MFA Archives – Gridinsoft Blog

Crypto Recovery Services
https://gridinsoft.com/blogs/cryptocurrency-recovery-scams/
Wed, 11 Sep 2024 12:28:05 +0000

Crypto recovery scams are a specific type of fraudulent activity that piggybacks on victims of cryptocurrency scams. Con artists offer their help in recovering the lost money, claiming to be professional recovery agents. What they actually do is defraud people once again, charging sums comparable to the initial loss.

Crypto Recovery Scam Explained

The hype around cryptocurrencies has slowed down recently, but the number of scams related to the topic has not come down. Moreover, another vector has emerged: the crypto recovery scam, which targets people who have already become victims of crypto fraud.

Falling for an investment fraud can hit the wallet pretty hard, so the urge to get the money back has an obvious motivation. In certain cases, it is technically possible to recover lost assets, and some legitimate organizations can assist victims in doing so. Still, it is very case-specific, depends on many factors, and there is never a guarantee of success.

The loss of cryptocurrency can occur for a variety of reasons, including technical failures (dead hardware wallet key) or human factors. But what the fraudsters concentrate their attention on are fraudulent investment schemes rather than technical issues. Incidentally, we have a separate post about cryptocurrency fraud, but this time we will focus on fraudulent “cryptocurrency recovery agencies”. Long story short – attackers could not ignore people who fell victim to one scam and developed a whole scheme to scam them again.

Examples of Recovery Services

Domain                  Description                                                                             Registration
----------------------  --------------------------------------------------------------------------------------  ------------
Againstcon.com          A site masquerading as a crypto recovery service, possibly fraudulent.                  2023-02-09
Cleedenz.com            Fraudulent site offering services to recover lost cryptocurrencies.                     2023-10-09
Fiordintel.net          A phishing site pretending to be a service for tracking and recovering cryptocurrencies.  2024-07-02
Walletblockchain.net    A deceptive site offering fake solutions for recovering cryptocurrencies.               2024-07-17
Leeultimatehacker.com   A scam site promising to hack accounts to recover lost funds.                           2024-04-05

You can conduct your own investigation using our Inspector API by searching with the tag “Recovery Service”.

How Do Crypto Recovery Scams Work?

Usually, these scammers look for victims on social media, particularly in crypto investment groups or trading forums. It all starts with comments from people who allegedly managed to get their money back. They provide the contact information of a ‘specialist’ and claim to have been helped, but are actually part of the fraudulent scheme. In another scenario, fraudsters contact victims directly (mostly in crypto communities) and offer their help in restoring their crypto assets. One more scheme involves fraudsters selling lists of victims they have deceived or hacked on the Darknet.

[Image: Fake review about a crypto recovery agent]

After the victim contacts the scammer, they immediately ask for as much information as possible. This may seem logical, since such an operation requires a lot of the victim’s information. However, the scammer will always ask for things that are barely needed: SSN, detailed personal information, and so on. In addition to this data, attackers almost always require an upfront fee for their work. Quite often, the fraudsters simply cut off contact upon receiving the upfront payment, but not always. It is common to see them imitating progress and asking for more money after some time, explaining that “additional funds are needed to solve the problem”. Attackers employ many social engineering tactics, which can result in multiple requests for money before they eventually stop responding to the victim.

Red Flags and Potential Risks

Let’s take a look at the main red flags that you’re dealing with a scam. The first thing that should raise concern is a request for prepayment without any guarantees. Sure, scammers will promise guaranteed recovery of your funds, but such a guarantee is impossible. A claim that cannot be true is an obvious red flag.

The next red flag is the claim that they have “special access”, a private connection with the FBI or another law enforcement agency. Without confirmation, this claim is worth nothing, and any “informal connections” still give you no guarantee that this FBI friend will be helpful. And after all, if they are talking about law enforcement, why not go directly to them? Most investigative agencies around the world nowadays have an online fraud department, which will come in handy in this case.

[Image: Chat with scammers (Private FBI agent-as-a-service)]

Another sign that you are dealing with fraudsters is a sense of urgency and persistence on their part. In this case, the urgency comes not only from the scammers but also from the victim. Fraudsters often insist that you should not notify law enforcement about the incident, which is a strange demand from the “legit money recovery agents” they present themselves as.

The risks of all this, as you can imagine, are quite high. First of all, there are significant financial losses. Usually, fraudsters demand large sums upfront because they realize that the victim is ready to do anything to get the lost crypto back. Secondly, there is the risk of confidential information leakage. Attackers can request credit card information or login details to an online bank. They may then either use this information to finally empty the victim’s accounts or resell this data on the Darknet.

6 Warning Signs

Most crypto recovery services are scams — especially if they promise to return crypto you no longer own. Look out for these warning signs:

  1. They ask for an upfront fee. If someone asks for money before helping you, it’s likely a scam. They might ask for a small amount first, then keep asking for more.
  2. They claim to have “special access” to crypto exchanges. Scammers will say they have secret ways to get your crypto back. This is always a lie.
  3. They ask for your passphrase or sensitive info. If they want this information, they are trying to steal from you.
  4. They ask for your bank or crypto wallet details. Scammers may ask for your wallet or bank info to “deposit” the recovered crypto. They just want to steal more money.
  5. No physical address or located outside the U.S. If there’s no address, or it’s outside the U.S., it could be fake. Many scam companies use fake addresses.
  6. No phone number or only messaging apps. Legit companies talk by phone. Scammers use apps like Telegram or WhatsApp to hide.

How To Avoid Scams?

If you’ve been a victim of a crypto recovery scam, I have a few recommendations that may help. First, report the incident to the support team of the platform through which you were defrauded. The next step is filing a report with law enforcement and gathering as much evidence as you can. While this still cannot guarantee a refund, it can significantly increase the chances of one, and detailed information will help investigators find and detain the fraudsters.

[Image: Complaint Form for crypto recovery scam victims]

You can also report scams to:

  • The Federal Trade Commission (FTC)
  • The Commodity Futures Trading Commission (CFTC)
  • The U.S. Securities and Exchange Commission (SEC)
  • The FBI’s Internet Crime Complaint Center (IC3)

If you have found an organization that offers to help you recover your lost funds, research its procedures, refund methods, and real user reviews on the Internet. The major challenge is that stolen cryptocurrency is extremely difficult to recover. Almost the only way to do so is to collect as much evidence and information as possible, assemble the necessary package of documents and submit it to law enforcement agencies. Law enforcement may then contact the platform’s representatives, and if it is proven that the stolen crypto belongs to the victim, there is a chance it will be returned. This is the only legal way to get lost crypto back.

Malware Protection
https://gridinsoft.com/blogs/benefits-of-using-malware-protection/
Thu, 04 Jul 2024 00:42:05 +0000

Many people remain unaware of the substantial benefits of malware protection. While most have encountered the concept of computer threats, their understanding tends to be imprecise. In the past, the term “virus” frequently surfaced; now, “malware” has become the prevalent, albeit nebulous, term that casts a shadow of uncertainty over online threats. This vagueness partly stems from ongoing debates among computer security experts over the classification of threats and malware.

Despite the clear dangers, many users still overlook the importance of safeguarding their computers with security software. The process of selecting, installing, and configuring an antivirus, not to mention the system resources it consumes, might seem daunting and unnecessary. However, it’s crucial to remember that safety measures, though they might appear excessive, prove their worth when you most need them.

In this article, we will demystify what happens to a computer infected with malware and explore the importance of using antivirus software.

Understanding Malware Protection

Let’s start by defining malware. The term “malware” — short for “malicious software” — encompasses a variety of harmful programs designed to infiltrate and damage computers. Besides malware, there are non-executable scripts and other network threats like phishing, which doesn’t rely on directly infecting a computer with programs.

[Image: Types of Malware, presented in a simplified manner]

Now let us see what malware does from the standpoint of the attacker. The list of damage types below may not be exhaustive, but it summarizes the harm hackers usually inflict with malware nowadays and their reasons for doing so.

Data Theft via Spyware

Hackers deploy spyware, a category of malware, to execute data theft. This group includes diverse programs with a common espionage function. For instance, keyloggers record all keystrokes, while rogue browsers spy on online activities. Their capabilities vary: some might only transfer your browsing history to third parties, while others can record keystrokes or intercept your internet traffic.

Beyond the immediate privacy invasion, spyware also consumes CPU resources in the background, slowing down your computer.

The most severe risk of spyware is identity theft, which can have devastating consequences, including the loss of financial credentials and all the money in your account.

Cryptocurrency Mining Malware

Specialized malware, often introduced to systems as Trojans or downloaded by other Trojans, exists solely to use the infected device’s resources for mining cryptocurrency for others. This process, which involves cryptographic tasks, is handled by the victim’s CPU.

Infected devices typically experience reduced processing speeds and slower internet connections as a result of these mining activities.

Botnet Involvement

Botnets are networks of malware-infected computers controlled remotely by hackers. This collective control allows hackers to perform large-scale operations like DDoS attacks or massive automated posting, activities that are impossible with a single machine. Furthermore, a botnet can propagate itself, potentially growing to tens of millions of infected devices.

For users, the signs of a botnet infection include an overloaded CPU and unexplained internet traffic, with most botnet activities occurring without their knowledge.

Adware: Turning Browsing into a Billboard

Adware encompasses a wide range of software, including overt malware and potentially unwanted applications (PUPs). Malicious adware transforms your browsing experience into a barrage of distractions, reminiscent of the Las Vegas Strip, with bright flashing banners constantly appearing and obstructing your view. Additionally, adware can embed advertisement links within the text of web pages you visit to provoke accidental clicks. Some adware even extends beyond your browser, displaying ads throughout the operating system.

Adware may manifest as easy-to-remove browser extensions, rogue browsers, or various “handy” applications. Some adware operates covertly, appearing only as unremarkable processes in your Task Manager.

The negative effects of adware are obvious and typically prompt users to cleanse their computers. If you find adware on your system, removing it is crucial, as its presence can lead to further malware infections.

Ransomware: Encrypting Data for Ransom

Ransomware is one of the most destructive types of malware. Once it infiltrates a device, it encrypts all data files of specific types, making access to these files impossible, and leaves a ransom note demanding payment in cryptocurrency. The note details the payment amount necessary for the decryption key, which cybercriminals typically provide after receiving the ransom—this ensures that future victims also pay, trusting the scheme will resolve their issues.

Ransomware attacks have become a highly profitable malware-based enterprise, generating millions in annual revenue for perpetrators and are now more rampant than ever. For more insights, read about the business model of ransomware.

Taking Control Over the System with Rootkits

Rootkits represent a particularly perilous class of malware due to their ability to grant hackers administrative-like control over a system. These programs are notorious for their capability to create a backdoor, an unauthorized pathway circumventing access controls. This backdoor allows hackers to issue commands directly from the core of the infected system, with potential damage limited only by the attackers’ objectives.

The threat of rootkits highlights the necessity for robust system security measures to detect and counteract such invasive control.

Recognizing Symptoms of Malware Infection

Understanding the symptoms of a malware infection is crucial for early detection and response. This section summarizes the key signs to watch for, regardless of the specific type of malware affecting your device. By paying close attention to these indicators, you may be able to identify the type of malware based on the symptoms alone.

[Image: Symptoms of Malware Infection, shown in a simplified manner]

  • Slow PC and Crashing Programs: Various types of malware, especially those like cryptocurrency miners, operate in the background, consuming substantial system resources. This can noticeably decrease your PC’s performance and cause frequent program crashes.
  • Lack of Storage: Some malware types use significant amounts of hard drive space, leaving insufficient room for your regular activities.
  • Slow Internet: Malware can also degrade your Internet speed by generating background traffic that consumes your bandwidth.
  • Spam Reports: If friends report spam from your email or social media accounts, it’s likely that malware has hijacked your accounts.
  • Advertising Pop-ups: Unexpected ads and unfamiliar applications are common signs of adware infection. These can be both annoying and risky if they lead to inadvertent clicks.
  • Weird Extensions Added to Data Files: This is a hallmark of ransomware. Encrypted files become inaccessible, and a ransom is demanded for their release, a harsh reminder of the dangers of online carelessness.

Not Only Malware Protection

Enhancing cybersecurity involves more than just installing software; it requires a proactive approach to safeguard your digital environment. Staying vigilant is crucial, especially within a workgroup. Educating your team on basic security principles can significantly reduce the risk of malware infections which often exploit human errors such as inattention and gullibility through social engineering tactics. For example, phishing attacks might not always carry malware directly, but they frequently aim to compromise devices as part of their strategy. You can learn how to recognize and avoid phishing scams to better protect yourself.

Another vital measure is to be wary of unknown email attachments, links, or banners. Malware commonly infiltrates systems through scripts embedded in files or websites that users inadvertently access. Regular updates to your operating system are also essential; they minimize vulnerabilities and boost the efficacy of antivirus solutions. Stay informed about the latest security practices to keep your system robust against threats.

Furthermore, employing two-factor authentication wherever possible can drastically enhance the security of your online accounts, effectively minimizing the risk of unauthorized access. Lastly, the cornerstone of a solid cybersecurity strategy is the installation of trustworthy antivirus software. A vigilant approach, combined with reliable security programs, forms the most effective defense, detecting and eliminating threats before they can cause any damage.

How Can Malware Protection Help?

We were going to discuss the benefits of using malware protection, and now, let’s delve into what an antivirus does. Consider the example of Gridinsoft Malicious Software Removal. This program offers comprehensive triple protection.

The first layer is On-Run Protection. The program monitors all new files on your machine. Before any incoming file can cause damage, it scans it. If identified as malicious or unwanted, the file is immediately quarantined, allowing the user to decide whether to delete it or restore it.

Next, there’s Internet Protection. This function blocks hazardous websites and alerts you about suspicious ones. Websites are deemed dangerous if they contain malicious scripts or lack an SSL certificate. These blocks and warnings, though overridable, provide essential protection in most scenarios.

The most thorough option is the Deep Scan. You can choose the scope of the scan: a more comprehensive scan takes longer but increases the likelihood of detecting and eliminating malware. Some malware types can only be uncovered and removed through such in-depth scanning.

Malware Protection: Parting Wishes

By integrating various virus detection methods, Gridinsoft products showcase versatility and effectiveness, performing robustly on both home and corporate devices. You can deploy this software as your primary security system or as a supplementary antivirus scanner. Its cost-effectiveness is matched by its efficacy.

As for the general benefits of using antivirus software, they are undeniable. Threats may seem distant until they directly impact you. Cybersecurity is no exception to this rule. However, any doubts about the necessity of antivirus will likely dissipate after the first successful interception of a dangerous Trojan, ideally neutralized by your antivirus.

W3LL Targets Microsoft 365 Accounts with Sophisticated Phishing Kit
https://gridinsoft.com/blogs/w3ll-phishing-toolkit-microsoft-365/
Fri, 08 Sep 2023 17:07:19 +0000

In the ever-evolving landscape of cyber threats, crooks continually find new and inventive ways to exploit vulnerabilities and target valuable assets. One such threat that has recently garnered significant attention is “W3LL.” Next, we will tell you what it is, what it is known for, and how it succeeded in its business over 6 years without attracting the attention of law enforcement agencies.

W3LL attacks Microsoft 365 accounts, bypassing MFA

A not especially new but little-known attacker group called “W3LL” has developed a phishing tool suite that targets Microsoft 365 accounts. The package is called “W3LL Panel” and consists of 16 tools for organizing phishing attacks. Its main feature is that it allows bypassing multi-factor authentication (MFA). Attackers have compromised more than 8,000 Microsoft 365 enterprise accounts using this software. In addition, according to security researchers, the attackers used it to conduct about 850 phishing attacks between October 2022 and July alone, affecting more than 56,000 accounts.

[Image: W3LL Panel screenshot]

The same research called the W3LL Panel one of the most advanced phishing kits. It has adversary-in-the-middle functionality, an API, source code protection, and other unique features. In addition, the service covers almost the entire business email compromise (BEC) chain of operations and can be operated by “cybercriminals of any technical skill level”. In other words, it offers solutions for deploying a BEC attack from the initial stage of selecting victims and phishing baits with weaponized attachments to launching phishing emails that land in victims’ inboxes.

History

According to reports, W3LL first appeared in 2017 in the form of W3LL SMTP Sender, a tool for mass email sending, which is obviously useful for spamming. Thanks to its efficiency and popularity as a spam tool, the service gained prominence. Later, the same developer started selling a dedicated phishing kit targeting Microsoft 365 corporate accounts. This brought W3LL into the niche it currently occupies and made it popular. As a result, in 2018 the developer opened the W3LL Store, a closed English-language marketplace where he sold his tools to a narrow circle of cybercriminals.

Later, it grew into a kind of BEC community offering the whole range of phishing services. The service provided technical support through an application system, online chat, and training videos, which allowed even less experienced hackers to figure it out and use the service. However, as mentioned above, it was a closed community with specific entry rules. To get in, a newcomer had to obtain recommendations from existing “club” members. After joining, the newcomer had three days to deposit funds into his balance; otherwise, the account was deactivated. The service costs 500 dollars for the first 3 months and 150 dollars for each following month. There is also a referral program offering a 10% commission, and a reseller program with a 70-30 split of the profits that third-party groups make from selling products in the store.

A Complete phishing-as-a-service kit

With such a comprehensive approach, attackers can find everything they need to launch BEC attacks and use the kit and its tools in a variety of ways. From SMTP senders and a malicious link-building tool to a vulnerability scanner, an automated account discovery tool and a reconnaissance toolkit, W3LL offers all of them as a single package. The toolkit receives regular updates that introduce new features and improve its anti-detection mechanisms or add new ones. These tools can be licensed for $50 to $350 per month. This makes it important for defenders to stay on top of the latest changes to its TTPs.

[Image: W3LL Store screenshot]

As a result, over the past 10 months researchers have identified nearly 850 phishing sites linked to the W3LL Panel. The group also ran Telegram groups and chats as part of its infrastructure. Once a target account is compromised, attackers can steal data, conduct fake account fraud, impersonate account holders, or spread malware through the compromised account. Companies affected by a BEC attack can lose thousands or millions of dollars or face corporate data breaches, leading to damaged reputations, compensation claims, and lawsuits.

W3LL details

The actor behind the W3LL Panel has created 16 tools designed to facilitate Business Email Compromise (BEC) attacks. One of these tools, the W3LL Panel, can bypass multi-factor authentication (MFA). The other tools in the catalog include SMTP senders like PunnySender and W3LL Sender, a malicious link stager called W3LL Redirect, a vulnerability scanner named OKELO, an automated account discovery utility called CONTOOL, and an email validator called LOMPAT. The researchers have found that W3LL is skilled enough to protect its tools from detection by deploying and hosting them on compromised web servers and services. However, customers also have the option to use W3LL’s OKELO scanner to find vulnerable systems and gain access to them on their own.

W3LL uses various techniques to bypass email filters and security agents, including obfuscation of email headers and body text with Punycode, HTML tags, images, and links to remote content. To avoid detection, initial phishing links are delivered using multiple methods. One of them places the link in an HTML file sent as an attachment instead of embedding it in the email body.

When the victim launches the HTML file, which may be disguised as a document or voice message, a browser window opens up with a “genuine-looking MS Outlook animation.” This W3LL Panel phishing page is ready to collect Microsoft 365 account credentials. Experts analyzed a phishing attachment discovered in the wild and found that it was an HTML file that displayed a website in an iframe using JavaScript obfuscated through base64 encoding. In a newer version, updated in late June, W3LL added multiple layers of obfuscation and encoding. The script is now loaded directly from the W3LL Panel instead of being included in the HTML code.
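A static triage check for HTML attachments of the kind described above, written here as an added example (not code from the post or from the W3LL kit): it looks for base64-obfuscated JavaScript that writes an iframe into the page, and for the later variant that loads its script from a remote host instead of embedding it. The sample attachments and the hostnames are constructed for the demo.

```python
"""Static triage of HTML e-mail attachments (added example, not from the post).

Indicators looked for, taken from the report's description of the lure:
  * a long base64 literal that decodes to markup containing an <iframe> or URL
  * runtime decoding (atob / unescape / String.fromCharCode) plus DOM injection
  * a <script src="https://..."> pulled from a remote host (newer variant)
Sample attachments below are constructed; *.example.invalid hosts are placeholders.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Base64 runs long enough to hide markup rather than a tiny inline icon.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
RUNTIME_DECODE = re.compile(r"\b(?:atob|unescape|String\.fromCharCode)\s*\(", re.I)
DOM_INJECT = re.compile(r"document\.write\s*\(|\.innerHTML\s*=", re.I)
IFRAME = re.compile(r"<iframe\b", re.I)
REMOTE_SCRIPT = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?(https?:)?//", re.I)
MARKUP_HINT = re.compile(r"<iframe\b|<script\b|https?://", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Triage:
    findings: list = field(default_factory=list)   # sorted indicator labels
    decoded_urls: list = field(default_factory=list)  # URLs recovered from base64

    @property
    def suspicious(self) -> bool:
        # An ordinary HTML invoice may contain a link; markup hidden in base64
        # or a remotely loaded script is what singles out the lure.
        return "base64_markup" in self.findings or "remote_script" in self.findings


def _decode_literals(html: str):
    """Yield the text of every base64 literal that decodes to valid UTF-8."""
    for m in B64_LITERAL.finditer(html):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or binary payload (e.g. an embedded image)


def triage_html_attachment(html: str) -> Triage:
    """Return the static indicators found in one HTML attachment."""
    t = Triage()
    if IFRAME.search(html):
        t.findings.append("iframe")
    if REMOTE_SCRIPT.search(html):
        t.findings.append("remote_script")
    if RUNTIME_DECODE.search(html):
        t.findings.append("runtime_decode")
    if DOM_INJECT.search(html):
        t.findings.append("dom_inject")
    for text in _decode_literals(html):
        if MARKUP_HINT.search(text):
            t.findings.append("base64_markup")
            t.decoded_urls.extend(URL.findall(text))
            if IFRAME.search(text):
                t.findings.append("hidden_iframe")
    t.findings = sorted(set(t.findings))
    return t


# Constructed sample 1: the variant described in the post, a "voice message"
# page whose script decodes and writes an <iframe> pointing at a placeholder host.
HIDDEN_IFRAME = (
    '<iframe src="https://panel.example.invalid/login?u=victim%40corp.example" '
    'style="border:0;width:100%;height:100%"></iframe>'
)
SAMPLE_OBFUSCATED = (
    "<html><body><p>Loading voice message...</p>"
    "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + "'));</script></body></html>"
)

# Constructed sample 2: the newer variant, script loaded from a remote host.
SAMPLE_REMOTE = (
    '<html><body><script src="https://panel.example.invalid/loader.js"></script>'
    "</body></html>"
)

# Constructed sample 3: a benign HTML invoice with an ordinary link.
SAMPLE_BENIGN = (
    "<html><body><h1>Invoice 1042</h1><p>Total due: 120.00 EUR</p>"
    '<a href="https://billing.example.invalid/inv/1042">View online</a></body></html>'
)

if __name__ == "__main__":
    for name, sample in [("obfuscated", SAMPLE_OBFUSCATED),
                         ("remote", SAMPLE_REMOTE), ("benign", SAMPLE_BENIGN)]:
        r = triage_html_attachment(sample)
        print(f"{name:10s} suspicious={r.suspicious} {r.findings} {r.decoded_urls}")
```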

Accounts Hijack Process

Cybercriminals use a phishing attack to hijack Microsoft 365 corporate accounts. The phishing lure initially redirects the victim to a page that does not resemble the fake Microsoft 365 login page of the W3LL Panel; this is done intentionally to hinder the discovery of W3LL Panel phishing pages. The W3LL Panel uses the adversary-in-the-middle (AitM, also called MitM) technique to compromise a Microsoft 365 account: it intercepts the communication between the victim and the Microsoft server, which passes through the W3LL Panel, with the W3LL Store as the backend system.

[Image: Accounts hijack scheme]

The cybercriminals aim to obtain the victim’s authentication session cookie. To achieve this, the W3LL Panel has to complete several steps, which include passing CAPTCHA verification, setting up the correct fake login page, validating the victim’s account, obtaining the target organization’s brand identity, getting the cookies for the login process, identifying the type of account, validating the password, obtaining the one-time-password (OTP), and getting an authenticated session cookie. Once the W3LL Panel gets the authentication session cookie, the account is compromised, and to make the login request appear legitimate, the victim is shown a PDF document.

During the account discovery stage, attackers can use CONTOOL to automate finding emails, phone numbers, attachments, documents, or URLs that the victim used. This information can be used to aid in the lateral movement stage. Additionally, CONTOOL can monitor, filter, and modify incoming emails. It can also receive notifications in a Telegram account based on specific keywords. According to the report, the results from such an attack include data theft, fake invoices with the attacker’s payment information, impersonation of professional services to send fraudulent payment requests to clients, classic BEC fraud, which involves gaining access to a top executive, and acting on their behalf to instruct employees to make wire transfers or purchase goods, and distributing malware.

How To Protect Yourself

As I said at the beginning, W3LL is nothing new. This toolkit has been around for approximately five years and has seen active use by threat actors. It has gathered a customer base of over 500 cybercriminals who have access to more than 12,000 items. W3LL offers a variety of tools, including phishing and BEC-related tools, as well as access to compromised web services such as web shells, email, content management systems, SSH and RDP servers, hosting and cloud service accounts, business email domains, VPN accounts, and hijacked email accounts. Protecting yourself and your organization against sophisticated threats like W3LL requires a multi-faceted approach to cybersecurity. Here are the essential steps to protect against W3LL and similar threats:

  • Security Awareness Training. Conduct regular security awareness training sessions for employees to educate them on the latest phishing techniques and security best practices.
  • Email Filtering and Anti-Phishing Tools. You should implement robust email filtering solutions and anti-phishing tools to identify and quarantine phishing emails before they reach users’ inboxes.
  • Advanced Threat Protection (ATP). Use Microsoft’s Advanced Threat Protection for Office 365, which offers enhanced security features, including real-time protection against advanced threats.
  • Email Filtering and Anti-Phishing Tools. Email filters analyze various aspects of an email, such as sender, subject, content, attachments, and embedded links. This allows identifying threats, marking suspicious emails as spam, and deleting or blocking them.
  • Content Disarm & Reconstruction. CDR removes all active content from emails in real time, creating a simple cleaned-up file. All active content is treated as suspicious and deleted by default. CDR processes all incoming emails, deconstructs them, and removes all items not complying with firewall policies.

LastPass Users Can’t Login to App after Resetting MFA
https://gridinsoft.com/blogs/reset-mfa-in-lastpass/ (published Tue, 27 Jun 2023 14:16:41 +0000)

Since May 2023, users of the LastPass password manager have been experiencing severe login issues after resetting their MFA.

It all started when people were asked to reset their multi-factor authentication (MFA) applications. Users are required to re-login to their LastPass account and reset MFA because the company was hacked at the end of last year. Incidentally, we also covered how the LastPass Breach Investigation Goes On, and Things are Even Worse.

Let me remind you that the media also reported that Hackers Broke into the Home PC of a LastPass Password Manager Developer and Penetrated the Company’s Cloud Storage, and that Hunter Biden’s top-secret laptop was protected with a simple password.

The company announced the new security measures, introduced as part of its planned improvements in this area, on May 9th.

As a result, many users were locked out of their accounts and lost access to their LastPass vault, even after successfully resetting their MFA apps (e.g. LastPass Authenticator, Microsoft Authenticator, Google Authenticator).

The problem is exacerbated by the fact that victims cannot even contact LastPass support for help, since it requires logging into their account, and people are locked in an endless loop where they are prompted to reset the MFA.

“Forced MFA resync now prevents me from logging in because LastPass doesn’t recognize the new MFA code,” says one affected user.

“After resetting the MFA, I completely lost access to my storage. The master password does not work, the reset does not work, and even the reset email does not come at all,” writes another.

“I was prompted to re-enter the master password, then I was forced to reset the MFA, which I successfully did, and now I cannot log in. I can’t even contact support because I need to be logged in to do it,” complains another victim.

At the same time, LastPass developers report that they warned about the upcoming reset of the MFA through messages in the application “several weeks” before the start.

Since the warnings clearly didn’t work, the company is now issuing security patch newsletters explaining to users that these changes are necessary to increase the password iterations to the new default value of 600,000.

“To increase the security of your master password, LastPass uses a stronger version of the Password-Based Key Derivation Function (PBKDF2). At its core, PBKDF2 is a ‘password strengthening algorithm’ that makes it difficult for a computer to verify that any 1 password is the correct master password during a compromising attack,” the developers explain in a bulletin sent to affected users.

“Forced logout + MFA resync happens as we increase the number of password iterations for clients. This is due to the encryption of your LastPass vault,” the company adds on Twitter.
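Why raising the iteration count forces a re-login can be seen in a few lines of code. The example below is added here and is not LastPass’s implementation: it assumes a generic PBKDF2-HMAC-SHA256 scheme with a constructed per-account salt and a constructed old default of 100,100 iterations; only the new default of 600,000 comes from the bulletin above.

```python
import hashlib
import hmac
import time

# Constructed parameters for illustration only. The real LastPass derivation
# (salt choice, previous default, key use) is not described on the page.
OLD_ITERATIONS = 100_100          # assumed previous default
NEW_ITERATIONS = 600_000          # new default named in the bulletin
KEY_LEN = 32                      # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def rekey_needed(master_password: str, salt: bytes,
                 old_iterations: int, new_iterations: int) -> bool:
    """True when the new iteration count yields a different vault key.

    A vault encrypted under the old key cannot be opened with the new one, so
    the client must re-derive the key and re-encrypt the vault: that is the
    forced logout and re-authentication users are seeing.
    """
    old_key = derive_vault_key(master_password, salt, old_iterations)
    new_key = derive_vault_key(master_password, salt, new_iterations)
    return not hmac.compare_digest(old_key, new_key)


def cost_per_guess(master_password: str, salt: bytes, iterations: int) -> float:
    """Seconds for one derivation; grows linearly with the iteration count.

    This is the price anyone testing candidate master passwords against a
    stolen vault pays per guess, which is why the default was raised.
    """
    start = time.perf_counter()
    derive_vault_key(master_password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"user@example.com"    # constructed per-account salt
    pw = "correct horse battery staple"
    print("vault must be re-encrypted:",
          rekey_needed(pw, salt, OLD_ITERATIONS, NEW_ITERATIONS))
    for n in (OLD_ITERATIONS, NEW_ITERATIONS):
        print(f"{n:>7} iterations: {cost_per_guess(pw, salt, n):.3f} s per guess")
```

On a typical laptop the second timing line is roughly six times the first, matching the ratio of the two iteration counts.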

In another newsletter, the company says users need to re-enable multi-factor authentication to stay secure when logging into LastPass.

“You must log into the LastPass website in your browser and re-register your MFA app before you can access LastPass on your mobile device again. You cannot reconnect using the LastPass browser extension or the LastPass Password Manager app,” the developers explain.

The entire procedure required to reset the pairing between LastPass and an authenticator app (LastPass Authenticator, Microsoft Authenticator, or Google Authenticator) is now detailed in a separate document.

As part of security enhancements, users are now prompted to verify their location when they sign in to a website or app using LastPass. Also, if you sign in to a site or app that used LastPass to sign in, you’ll need to re-enter your credentials and authenticate with the authenticator app. The next time you sign in to a site or app using LastPass, you are asked to repeat the same process as an added security measure.

“Following an incident in 2022, we sent email and in-product messages to our entire customer base recommending that they reset their MFA secrets with their preferred authenticator app as a precautionary measure. This recommendation was also included in the security bulletins we sent to our B2C and B2B customers in early March and follow-up emails in early April. However, some of our customers still haven’t completed these steps, so we’ve asked them to take action when logging into LastPass. We launched this built-in messaging product in early June in the hope that we would get more response than our emails,” a LastPass spokesperson told Bleeping Computer.

Microsoft urges users to opt out of multi-factor authentication via phone
https://gridinsoft.com/blogs/microsoft-urges-users-to-opt-out-of-multi-factor-authentication-via-phone/ (published Thu, 12 Nov 2020 20:08:21 +0000)

Microsoft experts have once again raised the issue of the insecurity of multi-factor authentication through the phone, that is, through one-time codes in SMS messages or voice calls. Instead, the company is calling for newer technologies, including authenticator applications and security keys.

This time, the warning comes from the company’s head of identity security, Alex Weinert.

“Users who enabled multi-factor authentication (MFA) were protected from 99.9% of automated attacks on their accounts,” wrote Alex Weinert last year.

However, Weinert now explains that if users have a choice between several MFA methods, they should never choose the phone-based one.

The expert says that phone-based multi-factor authentication depends, at the very least, on the security of the telephone networks. Since SMS messages and voice calls are transmitted in the clear, attackers can intercept them using methods and tools such as SDR (Software-Defined Radio), femtocells, or various SS7 flaws.

In addition, one-time codes from SMS messages can be extracted using publicly available open-source phishing tools such as Modlishka, CredSniper, or Evilginx. Alternatively, fraudsters can deceive mobile operator employees into swapping the victim’s SIM card (a so-called SIM swap attack), which lets attackers receive one-time MFA codes on the target’s behalf.

All this makes SMS and voice call MFA “the least secure MFA method available today,” Alex Weinert sums up.

The specialist advises users to choose a stronger multi-factor authentication mechanism where available, and recommends the Microsoft Authenticator app. Users who want the strongest option should use hardware security keys, which Weinert called the best MFA solution last year.

Let me remind you that the view expressed by Weinert is not new at all. Back in 2016, the National Institute of Standards and Technology (NIST) published a document stating that the use of SMS messages for two-factor authentication would no longer be encouraged in the future. The document explicitly states that the use of SMS messages for two-factor authentication will be considered “invalid” and “insecure”.

Let me remind you that researchers hacked the TikTok app via SMS, and I also wrote that attackers can bypass TikTok multi-factor authentication through the site.

Attackers can bypass TikTok multi-factor authentication through the site
https://gridinsoft.com/blogs/attackers-can-bypass-tiktok-multi-factor-authentication-through-the-site/ (published Mon, 28 Sep 2020 16:11:09 +0000)

Journalists of the ZDNet publication, citing one of their readers, report that the web version of TikTok did not receive the multi-factor authentication (via email and SMS) that the developers rolled out to all users of the platform in August.

Thus, an attacker who somehow learned someone else’s credentials (for example, through a phishing attack or brute force) can log into the TikTok account through the site.

“This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app,” write the ZDNet journalists.

Fortunately, through the web version, hackers cannot change the user’s password and completely take over someone else’s account. Basically, all an attacker can do is upload and publish a new video, for example, to ruin an account’s reputation or advertise a fraudulent product on behalf of a popular user. The publication also notes that hacked accounts can be used to spread disinformation, propaganda, and so on.

Journalists note that the TikTok mobile app does not notify the user in any way about active sessions in the web version. This essentially means that TikTok doesn’t warn users at all if someone has used their credentials and logged into the account through a browser.

“It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features,” security researcher Zach Edwards told ZDNet.

TikTok developers have already promised to fix the problem and extend multi-factor authentication to the site too, but they have not named any specific time frame yet.

“In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords,” TikTok advised.

ZDNet notes that the login page is protected by a CAPTCHA, which means users can hardly expect a wave of automated attacks and massive compromises of TikTok accounts.

Let me remind you that earlier this year, researchers managed to hack TikTok using SMS.
