There are three reasons why this situation might occur:

1. A hacking attempt. Hackers have somehow learned, guessed, or stolen your password and are now trying to use it to access your account. You’ve received a legitimate message from the service they are trying to access.
2. Preparation for a hack. Hackers have either learned your password or are trying to trick you into revealing it, in which case the OTP message is a form of phishing. The message is fake, although it may look very similar to a genuine one.
3. Just a mistake. Sometimes online services are set up to first request a confirmation code from a text message, and then a password, or authenticate with just one code. In this case, another user could have made a typo and entered your phone/email instead of theirs — and you receive the code.

As you can see, there may be a malicious intent behind this message. But the good news is that at this stage, there has been no irreparable damage, and by taking the right action you can avoid any trouble.

What to do when you receive a code request

Most importantly, don’t click the confirmation button if the message is in the “Yes/No” form, don’t log in anywhere, and don’t share any received codes with anyone.

If the code request message contains links, don’t follow them.

These are the most essential rules to follow. As long as you don’t confirm your login, your account is safe. However, it’s highly likely that your account’s password is known to attackers. Therefore, the next thing to do is change the password for this account. Go to the relevant service by entering its web address manually — not by following a link. Enter your password, get a new (this is important!) confirmation code, and enter it. Then find the password settings and set a new, strong password. If you use the same password for other accounts, you’d need to change the password for them, too — but make sure to create a unique password for each account. We understand that it’s difficult to remember so many passwords, so we highly recommend storing them in a dedicated password manager.

This stage — changing your passwords — is not so urgent. There’s no need to do it in a rush, but also don’t postpone it. For valuable accounts (like banking), attackers may try to intercept the OTP if it’s sent via text. This is done through SIM swapping (registering a new SIM card to your number) or launching an attack via the operator’s service network utilizing a flaw in the SS7 communications protocol. Therefore, it’s important to change the password before the bad guys attempt such an attack. In general, one-time codes sent by text are less reliable than authenticator apps and USB tokens. We recommend always using the most secure 2FA method available; a review of different two-factor authentication methods can be found here.

What to do if you’re receiving a lot of OTP requests

In an attempt to make you confirm a login, hackers may bombard you with codes. They try to log in to the account again and again, hoping that you’ll either make a mistake and click “Confirm”, or go to the service and disable 2FA out of annoyance. It’s important to keep cool and do neither. The best thing to do is go to the service’s site as described above (open the site manually, not through a link) and quickly change the password; but for this, you’ll need to receive and enter your own, legitimate OTP. Some authentication requests (for example, warnings about logging into Google services) have a separate “No, it’s not me” button — usually, this button causes automated systems on the service side to automatically block the attacker and any new 2FA requests. Another option, albeit not the most convenient one, would be to switch the phone to silent or even airplane mode for half-an-hour or so until the wave of codes subsides.

What to do if you accidentally confirm a stranger’s login

This is the worst-case scenario, as you’ve likely allowed an attacker into your account. Attackers act quickly in changing settings and passwords, so you’ll have to play catch-up and deal with the consequences of the hack. We’ve provided advice for this scenario here.

How to protect yourself?

The best method of defense in this case is to stay one step ahead of the criminals: si vis pacem, para bellum. This is where our security solution comes in handy. It tracks leaks of your accounts linked to both email addresses and phone numbers, including on the dark web. You can add the phone numbers and email addresses of all your family members, and if any account data becomes public or is discovered in leaked databases, Kaspersky Premium will alert you and give advice on what to do.

Included in the subscription, Kaspersky Password Manager will warn you about compromised passwords and help you change them, generating new uncrackable passwords for you. You can also add two-factor authentication tokens to it or easily transfer them from Google Authenticator in a few clicks. Secure storage for your personal documents will safeguard your most important documents and files, such as passport scans or personal photos, in encrypted form so that only you can access them.

Moreover, your logins, passwords, authentication codes and saved documents will be available from any of your devices — computer, smartphone or tablet — so even if you somehow lose your phone, you’ll lose neither your data nor access, and you’ll be able to easily restore them on a new device. And to access all your data, you only need to remember one password — the main one — which isn’t stored anywhere except in your head and is used for banking-standard AES data encryption.

With the “zero disclosure principle”, no one can access your passwords or data — not even Kaspersky employees. The reliability and effectiveness of our security solutions have been confirmed by numerous independent tests, with one recent example being our home protection solutions having received the highest award — Product of the Year 2023 — in tests run by the independent European laboratory AV-Comparatives.

For employees, it makes the log-in process as user-friendly as it gets. To sign in to an external system – such as Salesforce or Concur – the employee completes the standard authentication procedure, which includes entering a password and submitting a second authentication factor: a one-time password, USB token, or something else – depending on the company’s policy. No other logins or passwords are needed. Moreover, after you sign in to one of the systems in the morning, you’ll be authenticated in the others by default. In theory the process is secure, as the IT and infosec teams have full centralized control over accounts, password policies, MFA methods, and logs. In real life however, the standard of security implemented by external systems that support SSO may prove not so high.

SSO pitfalls

When the user signs in to a software-as-a-service (SaaS) system, the system server, the user’s client device, and the SSO platform go through a series of handshakes as the platform validates the user and issues the SaaS and the device with authentication tokens that confirm the user’s permissions. The token can get a range of attributes from the platform that have a bearing on security. These may include the following:

• Token (and session) expiration, which requires the user to get authenticated again
• Reference to a specific browser or mobile device
• Specific IP addresses or IP range limits, which enable things like geographic restrictions
• Extra conditions for session expiration, such as closing the browser or signing out of the SSO platform

The main challenge is that some cloud providers misinterpret or even ignore these restrictions, thus undermining the security model built by the infosec team. On top of that, some SaaS platforms have inadequate token validity controls, which leaves room for forgery.

How SSO implementation flaws are exploited by malicious actors

The most common scenario is some form of a token theft. This can be stealing cookies from the user’s computer, intercepting traffic, or capturing HAR files (traffic archives). The same token being used on a different device and from a different IP address is generally an urgent-enough signal for the SaaS platform that calls for revalidation and possibly, reauthentication. In the real world though, malicious actors often successfully use stolen tokens to sign in to the system on behalf of the legitimate user, while circumventing passwords, one-time codes, and other infosec protections.

Another frequent scenario is targeted phishing that relies on fake corporate websites and, if required, a reverse proxy like evilginx2, which steals passwords, MFA codes, and tokens too.

Improving SSO security

Examine your SaaS vendors. The infosec team can add SSO implementation of the SaaS provider to the list of questions that vendors are required to respond to when submitting their proposals. In particular, these are questions about observing various token restrictions, validation, expiration, and revocation. Further examination steps can include application code audits, integration testing, vulnerability analysis, and pentesting.

Plan compensatory measures. There’s a variety of methods to prevent token manipulation and theft. For example, the use of EDR on all computers significantly lowers the risk of being infected with malware, or redirected to a phishing site. Management of mobile devices (EMM/UEM) can sort out mobile access to corporate resources. In certain cases, we recommend barring unmanaged devices from corporate services.

Configure your traffic analysis and identity management systems to look at SSO requests and responses, so that they can identify suspicious requests that originate from unusual client applications or non-typical users, in unexpected IP address zones, and so on. Tokens that have excessively long lifetimes can be addressed with traffic control as well.

Insist on better SSO implementation. Many SaaS providers view SSO as a customer amenity, and a reason for offering a more expensive “enterprise” plan, whereas information security takes a back seat. You can partner with your procurement team to get some leverage over this, but things will change rather slowly. While talking to SaaS providers, it’s never a bad idea to ask about their plans for upgrading the SSO feature – such as support for the token restrictions mentioned above (geoblocking, expiration, and so on), or any plans to transition to using newer, better-standardized token exchange protocols – such as JWT or CAEP.

1. Delete unnecessary files

Let’s start with the basics: deleting files you no longer need. This stage might seem easy, but it can actually take a while — simply because we all have an awful lot of files. So, it’s important not to get overwhelmed by the task. Try breaking it down into small steps, for example, deleting 10, 20 or 50 files each day — or even several times a day.

The main places to look for junk files are:

• The desktop. An obvious candidate for where to begin your digital cleanup. Once you’ve cleared your desktop of ancient shortcuts and files, you’ll not only have more storage space, but should also gain a sense of order, which may boost your productivity, lift your spirits, and help you tackle the next steps of your digital cleanup!
• The “Old Desktop” folder. Most likely, you have such a folder somewhere on your computer’s SSD (or something similar, like “Old Disk Drive” or “Old Computer Files”). And inside it, there’s often another “Old Desktop”, and within that, another, and so on. It may seem daunting, but time has come to finally deal with this abyss of nested directories.

Get rid of the Old Desktop nested folders

• The downloads folder. Ancient documents, installation files from long-deleted programs, saved images dating back a decade, and other digital relics — chances are you no longer need them and can simply delete them all. And, don’t forget to clean the downloads folder not only on your computer but also on your smartphone (and on your tablet if you have one).
• Your smartphone’s photo gallery. If you delete all duplicate photos, screenshots taken for unclear reasons, and videos your pocket decided to take all on its own, you might find you can postpone buying a new smartphone with more memory for another year or two. Special apps come to the rescue here, seeking either exact duplicates or similar files — for example, a series of identical shots, of which you only need to keep one or two. Look for them in app stores using the keyword “duplicate”.
• Your cloud storage. This similar to the Old Desktop folder, but in the cloud. Sure, you can pay for extra disk space and accumulate files for a few more years. But might it be better to just get rid of them?
• Large files and duplicates on your computer. If you need to quickly free up space on your hard drive/SSD, the easiest way is to either delete a few large-sized files or get rid of identical files, thoughtfully scattered across different folders. To automatically search for large files, you can use the Large Files feature on the Performance tab of the Kaspersky app. By specifying the minimum size and search area — the entire computer or selected folders — in a few minutes you’ll receive a complete list of files whose size exceeds the limit. Then, you can choose to delete them either in bulk or individually.

Also on the Performance tab, you can find and remove duplicate files. Used together, these features (available in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions) might save you from having to buy a new hard drive or SSD.

Once you’ve finished removing unnecessary files, don’t forget to empty the Recycle Bin — or the “Deleted photos” folder, if it’s your smartphone’s photo gallery.

2. Clean up your email and messengers

The next important stage in your digital cleanup is to sort out your email and messaging apps. This will reduce the amount of space your correspondence takes up and, most importantly, improve your experience of using your email and messengers. What to do first?

• Get rid of unread messages. Those scary numbers in red circles hovering above your messenger app icons can really get on your nerves and prevent you from dealing with new incoming messages on time. This could cause you to overlook something important, get your priorities wrong, miss a deadline or meeting, and so on. Like cleaning up files, sorting through unread emails and messages can take some time. That’s why a steady, systematic approach works best here: try to break the process up into small steps. And aim to always have fewer unread items at the end of each day — sooner or later, you’ll hit zero.

Looks familiar? Help yourself: try to gradually sort out all your unreads

• Unsubscribe from unnecessary email newsletters and messenger channels. This step can help you with the previous task, too. Weeding out unneeded information feeds will reduce the number of new unread items, so you can reach that golden zero even faster. You need to be decisive here: instead of simply ignoring another uninteresting message or email, unsubscribe immediately.
• Delete old messenger chats. Correspondence with a realtor about the apartment you moved out of three years ago, communication with couriers, and other similar priceless messages will some day form the basis of your memoirs. Just kidding, of course: delete all of it without hesitation.
• Delete emails with large attachments. Is your email provider sending you annoying messages telling you you’re about to run out of storage space? The easiest way to quickly clean up your inbox is to delete old emails with large attachments. Most providers and email programs allow you to find them without much difficulty. It’s easiest with Gmail — to find all emails bigger than 10 megabytes, just enter “size:10000000” in the search bar.

The easiest way to quickly clean up your inbox: find and delete all large emails

• Clear out the spam folder. Individual spam emails typically don’t take up much space. But if you haven’t checked your spam folder in a while, you might have accumulated a ton of messages. Deleting them will push you away from your mailbox limit even further.

3. Close old tabs

Now it’s time to deal with the program we all use the most: your browser. Old tabs left open for months, if not years, not only eat through your device’s memory, but also make it difficult to find the relevant information you actually need. Moreover, an abundance of tabs can pose a serious obstacle to updating the browser — which, by the way, is one of the most important digital hygiene procedures there is.

So try to get rid of unnecessary tabs in all the browsers you use — including on your smartphone. There are two approaches here: either act quickly and decisively, ruthlessly closing all tabs without concern for what they contain; or do it gradually and cautiously, closing tabs in batches of 10–20 at a time and checking along the way if there’s anything important among them. You can add the ones you actually need to bookmarks or tab groups.

Close all unnecessary tabs in your browser — it’ll be easier to find important ones

And while we’re still on about the browser, also clear its cache. If you haven’t done this before, you’ll be surprised at how much space it takes up. Also, it’s a good idea to review all the extensions installed in your browser: if you’re not using something, now’s the perfect time to remove it.

4. Cancel unnecessary subscriptions

Almost every online service nowadays offers some type of paid subscription — if not several. And these subscriptions can start to pile up beyond all reasonable limits. How much does it all cost? Who knows?! Seriously, people often have no idea about how much they pay for all their digital subscriptions, typically underestimating the total expenses several times compared to reality.

So not only does canceling unnecessary subscriptions bring immediate financial benefit — but this benefit is probably greater than you imagine. On the other hand, the task isn’t that simple: you need to remember all your subscriptions, gather and organize information about them, sort out what’s what — and only then will you understand what you should unsubscribe from. There also might be family subscriptions, with duplicates on the various devices of your family members.

The good news is that there’s a special app for managing subscriptions: SubsCrab. It can organize information about all your subscriptions, calculate monthly expenses, show you a handy schedule and warn you about payment days in advance, tell you what needs to be done to cancel a particular subscription, and even propose alternative subscription options or promo codes and discounts for renewals.

The SubsСrab app will help sort out paid subscriptions and cancel unnecessary ones

5. Remove unused applications

You probably have apps on your smartphone that you haven’t used in over a year. Or maybe even ones you’ve never opened at all. Not only do they take up your device’s memory, but they can also slowly consume internet traffic and battery power and, most importantly, they clog up your interface and may continue to collect data about your smartphone — and you.

It’s time to finally get rid of them! If you delete at least one unused app a day, within a month or so they’ll all be gone, and order will be restored on your smartphone’s home screen.

However, there is a way to immediately detect all unnecessary apps — both on Windows computers and Android smartphones — with the help of the Unused Apps feature included in Kaspersky Standard, Kaspersky Plus and Kaspersky Premium subscriptions. It will show you the apps you rarely use and allow you to delete them all in one fell swoop.

There are some protected Android apps which are impossible to uninstall, even if you don’t need them at all — all due to the whim of the smartphone manufacturer. These may include a proprietary browser or an unused social network client. However, there are special methods to uninstall such apps, which we’ve covered in detail in this comprehensive guide.

6. Turn off unnecessary notifications

One of the main obstacles to digital peace of mind can be the endless stream of notifications flowing from almost every app these days — whether it’s a fitness tracker or a calculator. But, fortunately, we’re not at the mercy of our phones in this case. So go through the list of apps that are allowed to send notifications and thin it out.

Notification settings and Focus mode in Android

There are two possible solutions here. The first one is radical: disable notifications for all apps except the most essential ones — banking apps, work tools, and messengers. The second is moderate: identify apps that blatantly abuse notifications — firing them out for no good reason — and disable these pests.

It’s also helpful to disable notifications in messengers for less important contacts, channels, and chats. Also, take a closer look at the focus mode settings. They’re available in all modern operating systems — such as Android, iOS/iPadOS, Windows and macOS — and allow you to limit the number of notifications and other digital noise for a set period.

Notification settings and Focus mode in iOS

Also, don’t forget that these days it’s not just apps sending notifications; many websites use browser-integrated notification systems for this purpose, too. So make sure to disable all unnecessary notifications there as well. By the way, we have a separate guide on how to stop browsers from bothering you with trivial stuff.

7. Delete unused accounts

Accounts with online services — even the less important ones — always pose a potential risk. If an account gets hacked, it could be used for fraud, laundering stolen goods, attacks on other users, and more — and all in your name. And if a bank card is linked to such an account, there could be damaging consequences.

It’s therefore best not to leave your accounts to fate: if you no longer need a particular account, it’s wise to delete it. This part of the cleanup might be especially challenging: first, you’ll need to recall which accounts you’ve created, then remember your login credentials, and only then can you delete them. But it’s really worth doing!

To avoid getting overwhelmed, try deleting at least one unnecessary account per week. And while we’re at it, I recommend adding all your accounts to a password manager. That way, they’ll all be in one place, their passwords will be securely stored, and you’ll be able to log in with just a few clicks — so the next time you’re cleaning up, it won’t be such a hassle.

Plus, if any of the services you use is compromised, you’ll receive a notification from the password manager and can promptly take action — either by changing the password or by deleting the account.

8. Change unsafe passwords

If you enter your account details into Kaspersky Password Manager, the application shows you any passwords that might be unsafe, either due to data breaches, or because you use these passwords across multiple accounts at once.

Kaspersky Password Manager tells you which passwords are unsafe and need to be changed

The danger of the first scenario — when a password has already been compromised — goes without saying: if malicious actors know your password, the security of the corresponding account is directly threatened.

As for using the same password for different platforms, the risk here is that if one of these services is breached and attackers find out the password, they’ll certainly try to use it to access other accounts — a technique known as credential stuffing. Thus, using the same password everywhere puts you at risk of having multiple accounts hijacked at once — most unpleasant.

Unsafe passwords need to be changed, and the sooner the better. Passwords that have already been compromised should be replaced immediately. When changing passwords that you’re using in multiple places, you can afford to take the process step-by-step, editing a couple of accounts at a time.

By the way, Kaspersky Password Manager helps you create truly secure and unique character combinations using a random password generator (so you don’t have to come up with new complex passwords yourself), and stores them safely in encrypted form — synchronizing passwords across all your devices. The only password you’ll need to remember in this case is the main password for Kaspersky Password Manager: it encrypts the entire password database and isn’t stored anywhere except in your head.

And to streamline all these digital cleanup processes, we recommend using Kaspersky Premium, which includes comprehensive protection, productivity enhancement tools, a password manager, and many other features necessary for effective digital housekeeping across all your family’s devices.

Protect your finances

E-commerce and financial technologies continue to expand globally, and successful technologies are being adopted in new regions. Instant electronic payments between individuals have become much more widespread. And, of course, criminals are devising new ways to swindle you out of your money. This involves not only fraud using instant money-transfer systems, but also advanced techniques for stealing payment data on e-commerce sites and online stores. The latest generations of web skimmers installed by hackers on legitimate online shopping sites are almost impossible to perceive, and victims only learn that their data has been stolen when an unauthorized charge appears on their card.

What to do?

• Link your bank cards to Apple Pay, Google Pay, or other similar payment systems available in your country. This is not only convenient, but also reduces the likelihood of data theft when making purchases in stores.
• Use such systems to make payments on websites whenever possible. There’s no need to enter your bank card details afresh on every new website.
• Protect your smartphones and computers with a comprehensive security system like Kaspersky Premium. This will help protect your money, for example, from a nasty new attack in which the recipient’s details are replaced at the moment of making an instant money transfer in a banking app.
• Use virtual or one-time cards for online payments if your bank supports this option. If a virtual card can be quickly reissued in the app, change it regularly — for example, once a month. Or use special services to ‘mask’ cards, generating one-time payment details for each payment session. There are many of these for different countries and payment systems.

Don’t believe everything you see

Generative artificial intelligence has dominated the news throughout 2023 and has already significantly affected the job market. Unfortunately, it’s also been used for malicious purposes. Now, just about anyone can create fake texts, photos, and videos in a matter of minutes — a labor that previously required a lot of time and skill. This has already had a noticeable impact on at least two areas of cybersecurity.

First, the appearance of fake images, audio, and video on news channels and social media. In 2023, generated images were used for propaganda purposes during geopolitical conflicts in post-Soviet countries and the Middle East. They were also used successfully by fraudsters for various instances of fake fundraising. Moreover, towards the end of the year, our experts discovered massive “investment” campaigns in which the use of deepfakes reached a whole new level: now we’re seeing news reports and articles on popular channels about famous businessmen and heads of state encouraging users to invest in certain projects — all fake, of course.

Second, AI has made it much easier to generate phishing emails, social media posts, and fraudulent websites. For many years, such scams could be identified by sloppy language and numerous typos, because the scammers didn’t have the time to write and proofread them properly. But now, with WormGPT and other language models optimized for hackers, attackers can create far more convincing and varied bait on an industrial scale. What’s more, experts fear that scammers will start using these same multilingual AI models to create convincing phishing material in languages and regions that have rarely been targeted for such purposes before.

What to do?

• Be highly critical of any emotionally provocative content you encounter on social media — especially from people you don’t know personally. Make it a habit to always verify the facts on reputable news channels and expert websites.
• Don’t transfer money to any kind of charity fundraiser or campaign without conducting a thorough background check of the recipient first. Remember, generating heart-breaking stories and images is literally as easy as pushing a button these days.
• Install phishing and scam protection on all your devices, and enable all options that check links, websites, emails, and attachments. This will reduce the risk of clicking on phishing links or visiting fraudulent websites.
• Activate banner ad protection — both Kaspersky Plus and Kaspersky Premium have this feature, as do a number of browsers. Malicious advertising is another trend for 2023-2024.

Some experts anticipate the emergence of AI-generated content analysis and labeling systems in 2024. However, don’t expect them to be implemented quickly or universally, or be completely reliable. Even if such solutions do emerge, always double-check any information with trusted sources.

Don’t believe everything you hear

High-quality AI-based voice deepfakes are already being actively used in fraudulent schemes. Someone claiming to be your “boss”, “family member”, “colleague”, or some other person with a familiar voice might call asking for urgent help — or to help someone else who’ll soon reach out to you. Such schemes mainly aim to trick victims into voluntarily sending money to criminals. More complex scenarios are also possible — for example, targeting company employees to obtain passwords for accessing the corporate network.

What to do?

• Verify any unexpected or alarming calls without panic. If someone you supposedly know well calls, ask a question only that person can answer. If a colleague calls but their request seems odd — for example, asking you to send or spell a password, send a payment, or do something else unusual — reach out to other colleagues or superiors to double-check things.
• Use caller identifier apps to block spam and scam calls. Some of these apps work not only with regular phone calls but also with calls through messengers like WhatsApp.

Buy only safe internet-of-things (IoT) smart devices

Poorly protected IoT devices create a whole range of problems for their owners: robot vacuum cleaners spy on their owners, smart pet feeders can give your pet an unplanned feast or a severe hunger strike, set-top boxes steal accounts and create rogue proxies on your home network, and baby monitors and home security cameras turn your home into a reality TV show without your knowledge.

What could improve in 2024? The emergence of regulatory requirements for IoT device manufacturers. For example, the UK will ban the sale of devices with default logins and passwords like “admin/admin”, and require manufacturers to disclose in advance how long a particular device will receive firmware updates. In the U.S., a security labeling system is being developed that will make it possible to understand what to expect from a “smart” device in terms of security even before purchase.

What to do?

• Find out if there are similar initiatives in your country and make the most of them by purchasing only secure IoT devices with a long period of declared support. It’s likely that once manufacturers are obliged to ensure the security of smart devices locally, they’ll make corresponding changes to products for the global market. Then you’ll be able to choose a suitable product by checking, for example, the American “security label”, and buy it — even if you’re not in the U.S.
• Carefully configure all smart devices using our detailed advice on creating a smart home and setting up its security.

Take care of your loved ones

Scams involving fake texts, images, and voices messages can be highly effective when used on elderly people, children, or those less interested in technology. Think about your family, friends, and colleagues — if any of them may end up a victim of any the schemes described above, take the time to tell them about them or provide a link to our blog.

What to do?

• Don’t just give blanket information from our articles; look beyond our blog to find suitable cybersecurity lessons for your loved ones based on their age and temperament.
• Make sure that all your family’s computers and phones are fully protected. With Kaspersky Premium, you can protect as many devices as needed, on any popular platform — Windows, macOS, Android, or iOS.

Before we say goodbye and wish you a happy and peaceful 2024, one final little whisper — last year’s New Year’s resolutions are still very relevant: the transition to password-less systems is progressing at a swift pace, so going password-free in the New Year might be a good idea, while basic cyber hygiene has become all the more crucial. Oops; nearly forgot: wishing you a happy and peaceful 2024!…

Infecting hotel staff computers with a password stealer

What we’re dealing with here is a multi-stage attack — B2B2C, if you will. It all starts with infecting hotel computers, but the immediate threat isn’t to the hotel itself — it’s to the clients.

To hijack accounts on admin.booking.com, attackers use specialized malware known as password stealers. Typically, these stealers collect any passwords found on an infected computer. But in this case it seems that Booking.com accounts are what the cybercriminals are specifically interested in.

In particular, one of the abovementioned studies describes a targeted email attack on hotel staff. This attack starts with an innocuous email in which someone poses as a recent guest and asks the hotel staff for help in finding lost documents.

The first email from the attackers to the targeted hotel. Source

In the next email, the “guest” claims to have searched everywhere for the lost passport or whatever to no avail, suggesting the hotel is the only possible place where it might be. So, they ask the hotel staff to look for it and, to help the search, provide a link supposedly containing photos of the lost passport.

The next email from the attackers, containing a link to an infected archive with a password stealer. Source

As you might suspect, this archive contains not the photos of the passport, but the password stealer. After the user clicks on the dangerous file, the stealer searches the system for saved login credentials for the hotel’s account on admin.booking.com, and sends them to the attackers.

Using a stolen login and password, the cybercriminals gain access to the hotel’s account on admin.booking.com.

Another study on the Booking.com account theft epidemic describes an alternative method of infecting hotel staff computers. In this attack, criminals create reservations using guest accounts (in some cases, probably stolen accounts). They then contact the hotel using Booking.com’s internal messaging system and, under one pretext or another, slip in a link to a malware-infected file — with the exact same outcome as in the previous case.

Stealing hotel accounts on Booking.com and emailing clients

At the next stage, the attackers proceed to directly use the accounts stolen from the infected hotel computers. Everything is made a lot simpler by the fact that Booking.com’s service doesn’t provide two-factor authentication, so accessing an account only requires a login and password.

Upon entering the hotel’s account on admin.booking.com, the criminals study current bookings and begin sending messages to future guests using Booking.com’s internal messaging system. These messages generally revolve around an error in verifying the guest’s payment card information provided during the booking. The “hotel” thus asks the guest to re-enter their card details; otherwise, the reservation will be canceled.

Of course, the messages include links that at first glance appear to resemble genuine links to Booking.com’s booking pages. They contain the word “booking” itself, something resembling a booking number, and in some cases, additional words like “reservation”, “approve”, “confirmation”, and so on.

Of course, upon closer inspection, it’s easy to see that these links don’t lead to Booking.com at all. However, the aim here is to target hasty individuals who, unexpectedly discovering that their planned trip could be ruined, rush to rectify the situation.

] Through Booking.com’s internal messaging system, scammers send hotel clients links to fake booking pages. Source 1, source 2, source 3, source 4

The messages are written in a professional tone and appear quite plausible. It should also be noted that the text of such messages varies considerably from one described incident to another. Apparently, a number of criminals are using this scheme independently of each other.

Fake copies of Booking.com and stealing bank card data

The final stage of the attack ensues. By clicking on the link in the message, the hotel’s client lands on a fake page — a meticulous copy of Booking.com. These pages even display the correct guest name, information about the hotel where the victim intends to stay, dates, and price — all of which the scammers know because they have access to all the booking data.

The only thing that gives it away is the link in the address bar. However, the scammers distract the victim from paying attention to such minor details by rushing them: the page claims that these dates are in high demand, so “10 four-star hotels similar to this one are already unavailable”. The implication, of course, is that if this booking fails, finding alternative accommodation won’t be easy.

On the fake Booking.com page, the client of the hacked hotel is asked to enter their card number to reconfirm the reservation. Source

The victims are urged once again to confirm the booking as quickly as possible. Moreover, it’s easy to do: just re-enter the payment information. Obviously, the card details then fall into the hands of the criminals — mission accomplished.

Selling hotel logins and passwords for Booking.com

It’s worth mentioning that here, as in almost any other cybercriminal scheme, we see a tendency for narrow specialization. Apparently, some criminals collect hacked Booking.com accounts, while others exploit these accounts to deceive hotel clients. In any case, advertisements offering substantial sums for logins and passwords from admin.booking.com accounts can be found on hacker forums.

Listing on an underground forum, where the authors are willing to pay generously for hacked Booking.com hotel accounts. Source

Another listing offering decent money for hacked admin.booking.com accounts. Source

Yet another group of criminals, providing subscription-based services to search for stolen credentials in stealer malware databases, have recently added admin.booking.com to their list of searchable data.

One of the services offering paid searches across databases of stolen passwords has learned to function with admin.booking.com accounts. Source

All of this suggests that the popularity of this criminal scheme is only growing; therefore, there’ll likely be more hacks of hotel accounts on Booking.com and more affected clients in the future.

How to protect against theft of admin.booking.com accounts

Even though these attacks directly threaten hotel clients rather than the hotels themselves, the hotels still have to deal with the backlash and somehow compensate the affected parties to avoid any reputational damage. And in general, hotel computers getting infected is bad news — today, cybercriminals are hijacking Booking.com accounts; tomorrow they’ll come up with another way to monetize this infection. Therefore, it’s absolutely necessary to protect against this threat. Here’s what to keep in mind:

• Storing passwords in your browser is not safe — that’s where stealer malware always looks for them.
• To store passwords well, use a specialized application — a password manager — that will take care of their security.
• It’s essential to install reliable protection on all your devices used for business.
• And take particular care of the security of those computers that employees might use to communicate with strangers — they’re the ones more likely to become the target of an attack.

This method does seem rather reliable at first glance; however, a recent report by Blackwing Intelligence casts doubt upon this assertion. The authors managed to hack the biometric authentication system and log in to Windows using Windows Hello on Dell Inspiron 15 and Lenovo ThinkPad T14 laptops, as well as using the Microsoft Surface Pro Type Cover with Fingerprint ID keyboard for Surface Pro 8 and Surface Pro X tablets. Let’s have a look at their findings to see whether you should update your cyberdefense strategy.

Anatomy of the hack

First of all, we must note that this was a hardware hack. The researchers had to partially disassemble all three devices, disconnect the sensors from the internal USB bus, and connect them to external USB ports through a Raspberry PI 4 device that carried out a man-in-the-middle attack. The attack exploits the fact that all chips certified for Windows Hello must store the fingerprint database independently, in the on-chip memory. No fingerprints are ever transmitted to the computer itself — only cryptographically signed verdicts such as “User X successfully passed verification”. In addition, the protocol and the chips themselves support storing multiple fingerprints for different users.

The researchers were able to perform the spoofing, although attacks varied for different laptop models. They uploaded onto the chip additional fingerprints, supposedly for a new user, but were able to modify the data exchange with the computer so that information about the successful verification of the new user would be associated with the ID of the old one.

The main reason the spoofing worked was that all verified devices deviate to some degree from the Secure Device Connection Protocol (SDCP), which Microsoft developed specifically to head off such attacks. The protocol takes account of many common attack scenarios — from data spoofing to replaying a data exchange between the operating system and the chip when the user is not at the computer. Hacking the implementation of the security system on a Dell (Goodix fingerprint scanner) proved possible due to the fact that the Linux driver doesn’t support SDCP, the chip stores two separate databases for Windows and Linux, and information about the choice of database is transmitted without encryption. Lenovo (Synaptics chip) uses its own encryption instead of SDCP, and the authors managed to figure out the key generation mechanism and decrypt the exchange protocol. Rather jaw-droppingly, the Microsoft keyboard (ELAN chip) doesn’t use SDCP at all, and the standard Microsoft encryption is simply absent.

Main takeaways

Hardware hacks are difficult to prevent, yet equally if not more difficult to carry out. This case isn’t about simply inserting a USB flash drive into a computer for a minute; skill and care are required to assemble and disassemble the target laptop, and throughout the period of unauthorized access the modifications to the computer are obvious. In other words, the attack cannot be carried out unnoticed, and it’s not possible to return the device to the rightful user before the hack is complete and the machine is restored to its original form. As such, primarily at risk are the computers of company employees with high privileges or access to valuable information, and also of those who often work remotely.

To mitigate the risk to these user groups:

• Don’t make biometrics the only authentication factor. Complement it with a password, authenticator app, or USB token. If necessary, you can combine these authentication factors in different ways. A user-friendly policy might require a password and biometrics at the start of work (after waking up from sleep mode or initial booting), and then only biometrics during the working day;
• Use external biometric scanners that have undergone an in-depth security audit;
• Implement physical security measures to prevent laptops from being opened or removed from designated locations;
• Combine all of the above with full-disk encryption and the latest versions of UEFI with secure boot functions activated.

Lastly, remember that, although biometric scanners aren’t perfect, hacking them is far more difficult than extracting passwords from employees. So even if biometrics aren’t not the optimal solution for your company, there’s no reason to restrict yourself to just passwords.

Roblox extensions with a backdoor

To set the tone and also highlight one of the biggest concerns associated with dangerous extensions, let’s start with a story that began last year. In November 2022, two malicious extensions with the same name — SearchBlox — were discovered in the Chrome Web Store, the official store for Google Chrome browser extensions. One of these extensions had over 200,000 downloads.

The declared purpose of the extensions was to search for a specific player on the Roblox servers. However, their actual purpose was to hijack Roblox players’ accounts and steal their in-game assets. After information about these malicious extensions was published on BleepingComputer, they were removed from the Chrome Web Store, and automatically deleted from the devices of users who’d installed them.

Malicious SearchBlox extensions published in the Google Chrome Web Store hijacked Roblox players’ accounts. Source

However, the Roblox story doesn’t end there. In August 2023, two more malicious extensions of a similar nature — RoFinder and RoTracker — were discovered in the Chrome Web Store. Just like SearchBlox, these plugins offered users the ability to search for other players on the Roblox servers, but in reality had a backdoor built into them. The Roblox user community eventually managed to get these extensions removed from the store as well.

The RoTracker malicious extension, also hosted on the Google Chrome Web Store. Source

This suggests that the quality of moderation at the world’s most official platform for downloading Google Chrome extensions leaves much to be desired, and it’s easy enough for creators of malicious extensions to push their creations in there. To get moderators to spot dangerous extensions and remove them from the store, reviews from affected users are rarely sufficient — it often requires efforts from the media, security researchers, and/or a large online community.

Fake ChatGPT extensions hijacking Facebook accounts

In March 2023, two malicious extensions were discovered in the Google Chrome Web Store within a few days of each other — both taking advantage of the hype surrounding the ChatGPT AI service. One of these was an infected copy of the legitimate “ChatGPT for Google” extension, offering integration of ChatGPT’s responses into search engine results.

The infected “ChatGPT for Google” extension was uploaded to the Chrome Web Store on February 14, 2023. Its creators waited for some time and only started actively spreading it precisely a month later, on March 14, 2023, using Google Search ads. The criminals managed to attract around a thousand new users per day, resulting in over 9000 downloads by the time the threat was discovered.

The infected version of “ChatGPT for Google” looked just like the real thing. Source

The trojanized copy of “ChatGPT for Google” functioned just like the real one, but with extra malicious functionality: the infected version included additional code designed to steal Facebook session cookies stored by the browser. Using these files, the attackers were able to hijack the Facebook accounts of users who’d installed the infected extension.

The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.

After being hijacked, the Facebook account started promoting ISIS content. Source

In the other case, fraudsters created a completely original extension called “Quick access to Chat GPT”. In fact, the extension actually did what it promised, acting as an intermediary between users and ChatGPT using the AI service’s official API. However, its real purpose was again to steal Facebook session cookies, allowing the extension’s creators to hijack Facebook business accounts.

“Quick access to Chat GPT” malicious extension. Source

Most interestingly, to promote this malicious extension, the perpetrators used Facebook ads, paid for by — you guessed it — the business accounts they’d already hijacked! This cunning scheme allowed the creators of “Quick access to Chat GPT” to attract a couple of thousand new users per day. In the end, both malicious extensions were removed from the store.

ChromeLoader: pirated content containing malicious extensions

Often, creators of malicious extensions don’t place them in the Google Chrome Web Store, and distribute them in other ways. For example, earlier this year researchers noticed a new malicious campaign related to the ChromeLoader malware, already well-known in the cybersecurity field. The primary purpose of this Trojan is to install a malicious extension in the victim’s browser.

This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.

This year, attackers have been using a variety of pirated content as bait to make victims install ChromeLoader. For example, in February 2023, researchers reported the spread of ChromeLoader through VHD files (a disk image format) disguised as hacked games or game “cracks”. Among the games used by the distributors were Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more. As you might guess, all these VHD files contained the malicious extension installer.

A few months later, in June 2023, another group of researchers released a detailed report on the activities of the same ChromeLoader, detailing its spread through a network of sites offering pirated music, movies, and once again, computer games. In this campaign, instead of genuine content, VBScript files were downloaded onto victims’ computers, which then loaded and installed the malicious browser extension.

One of the sites that distributed the ChromeLoader malware under the guise of pirated content. Source

Although the altered search results quickly alert victims to the presence of the dangerous extension in their browser, getting rid of it isn’t so easy. ChromeLoader not only installs the malicious extension but also adds scripts and Windows Task Scheduler tasks to the system that reinstall the extension every time the system reboots.

Hackers reading Gmail correspondence using a spy extension

In March 2023, the German Federal Office for the Protection of the Constitution and the South Korean National Intelligence Agency issued a joint report on the activities of the Kimsuky cybercriminal group. This group uses an infected extension for Chromium-based browsers — Google Chrome, Microsoft Edge, as well as the South Korean browser Naver Whale — to read the Gmail correspondence of their victims.

The attack begins with the perpetrators sending emails to specific individuals of interest. The email contains a link to a malicious extension called AF, along with some text convincing the victim to install the extension. The extension starts working when the victim opens Gmail in the browser where it’s installed. AF then automatically sends the victim’s correspondence to the hackers’ C2 server.

Thus, Kimsuky manages to gain access to the contents of the victim’s mailbox. What’s more, they don’t need to resort to any tricks to hack into this mailbox; they simply bypass the two-factor authentication. As a bonus, this method allows them to do everything in a highly discreet manner — in particular, preventing Google from sending alerts to the victim about account access from a new device or suspicious location, as would be the case if the password were stolen.

Rilide: malicious extension stealing cryptocurrency and bypassing two-factor authentication

Criminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.

In addition, this extension collects and sends browser history to the C2 server and lets the attackers take screenshots. But Rilide’s most interesting feature is its ability to bypass two-factor authentication.

When the extension detects that a user is about to make a cryptocurrency transaction on one of the online services, it injects a script into the page that replaces the confirmation code input dialog, and then steals that code. The payment recipient’s wallet is replaced with one belonging to the attackers, and then, finally, the extension confirms the transaction using the stolen code.

How the malicious Rilide extension was promoted on X (Twitter) under the guise of blockchain games. Source

Rilide attacks users of Chromium-based browsers — Chrome, Edge, Brave, and Opera — by imitating a legitimate Google Drive extension to avoid suspicion. Rilide appears to be freely sold on the black market, so it’s used by criminals unrelated to one another. For this reason, various distribution methods have been discovered — from malicious websites and emails to infected blockchain game installers promoted on Twitter X.

One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.

A step-by-step guide for installing the malicious extension, disguised as a security presentation for Zendesk employees. Source

Dozens of malicious extensions in the Chrome Web Store — with 87 million downloads combined

And, of course, one cannot forget the story of the summer when researchers discovered several dozen malicious extensions in the Google Chrome Web Store, which collectively had more than 87 million downloads from the store. These were various kinds of browser plugins — from tools for converting PDF files and ad blockers to translators and VPNs.

The extensions were added to the Chrome Web Store as far back as 2022 and 2021, so by the time they were discovered they’d already been there for several months, a year, or even longer. Among reviews of the extensions, there were some complaints from vigilant users who reported that the extensions were spoofing search results with advertisements. Unfortunately, the Chrome Web Store moderators ignored these complaints. The malicious extensions were only removed from the store after two groups of security researchers brought the issue to Google’s attention.

The most popular of the malicious extensions — Autoskip for YouTube — had over nine million downloads from the Google Chrome Web Store. Source

How to protect yourself from malicious extensions

As you can see, dangerous browser extensions can end up on your computer from various sources —including the official Google Chrome Web Store. And attackers can use them for a wide range of purposes — from hijacking accounts and altering search results to reading correspondence and stealing cryptocurrencies. Accordingly, it’s important to take precautions:

• Try to avoid installing unnecessary browser extensions. The fewer extensions you have in your browser, the better.
• If you do install an extension, it’s better to install it from an official store rather than from an unknown website. Sure, this doesn’t eliminate the risk of encountering dangerous extensions completely, but at least the Google Chrome Web Store does take its security seriously.
• Before installing, read reviews of an extension. If there’s something wrong with it, someone might have already noticed it and informed other users.
• Periodically review the list of extensions installed in your browsers. Remove any you don’t use — especially ones you don’t remember installing.
• And be sure to use reliable protection on all your devices.

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.

BlueNoroff attacks macOS users and steals cryptocurrency

In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.

The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.

Cover page of the deceptive PDF that the Trojan downloads and shows to the user when launching the file from an infected archive. Source

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.

Proxy Trojan in pirated software for macOS

In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.

As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.

Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.

Atomic stealer in fake Safari browser updates

Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.

The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.

A site with fake Safari browser updates that actually contain the Atomic stealer. Source

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:

• cookies
• logins, passwords, and bank card details stored in the browser
• passwords from the macOS password storage system (Keychain)
• files stored on the hard drive
• stored data from over 50 popular cryptocurrency extensions

Zero-day vulnerabilities in macOS

Unfortunately, even if you don’t download any suspicious files, you avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that any software always has vulnerabilities that attackers can exploit to infect a device, and which require little or no active user action. And the macOS operating system is no exception to this rule.

Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.

This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s opertaing systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.

A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.

Zero-day vulnerabilities in macOS, iOS, and iPadOS discovered in 2023, which were actively exploited by cybercriminals

Other threats and how to protect your Mac

What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:

• Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
• Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
• Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
• Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.

To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.

As a result, it’s not uncommon to hear that WordPress is full of security issues. But all this attention has a positive side to it: most of the threats and the methods to combat them are well known, making it easier to keep your WordPress site safe. That’s what we’ll be discussing in this article.

1. Vulnerabilities in plugins, themes, and the WordPress core (in that order of descending importance)

In all the lists of WordPress security issues available on the internet, it’s things like XSS (cross-site scripting), SQLi (SQL injection), and CSRF (cross-site request forgery) keep popping up. These attacks, alongside various others, are made possible due to vulnerabilities in either the WordPress core software, its plugins or themes.

It’s important to note that, statistically, only a small fraction of the vulnerabilities are found in the WordPress core itself. For example, for the whole of 2022, a mere 23 vulnerabilities were discovered in the WordPress core software — which is 1.3% of the total 1779 vulnerabilities found in WordPress that year. Another 97 bugs (5.45%) were discovered in themes. Meanwhile, the lion’s share of vulnerabilities were found in plugins: 1659 — making up 93.25% of the total.

It’s worth mentioning that the number of vulnerabilities discovered in WordPress should not be a reason to avoid using this CMS. Vulnerabilities exist everywhere; they’re just found most frequently where they’re most actively sought — in the most popular software.

How to improve security:

• Always update the WordPress core promptly. Though vulnerabilities are not found as often here, they are exploited more intensively, so leaving them unpatched is risky.
• Remember to update themes — especially plugins. As mentioned, plugins are responsible for the vast majority of known vulnerabilities in the WordPress ecosystem.
• Avoid installing unnecessary WordPress plugins — those that your site doesn’t need to operate. This will significantly reduce the number of potential vulnerabilities on your WordPress site.
• Promptly deactivate or entirely remove plugins you no longer need.

2. Weak passwords and lack of two-factor authentication

The second major security issue with WordPress is the hacking of sites using simple password guessing (brute-forcing) or compromised usernames and passwords (credential stuffing) from ready-made databases, which are collected as a result of leaks from some third-party services.

If an account with high privileges is compromised, attackers can gain control of your WordPress site and use it for their own purposes: stealing data, discreetly adding to your texts links to the resources they promote (SEO spam), installing malware (including web skimmers), using your site to host phishing pages, and so on.

How to improve security:

• Ensure strong passwords for all users of your WordPress site. To achieve this, it’s good to apply a password policy — a list of rules that passwords must satisfy. There are plugins available that let you implement password policies on your WordPress site.
• Limit the number of login attempts — again, there are plenty of plugins for this purpose.
• Enable two-factor authentication using one-time codes from an app. And again, there are WordPress plugins for this.
• To prevent your WordPress users from having to remember long and complex passwords, encourage them to install a password manager. By the way, our [KPM placeholder]Kaspersky Password Manager[/placeholder] also lets you use one-time codes for two-factor authentication.

3. Poor control over users and permissions

This issue is connected to the previous one: often, owners of WordPress sites don’t manage the permissions of their WordPress users carefully enough. This significantly increases risk if a user account gets hacked.

We’ve already discussed the potential consequences of an account with high access rights being compromised — including those access rights issued mistakenly or “for growth”: SEO spam injection into your content, unauthorized data access, installing malware, creating phishing pages, and so on.

How to improve security:

• Be extremely careful when assigning permissions to users. Apply the principle of least privilege — grant users only the access rights they absolutely need for their tasks.
• Regularly review your list of WordPress users, and remove any accounts that are no longer necessary.
• Move users to less privileged categories if they no longer need elevated permissions.
• Of course, the advice from point 2 also applies here: use strong passwords and enable two-factor authentication.

4. Malicious plugins

Aside from plugins that are “just” vulnerable, there are also outright malicious ones. For example, not long ago, researchers discovered a WordPress plugin masquerading as a page-caching plugin but which was actually a full-fledged backdoor. Its main function was to create illegal administrator accounts and gain complete control over infected sites.

Earlier this year, researchers found another malicious WordPress plugin, which was originally legitimate but had been abandoned by developers over a decade ago. Some bleeding hearts picked it up and turned it into a backdoor — allowing them to gain control over thousands of WordPress sites.

How to improve security:

• Avoid installing unnecessary WordPress plugins. Only install the ones truly essential for your site’s operation.
• Before installing a plugin, read its user reviews carefully — if a plugin does something suspicious, chances are someone’s already noticed it.
• Deactivate or remove plugins you no longer use.
• There are plugins that scan WordPress sites for malware. However, keep in mind they can’t be completely trusted: many of the latest instances of WordPress malware can deceive them.
• If your WordPress site is behaving strangely and you suspect it’s infected, consider contacting specialists for a security audit.

5. Unrestricted XML-RPC Protocol

Another vulnerability specific to WordPress is the XML-RPC protocol. It’s designed for communication between WordPress and third-party programs. However, back in 2015, WordPress introduced support for the REST API, which is now more commonly used for application interaction. Despite this, XML-RPC is still enabled by default in WordPress.

The problem is that XML-RPC can be used by attackers for two types of attacks on your site. The first type is brute-force attacks aimed at guessing passwords for your WordPress user accounts. With XML-RPC, attackers can combine multiple login attempts into a single request, simplifying and speeding up the hacking process. Secondly, the XML-RPC protocol can be used to orchestrate DDoS attacks on your WordPress website through so-called pingbacks.

How to improve security:

• If you don’t plan on using XML-RPC in the near future, it’s best to disable it on your WordPress site. There are several ways to do this. If you need this functionality later, it’s not difficult to re-enable it.
• If you intend to use XML-RPC, it’s advisable to configure its restrictions, which can be done using WordPress plugins.
• Also, to protect against brute-force attacks, you can follow the advice from point 2 of this article: use strong passwords, enable two-factor authentication, and use a password manager. By the way, this is included in the license of our product designed for protecting small businesses — Kaspersky Small Office Security.

However, Nothing Chats was almost immediately found to have a whole host of security and privacy issues. These problems were so serious that less than 24 hours after its release in the Google Play Store, the application had to be removed. Let’s delve into this in more detail.

Nothing Chats, Sunbird, and iMessage for Android

The Nothing Chats messenger was announced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). He talked about how the new messenger from Nothing had plans to allow owners of a Nothing Phone (which is Android-based) to communicate with iOS users through iMessage.

By the way, I recommend watching the video by MKBHD, at least to see how the messenger worked.

The video also briefly outlines how the messenger operates from a technical point of view. To begin, users have to provide Nothing Chats with the login and password to their Apple ID account (and if they don’t have one yet, they need to create one). After this, to indirectly quote the video, “on some Mac mini somewhere on a server farm”, this Apple account is logged in to, after which this remote computer serves as a relay transmitting messages from the user’s smartphone to the iMessage system, and vice versa.

To give credit where credit is due, at the end of the sixth minute, the author of the video makes a point of emphasizing that this approach carries some serious risks. Indeed, logging in with your Apple ID on some unknown device that doesn’t belong to you, located who knows where, is a very, very bad idea for a number of reasons.

The coveted blue message clouds of iMessage — the main promise of Nothing Chats

The Nothing company made no secret of the fact that “iMessage for Android” was not their own development. The company partnered with another company, Sunbird, so the Nothing Chats messenger was a clone of the Sunbird: iMessage for Android application, with some cosmetic interface changes. By the way, the Sunbird app was announced to the press back in December 2022, but its full launch for a wide audience was constantly postponed.

Nothing Chats and security issues

After the announcement, suspicions immediately arose that Nothing and Sunbird would face serious privacy and security issues. As mentioned earlier, the idea of logging in with your Apple ID on someone else’s device is highly risky because this account gives full control over a significant amount of user information and over the devices themselves through the Apple feature Find My…

To reassure users, both Sunbird and Nothing asserted on their websites that logins and passwords aren’t stored anywhere, all messages are protected by end-to-end encryption, and everything is absolutely secure.

Sunbird’s website confirming the security and privacy of iMessage for Android, as well as the use of end-to-end encryption (spoiler: this isn’t true)

However, the reality was way off even the most skeptical predictions. Once the application became available, it quickly became clear that it totally failed to deliver on its promises regarding end-to-end encryption. Worse still, all messages and files sent or received by the user were delivered by Nothing Chats in unencrypted form to two services simultaneously — the Google Firebase database and the Sentry error monitoring service, where Sunbird employees could access these messages.

The FAQ section on the official Nothing Chats page also explicitly mentions end-to-end encryption

And if that still wasn’t enough, not only Sunbird employees but anyone interested could read the messages. The issue was that the token required for authentication in Firebase was transmitted by the application over an unprotected connection (HTTP) and could, therefore, be intercepted. Subsequently, this token provided access to all messages and files of all users of the messenger — as mentioned earlier, all this data was sent to Firebase in plain text.

Once again: despite assurances of using end-to-end encryption, any message from any user on Nothing Chats and all files sent by them — photos, videos, and so on — could be intercepted by anyone.

Also, the FAQ page of Nothing Chats claims that messages are never stored anywhere — doesn’t it make you want to cry?

One of the researchers involved in analyzing the vulnerabilities of Nothing Chats/Sunbird created a simple website as proof of an attack’s feasibility, allowing anyone to see that their messages in iMessage for Android could indeed be easily intercepted.

Shortly after the vulnerabilities were made public, Nothing decided to remove their app from the Google Play Store “to fix a few bugs”. However, even if Nothing Chats or Sunbird: iMessage for Android returns to the store, it’s best to avoid them — as well as any similar apps. This story demonstrates vividly that when creating an intermediary service that allows access to iMessage, it’s very easy to make catastrophic mistakes that put users’ data at extreme risk.

What Nothing Chats users should do now

If you’ve used the Nothing Chats app, you should do the following:

• Log into your Apple ID account from a trusted device, find the page with active sessions (devices you’re logged in to), and delete the session associated with Nothing Chats/Sunbird.
• Change your Apple ID password. It’s an extremely important account, so it’s advisable to use a very long and random sequence of characters — Kaspersky Password Manager can help you generate a reliable password and store it securely.
• Uninstall the Nothing Chats app.
• You can then use a tool created by one of the researchers to remove your information from Sunbird’s Firebase database.
• If you’ve sent any sensitive information through Nothing Chats, then you should treat it as compromised and take appropriate measures: change passwords, reissue cards, and so on. Kaspersky Premium will help you track possible leaks of your personal data linked to email addresses or phone numbers.