Summer is just around the corner in the Northern Hemisphere, and with it comes vacation plans for many. Those looking to take some time away from work and home are likely making plans to secure their home, have their pets taken care of, and tie up loose ends at work. But how about securing your devices and your data while you’re away? Here are some things to take into consideration if you want to have a trip free of cyber worries.

Before you leave

Some of the things on your cybersecurity checklist can be taken care of before you leave. They include the following:

• Make sure the operating systems and software on all the devices you are going to take along with you are up to date. Having to install updates while you are on the road can be a pain due to slow and unstable connections. Use your at-home Wi-Fi, which you know is secured with a password. (Right? If not—do that right away.)
• You may want to take precautions to secure devices that you’ll be leaving behind in your workplace and home. If a burglar gets hold of your desktop, they should not be able to harvest any valuable data. All devices should be password protected (including the ones you are taking along with you).

• Back up the valuable data on the devices you are bringing so that if you lose them, it won’t be a double disaster.
• Do not announce the dates of your upcoming travel plans on social media. That’s a great way to alert criminals to case your house and break in during the time you’ll be gone. Post your travel pics when you get back. They will still be cool.
• Disable the auto-connect options shortly before you leave and have your devices forget the network SSIDs in their lists. Threat actors can abuse these features for man-in-the-middle attacks.
• If you have contactless debit and credit cards, get shields in which to store them so you can carry them around without leaking information.
• Think twice about bringing a multitude of devices. The chances of anything getting damaged, stolen, or lost are much higher when you’re on the road.
• Make sure your travel insurance covers all the devices and any other valuables you plan to take along.

While you are traveling

Travel plans can range from road trips to a nearby camping spot to flights to five-star beach resorts. Because of the wide range of travel options, some of the following advice may or may not apply:

• If you park your car at the airport, obviously make sure no valuable devices are left behind. This is also a good time to disable the Bluetooth of your phone, because the car is probably the only useful Bluetooth connection you need. And when Bluetooth is off, it can’t be abused.
• Airports and other waypoints on your travels will often offer public, free, and unprotected Wi-Fi. Consider the risks associated with them when you use them, or use a VPN to enhance the security by encrypting your connection.
• If you need to use Wi-Fi at your hotel, make sure their connections are secured with passwords. And if you need to access sensitive material for work, set up VPN on your laptop beforehand.

• Privacy screens make sure that only the person sitting straight in front of the screen can read what is on it. This can stop people from secretly watching what you are doing. Good privacy screens are easy to apply and are available for laptops and many handheld devices.
• Don’t use public computers for sensitive Internet traffic. This certainly includes online shopping and any other financial transactions. While you are traveling, it’s safer to spend money at your destination instead of online.
• If you use webmail to read your mail when you are away from home, keep in mind that this may be less secure then reading the mail in your favorite email client. Some webmail services have html enabled by default.
• Use a fully updated anti-malware solution for all your devices. Malwarebytes has solutions for many operating systems and types of devices.
• Since you may not want to take your laptop and every other device with you as you go sightseeing, make sure there is a safe place to keep the items left behind. Not every hotel safe is big enough for a laptop. Ask your hotel concierge if they have other options for securing devices. Simply leaving them behind in your room is not the safest move.

If you travel abroad

Some extra attention to detail may be required when you travel abroad.

• Make sure you leave your country with the devices fully charged. You may need to use them for a while before you get another chance to re-charge. It may require different cables, power plugs, and adapters to charge your devices at your destination or checkpoints along the way. Come prepared.
• Not only the US, but also some other countries will look at your social media accounts to find any information that could make you a less welcome guest. It might be prudent to remove any questionable comments to thwart further investigations.
• If traveling into the US from abroad, be prepared that you might be asked to hand over your device and your password to get in. Make sure there is nothing to be found on it that you don’t want to be found.

When you get back

Back home safe and sound? Don’t rest yet. Check a few more things and then you can start posting online about your relaxing, fun, and incident-free vacation.

• Update your anti-malware solution and run manual scans on your devices to check for any uninvited guests you may have picked up on the road.
• If you bought devices abroad, check them for compliance and whether they are compromised. In some countries, devices are sold with monitoring software pre-installed.
• Check your bank account for any unexpected withdrawals or spending. Warn your bank or credit card provider if you suspect foul play or if you have lost sight of your credit card at some point. it’s especially important to do this if you suspect your login credentials may have been stolen.
• As an extra precaution, you may want to change the passwords that you used during your time away. If someone managed to get ahold of one during your trip, you’ll stop them from doing any damage with a changed password.

Don’t let all this ruin the fun

While most of the things mentioned above are precautions we (should) take every day, they are not the first ones that come to mind when you are planning that awesome trip you have worked for all year. But as always, it’s better to be safe than sorry.

Recommended reading: 7 tips to stay cyber safe this summer

Safe travels!

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Tips for safe summer travels: your cybersecurity checklist

 

When goods get sold in large quantities, the price goes down. This might not be the first law of economics, but it’s applicable. An extrapolation of this is that if there are practically no production costs and no raw materials involved, prices of such goods will drop to zero. Usually, they will be offered as free gifts to promote the sale of other, more costly goods.

Something like this has happened to SSL certificates. They are offered for free with web hosting packages by several companies, including those that don’t do a thorough check into the identity of the buyer. Better said: They couldn’t care less who buys the package as long as they pay the bills.

So, while users can now expect to see the green padlock on every site, especially the ones where they make financial transactions, the trust that we can put into the underlying certificates is going down.

Definitions

To clarify what we are talking about, let’s have a look at the definitions of the protocols we are about to discuss.

Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer protocol (HTTP) that adds a layer of security on the data in transit through a secure socket layer (SSL) or transport layer security (TLS) protocol connection.

Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the Internet.

Transport Layer Security (TLS) replaced SSL when it was deprecated, but TLS is backwards-compatible with SSL 3.0.

So, basically TLS is a computer networking protocol that provides privacy and data integrity between two communicating applications. It’s used for web browsers and other applications that require data to be securely exchanged over a network.

The green padlock

So, where does the green padlock come into play? The green padlock simply means that traffic to and from the website is encrypted. A certificate, provided by a certificate provider (Certificate Authority or CA), is used to set up this encryption. Sounds good, right? But the only thing you can actually be sure of when you see such a padlock is that your computer is connected to the site that you see in the address bar.

Let’s use the example above to explain some of this. A right-click on the padlock shows us some more information about the secure connection.

So, we have a secure connection to the domain paypal.com owned by PayPal, Inc. and the Certificate Authority is Symantec.

Let us compare this authentic one to the one in use by a known PayPal phishing site:

As you can see, the phishers have a green padlock on their site as well. But when we have a look at the details:

It is easy to see, from the browser address bar alone, that we are not connected to paypal.com. And in the additional information, we can see that the phishers used a free certificate from the CA Let’s Encrypt.

I do realize that in this example it was easy to see the wrong address in the browser’s address bar, but typosquatted domains can be a lot harder to spot, as they purposely use domain names that look similar to the legitimate site. PayPal has registered many such typosquatted domains to protect their customers.

So, we’ve established that the green padlock alone is not enough. In fact, over a million new phishing sites surface every month. Given how many new sites—not just phishing sites—are created every day, and knowing that hosting deals include free certificates and are cheap as dirt, we can easily assume that hosting providers do not have the resources to check each and every new site. Even if they did perform these checks, who is going to check whether the site does not get changed once it has gone live?

So, since the visitor is the one facing the consequences of entering his credentials on a phishing site, it looks like the ball is in his court.

But there is help

You do not need to feel helpless. The cavalry comes to the rescue in many shapes and forms. Some browsers warn you before they let you visit known phishing or other malicious sites. This method is based on blacklisting, so if you are among the first visitors, you could still wind up on such a site without a warning.

Some security software, including Malwarebytes, blocks known phishing and other malicious sites. These methods can be based both on blacklisting and behavioral analysis.

And there are certificates that do get issued only after extended checks. These are called EV (Extended Validation) certificates. To show the difference, we need to double back a bit.

The bottom screenshot is the original PayPal certificate, and it is an extended one. The top screenshot is a regular Domain Validation (DV) certificate (which was used by the phishing site). As you may notice, the EV certificates are displayed differently from the DV certificates. The difference in how they are displayed varies per browser, so you might want to familiarize yourself with the way that these are displayed in your browser of choice.

Check, check, triple-check

Since HTTPS and TLS are becoming commonplace and cheap, phishers are no longer barred in any way from using the green padlocks on their deceptive sites. As a consequence, users are under advise to pay attention to the kind of certificate behind the padlock.

The best practice is to have shortcuts for the websites that you use to transmit personal or financial data, rather then clicking on links sent to you by mail or found by other means. At first contact, the things to check on a website that require entering personal information or credentials are the following:

• Is there a green padlock in the address bar?
• Does the address in the browser’s address bar match your expectations?
• Is there an EV certificate or not?

Only when you are satisfied that the website belongs to the domain of the company that you wished to pay a visit, enter your credentials or personal data.

Stay safe!

ABOUT THE AUTHOR

Search Engine Optimization (SEO) poisoning basically comes down to getting your web page high in the rankings for relevant search results without buying advertisements or using legitimate, but tedious, SEO best practices. Instead, threat actors use illegal means to push their page to the top. Sometimes, this technique is also referred to as black hat SEO. (Although the people selling these services will refer to them as “link building services.”)

So how does SEO poisoning work? And is it something site owners should actually try? Or should they avoid it at all costs?

The basics

SEO is short for Search Engine Optimization and it is a marketing strategy that is designed to make sure that your website is found if people search for certain keywords that are relevant to your business. The ranking of a site in Google’s search results is primarily based on how well the page is optimized, but it’s also based on “reputation.” The reputation of a page is calculated using the number of inbound links pointing to that page. It helps a lot if the incoming links come from pages that are about the same or related subjects, but a large amount of links coming from all kinds of sites helps as well.

Why focus on Google?

In this article, we will focus on how SEO works for Google. This is for a few reasons:

• Google is by far the most popular search engine, despite mighty efforts by their competitors. The fact that “Googling” is a verb in many languages should tell you enough.
• Google is relatively open about how its algorithms work, and you can find a lot of information if you want to improve the ranking of your search results, which is what SEO is all about. For good results, it’s imperative that web developers keep an eye on new updates and how these updates might influence their SEO strategy.
• Google is the industry standard in this field, and because of this many available SEO tools are limited to or aiming for Google results.

How does link building work?

Search engines want to serve you authoritative pages on the subject that you are looking for. One of the determining factors for the ranking in the search results is called the Page Authority. As you can see in the example below, the page authority is not just a matter of how many incoming links there are. And it is also not the only factor that determines your ranking in the search results. Even though the BBC site has more “page authority” on the keyword of “spyware,” the Page Authority calculation is based on many other factors and seems to take into account that detecting spyware is part of Malwarebytes’ core business.

Authority calculations and screenshot made with Moz Pro

So, a good method to be seen by the search engine’s algorithm as an authority in a certain field is to attract incoming links. And it is important that these links come from other authoritative sites in the field that your page aims to rank high for. Quality really outweighs quantity here. To accomplish this, you need a well-written and cleverly formatted (optimized) page that people will point to if they want someone to read an informative or explanatory piece.

When does link building become SEO poisoning?

If you are lazy, you can’t spend the money to hire someone, or it’s just plain hopeless to become an authority due to heavy competition in your field or for your keywords, you might consider buying incoming links from a black market vendor. These threat actors will usually have, or be able to obtain, a multitude of compromised sites that they can use to post links on. Another method that they may use is to spam forums with the help of spambots. So, we draw the line at whether the site owner agrees with the links being posted on his site.

Contrary to popular belief, posting links on social media like Facebook and Twitter does not help to improve a page’s SEO. The links on social media are “nofollow” links, and Google’s bots will not follow them or add them to your tally of incoming links. Google+ is an exception to this rule. I wonder why.

A quality link from an authoritative site weighs heavier than a lot of low quality links.

Pure malicious purpose

A recent example where SEO poisoning was used successfully is one where link building was done purely for malicious purposes—to infect visitors. By adding keywords and links in hacked websites, threat actors were able to get malicious pages ranked at the top of the Google search results for specific and carefully-chosen queries. The desired queries were banking and financial questions, and visitors of the ranked pages were infected with a banking Trojan.

Are all link building services bad?

No, that’s not what we are saying. But the services offered on black hat forums with a “no money back guarantee” should be examined with a 10-foot pole and a disinfected microscope. If you are not an SEO professional and SEO is just a by-product of trying to sell your goods or services, then by all means, contact a professional and see what they can do for you.

Just make sure you don’t end up sponsoring some malware author who goes around hacking legitimate sites and who may end up ruining your reputation. Because there are ways to investigate whether you have used black hat SEO techniques to boost your search rankings.

Is SEO poisoning actually recommended?

It is not recommended for several reasons:

• It’s not effective. With Google’s new search engine algorithms, black hat SEO is far less effective than it used to be, but is still offered by malware actors on underground markets.
• There are negative side effects. If Google or others sniff out your method, this might ruin page or domain authority, as well as professional reputation.
• It doesn’t come cheap. In the long run, you may end up spending a lot of money—money much better spent on legitimate and long-standing methods for success, such as hiring an SEO professional on staff or working with a consultation on learning best practices.

Not to give you any ideas, but you can also buy negative link building services for your competitors. As appealing as it may sound to have your competitors’ product associated with the keyword Viagra, we do not recommend using these either.

The best long-term solution is to work hard and play fair using legitimate SEO tactics to boost your page rankings. If you aim for a cheap and easy way around SEO, you’ll get exactly what you paid for: a whole lot of nothing.

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

SEO poisoning: Is it worth it?

 

There are two kinds of spam associated with social media. There are spam ads that actually live on social media, and there is spam that comes in your inbox, courtesy of social media. Both thrive by using data from your social media accounts. But how do spammers know how to target you and send you the mails that you are most likely to click on?

There is a real chance that you revealed that information yourself. To understand the relationship between the spam you get in your mailbox, your social media presence, and the ways that criminals try to scam users, you must first understand a few basic principles about how advertising works on social media.

Interest-based advertising

First of all, let’s differentiate between the spam we see on social media and the spam that we get in the mail, but has a relationship with what we interact with on social media. Spam that we see on social media is called interest-based advertising, which we have talked about before. It is also known as personalized or targeted advertising.

This is the foundation of what people perceive as “Facebook and Google knowing about every search I do and every article I read.” If you are interested in limiting the number of personalized ads you see on social media, Google offers an opt-out of interest-based Google ads in this article.

There are several different options for opting out of interest-based advertising. For example, if you do not want to see any advertisements on the sites you visit, you should look into installing an adblocker. Keep in mind that many sites can only stay in business because they are funded by advertising—that doesn’t mean they have the right to invade your privacy, though.

Logging off

If you are a Facebook user and wondering whether it pays off to log off after every session, according to Facebook, it does. Logging off should theoretically prevent social media sites from picking up on your browsing habits to serve you ads. But others have noticed that devices that come with Facebook installed transmit mysterious information in the background to Facebook’s servers—even when the user is not on Facebook. One thing is sure: as long as you have your Facebook timeline open in a browser and you are using the same browser to surf, Facebook will pick up on your interests.

The Facebook pixel

But that is not the only way companies utilize social media for targeted advertising. The Facebook pixel is another marketing tool. A pixel is a tiny object that can be placed on websites that use re-marketing based on which other sites their visitors have looked at. To the visitor these pixels are invisible, unless they have an anti-tracking tool installed.

If the visitor is considered interesting enough for the websites’ company, a targeted advertisement will be placed on the visitors’ Facebook page. This is why you will regularly see advertisements from companies whose website you have visited recently. For the webmaster, the pixel offers a lot more perks, but for the visitor it simply means more data mining is taking place.

Share, Like, Tweet, +1

Every site (including our own) that has buttons to share or promote an article on social media does send information about you to their respective owners (again, unless you are using an anti-tracking solution). Based on what articles you share, like, or otherwise engage with, social media networks can spot patterns and recognize your interests.

Spam based on social media data

While interest-based advertising is something we have learned to cope with, even though it may seem scary how much “they” know about us, it is far less dangerous than the spam you may receive based on your online behavior. Why? Let’s dive in.

Development of spam

While the huge, blanket spam campaigns that ensnare millions of email addresses still exist, todays threat actors are well aware of their diminishing effects. A targeted and well-constructed mail that looks like it comes from your bank offers a much bigger success rate then one coming from some random bank you have never done business with. And the same is true if the spam pretends to be from one of the online shops that you have given a thumbs-up to on social media.

A successful, targeted spam email trumps an annoying breach of trust that still delivers mostly legitimate ads. All it takes is one email to fake out an unsuspecting user into providing their own crucial information to criminals, who can then infect your computer, steal your data, or simply spy on you. But it’s got to be pretty difficult to get that information from users, right?

How do they know?

Providing spammers with the knowledge to scam you more effectively is probably not what you had in mind when you joined your social media network(s).

But of course, we never reveal sensitive, personal information on our social media accounts. Or do we?

If some scammer had the email associated with this Twitter account, they could pull off a real convincing scam attempt. And if you are the intended target, the threat actors will have the email addresses they need.

It is actually terrifying to know how the tiniest amount of information in the wrong hands can have a devastating impact on your life. Identity theft is a possible nightmare lurking around the corner. Once criminals have a starting point, they can use data from various breaches to gather more intel about their victims.

Recognizing spam: fake login requests vs. Nigerian Prince

There are two main categories of fraudulent spam: fake login requests and the Nigerian Prince variety.

The first category can be very convincing, especially if the emails seem to come from your actual bank. But if your bank sends out emails soliciting login credentials, I would advise switching to another bank (because they shouldn’t be doing that).

The emails themselves will have convincing logos and even appear to come from email addresses belonging to the bank or a credit card provider. And the websites they send you to are exact copies (content wise) of the real one, even including a green padlock that makes the site look legit.

Before you check any such mail, remember that your bank should never send you such an email in the first place. But if you look for these signs, you will see right through them. And the signs apply to many other cases like Netflix or iTunes scams. Ways to spot a targeted spam campaign include:

• Comparing the domain in the email address to the one that your bank owns. You may spot (a small) discrepancy, such as slight spelling differences or random sub-domains.
• Hovering over the links in the email. Do they lead to your bank’s actual site?
• Checking the salutations. Does your bank address you with your first name or as “Dear customer”? Not likely. They will generally address you as Mr. or Ms. Last name.

Nigerian scams

These started out as ridiculous messages from a Nigerian prince who claimed, “We have a huge amount of money waiting for you here in a strange and far away country, and all we need from you is a little payment and some information to transfer it into your bank account.” Users duped by this scam would never see their original payment back, let alone the huge amount of cash promised to them. This type of scam has evolved to into many different stories and is nowadays also used to recruit money mules.

And, guess what? You don’t need a computer or email to get scammed either. It only takes a little bit of information, a good story, and a friendly victim to get scammed.

A real-world scenario

A woman gets a text from her brother telling her he has a new phone number, but now he can’t log in to his bank, and he needs to make an urgent payment. Can she do it for him? He’ll pay her back as soon as he has everything sorted. The message has her brother’s avatar and the story seems plausible. Not everyone will fall for this, but probably enough to make it worth trying. You don’t need to do much digging on someone’s Facebook profile to gather everything you need to spam and scam victims.

As much as it may pain you, don’t be that friendly person. In the last scenario, you should tell your brother to call you. That isn’t too much to ask if he needs your help that urgently, is it? And dump those scammy emails in the trash where they belong. Should you ever really be in doubt whether some email actually came from your bank, they won’t mind if you call them to verify that information. In fact, they will be glad that you were so cautious.

Now if only we could get everyone to be more cautious about what they share on social media.

Stay safe!

The European Union claims that the General Data Protection Regulation (GDPR), which comes to term on May 25, is the most important change in data privacy regulation in 20 years. Many companies have spent months preparing for the changes, working on policy and compliance, and introducing changes to their products in order to meet new standards.

We have received quite a few alerts and emails about those policy changes from a wide variety of companies. Combing through the alerts allowed us to see some interesting methods to solve—or evade—the problems that come with making businesses compliant. Let’s take a look at how different companies are coping with GDPR changes, and what you’ll need to pay attention to in those emails.

Total evasion

For some companies whose business interests are too slim in Europe, giving up seemed like the best option. File this alert from Unroll.Me, an app to unsubscribe from unwanted mailing lists, under “why bother.”

because our service was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents…. And we must delete any EU user accounts by May 24.

Obviously, there is a reason for such drastic measures, and I would call it a good guess if someone were to suggest that this might be related to Unroll.Me having been found selling email data to Uber.

Unroll.me may not be the only company walking away from its European customers in the face of GDPR. Some services have popped up seeming to help companies stay compliant by blocking EU visitors to websites. The GDPR shield shown below was promoted for a period as a possible solution, but the site seems to be down now. Or I could not reach it because I’m in the EU, and the block works too well.

Keep EU visitors off your site by using a GDPR Shield

Chain responsibility for advertisers

Some sites and platforms have advertising partners with whom they share user data. GDPR states that So, you would hope that they take special care in selecting partners who will handle that shared data. Instagram and other Facebook companies have decided on a different approach, shifting that portion of the responsibilities to their advertisers:

Businesses who advertise with Instagram and the Facebook companies can continue to use our platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.

Helping B2B customers

Google Cloud, on the other hand, offers to help their customers.

You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey…

What deserves your attention

Under the GDPR rules, companies need explicit and informed consent from their customers to collect and use their data, so you can expect, and probably have already have seen, a lot of policy changes (Terms of Service). As much as you might be tempted to automatically delete the influx of emails from online providers, it’s important to pay attention to those new privacy policy regulations—especially if it appears that the company may be cutting corners in meeting GDPR standards.

When sifting through these emails, I’ve come across some that I would not count as informed consent. A banner that looks and behaves like a cookie warning does not qualify, and neither does providing a less-than comprehensive picture by spreading out information across several different web pages. I’m hoping that these platforms will provide more detailed and specific information before the magic GDPR drop date arrives.

To juxtapose these flimsy attempts at GDPR compliance, Google has done an excellent job informing its users of changes. Its Privacy Policy has been updated to make the content easier to understand in light of the GDPR demand that users be able to make informed decisions. It has updated the language and navigation of the document, and introduced videos and illustrations in order to make things clear.

Some companies that are active worldwide do make a distinction between EU and non-EU customers, but offer the same functionality that is automatically applied to EU-based IP addresses as an option to users outside of the EU.

When a user is in Privacy Mode, we will not collect or process any personal data, as defined by GDPR. In cases where we do not have a lawful basis for processing personal data we will apply Privacy Mode to requests from IP addresses associated with an EU country.

Other, smaller, companies made an effort to send out more personalized notifications letting me know I needed to approve their new policy in order to stay in touch:

While the ongoing influx might be a nuisance in your inbox, this is a great opportunity to review the privacy policies and maybe say goodbye to some of the companies that have your email address. (Although the professional spammers will probably just keep on going as if nothing has changed.)

Where will GDPR lead us?

Looking at the examples we have seen so far, we can divide the big players from the small players and see that some small players from outside the EU are giving up that part of the market—at least for the time being. The big players and European companies are mostly applying the same policies for EU and non-EU customers, although there will always be some exceptions.

Some have predicted there will be two separate Internets as a result of GDPR. I don’t think that will happen. But we will soon get a better idea of how things will play out once the implementation is done and the first shots across the bow have been fired.

In the meantime, it is worth your time to review the changed policies carefully and pay close attention to privacy policies when you sign up for something new.

And in case you were wondering about ours, feel free to review the Malwarebytes Privacy Policy.

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

GDPR causes a flood of new policies