Cybercriminals have set their sights on iOS users, using malware to steal face scans and gain access to Apple device users’ bank accounts. This is believed to be the first of its kind in the world.
A Chinese-speaking cybercrime group known as GoldFactory has been distributing trojanized smartphone apps since June 2023. The latest version, GoldPickaxe, has been around since October.
GoldPickaxe and GoldPickaxe.iOS target Android and iOS devices respectively. They trick users into performing biometric verification checks, which are then used to bypass the security measures of legitimate banking apps in Vietnam and Thailand, where these attacks are focused.
The iOS version specifically targets users in Thailand, disguising itself as the official digital pensions app of the Thai government. However, there are suspicions that it has also made its way to Vietnam, as similar attacks were reported in the region recently, resulting in the theft of thousands of dollars.
Group-IB researchers noted that GoldPickaxe.iOS is the first iOS Trojan they have observed that combines various functionalities, such as collecting biometric data, ID documents, intercepting SMS, and proxying traffic through victims’ devices.
The Android version of the malware has even more functionalities than its iOS counterpart, due to the more open nature of the Android platform compared to the closed nature of iOS.
While Android malware is more common due to the ability to sideload apps, the discovery of iOS malware has surprised researchers because of the tighter security controls on Apple’s platform.
The Android infection was more straightforward, with malicious apps being available for download/sideload through a fake but seemingly legitimate Google Play store.
Researchers also found that the Android version had more disguises than the iOS version, posing as over 20 different government, finance, and utility organizations in Thailand, giving attackers more opportunities to deceive users.
Just when you think you’re reasonably on top of all the cyber threats out there, new ones emerge. Say hello to voice cloning. Or don’t say hello to it because you don’t want a scammer to have your voice.
Voice cloning made headlines recently when scammers called a frantic mom saying they had kidnapped her daughter and demanded $1 million in ransom. They “put her on the phone” and the mother was certain it was her daughter on the other end. It wasn’t her daughter, but it was her daughter’s voice.
The incident was described in a CNN report which illustrates the wider threat voice cloning poses: sometimes the caller reaches out to grandparents and says their grandchild has been in an accident and needs money. Fake kidnappers have used generic recordings of people screaming.
But federal officials warn such schemes are getting more sophisticated, and that some recent ones have one thing in common: cloned voices. The growth of cheap, accessible artificial intelligence (AI) programs has allowed con artists to clone voices and create snippets of dialogue that sound like their purported captives.
The next big threat – in reverse
This same type of voice cloning can be used to breach the perimeter of cyber defences. “This really is the next big thing – in reverse,” explains Jamie Johnson, a cybersecurity expert in Chicago. Johnson says that voice technology was going to add an extra layer of security to systems, but now that inexpensive AI is available, hackers can weaponize voice.
“Voice cloning is now so authentic, if your boss called you and asked for some passwords or access, would the average employee risk their job by refusing?” Johnson asks. The best cyber defences could succumb if someone unwittingly gives out a password to someone who sounds exactly like their supervisor.
Johnson also warns that because the threat from voice cloning is so new, many cybersecurity experts simply aren’t equipped to handle it.
The emerging technology is opening cybercrime to a whole new cohort of criminals that wouldn’t typically have operated in the space. “A criminal with few computer skills can now use AI to create malicious code, spread spam, or write phishing emails; this is already happening,” Johnson warns.
Johnson recommends a few best practices for MSPs and other security specialists:
Be aware of the threat. The first step is to be aware of the threat of voice cloning. Scammers are using this technology to impersonate people they know, such as your boss, your doctor, or your bank, to trick you into giving them money or sensitive information. “This is where user training goes a long way, a lot of people simply aren’t aware this threat exists,” Johnson explains.
Be suspicious of unexpected calls or emails. MSPs need to train clients to be suspicious if they receive a call or email from someone they don’t know, or from someone they know who is asking for something unusual, and not to give out any personal or financial information unless they are sure who they are talking to. “If your boss never calls you, but suddenly, out of the blue, he or she calls and asks you for access or passwords or to transfer funds, red flags should go up,” he says.
Be aware of social media exposure. Employees need to be aware that when they post an audio clip of themselves sampling sushi or cheering on their favorite sports team, their voice can be cloned and used against them, Johnson warns. “It only takes a short, short snippet of audio for a cybercriminal to clone it, maybe 10 to 15 seconds.”
What Can You Do?
“MSPs are on the front lines of this emerging threat, so raising awareness is probably the top task,” Johnson says. Beyond awareness, here are some other tips Johnson offers to MSPs and businesses trying to get a handle on this new threat:
Use a secure phone system. A secure phone system will have features that make it more difficult for attackers to eavesdrop on calls or intercept data. “Or, better yet, don’t use the phone if you don’t have to, I don’t like to encourage people living and working in fear, but until we get a better handle on this threat, texting and emailing or work apps like Slack can eliminate the voice threat,” Johnson says.
Use a firewall. A firewall can help to block unauthorized access to networks and devices. “This is cybersecurity 101.”
Educate employees about security best practices. Employees should be aware of the risks that voice cloning poses. “Unfortunately, voice cloning is here, and it is a real threat, so cybersecurity specialists will have to adapt accordingly,” Johnson advises.
Multifactor authentication (MFA) is the gold standard in offices around the world and 2FA is the standard for end users. We all know the drill: you use your username (often your email address) and, perhaps, as the password, the name of your first dog and your kids’ DOB.
Not very foolproof, and not recommended, but often the end user isn’t too worried. In their mind, they know that if the hacker does figure out their crappy password using various tools or techniques, they still must find their way past the 2FA/MFA layer of security.
Beware of “push bombing”
However, what you may not realize is that hackers have developed many tried-and-true methods for circumventing your 2FA/MFA security, including social engineering attacks, spear-phishing, and DDoS attacks. And there is another favorite tool hackers have at their disposal, one that relies on users being tired, frazzled, or annoyed enough to “cave in,” which is especially prevalent in the lead-up to the holiday season.
Users and organizations frequently implement multi-factor authentication (or 2FA) that uses push notifications to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.
The 2022 Passwordless Security Report found that push attacks grew 33% year over year
Push attacks are a favorite tactic of Nobelium, the Russian hacking group behind the massive Solar Winds supply chain attack
The recent attacks by the Lapsus$ hacking group underscore the level of risk push notification MFA creates for organizations.
Push attacks (also called push bombing attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password. With 15 billion stolen passwords available on the dark web, this is trivial. The attacker spams the victim with notifications to authenticate until they are fatigued and finally accept it. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.
How Does a Push Attack Work?
Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?
Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification?
The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times in concert with phishing tools to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.
Push notification attacks take advantage of a few key factors:
Awareness
The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily in security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.
Familiarity
Push-based approvals are often introduced to the enterprise along with an MFA app such as Salesforce Authenticator. The user associates the action of approving a request with a security feature. Given this, it’s understandable that people aren’t quick to be suspicious of this functionality.
Cognitive Overload
Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale, it becomes a very promising attack vector.
Compromisable Push Notification MFA
Of course, the elephant in the room here is the fact that standard push notification MFA is inherently flawed and increasingly being used as an attack vector.
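One way a SOC can spot the burst of prompts described above in identity-provider logs, as an added example that is not from the original post or from any vendor: it runs over a few constructed MFA event lines (the line layout and the event names are assumptions, not the schema of any real IdP) and flags users who receive a run of denied or expired pushes within a short window, escalating when an approval follows the burst, which is the signature of a fatigue attack that worked.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events in an assumed
# "timestamp user result source_ip" layout; the event names
# (push_sent/push_denied/push_timeout/push_approved) are placeholders,
# not the schema of any real identity provider.
SAMPLE_EVENTS = """\
2024-03-04T08:00:01Z alice push_sent 203.0.113.5
2024-03-04T08:00:20Z alice push_denied 203.0.113.5
2024-03-04T08:00:45Z alice push_sent 203.0.113.5
2024-03-04T08:01:10Z alice push_timeout 203.0.113.5
2024-03-04T08:01:30Z alice push_sent 203.0.113.5
2024-03-04T08:01:55Z alice push_denied 203.0.113.5
2024-03-04T08:02:10Z alice push_sent 203.0.113.5
2024-03-04T08:02:40Z alice push_approved 203.0.113.5
2024-03-04T08:05:00Z bob push_sent 198.51.100.7
2024-03-04T08:05:15Z bob push_approved 198.51.100.7
"""

WINDOW = timedelta(minutes=5)  # look-back window for counting rejected prompts
THRESHOLD = 2                  # rejected/expired prompts in WINDOW before alerting


def parse_event(line):
    """Split one event line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: verdict} for users who saw a burst of denied/expired pushes.

    'bombing_suspected'    - threshold reached with no approval yet
                             (lock the account, contact the user)
    'approval_after_burst' - an approval followed the burst: treat the
                             session as compromised and revoke it
    """
    recent = defaultdict(deque)  # user -> timestamps of denied/expired prompts
    verdicts = {}
    for line in log_text.strip().splitlines():
        ts, user, result, _ip = parse_event(line)
        q = recent[user]
        while q and ts - q[0] > window:  # forget prompts older than the window
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= threshold:
                verdicts.setdefault(user, "bombing_suspected")
        elif result == "push_approved" and len(q) >= threshold:
            verdicts[user] = "approval_after_burst"
    return verdicts


if __name__ == "__main__":
    for user, verdict in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {verdict}")
```

Bob's single approved prompt produces no verdict, while Alice's three rejected prompts followed by an approval are reported as `approval_after_burst`; the threshold and window are deliberately low here and should be tuned against a real IdP's normal volume of prompts before the rule goes live.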
Can You Prevent Push Attacks?
The good news is that you can use alternative authentication flows that better secure you or your users, increase your login speed and provide a smoother user experience.
These attacks are generally targeted at employees of organizations the attackers want to gain access to, rather than at individuals.
If you are just an end user looking to protect access to your online services and accounts, the easy solution is not to use an MFA/2FA solution that simply requires you to tap “approve” on your mobile device (such as Windows Hello or Android authentication), which gives access to anyone who is asking.
Instead, use a solution that actually requires you to interact with the service/website that you are logging into, such as entering a One-Time Password (OTP) from your authenticator app or confirming an on-screen code that you will only know if you are the one logging in.
This will stop you from simply approving a malicious actor’s requests, either accidentally or through fatigue.
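The on-screen code check described above, often called number matching, as an added example that is not from the original post or any vendor's product: the login page shows a short code, and the phone app must send that exact code back with the approval. Class and function names, the two-digit code length and the 60-second lifetime are assumptions chosen for the demonstration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending login challenge stays valid (assumed value)


class NumberMatchingMFA:
    """Server side of a number-matching second factor (added example, not any
    vendor's implementation). The login page shows a short code; the phone app
    must send that exact code back with the approval, so a user who never saw
    the login screen cannot approve by tapping alone."""

    def __init__(self, clock=time.time, code_source=None):
        self.clock = clock  # injectable so tests can expire challenges
        self.code_source = code_source or (lambda: f"{secrets.randbelow(100):02d}")
        self.pending = {}   # challenge_id -> (user, code, expires_at)

    def start_login(self, user):
        """Called after the password check. Returns the challenge id (sent to
        the phone) and the code (displayed ONLY on the login screen)."""
        challenge_id = secrets.token_hex(8)
        code = self.code_source()
        self.pending[challenge_id] = (user, code, self.clock() + CHALLENGE_TTL)
        return challenge_id, code

    def approve(self, challenge_id, user, entered_code):
        """Approval arriving from the phone app. Each challenge is single-use:
        a wrong code, a late answer or a replay all fail and consume it."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected_user, code, expires_at = entry
        if expected_user != user or self.clock() > expires_at:
            return False
        return hmac.compare_digest(code, str(entered_code))


def simulate_push_bomb(mfa, victim_guess):
    """An attacker holding the victim's password starts a login, so the code
    appears on the ATTACKER's screen. The victim's app demands that code, so
    the victim can only 'approve' by guessing it."""
    challenge_id, _code_on_attacker_screen = mfa.start_login("alice")
    return mfa.approve(challenge_id, "alice", victim_guess)


def legitimate_login(mfa):
    """The user at the keyboard reads the code from their own screen."""
    challenge_id, code_on_my_screen = mfa.start_login("alice")
    return mfa.approve(challenge_id, "alice", code_on_my_screen)


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    print("legitimate login:", legitimate_login(mfa))
    print("blind approval during a push bomb:", simulate_push_bomb(mfa, "00"))
```

With a random two-digit code a blind tap succeeds about one time in a hundred, and each failed guess consumes the challenge, so an attacker cannot keep re-prompting against the same code; a longer code or a lockout after a few failed matches pushes that chance down further.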
When you combine user-first login with desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and Single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.
For example, with HYPR True Passwordless™ MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop.
User-initiated authentication for desktop SSO addresses multiple threats:
Clarifying Intent: The login action is initiated by the user. This requirement signals a clear intent to login. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
Stops phishing: Login of this kind is phishing resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
Elimination of passwords: HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM-swapping attacks that are common among legacy, password-based MFA solutions.
MFA By Design
The mobile-initiated login method is multi-factor by design. It provides factors for:
Something you are: your fingerprint, face scan, or other biometric recognition.
Something you have: your smartphone, which acts as a physical FIDO token, similar to a smart card.
Something you know: a decentralized PIN that’s also stored safely on your device.
Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.
Log into SSO With QR Code
Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. The QR Login feature lets users log into their SSO-managed web apps by scanning a QR code with the app or camera on their smartphone.
This prevents push fatigue and its potential for push attacks. It gives more control to the end user, as they initiate their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR code login is also inherently multi-factor, as it utilizes something you have (your phone) and something you are (biometric validation).
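The QR login exchange just described, as an added example that is not HYPR's code or any vendor's: the browser session displays a one-time nonce as a QR payload, nothing is pushed to any phone, and the phone (after a local biometric unlock, simulated by a flag) proves possession of its enrolled device key over that nonce. To stay in the standard library the device key is a shared HMAC secret, a stand-in for the asymmetric FIDO key a real deployment would use; class names, the JSON payload layout and the 120-second nonce lifetime are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

NONCE_TTL = 120  # seconds a displayed QR code stays valid (assumed value)


def _sign(device_key, sid, nonce, user):
    """Bind the response to this exact browser session, nonce and user.
    HMAC stands in for the FIDO signature a real authenticator would produce."""
    message = f"{sid}:{nonce}:{user}".encode()
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()


class QrLoginServer:
    """SSO-side state for mobile-initiated QR login (added example, not HYPR's
    or any vendor's code). The browser shows a one-time nonce as a QR code;
    the phone proves possession of its enrolled key over that nonce."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so tests can expire sessions
        self.devices = {}       # user -> enrolled device key
        self.sessions = {}      # sid -> {"nonce", "expires", "user"}

    def enroll_device(self, user):
        key = secrets.token_bytes(32)
        self.devices[user] = key
        return key  # with real FIDO keys only the public half would be stored here

    def new_browser_session(self):
        sid = secrets.token_hex(8)
        nonce = secrets.token_hex(16)
        self.sessions[sid] = {"nonce": nonce, "expires": self.clock() + NONCE_TTL, "user": None}
        return sid, json.dumps({"sid": sid, "nonce": nonce})  # payload rendered as the QR

    def complete_login(self, user, sid, signature):
        s = self.sessions.get(sid)
        if s is None or s["user"] is not None or self.clock() > s["expires"]:
            return False  # unknown, already bound, or expired session
        key = self.devices.get(user)
        if key is None:
            return False
        if not hmac.compare_digest(_sign(key, sid, s["nonce"], user), signature):
            return False
        s["user"] = user  # the browser session is now bound to this user
        return True

    def session_user(self, sid):
        return self.sessions[sid]["user"]


class PhoneApp:
    """The authenticator on the phone: unlock locally, scan, sign."""

    def __init__(self, user, device_key):
        self.user = user
        self.device_key = device_key

    def scan_and_sign(self, qr_payload, biometric_ok=True):
        if not biometric_ok:  # the 'something you are' check happens on the device
            return None
        data = json.loads(qr_payload)
        return self.user, data["sid"], _sign(self.device_key, data["sid"], data["nonce"], self.user)


def run_qr_login(server, phone, biometric_ok=True):
    """Full exchange: browser gets a QR, phone scans and signs, server verifies."""
    sid, qr_payload = server.new_browser_session()
    response = phone.scan_and_sign(qr_payload, biometric_ok)
    if response is None:
        return sid, False
    user, sid_from_phone, sig = response
    return sid, server.complete_login(user, sid_from_phone, sig)


if __name__ == "__main__":
    server = QrLoginServer()
    phone = PhoneApp("alice", server.enroll_device("alice"))
    sid, ok = run_qr_login(server, phone)
    print("login ok:", ok, "session bound to:", server.session_user(sid))
```

Because the signed message covers the session id and nonce, a captured response cannot be replayed into another session, and an expired or already-bound session is refused; the user triggers every step, so there is no prompt an attacker could spam.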
Preventing Push Attacks: Key Takeaways
With push notification MFA, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day.
As cyber threats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:
Push-based MFA is subject to bypass by commonly used tools such as Modlishka and by phishing.
Initiating login on the user’s smartphone creates a phishing-resistant flow so your employees cannot be tricked into logging into the enterprise.
Mobile-initiated login at the desktop is inherently multi-factor, which means you can leverage your SSO provider for instant access to cloud and web applications.
QR Code login to SSO eliminates push notifications entirely from the authentication process.
Cybersecurity is a complex topic and if you are the average layperson, you likely have found yourself asking “What is the difference between 2FA and MFA?”
In simple terms, Two-Factor Authentication (2FA) requires users to demonstrate exactly two distinct methods of authentication, whereas Multi-Factor Authentication (MFA) requires users to demonstrate a MINIMUM of two distinct methods of authentication but can be more. So, all 2FA is MFA, but not all MFA is 2FA.
If you are new to the world of cybersecurity, terms such as MFA and 2FA may appear rather cryptic to you. Sometimes MFA and 2FA are used interchangeably, but although similar, they are not the same thing. Both acronyms have been in wide use for years and happen to be an inseparable part of online security, so let’s once and for all clear up the confusion around MFA and 2FA.
Preliminary Definitions
In order to fully comprehend what MFA and 2FA are, you have to understand two concepts: that of authentication and that of a factor of authentication.
Authentication is a process during which a security system decides if the person who tries to log in is exactly who they claim to be.
The preceding definition entails that a security system has to find a way to ensure that the person who tries to log in as Bob is indeed Bob and not someone pretending to be Bob. The security system should not grant access to some other person using Bob’s credentials. So how can a security system know that the person is Bob?
Well, Bob has to successfully present adequate evidence of his identity and then and only then will he be granted access.
A factor of authentication is a piece of evidence that a user has to present to prove they are who they claim to be.
The three basic Factors of Authentication are:
Knowledge Factor – represents what you know, e.g. a password
Possession Factor – represents what you have, e.g. a phone, a security token
Inherence Factor – represents who you are, e.g. your fingerprint or eye retinal pattern
MFA vs. 2FA
Multi-Factor Authentication (MFA) is a type of authentication that requires two or more factors of authentication.
Two-Factor Authentication (2FA) is a type of authentication that requires exactly two factors of authentication.
Two-Factor Authentication is, therefore, a subset of Multi-Factor Authentication, and the following two sentences are true:
Every Two-Factor Authentication is Multi-Factor Authentication
Not every Multi-Factor Authentication is Two-Factor Authentication
Why Is One Factor Not Enough?
The Knowledge Factor is the most commonly used factor of authentication. A password you enter every time you log in to an application is an example of the Knowledge Factor. Unfortunately, passwords have long proved insufficient in the contemporary world. Simply put, passwords are not secure enough.
Cybercriminals have invented a wide range of methods to intercept and crack somebody’s password, from phishing to keylogging to rainbow table attacks. If passwords are your sole line of defense against unauthorized access, then you had better enable Multi-Factor Authentication, along with a password manager, across your workforce before it’s too late.
How Does Introducing More Factors Improve Security?
MFA adds more factors of authentication and therefore eliminates security threats associated with low security of passwords. You can think of every factor as an additional lock, with varying levels of difficulty of breaking them. If you introduce Two-Factor Authentication (2FA) to your users’ login experience, then even if a malicious third party manages to break the weak lock (password), they will not be able to open the door because the strong lock (e.g. the Mobile Push authentication request method) will stop them.
The Mobile Push authentication method is an example of the Possession Factor. Mobile Push is one of the methods your users can use if they install a mobile authentication app. Assuming the attacker already broke your password, now they have to steal or gain remote access to your phone, which isn’t impossible but much harder than cracking a password. Stealing or gaining access to your phone requires additional steps on the attacker’s side, which in turn means more time for you to react. Simply tapping DENY on your phone will stop any malicious attempt at breaking into your account.
Nobody’s perfect. It’s human to err. Sometimes you work under stress or pressure and it’s so easy to get distracted. Attackers know this and they will try to attack you when you are at your weakest. You can make a mistake that will cost you your data and money. Two-Factor Authentication significantly reduces the probability of human error but does not eliminate it. Introducing yet another factor of authentication will make your authentication even stronger and the chances of human error negligible.
One way to further reinforce your MFA is turning on fingerprinting in your Authenticator.
With fingerprinting turned on, your Mobile Push Multi-Factor Authentication may look as follows:
Again, adding more factors of authentication is like adding more locks to your door, each lock harder to crack than the other. In the login example above, three factors of authentication were used: Knowledge Factor (password), Possession Factor (phone), and Inherence Factor (fingerprint). Since three factors were used, the preceding is an example of Multi-Factor Authentication but not Two-Factor Authentication.
Enable MFA/2FA Now
To reiterate, MFA involves introducing more factors of authentication to the process of authentication. 2FA is a subset of MFA that involves using exactly two factors of authentication. Using just one factor in the form of a password is not secure enough, and that’s why you have to enable Multi-Factor Authentication in your company.
Time is of the essence. Now that you understand what MFA/2FA is and know how insecure using only passwords in your company is, enable MFA before it’s too late! Improving security should be your number one concern now.
Google Chrome is about as common in office spaces as a water cooler or a coffee maker.
Chrome is also becoming king elsewhere, unless the systems are Macs, and Safari is the browser of choice. With its minimalist, crisp interface and Google brand, most people are quickly satisfied. Even MSPs, with too many other things to handle and not enough people to handle them, can also be sometimes lulled into Chrome complacency.
Google is great for its ease of use, but that also makes things easier for hackers to get their hooks in, whether they be outside or even inside jobs.
One area where you really need to take care is to ensure that passwords don’t get saved in the Google browser, or indeed any browser. If you are not currently using a password manager, then it is highly likely you are already doing this. While for the home user the convenience may outweigh the security risks, it’s just not worth the risk in a business environment.
If your system gets infected with malware, it can extract all your passwords right out of the browser and you will likely never even know it happened. This happens far more often than you might realise.
You have also surely heard of all the support scams, which have been on the rise since Covid, where someone posing as tech support from Microsoft, Google, Amazon etc. remotely connects to your PC, scams you and often installs malware at the same time.
These scammers can easily steal all your passwords from your browser. Even a legitimate person providing remote support may innocently poke around and see stored passwords, and the temptation is then there to do something bad.
Chrome is not a static product, Hodges points out. People install Chrome on their computers and think it is a one-and-done exercise, but it is not. The algorithms and behind-the-scenes ecosystem are constantly in flux, creating openings for cybercriminals. Recently, Google attempted to tamp down on one discovered opening. They released a security update with an urgent patch on February 14 for Chrome, with the goal of fixing several security issues.
According to Google, “This new Chrome version fixes several security issues, one of which is being exploited actively.” Google did not mention how widespread the attacks are, but Chrome users are highly encouraged to update to the latest version as soon as possible. The security issue is only found on versions of Chrome earlier than 98.0.4758.102.
A hotspot for security vulnerabilities
Most recently, that alert was part of a slew of vulnerabilities discovered. Google announced earlier in February that it had found 27 issues in Chrome, eight of them “high risk”, meaning hackers could exploit them to load malware, steal data, or unleash ransomware. The problems could impact Windows, Linux, or Mac users. These issues come on the heels of a slew of Chrome vulnerabilities discovered last fall, making zero-day attacks more likely.
It is recommended to perform an annual “Chrome Audit” to see who is using it as the main browser on their workstations. Once an inventory is made, those Chrome stations should be put on monthly maintenance to fix vulnerabilities, ensure that saved passwords are cleared, and confirm that fixes are implemented.
Make Chrome a safer place
Another ongoing challenge for business owners and MSPs is user training. Even though Chrome is not infallible, it still falls upon the user to make smart decisions and not make it even easier for a hacker to get their hands on information.
Other actions you can take to make Chrome safer include enabling Chrome’s Enhanced Protection (instructions further down). Chrome’s default is the standard browsing experience, but you can switch to the enhanced protection setting, which offers many more security features such as:
Blacklisting: If employees visit certain sites prone to problems, then block them.
Two-Step Verification on Google Accounts: This adds another layer of built-in security. This can be especially valuable when battling internal office threats, say, a rogue employee trying to access a unit that they shouldn’t be.
Extensions: As part of a Chrome audit and maintenance program, make sure unnecessary and unwanted extensions are removed.
Script-Blocking: This is a handy feature that will prevent ad-loading and malware-laced video programs from loading.
Set Chrome to Default: When in doubt, do a full reset to get rid of unwanted extensions.
A combination of actions by you or your MSP and better education for end users is a potent mix. Videos, malware, advertising, streaming, and other potentially threatening elements from outside can converge to make Chrome a very dangerous place without some basic precautions. MSPs are in a good spot to implement these safeguards.
The thing with Chrome is that it is so universal, so widely accepted, that people just get too complacent. Hackers know that and exploit that comfort.
Disable password storage in your browser
Chrome
To stop Chrome from asking to save your passwords:
Click the Chrome menu in the toolbar and choose Settings.
Firefox
To stop Firefox from asking to save your passwords:
Click the Firefox menu in the toolbar and choose Options.
Click Privacy & Security.
Turn off “Remember logins and passwords for websites”.
Microsoft Edge
To stop Edge from asking to save your passwords:
Click the Edge menu in the toolbar and choose Settings.
Click Passwords.
Turn off “Offer to save passwords”.
Brave
To stop Brave from asking to save your passwords:
Click the Brave menu in the toolbar and choose Settings.
Click “Additional settings”, then click Auto-fill.
Click Passwords.
Turn off “Offer to save passwords”.
Internet Explorer
To stop Internet Explorer from asking to save your passwords:
Click the Settings menu and choose “Internet options”.
Click the Content tab.
In the AutoComplete section, click Settings.
Turn off “Forms and Searches” and “User names and passwords on forms”, then click OK.
What Is Enhanced Protection in Google Chrome?
Google Chrome’s Enhanced Protection is a browsing security feature that substantially increases safety on the web against dangerous downloads and websites.
If you’re signed into Chrome and other Google apps you use, you can get improved protection based on the attacks against your Google account and threats you encounter on the web.
Plus, if you rely on Chrome extensions to help you improve your browser experience or be more productive, Enhanced Protection helps you choose safer extensions before installing them on your device.
Enhanced Protection is different from the Standard protection on Chrome, which only offers warnings about potentially risky sites, extensions and downloads. Plus, with Standard protection, you can select whether to get warnings about password breaches or improve security on the web by sending more information to Google.
Specifically, Enhanced Protection enables the following:
Displays a dialog that alerts you whether the extension is trusted or not. Trusted extensions are those that are built by developers who follow the Chrome Web Store Developer Program Policies.
Predicts and notifies you about dangerous events before they occur.
Increases your safety on Chrome and can be used to improve security in other Google apps you’re signed into.
Warns you if login credentials are exposed in a data breach.
Offers better protection against risky files you download on the web. Enhanced Protection uses metadata about the file to determine if it’s potentially suspicious and warns you about it.
Sends additional information to Google about your activity.
How to Enable Enhanced Protection in Google Chrome
Enhanced Protection is available for Chrome on mobile and desktop. The steps to enable the feature are similar on both platforms.
Enable Enhanced Protection on Desktop
You can enable Enhanced Protection on your computer and increase your safety while browsing the web.
Open Chrome browser and select More.
Select Settings.
Select Security under the Privacy and Security section.
Next, select Enhanced protection.
Enable Enhanced Protection on an Android Device
Enhanced Protection isn’t limited to desktop devices only. You can also enable the feature on your Android phone or tablet.
Open Chrome and tap More (three dots).
Next, tap Settings.
Tap Privacy and Security.
Next, tap Safe Browsing.
Next, select the Enhanced Protection level.
Enable Enhanced Protection on iOS Devices
Initially, the Enhanced Protection feature wasn’t available on iPhone and iPad. Google has since added it on Chrome for iOS devices so you can get alerts about risky extensions, malware, phishing or sites on Google’s list of potentially unsafe sites.
Open Chrome on your iPhone or iPad and tap More > Settings.
Tap Sync and Google Services.
Next, enable Safe Browsing and then select Done.
Protect Your Device from Real Threat Actors
When it comes to web browsers, security and privacy are major concerns.
Google’s Enhanced Protection and other security features have further fortified Chrome against malware, phishing and other cyberattacks. The feature helps you avoid zero-day exploits and makes it safer for you to browse the web.
If you want to further protect your device, I highly recommend installing Bitdefender on all your devices, using a password manager and enabling two-factor authentication on all your online accounts and websites wherever possible.
I also provide an affordable Remote Management & Monitoring solution that monitors your Windows OS and installed software for missing patches/updates, with automatic updates, plus managed Bitdefender advanced threat protection and endpoint security.