Perpetual IT

Most of us now use online platforms routinely – in some countries, almost exclusively – to engage with work colleagues, friends, family and loved ones.

One worrying trend is the posting online of photos of home-working setups, video calls, and virtual meetings.

This trend has coined its own series of hashtags including #WorkFromHome, #WorkingFromHome, #RemoteWork, #HomeOffice. Others allude to the app used, such as #Zoom and #MSTeams.

While the sharing of such photos may seem harmless and even a must-do at the time, the reality is that we are, once again, falling into the age-old trap of oversharing online and overlooking the risks.

We are forgetting to ask ourselves: what might a criminal or fraudster do with this information?

Fraudsters, scammers and other cybercriminals love when we share information openly online about our lives, personal or work-related.

These insights make their jobs of targeting us substantially easier, while the ongoing pandemic – a situation where people are overly anxious, stressed, away from support groups, and balancing work and family life in the same physical space – increases our vulnerability to these attacks.

Opening yourself to targeted scams

Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates.

As we have become more aware of scams, criminals have had to become more cunning.

One way they have sought to boost success rates is to personalise scams – think spearphishing-type attacks.

No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you.

These personal details are often gathered from your online presence and old data breaches – think of it as open-source intelligence (OSINT) gathering focused on you. Its purpose is to increase the believability of their tricks, and it works!

Now we are also leaking personal information through home-working photos and visuals – even that seemingly-harmless background shown during video calls.

Family members (in person or photo form) often feature in the background of video calls, along with your hobbies, favourite sports teams and television shows, and other personal insights.

Photos tagged with #WorkFromHome, #WorkingFromHome, #HomeOffice have also revealed:

• Birthday parties (celebrated on Zoom or Teams), thereby exposing birthdates.
• Home addresses, through photos revealing addresses on Amazon parcels or postal mail.
• Names of family members, children and pets.

The variety of information that may be exposed in such contexts is endless and is only limited by what will fit into your home office (be it a bedroom, living room, or actual office).

Each of these pieces of information stand to put you more at risk to scams if attained by the wrong individual

From research, we know, for instance, that passwords are often created based on favorite teams, music artists, hobbies, and children and pet names. Therefore, this information could easily be used in password guessing attacks.

Or, let’s say you are emailed an ‘e-gift card’ on your actual birthday by a long-lost friend looking to reconnect. Many people would be more likely than usual to open the gift card attachment because the date is correct, unaware that it is actually a piece of malware or ransomware, and that the fraudster knows your birthday because it was posted online months earlier.

You’re leaking corporate data

Businesses have struggled to keep pace with how quickly they have had to adopt digital technologies over the last year. And securing the remote workforce is still very much an ongoing uphill battle for many.

Along with the more typical secure remote working considerations such as VPNs and managed credentials, you also need to worry about oversharing – this time of corporate data.

Analysis of images of home-working environments has revealed work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers, and internal identification numbers of devices.

In many cases this information was in the background of video calls or photos of pets near/on keyboards, in the background of children being home-schooled, or within snaps of a nice home-made lunch. Any of these digital footprints could be used in a corporate hack.

For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email.

Or, they may get in touch with the employee, pretending to be from the IT department and with a request that the staff member update key software that only internal employees would (should!) be aware of.

In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks.

There have been similar issues with numerous data breaches in the past where unsecured corporate servers online have leaked data, including millions of business and customer records.

Four tips to stay secure

• Always be mindful of what’s in the background of your photos or video conference calls. This way, you are always in control over the information you expose – wherever it ends up!
• For video conference calls, consider using a virtual background. Most popular software clients allow these, and they work pretty well.
• Blurring backgrounds works too, and makes most objects indecipherable.
• Think twice about sharing photos of your #WorkFromHome, #WorkingFromHome, #RemoteWork, #HomeOffice setup. Advise your friends and family members to think twice, too.

Remember, the cybercrime economy hasn’t slowed down due to COVID-19… and you’re just as likely to be targeted as anyone else.

Learn more

For a deeper dive into topics covered in this article you may like to take a look at research papers that I’ve recently authored/co-authored:

Ransomware gets the big headlines, because of the enormous blackmail demands that typically arrive at the end of ransomware attacks.

Indeed, the word “ransom” only expresses half the drama these days, because modern ransomware attacks usually involve the crooks making copies of all your data first before scrambling it.

The crooks then demand a combination payout, part ransom and part hush-money.

You’re not only paying to get the local copies of your data unscrambled, but also paying for a promise from the crooks that they’ll delete all the data they just stole instead of releasing it to the public.

But what about the very start of a ransomware attack?

Technically, that’s often a lot more interesting – and often more important, too, given that many ransomware attacks are merely the final blow to your network at the end of what may well have been an extended attack lasting days, weeks or even months.

Given the danger that arises as soon as the crooks sneak into your network, it’s as important to learn how malware gets delivered in the first place as it is to know what happens to your files when ransomware finally scrambles them.

With this in mind, SophosLabs has just published an intriguing report on a malware delivery ecosystem dubbed Gootloader.

You may have heard reference to Gootkit, a name given to the malware family of which Gootloader forms a part, because it’s been around for several years already.

But SophosLabs decided to give the initial delivery mechanism a name of its own and study it in its own right:

The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.

In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.

The report goes into the sort of detail that is well worth knowing if you’re interested in how modern malware embeds and extends itself inside a network, including a discussion of so-called “fileless” attacks.

The term fileless attack is a bit of a misnomer, because “fileless” malware often involves at least one physical file to get the malware started, and may also rely on various intermediate files along the way. But fileless malware is entirely unlike regular software in the way it operates. Well-behaved software typically installs its executable code into a self-contained directory on your hard disk, uses the registry to save its configuration settings, and relies on the operating system to load its various software modules into memory and keep them under control. Fileless malware flouts these conventions (ironically, it often uses the registry as a sneaky place to store obfuscated versions of its executable code), loading its malware code directly into memory in order to bypass the regular tools that sysadmins use to monitor the system for unexpected and unwanted processes.

Search treachery

Even if you aren’t an assembly language expert or a malware analyst, the SophosLabs paper is well worth reading for its description of how the Gootloader criminals lure well-meaning users into installing the Gootloader malware in the first place.

Simply put, the crooks game Google’s search engine, tricking Google into treating hacked websites as trustworthy sources, and presenting innocent users with apparently “perfect matches” to their search queries.

(As far as we can tell, this gang has focused its effort on poisoning Google searches, but the tricks below could be used against other search engines, too.)

The report explains the process in detail, but we’ll summarise it here:

• The crooks hack into hundreds of innocent web servers and implant artificially generated content containing phrases that search engines are likely to associate with expertise in a specific field. Examples include real estate, employment law, import/export regulations, company partnerships, and more.
• From time to time, the crooks get lucky and one or their hacked sites turns up as a top hit on Google, typically thanks to a very specific search term entered by an innocent user. There’s a good chance that the user will click the Google link that shows up, because the search hit looks like a natural result, given that it’s not a paid ad or a sponsored link.
• If the user clicks through to the hacked server, the crooks recognise that the click came via a Google search by using the Referer: header (yes, the header name was mis-spelled in the original specification) in the web request. The server deliberately concots a fraudulent web page that looks like a message board on which someone else recently asked the same question.
• The bogus message board page includes an exact duplicate of the question that the new visitor just asked, together with what looks like a reply from a site administrator recommending a download link that answers the question. To make the page look even more convincing, there’s then a further reply, apparently from the original questioner, thanking the administrator for their prompt and helpful answer.

SophosLabs has encountered Gootloader’s fake message board pages in a variety of different languages, including English, German, French and Korean, with different campaigns targeted at different regions.

Here’s an English-language example from the paper, where the unfortunate visitor had searched for the very specific phrase intercompany settlement agreement (chart) alberta:

A veneer of believability

As you can see, the search term doesn’t fit grammatically into the boilerplate text used by the Gootloader crooks, but it looks realistic enough at a glance.

The vote of thanks from the “happy user”, together with the fact that the datestamps are recent, gives the content a veneer of believability..

The name of the web page that’s presented, the download link that shows up, and the name of the file offered for download, are all constructed from the search phrase in order to make the fake page seem like a perfect fit for the query.

The deeply devious part of this, of course, is that the crooks don’t need to guess in advance what search text a hapless visitor is going to type into Google.

All the crooks need is for Google to think that one of the hacked-and-poisoned websites is a good enough match for the search term entered.

Of course, when the unexpecting visitor arrives at the booby-trapped site, the crooks tailor the response on the fly to make it look as though Google found an exact hit for their query, not merely a near-enough match.

Note that although the hacked site displays the malicious download link, the link itself points off to a different download server.

We’re assuming that the crooks are using this two-stage approach so that the Gootloader malware files themselves don’t show up on the hacked site, which helps the hacked site to keep a clean reputation for a lot longer than it otherwise might.

What to do?

• Stop. Think. Connect. This search poisoning trick works because the website you visit seems to fit your search perfectly, which feels like too much of a coincidence for a crook to have anticpated it in advance. But if you look at the imposter page carefully, you should spot that it’s a carefully constructed set-up designed to look like a lucky coincidence. Remember the cybersecurity adage, “If it looks too good to be true, it IS too good to be true!”
• Use an anti-virus with a built-in web filter. A search poisoning subterfuge like this gives your web filter not one but three chances to spot the treachery. It will prevent this attack proactively if it blocks the first click to the hacked site, or the second click to the download URL, or the final download, even before the malware reaches your computer in a dangerous form.
• Use an anti-virus with in-memory exploit protection features. Don’t rely on file-based scaning and detection alone. Augment your protection with behaviour monitoring tools that can detect programs that start out harmless but turn malicious in memory after running, apparently inncocently, for a while.
• Tell Windows to show file extensions. The Gootloader samples described in the report arrive as a JavaScript program file compressed inside a ZIP file. With file extensions turned off, JavaScript programs lack the telltale marker .JS at the end of the filename, and they show up with an icon that looks like a scroll of parchment. This makes it easy to misidentify them as harmless text files.

---

To tell Windows to show file extensions, go to File Explorer, click on the View item in the menu bar and then turn on the option File name extensions. If the Explorer window is narrow you may need to open the Show/hide tab first.

---

The graphics card that wants you to stick to playing games, the man that didn’t weigh 100 tons after all, and the marketing gang that used a browser bug to bombard iPhone users with scammy online surveys.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

---

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”

End-to-end encryption is pretty much what it says: encryption that starts on your computer, typically inside an individual app such as when browser submits a login form, and only gets stripped off at the far end when the data arrives at its final destination, such as when a website receives the login form with your username and password in it.

End-to-end encryption over the internet doesn’t just mean that your data is encrypted while it’s in transit from node to node along its network journey – it’s supposed to be a stronger guarantee than that.

It not only means that your data isn’t decrypted while it’s at any “rest stops” along the way, such as when an email message is held at your ISP for delivery later on, but also means that your data cannot be decrypted along the way, no matter whether you trust the person operating that “rest stop” or not.

Safe even against yourself

When it comes to instant messaging or file-sharing apps that offer end-to-end encryption, even the company that handles your data is supposed to be merely one of those rest stops, and therefore can’t (or isn’t supposed to be able to) see what’s in your files, no matter how long you store them..

If criminals steal that company’s servers, or the police arrive at the company with a search warrant, neither the crooks nor the cops can decrypt your data, and the company that is storing your encrypted files can’t help them to do so, either. (Indeed, the company can’t even decrypt the data for you if you forget your password, no matter how strongly you can prove that the encrypted files are yours.)

As Keybase explains it, “We use public key cryptography to ensure your messages stay private. Even we can’t read your chats. […] Keybase can store your group’s photos, videos, and documents with end-to-end encryption.”

Careful with that file, Eugene

What end-to-end encryption systems can’t do is protect your data before it enters their control, e.g. before it’s loaded into their app for transmission, or after it’s extracted from their service, e.g. when the intended recipient exports a file they just received.

If you copy an unencrypted file from a USB drive to your laptop, for example, before uploading it into a service such as Keybase, neither the Keybase app nor the Keybase servers can do anything about those two unencrypted copies of the file that now exist.

After all, it’s your choice what to do with your data while it’s outside the Keybase system, and you wouldn’t expect the app to mess with files that you hadn’t explicitly entrusted to it.

You do, however, expect security-conscious apps like Keybase to be cautious with how they handle any unencrypted data themselves, such as the text you type into a message or the content of an image file you want to send.

Yes, the app needs temporary access to the raw data you want to send or upload, whether that data is already encrypted or not, so that it can apply its own encryption before transmitting or storing it.

But the app needs to take as much care as it can (and as much care as the underlying operating system will permit) not to let that raw data get stored where it might easily be accessed by anyone else.

That typically means keeping any unencrypted data in memory only, and overwriting that memory as soon as the data is no longer needed.

Many a slip

Unfortunately, as the old adage goes, there’s many a slip ‘twixt the cup and the lip, and the same sort of inattention to detail that might lead you to spill red wine down the front of your favourite shirt in real life might lead to a spillage of private data on your computer.

Sometimes, that spilled wine might not directly be your own fault, because you could get bumped by someone else; in IT terms, spilled data can happen because the operating system decides to “help” in a way you failed to predict or prevent.

For example, many operating systems use a so-called swap file on your hard disk as automatic temporary storage to free up RAM for other programs if your software is idle, quietly and automatically swapping your data back in from disk when you next need it.

This can result in confidential data, including passwords, network authentication keys and fragments of private files, sometimes getting written to disk by the operating system itself.

Also, some operating systems, and many programming libraries, helpfully keep cached copies of files you’ve used recently, in case you need to access them again soon, or they create search indexes based on the content of files you’ve used, in case you need to find them quickly in the future.

This sort of well-meant file caching is particuarly common with files that would otherwise need a lot of pre-processing every time you opened them, such as images.

Images left behind

Well, a quadrumvirate of security researchers (John Jackson, Aubrey Cottle, Jackson Henry and Robert Willis) from a group going by 桜の侍 (Sakura Samurai) had a dig around in the files that were created and used by Keybase while it was running…

…and they found that the app had a tendency to leave behind unencrypted copies of images that you had uploaded into the app, even after the images were supposed to have been sent and the original data wiped out.

They looked at both the Windows and the macOS versions of the app and quickly discovered various transient directories where abandoned image files cold be found:

 Windows: C:\Users\%USERNAME%\AppData\Local\Keybase\uploadtemps C:\Users\%USERNAME%\AppData\Roaming\Keybase\Cache macOS: /Users/$USER/Library/Caches/Keybase/uploadtemps /Users/$USER/Library/Application Support/Keybase/Cache

They claim that the vulnerability affected the Linux version of the software, too; they didn’t explictly list the directories where left-over images were found, but Linux users can probably guess where to look, based on the distro they use.

The researchers were easily able to recover image files that had previously been used by Keybase but that users would assume no longer existed on their hard drive in unencrypted form.

(Keybase includes a feature to “explode” local messages after a certain time so that you can’t leave local copies around by mistake, but the leaky directories listed above even included left-over images from “exploded” messages.)

What to do?

The researchers disclosed this bug responsibly (it is now denoted CVE-2021-23827), and Keybase fixed it promptly.

They’re only telling their story a month after the bug was fixed, presumably by agreement with Keybase, and presumably in order to stop crooks who otherwise wouldn’t have known where to look rushing in to see what they could vaccuum up before the new version had a chance to enter widepsread use.

So, if you are a Keybase user:

• Make sure you have Keybase 5.6.0 or later for Windows and macOS, or Keybase 5.6.1 or later for Linux.

Zoom, owners of Keybase, told us by email [2021-02-23T20:40Z] that the Windows and Mac desktop apps have an auto-update feature that checks for an update once an hour, applies it, and restarts Keybase automatically. (If you haven’t enabled auto-updating, you will receive a dialog prompting you to accept the update manually.) There’s no auto-update feature on Linux, but if you are using an officially supported distro you can use your distro’s package manager to update. Alternatively, Zoom said, you can simply download and install the latest package over your existing version. This will overwrite the application files, but not the user configuration in your home directory.

If you are a programmer:

• Learn how to allocate RAM that won’t get paged out by the operating system for memory where confidential data will be stored. (Remember that this can affect performance if you aren’t careful.)
• Ensure that you actively expunge secret data from RAM after you are done with it, or use operating system functions that guarantee that memory will be wiped before being reassigned to another process or another part of your own program.
• Avoid operating system or library functions that automatically create caches, thumbnails, indexes or other permanent objects that might include any data from confidential files you open and use.
• If you have to create temporary files, encrypt them in the same end-to-end way that you would encrypt the file for long-term storage or for transmission.
• Clean up correctly when your software exits, especially if it gets killed off or terminates unexpectedly, by which we mean, “when it crashes.”

---