Video games allow users to become a whole new persona, to experience imaginary worlds, and live out scenarios that are beyond their wildest dreams. One of the most popular video games out there, Minecraft, allows users to build worlds out of cubes and create customized virtual avatars to represent themselves within the game. Only now, special add-ons that are used by players to personalize their avatar have become part of a cyber scheme, as over 50,000 Minecraft accounts have been infected with malware via character skins that were created and uploaded to the game’s official website by fellow users.
Though it is unclear who exactly created the malicious skins, it is believed that the malware does not come from any well-known cybercriminals but rather from inexperienced players looking to exploit others for their own amusement. This malware is not just a simple competitive jab either, as its tactics are quite nasty. It has been reported that, once downloaded, the strain can reformat hard drives and delete backup data and system programs.
Now, knowing that fellow gamers are out there trying to sabotage others, what are next steps for Minecraft players? It’s important all users start doing all that they can now in order to avoid infection. You can start by following these proactive security tips:
Do your homework. Before you download any extra add-ons for games, make sure you read fellow user reviews. Do a quick Google search and see what other users think: has it caused them issues or security strife? When in doubt, don’t download any add-ons (like character skins) that come from an untrustworthy source or seem remotely sketchy.
Back up your files on an external hard drive. Always make sure your files are backed up on an external hard drive. That way, if your data is deleted in this Minecraft malware attack or others like it, you can restore the data from the backup.
Use comprehensive security. Whether you’re using the mobile version of Minecraft, or gaming on your computer, it’s important you lock down all your devices with an extra layer of security. To do just that, use a comprehensive solution such as McAfee Total Protection.
And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.
Source link: https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/minecraft-character-skins-malware/
If I were to ask whether you could trust a script from Google that is loading on your website, the majority of users would say “yes” or even “absolutely”. But when malicious behavior ensues, everything should be double-checked and treated as suspect, even assets that come from “trusted sources” like Google, Facebook, and YouTube.
In the past, we saw how AdSense was abused in a malvertising campaign. Even more recently, we saw how attackers injected malware that called Google AdSense ads to generate revenue for the attackers. However, there’s an even more troublesome part of the toolkit that Google offers to webmasters: Google Tag Manager.
How GTM Works
With so many measurement tools out there, marketers need flexibility — whether that’s changing tags on the fly or having the ability to easily add tags from other sources.
In Google Tag Manager, marketers can add or change their own tags as needed. Tag Manager supports all tags and has easy-to-use turnkey templates for a wide range of Google and third-party tags — for web and mobile apps. Don’t see a tag listed? You can add it immediately as a custom tag. With so much flexibility, your campaign can be underway with just a few clicks.
How is Google Tag Manager Implemented?
The Google Tag Manager script is easily called on a website like this:
The ID passed to the script determines which container content is loaded. This makes it easy for an attacker to simply change the ID to one that they control, and hard for the webmaster to notice that a compromise of their website has taken place, unless they constantly keep an eye on every change that happens and/or know the GTM ID by heart.
Google Tag Manager Used to Load Malvertising
Now, let’s dig into it with a practical real-life occurrence that we came across recently.
This is a block of code we found on a Google Tag Manager script being used on a website:
That code makes the website load the following scripts:
They seem pretty normal, right? Two of them (Facebook) are seen quite often and act normally, but the one from adform[.]net is a different story. The name itself reveals that it loads ads, and since most ad networks have very lenient ad filters, this becomes a prime suspect for malicious behavior on the website. We’ll need to investigate it further.
Pop-ups and Redirects
The issues reported were pop-ups and redirects. Just a quick look at how the adform script was behaving gave the indication that something was off.
The script from adform[.]net was requesting a script from action.dstillery[.]com, which then redirected the request to the following URL:
This behavior is common with ads, but when investigating the media6degrees.com request, the data returned was:
It loads ads from other networks. This is a normal strategy for some advertisers, but the problem is that there are networks with known ineffective advertising policies which make it possible for ads with malicious intentions to pass their filters. As a consequence, this allows the ads to be delivered to your website and infect your visitors with several kinds of malware.
The knock-on effect is that each of those networks can load other networks and several more scripts. Before we notice it, we have dozens of unknown scripts loading on the website, and with each one of them the potential risk for the visitors multiplies.
Some of those networks were causing the redirects and pop-ups, so removing the GTM script from the website fixed the problem immediately.
In a separate case which also faced pop-ups and redirects, nothing strange appeared to be loading on the website directly at first glance. As soon as we went to check the scripts which were being executed, we found this in the Google Tag Manager script:
In this case, the code would make the site load scripts from various usual domains, however, it also included hxxps://s.adroll[.]com, which takes us back to the suspicion of malvertising that can come with ad networks.
Upon further investigation, we could see that the adroll.com script was loading scripts from several other websites such as:
Several of these items are ad networks and are often chosen by attackers to display ads on your website to generate some revenue for them. Each of those could load dozens of other scripts.
Again, in this case, some of those networks were directly or indirectly responsible for the malicious behavior, so immediate removal of the GTM script fixed the issue.
In these two examples, it is still unclear whether the client’s Google Tag Manager account was compromised and the ad code then added, whether the client added the code themselves to have ads showing up on their website, or whether the attacker just changed the ID called in the script to make it load a version fully controlled by them.
Google AdWords’ algorithms are blocking campaigns due to malicious ads such as these, which load from within the GTM script. This makes it imperative to keep in mind every bit of code that is being called from it.
In another example that we came across, the attackers simply replaced the ID of the Google Tag Manager to make it load the one that they wanted. Inside that Google Tag Manager script was a simple redirect that would take the visitor to another website, achieved with the following:
One can see why Google Tag Manager’s script can be a potential source for hiding malicious activity. An attacker can just copy all the contents of your legitimate version and put it in their modified version while adding the malicious content. After that, it’s just a matter of changing the ID that your website is calling.
Since the script will come with Google’s name already, many webmasters most likely ignore it, which makes it perfect for the attackers to hide their code in.
It’s important to understand that a compromise of your website or of your Google Tag Manager account has to take place to allow the attacker to either replace the code or the ID called on the script for the script to be used for bad intentions.
There’s also the possibility that the webmaster himself added the code that then led to malicious activity, but this is something that the webmaster needs to be wary of at all times.
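One way a site owner can catch the ID swap and the unexpected third-party loads described above is to audit the served HTML against an allowlist. The following is an added example written for this page; it is not code from the Sucuri post and not part of Google Tag Manager. It assumes the owner keeps a list of the container IDs they actually created and of the external script hosts they expect. The sample HTML, the container IDs GTM-ATTACK1 and GTM-OWNER01, and the hostnames under .test are constructed. The ID scan covers both places the standard GTM snippet puts the ID (the inline loader’s last argument and the noscript iframe URL), so it goes slightly beyond the single inline call the post discusses.

```javascript
// Added example, not code from the Sucuri post and not part of Google Tag Manager.
// Audits a page's HTML for (1) GTM container IDs that are not the owner's and
// (2) third-party <script src> hosts that are not on the owner's allowlist.
// All sample HTML, container IDs and *.test hostnames below are constructed.

// GTM container IDs have the form GTM-XXXXXXX. Scanning for the token itself
// covers both the inline loader snippet (ID is its last argument) and the
// <noscript> iframe URL (ns.html?id=GTM-...). Over-inclusive by design: a false
// positive is a cheap review, a missed swapped container is not.
const GTM_ID = /\bGTM-[A-Z0-9]{4,}\b/g;

// Collect every GTM container ID present in the page (deduplicated, sorted).
function extractGtmIds(html) {
  return [...new Set(html.match(GTM_ID) || [])].sort();
}

// Collect hostnames of all external <script src=...> tags. Relative and
// same-origin URLs are ignored; protocol-relative URLs (//host/x.js) are resolved
// against the page origin, the way a browser would.
function extractScriptHosts(html, pageOrigin) {
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi; // fresh regex per call
  const origin = new URL(pageOrigin).origin;
  const hosts = new Set();
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    let u;
    try { u = new URL(m[1], pageOrigin); } catch { continue; } // skip unparsable src
    if (u.origin !== origin) hosts.add(u.hostname.toLowerCase());
  }
  return [...hosts].sort();
}

// Compare what the page actually loads against what the owner expects.
function auditPage(html, { pageOrigin, allowedGtmIds, allowedScriptHosts }) {
  const gtmIds = extractGtmIds(html);
  const scriptHosts = extractScriptHosts(html, pageOrigin);
  const allowedIds = new Set(allowedGtmIds.map(s => s.toUpperCase()));
  const allowedHosts = new Set(allowedScriptHosts.map(s => s.toLowerCase()));
  return {
    gtmIds,
    unexpectedGtmIds: gtmIds.filter(id => !allowedIds.has(id)),          // swapped or injected container
    missingGtmIds: [...allowedIds].filter(id => !gtmIds.includes(id)),   // legitimate container gone
    unexpectedScriptHosts: scriptHosts.filter(h => !allowedHosts.has(h)),
  };
}

// Constructed sample: the standard GTM snippet shape, but with the owner's
// container ID replaced, plus one extra third-party script tag.
const SAMPLE_HTML = `
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-ATTACK1');</script>
<script src="/assets/app.js"></script>
<script src="//cdn.example-analytics.test/tracker.js"></script>
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-ATTACK1"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
</body></html>`;

// Constructed policy: the one container the owner created and the hosts they expect.
const SAMPLE_POLICY = {
  pageOrigin: "https://www.example.test",
  allowedGtmIds: ["GTM-OWNER01"],
  allowedScriptHosts: ["www.googletagmanager.com"],
};

console.log(JSON.stringify(auditPage(SAMPLE_HTML, SAMPLE_POLICY), null, 2));
```

Run against fetched HTML on a schedule (or against a copy served through the CDN, since that is what visitors get), and alert on any non-empty `unexpectedGtmIds`, `missingGtmIds` or `unexpectedScriptHosts`. This only inspects the page’s own markup; scripts that the GTM container itself pulls in, the chain the post walks through, are only visible by monitoring what the browser actually requests.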
Moral of the Story
The point to be taken here is that seemingly trustworthy scripts can never be trusted when strange behaviors start happening on your website. The most innocent of scripts, even ones such as StatCounter, can wreak havoc on your website and reputation.
Any external assets which load on your website should be kept to a minimum so that you can maintain the most control over everything. Any accounts which are directly connected should be kept secure with strong and unique passwords.
If you believe your website has been compromised or is serving malicious content, we can help.
Source link: https://blog.sucuri.net/2018/04/malicious-activities-google-tag-manager.html
This entry was posted in Wordfence, WordPress Security on April 18, 2018 by Kathy Zant.
If your WordPress site matters, upgrading to Wordfence Premium gives you the best protection available. And at $99 per year, it is incredibly affordable. Once you’ve made this great investment, there are a few things you can do to optimize your site’s security.
Install Your Premium License Key
Do you have the free version of Wordfence installed? You probably see that your site security status circles are not fully 100%. You can quickly change that after you purchase your premium license.
Your Premium license key is available on the API Keys page at Wordfence.com. To install it, simply go to either the Global Options or All Options page within the plugin on your site, and paste the license key into the ‘License Key’ box in the Wordfence License section. Hit the ‘Install License’ button and you’re all set!
That one step enables these important Premium features:
The Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
Real-time firewall rule updates protect you from the latest threats
Real-time malware signature updates provide malware blocking within the firewall and malware scanning features with the latest threat intelligence
Site reputation checks tell you if your IP has been blacklisted for malicious activity, generating spam or other security issues.
Premium support from our amazing team of Senior Support Engineers
There are just a few more steps to make sure your site is locked down.
Optimize the Firewall
Your Wordfence firewall should be in extended protection mode, which means the Wordfence firewall will execute before any other PHP code on your server. There’s no better protection available than the Wordfence firewall when it’s optimized and armed with the Premium firewall rules, malware signatures and malicious IPs.
You can learn more about optimizing the Wordfence firewall in our help section.
Enable Two-Factor Authentication
Two-factor authentication is one of the most secure forms of remote system authentication available. We support both text messages to your cell phone and Google Authenticator as second authentication methods. If a password is ever stolen somehow, this extra layer of protection ensures your WordPress site remains secure.
Configure Country Blocking
If you’re experiencing malicious activity from a country that you’re not doing business in, you can block it with Wordfence Premium. Be judicious in your blocking, however. Make sure you don’t block countries that may affect your site’s functionality (e.g., don’t block the United States and inadvertently block Google and PayPal).
You can also use country blocking to secure your login page only. If you know you’ll only be logging in from one location, secure your login page from being accessed from other locations.
Customize Your Scan Schedule
With Wordfence Premium, a full scan runs every 24 hours by default, which should be fine for most sites. You can specify which hour or hours of the day you’d like scans to run. We recommend looking at your site traffic patterns and selecting times when traffic is generally the lowest for the day. If you’d like to increase the frequency, you can schedule them to run as often as every hour.
Managing a Large Number of Sites?
We’re doing something new for those of you tasked with securing a large number of WordPress web sites. The Wordfence Client Partner initiative gives agencies, educational institutions, and other large scale users of WordPress a dedicated technical partner to assist with Wordfence at scale. Does this sound like you? Let us know. We’re here to help.
Get Support From Our Senior Support Engineers
The comprehensive capabilities of Wordfence give you tools and features that provide a level of security for WordPress you won’t see elsewhere. But when you’re just getting started, it all may seem overwhelming at first. With Wordfence Premium, you have access to the best WordPress security support team in the world. Our awesome team of Sr. Support Engineers can assist you with any Wordfence- or site security-related question you may have. Just enter a ticket here and they will respond within a few hours on average.
We hope this article helped get you started with Wordfence Premium. To learn more about Wordfence please check out our great help content, or our learning center to learn more about WordPress security in general.
Source link: https://www.wordfence.com/blog/2018/04/wordfence-premium/
Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages.
It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites, and a couple of days later they began using Google’s goo.gl URL shortening service.
This is a snippet from their decoded script:
The Redirect Chain
If you check Google’s own information about that shortened URL, it shows that the URL redirects to another Google-owned URL, maps.app.goo.gl, which looks quite benign. This domain is used for sharing user location on Google Maps.
Don’t click on it though. Things are not as simple as Google makes them seem. Let’s check the same shortened URL in Unmask Parasites:
These sorts of redirects are typical of campaigns operated by roi777. They push location-dependent ads and scam pages and are specifically notorious for fake lottery and fake technical support scams. For more information about roi777 campaigns, we recommend reading this recent blog post by Kafeine.
Open Redirect Vulnerability in maps.app.goo.gl
Now let’s return to the second step of the redirect chain. How did hackers get Google’s location sharing service maps.app.goo.gl to redirect to a malicious site? It turns out that it was not difficult at all. You just need to put any URL in the ?link parameter and maps.app.goo.gl will redirect to the specified URL. For example, this URL https://maps.app.goo.gl/?link=https://sucuri.net currently opens Sucuri’s website. That’s called an open (unvalidated) redirect.
This security issue has been known for quite a while. For example, you can find the vulnerability report on the Open Bug Bounty site. It was originally reported by LewisBugBounty on September 10, 2017 and publicly disclosed on December 9, 2018. Apparently, Google didn’t find this issue serious enough to fix, and anyone can still use their site as an open redirector.
goo.gl vs maps.app.goo.gl
It’s interesting to see that the attack uses two types of goo.gl links as the initial steps in the redirect chain. The first one is a normal shortened goo.gl link and the second is a crafted redirect via maps.app.goo.gl. So what’s the difference?
The shortened goo.gl link efficiently hides the real link destination and the domain reputation helps avoid problems with blacklisting. On the other hand, goo.gl links can be created only via Google site or their API, so the creator of the link can be potentially tracked. Even for links shortened by anonymous users, anyone can view various analytics data such as time of creation, volume of clicks, and referrers (infected sites in our case).
More importantly, the URL shortening service has Terms of Service and an Acceptable Usage Policy which, among other things, specifically prohibit “directing users to sites containing spam and malware” and “shortening URL re-directors”. This means that any shortened goo.gl link can be disabled for violating the rules.
During the investigation, the link was reported to Google and it was disabled. All infected websites with this variation of malware now open the “disabled” notification instead of malicious ads:
While maps.app.goo.gl redirect links have a reputable domain name that can hardly be blacklisted, they are not good at hiding the final link destination, which is in plain sight right after “?link=”. This might not be a big issue for certain attacks, especially when it’s not the first step in the redirect chain, as in this case. Moreover, maps.app.goo.gl has several advantages over the regular goo.gl for use in malicious activity.
Anonymous and untrackable. One doesn’t need to use any Google services to create redirect links.
Unblockable. Since the open redirects are just a side effect of the service, there is no easy way to report and block such links to stop malicious activity.
Too bad Google leaves this redirector open.
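The two sides of the open-redirect issue above, as an added example written for this page (it is not code from the Sucuri post and not Google’s implementation): `findRedirectParams()` is the detection side, finding query parameters whose value is an absolute http(s) destination on another host, which is the post’s point that the real target sits in plain sight after “?link=”; `isSafeRedirectTarget()` is the mitigation side, the check a redirect endpoint should run on a user-supplied target before honouring it. The maps.app.goo.gl/?link= form and sucuri.net are from the post; every other hostname (under .test) is constructed.

```javascript
// Added example for this page; not code from the Sucuri post and not Google's
// implementation. Detection and mitigation of open (unvalidated) redirects.
// The maps.app.goo.gl/?link= form and sucuri.net come from the post; all *.test
// hostnames are constructed.

// Return [{ param, host, href }] for every query parameter whose value resolves
// to an http(s) URL on a different host than the URL carrying it. The value is
// resolved against the carrying URL, the way a browser would, so "//evil.test/x"
// is caught while a plain same-site path like "/account" is not.
function findRedirectParams(urlString) {
  const outer = new URL(urlString);
  const hits = [];
  for (const [param, value] of outer.searchParams) {   // searchParams percent-decodes values
    let target;
    try { target = new URL(value, outer); } catch { continue; }
    const isHttp = target.protocol === "http:" || target.protocol === "https:";
    if (isHttp && target.hostname !== outer.hostname) {
      hits.push({ param, host: target.hostname, href: target.href });
    }
  }
  return hits;
}

// Decide whether a redirect endpoint may send the user to `target`. The decision
// is made on the parsed URL, not the raw string: "/\\evil.test" and "//evil.test"
// both resolve to another host, and "https://site.test@evil.test" has evil.test
// as its hostname. Only same-site targets and allowlisted hosts pass.
function isSafeRedirectTarget(target, { siteOrigin, allowedHosts = [] }) {
  let u;
  try { u = new URL(target, siteOrigin); } catch { return false; }   // unparsable: refuse
  if (u.protocol !== "http:" && u.protocol !== "https:") return false; // no javascript:, data:, ...
  if (u.origin === new URL(siteOrigin).origin) return true;            // same site
  return allowedHosts.map(h => h.toLowerCase()).includes(u.hostname.toLowerCase());
}

// Constructed site policy and sample inputs.
const SITE = { siteOrigin: "https://www.site.test", allowedHosts: ["partner.site.test"] };

const SAMPLE_URLS = [
  "https://maps.app.goo.gl/?link=https://sucuri.net",            // the form from the post
  "https://www.site.test/go?next=/account&utm=spring",           // harmless same-site target
  "https://www.site.test/go?next=//evil.test/landing",           // protocol-relative escape
  "https://www.site.test/search?q=https%3A%2F%2Fsucuri.net%2Fpage", // percent-encoded target
];

const SAMPLE_TARGETS = [
  "/account", "https://sucuri.net", "//evil.test/x", "/\\evil.test",
  "https://partner.site.test/ok", "javascript:alert(1)", "https://www.site.test@evil.test/",
];

function demo() {
  for (const s of SAMPLE_URLS) console.log(s, "->", findRedirectParams(s));
  for (const t of SAMPLE_TARGETS) console.log(t, "safe:", isSafeRedirectTarget(t, SITE));
}
demo();
```

Running `findRedirectParams()` over referrer or proxy logs surfaces redirector hops in a chain like the one above without following any link; `isSafeRedirectTarget()` is the shape of the check whose absence turns a service like maps.app.goo.gl into an open redirector.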
Now, let’s take advantage of the hackers’ choice of the URL shortening service and check analytics data for this campaign (for this link only – not all infected sites have this goo.gl variation of the redirect at the moment).
As you can see, the link had been created on April 12, 2018 and attracted over 31 thousand clicks (opened popups) in one week, with about 8 thousand clicks on an average “good” day and very few clicks during the weekend.
No more goo.gl links?
A funny fact about this link is that it was created on the last day when goo.gl allowed anonymous users to shorten links. Right now, every goo.gl page has this notification:
This means that the attackers will no longer be able to create new goo.gl links anonymously. Registering fake accounts will not help, as users who have never created short links before March 30, 2018 will not be able to create new goo.gl links either.
At this point, the ih4rWD goo.gl link has already been in use for a whole week and the attackers will have to replace it with something else soon. Unless they managed to shorten multiple links before April 13, we won’t see any new goo.gl links used by this malware.
While we are waiting for new creative variations of this attack, you can read our previous articles and the WordPress cleanup guide that will help you mitigate the damage if your site was one of the many hacked sites. If you believe your website has been compromised, we are happy to help you.
Source link: https://blog.sucuri.net/2018/04/from-baidu-to-googles-open-redirects.html
It’s no secret that IoT devices have caused some issues with security in the past. They’ve been used by cybercriminals to topple networks and hack into homes. Oh, and now breach casinos. You heard correctly – a vulnerable IoT thermometer, which was being used to monitor the water of an aquarium in a casino’s lobby, actually opened up the organization’s network to cyberattack.
So, how exactly did a singular IoT thermometer breach an entire organization? The vulnerable device created an opening into the casino’s network for cybercriminals to enter, resulting in the crooks obtaining information about the casino’s high-roller database. Unfortunately, it has yet to be determined what kind of information has been taken from this database.
This incident reminds us that IoT security continues to be a persistent problem that’s showing no signs of slowing. As discussed during our EMEA McAfee Labs Day event last week, new connected devices are coming online every day, so it’s important to think about how you protect your data now and in the future. That starts with manufacturers including security as part of their design of IoT devices and owners of connected gadgets doing their part in ensuring their devices don’t expose larger networks of any kind. You can start implementing proactive IoT security by following these tips:
Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the device in question’s security standards. A simple Google search on the product, as well as the manufacturer, will often do the trick.
Change default passwords and do an update right away. If you purchase a connected device, be sure to first and foremost change the default password. Default manufacturer passwords are rather easy for criminals to crack. Also, your device’s software will need to be updated at some point. In a lot of cases, devices will have updates waiting for them as soon as they’re taken out of the box. The first time you power up your device, you should check to see if there are any updates or patches from the manufacturer.
Secure your home’s internet at the source. Just like the thermometer must connect to the casino’s larger internet network, smart home devices must connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router level.
And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.
Source link: https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/casinos-high-roller-database-iot-thermometer/