, never mind having to remember it — and all of the other passwords you are asked to use to protect not only your devices but also all of the websites and online services you may use that require inputting sensitive personal information. But with the way technology is progressing, may experts are starting to question whether passwords may becoming obsolete, and if still need them at all.

Online vulnerabilities have amplified during the current COVID-19 pandemic. More of our business is being done online and much of interaction with others is happening on a digital pathway. In early April, the popular conferencing platform Zoom revealed that half a million stolen passwords were up for sale on the dark web, and phishing scams have increased exponentially.

Passwords are the key to keeping digital lives secure, and yet they’re not very secure by themselves. Without a password manager or two-factor authentication, it is relatively easy for hackers to crack people’s passwords, not least because “123456,” “qwerty” and “password” are still some of the most commonly used passwords across the globe.

It is now pretty commonplace to open your phone with your fingerprint or your face, and soon, biometric identification might be the norm for accessing all kinds of personal data. Since 2015, Google has worked to limit both the use of and the need for passwords in Android phones. Microsoft, too, launched its own alternatives, introducing a biometric login system in order to avoid the need for conventional passwords. The fight against our overreliance on passwords even has an open industry body backing the cause – The FIDO Alliance, which includes member companies such as Google, Facebook, PayPal, Visa and Amazon.

The technology to replace passwords exists, yet adoption has been slow. Despite some companies like Dropbox adopting this form of user identification, it has been used as a second layer of security for passwords, when it was really intended to be the first line of defense. 

While it is unlikely that we’ll see passwords completely disappear anytime soon, they may begin to take a backseat to more secure forms of identification, just as you can still use your PIN to open your phone if your fingerprint or face doesn’t register. In the meantime, there is no excuse to slack off on password safety!

Ensure you’re using strong passwords and invest in a password manager for both yourself and your business, such as ESET Password Manager. While recovering a personal password might not be too difficult, accidentally compromising business data can be much trickier to recover from. This World Password Day, take a moment to review your own password protections – it just might save you a lot of hassle down the track!

For more tips about password safety, please visit: www.welivesecurity.com

A new “sextortion” campaign has been detected making the rounds in North America and Europe.

Discovered early last month, the spam emails that were detected by ESET’s research laboratory have been trying to dupe unwitting victims by referring to old passwords that have been part of old data breaches.

The new scam borrows, or rather builds upon, the previous versions. The scammers start with an alarming message right off the bat to get the victim’s attention, usually by including one of the victim’s old passwords that was probably stolen as part of a previous data breach. Moving on, the fraudsters claim that the victim’s device was infected by some form of malware when visiting a porn website, and that allowed them to obtain both the victim’s password and access to their device. The scammers then purport to have made a video of the victim and the alleged “not safe for work” content.

Once the cybercriminals have scared their potential victims enough, they demand a sum to be paid within 24 hours or the embarrassing video will be released. They usually want the payment to be made in bitcoin.

After analyzing some of the cases stemming from this new sextortion scam campaign, ESET researchers found that it probably started sometime around the 8^th or 9^th of April.

To help Canadians avoid these attacks, ESET has complied the following tips for detecting and avoiding sextortion scams:

Utilize Google

By simply googling the word scam in quotes, along with a phrase used in the suspect email you can easily investigate if people have received similar (fake) emails.

Contact your computer security vendor

There is a very good chance that their tech support may know about it already, and that the company is preparing to block the next wave of such attacks if not blocking them already. And if they are not aware of this variant, they will certainly want to know so that they may protect their customer.

Contact your email provider

Whether it is Gmail, Outlook, your company’s IT department, or some other entity, it’s not good to allow scams (one of many forms of spam) in their customers’ Inboxes. So, let them know, which will assist them to tweak their spam filters.

For more tips about online safety, please visit: www.welivesecurity.com

ESET today announced a number of measures, effective today, to assist consumers, small businesses and enterprises in all industries stay safe and secure online during the COVID-19 crisis.

To protect consumers from phishing attacks and other malicious software, ESET is extending the free trial period from 30 to 90 days for ESET Internet Security, which protects Windows, Mac, Android and Linux devices from the latest threats.

To assist new and existing ESET customers bolster their network security and minimize risks from employees working remotely, ESET is extending the free trial period from 30 to 90 days for ESET Dynamic Threat Detection(for users with more than 100 seats) and ESET Secure Authentication.

ESET Dynamic Threat Detection provides another layer of security for ESET products like Mail Security and endpoint products by utilizing a cloud-based sandboxing technology to detect new, never before seen types of threats. ESET Secure Authentication provides a simple, effective way for businesses of all sizes to implement multi-factor authentication across commonly utilized systems. All trials provide access to the full-features of the listed products.

These offers are valid March 27 thru June 30, 2020 inclusively. For more information, please visithttp://www.eset.com/ca.