John Snow – Kaspersky official blog
https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

The personal threat landscape: securing yourself smartly | Kaspersky official blog
https://www.kaspersky.com/blog/personal-threat-landscape/48280/ (Fri, 26 May 2023 11:09:19 +0000)

If you try to protect yourself against every threat in the world, you’ll soon run out of energy and make your life unbearable. Three-factor authentication here, a twenty-character password with musical notes and Chinese characters there, different browsers for different websites, and abstinence from social media don’t exactly sound life-asserting.

What hurts the most is that using practically all such security measures won’t help protect you against every threat: new ones just keep on sprouting up, and they call for new protection methods. Meanwhile, most new layers of security lower usability: having two-factor authentication will never be easier than not having it. And that’s the least obnoxious example. So what can you do about this? Create your own threat landscape, as corporations do when they design their security processes, and secure yourself only against those threats within that landscape.

What a threat landscape is, and what it has to do with you

In the field of corporate security, a threat landscape is the aggregate of cyberwoes that threaten a company in a certain industry within a certain period of time. These include vulnerabilities, malware, and ransomware groups and the techniques they use.

An overview of the threat landscape helps define what exactly the company needs to be protected against. Some threats will be more pressing than others, depending on the company’s location and business. And since a security budget always has its limits, just like the number of security staff, it makes sense to secure against the truly relevant threats.

Why not create a threat landscape like that for yourself and base your own personal security strategy on it? This would keep you from getting bogged down with multiple layers of protection and help you keep on using the internet with at least some degree of comfort.

Building a personal threat landscape

Every individual, just like every company, has a threat landscape of their own. Whether you use, say, TikTok or Instagram, and whether you have a password manager or not influences which threats are more relevant to you. Many other factors have an influence too, such as where you live, what operating system you have on your computer, what instant messaging apps you use, and who you text with using these apps.

That said, all these personal threat landscapes have certain elements in common, as we all live in the 21st century, all use computers and smartphones, and all browse the Web. Therefore, for the purposes of this discussion, a personal threat landscape can be divided into common and individual parts, with the common part mostly applicable to everyone, and the individual part determined by the person’s particular situation.

The common part of a threat landscape

If you’re a regular reader of this blog, you have a rough idea of the types of threats that are most frequent and relevant regardless of country of residence. First and foremost, these are phishing, data leaks, and various scams. Every single person needs to stay protected against these.

The best safeguard against phishing is learning to detect it. To do this, you should do the following:

Securing yourself against data leaks is harder, as these are most often not your fault, but that of some service you’re a user of. As every one of us uses many online services — from social media to online stores, and from insurance companies to delivery services — it gets hard to keep an eye on every single one.

Generally, you need to be prepared for leaks, while any of the new Kaspersky products with a data-leak alert feature can help you monitor the ones relevant to you. Monitoring is, for sure, a good thing, but what about the data that gets leaked? Well, this is something you can only respond to: change passwords swiftly, get your bank cards blocked if needed, and keep in mind that being addressed by your full name in an e-mail signed with your personal account manager’s name is no guarantee the e-mail really is from your bank. The bank might have had its database leaked and scammers could be using it for phishing.

Finally, there are all sorts of scams around the world, which do differ significantly among countries. Still, they do have common features. As in the case of phishing, knowledge is your best protection. So, keep reading our blog to learn about various scam types, and take a critical look at everything that’s either too good to be true or screams danger and calls for an immediate response: scammers typically either play on human greed or try putting their victims under stress to unnerve them and have them drop their guard.

Phishing, data leaks and scams are the three most common threat types that are relevant to everyone. Next, let’s discuss the individual part of a threat landscape, which depends on who you are and your online habits.

The individual part of a threat landscape

To create a personal threat landscape, first you need to get introspective and describe yourself and your habits. What websites and instant messaging services do you use? Do you have a separate business phone? Do you work from home or an office, and what computer do you use?

Next, depending on your answers to the above, you can start creating a landscape of relevant threats and security measures simply by going through the list.

Let’s say you’re an active user of social media. In that case, you need to secure yourself against account hacks, ban attacks, and account hijacking (Instagram, Facebook). You also need to set proper privacy settings in Instagram, Facebook, TikTok, and Twitter.

The state of privacy in niche social media, such as Vivino (for wine lovers) and Untappd (for beer lovers), is lamentable: your alcohol discoveries are visible to anyone by default. If you’d rather not share your lost weekend with the world, be sure to configure these apps so that your wine or beer adventures remain your little secret.

Or, say, you’re an avid gamer and a Steam user. If so, you should safeguard yourself against Trojan stealers targeting user accounts and scammers who run schemes inside games that make such activity possible. What can you do about this? Read up on Steam scams, and configure the security features of that service.

Suppose you’re a blogger or the owner of a popular Telegram channel. Well, your biggest threats are account theft and doxing — the latter more commonly experienced by women. What can you do about this? Learn how accounts typically get hijacked, and get a reliable security product to neutralize Trojans and alert you about phishing and personal data leaks.

Even if you decide you’re no longer interested in social media or games, don’t leave your accounts hanging, unattended: they could be hacked and used against you by accessing your personal data. The worst bit is: you won’t learn about this any time soon — or ever. Therefore, we recommend you look at our guide on managing accounts you don’t use/need.

Many naively believe that they may only encounter cyberfraud in their personal space, whereas work is safe, guarded by trained professionals, and generally, no place for scams or phishing! Nothing could be further from the truth. If you’re looking for a job, you could be the perfect target for scammers. If you started working at a new company recently, keep your eyes open for fake coworkers. If you’re remote or use a personal computer for work, set up your workspace so as to avoid harming your employer, and research what software you shouldn’t use for work.

Finally, be especially careful if you’re a crypto investor: since cryptocurrency transactions are not protected by laws, it’s critical to: choose the right storage strategy, remember that even cold wallets can be hacked into, and take every measure to secure your wallets, private keys and seed phrases.

However, even those who’ve covered all bases, installed a reliable program for storing passwords and personal data, and protected every possible account with two-factor authentication, should think ahead about what they’d do should their smartphone with the authenticator app on it break, get lost or stolen. Reach out for our tips on how to back up an authenticator app, or try recovering it if you lost your phone before you could make a backup.

Conclusion

This is how you build your own personal threat landscape: by reviewing every area of your cyberlife. Sad as this may sound, the last step in creating a threat landscape is making a digital last-will-and-testament.

If you design your own personal security strategy around your own threat landscape, you’ll do it faster and keep things simpler than if you try protecting yourself from everything at once. You’ll naturally need knowledge of cybersecurity and online privacy to succeed at this. Subscribe to our mailing list to get new posts in your mailbox and study the threats that belong in your personal threat landscape. Our security solutions can help you neutralize these threats, monitor data leaks, and store personal data safely.

How scammers swindle money out of new employees | Kaspersky official blog
https://www.kaspersky.com/blog/new-employee-scam/47520/ (Tue, 14 Mar 2023 15:59:26 +0000)

The first few days in a new workplace are commonly packed with team meetings, trainings, onboarding sessions, and so on. Much ado with little understanding of what’s going on. At the same time there are certain “rituals” that many new hires go in for these days — one of which being posting on social media (most commonly, but not exclusively, on LinkedIn) about starting a new job. Often, companies themselves announce there how happy they are to welcome a new team member. And that’s when the freshly minted employee attracts the attention of scammers.

As a rule, such social-media posts give the names of both the employee and the company, as well as the job title. This is usually enough to identify the new person’s manager (through the same social network or the corporate website). Knowing the names, you can either find or figure out their e-mail addresses. Firstly, there are lots of e-mail lookup tools to help with this. Secondly, many companies simply use the employee’s first name, or first and last names, as their e-mail usernames, so all that’s needed is to check which system is in use to be able to work out the address. And once they’ve got your e-mail, then it’s time for some social engineering.

Task one: transfer money to scammers

For the first few days in a new job the employee is likely not quite up to speed, yet keen to appear so in the eyes of colleagues and superiors. And this can lower the new employee’s vigilance: they hastily carry out most any task without stopping to think where it came from, whether it sounds reasonable, or whether it’s their business at all. Someone wants it done, so done it must be. This is especially true if the instruction came from their immediate supervisor or even one of the company founders.

Scammers exploit this to trick new employees. They send an e-mail supposedly from the boss or someone senior (but using a non-company address) asking the employee to do a task “right away”. The newbie, of course, is happy to oblige. The task might be, say, to transfer funds to a contractor or purchase gift certificates of a certain value. And the message makes clear that “speed is of the essence” and “you’ll be paid back by the end of the day” (of course!). Scammers highlight the urgency so as not to give the employee time to think or check with someone else.

The boss has an air of authority, and the employee wants to be of use. So, they don’t stop to query the rationale, or why they in particular have been chosen to perform the task. The victim transfers the money to the specified account without hesitation and reports back to the “boss” at the same e-mail address — again failing to spot that the domain name looks suspicious.

The scammer continues to play the role of the big boss: they ask for documents confirming the transaction, and, after receiving them, praise the employee and say that they’ll forward the documents to the initiator of the order (which adds a sense of legitimacy). To complete the feeling of a normal workplace interaction, the attackers also say they’ll be in touch again if anything more is needed from the (hapless) employee.

Only after some time does the employee either start to wonder why they were assigned the task, spot the non-company e-mail address, or mention the incident in conversation with the real boss. Then the sad truth dawns: it was a scam.

Aggravating circumstances

Like other work-related scams, this scheme has benefited from the mass shift to remote working. Even small companies have started hiring from around the world, meaning that some new employees may not only not know what their boss looks and sounds like — but have no way of quickly clarifying with a co-worker, even if they wanted to, whether the task looks to be on the level.

What’s more, if the supervisor and most of the other employees work in different countries, a request to transfer money to someone in your region could feel very plausible. Domestic bank transfers are always easier and faster than international ones, which lends a veil of normalcy to the scam request.

Finally, smaller companies, which seem to be common targets, tend to have less formal money-handling procedures in place — without form-filling or financial controllers: just send it now, put it on your expenses, and you’ll get it back in a bit. This is another factor that imparts legitimacy to scam e-mails.

How employees can avoid the trap

The most important thing for a new employee is not to lose their head trying to be of service to the company.

  • It’s important to look carefully at the addresses from which messages arrive by e-mail or in a messenger. If it looks unfamiliar, redouble your vigilance.
  • Don’t hesitate to ask a colleague whether such a request is normal practice. If something appears odd, better ask now than regret it later.
  • If you get an unusual request seemingly from inside the company, clarify the details with the sender using a different communication channel. Been asked to buy gift certificates by the boss in an e-mail? Check with them in a messenger.

How companies can protect their employees

The most important thing an employer can do is correctly configure the company’s mail server. It can be set up to flag e-mails from non-corporate addresses. For example, Google Workspace, popular with companies, labels such messages as “External” by default. And when you try to reply to such an e-mail, it clearly warns: “Be careful about sharing sensitive information”. Such notifications really help employees know whether they’re talking to a company colleague or not. In addition, we recommend the following:

  • To hold information-security training for employees on their very first day. The session should introduce the concept of phishing (just in case it’s new), as well as give instructions on which practices are in use at the company and which definitely are not.
  • To create an information-security guide for new employees with basic rules and precautions against major threats. See our post for details of what to include.
  • To hold regular security awareness trainings for all employees; for example, using a specialized online platform.
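One way to turn the mail-server flagging described above, plus the by-eye checks a new hire is told to make, into code, as an added example that is not Kaspersky's code and not Google Workspace's implementation: the corporate domain `example.com`, the protected display names, the urgency phrases and the two sample messages are all constructed assumptions. It parses a raw message with Python's standard `email` package, applies an "External" label the way a mail server would, and adds the signals the post walks through: a sender domain that merely resembles the company's, a senior person's display name on a non-company address, a Reply-To pointing somewhere else, and the "right away" language that is meant to stop the recipient thinking.

```python
"""Flag inbound e-mail that is external or impersonates a company insider.

Added example, not Kaspersky's code. Assumptions (constructed for illustration):
the corporate domain `example.com`, the protected display names, the urgency
phrases and the two sample messages below.
"""
from email import message_from_string, policy
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example.com"}          # assumption: the company's own domain(s)
PROTECTED_NAMES = {"jane doe", "ceo office"}  # assumption: names whose authority scammers borrow
URGENCY_WORDS = ("right away", "urgent", "asap", "immediately",
                 "gift card", "gift certificate", "end of the day")


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic DP), used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_lookalike(domain: str) -> bool:
    """True for an external domain within two edits of a corporate one (coarse heuristic)."""
    return any(domain != c and _edit_distance(domain, c) <= 2 for c in CORPORATE_DOMAINS)


def classify(raw_message: str) -> list[str]:
    """Return warning tags for a raw RFC 5322 message; an empty list means nothing stood out."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    tags = []
    if sender_domain not in CORPORATE_DOMAINS:
        tags.append("EXTERNAL")  # what the mail server's "External" label conveys
        if _is_lookalike(sender_domain):
            tags.append("LOOKALIKE_DOMAIN")
        if display_name.strip().lower() in PROTECTED_NAMES:
            tags.append("DISPLAY_NAME_IMPERSONATION")  # the "boss" name on a non-company address
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        tags.append("REPLY_TO_MISMATCH")  # replies would go somewhere other than the sender
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in URGENCY_WORDS):
        tags.append("URGENCY_LANGUAGE")  # "speed is of the essence"
    return tags


def tag_subject(raw_message: str) -> str:
    """Prefix the subject with a visible marker for external mail, as Google Workspace does."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return f"[External] {subject}" if "EXTERNAL" in classify(raw_message) else subject


# Constructed sample messages (not real correspondence).
SAMPLE_SCAM = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: Jane Doe <ceo.janedoe@freemail.invalid>
To: new.hire@example.com
Subject: Quick task

Hi, I need you to buy a few gift certificates right away; you will be paid back by the end of the day.
"""

SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: new.hire@example.com
Subject: Welcome aboard

Welcome to the team! Your onboarding sessions start on Monday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SCAM, SAMPLE_INTERNAL):
        print(tag_subject(sample), classify(sample))
```

The "EXTERNAL" tag alone is the cheap, always-on signal the post recommends; the other tags are what a secure e-mail gateway or a SOC rule would layer on top. The edit-distance threshold is deliberately coarse and will over-flag short domains, so in practice it belongs in a scoring rule rather than a hard block.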
How scammers steal cryptocurrency from Twitter users | Kaspersky official blog
https://www.kaspersky.com/blog/twitter-fake-crypto-scheme/46741/ (Tue, 10 Jan 2023 18:04:04 +0000)

The best way to avoid falling for scams is to always think critically, even skeptically.

What would you do, say, if someone sent you a DM on Twitter with the login credentials for some cryptocurrency account asking for help to withdraw money from it?

The right thing to do would be to ignore the message. But maybe, just maybe, it’s for real? What if this is your chance to get rich? Together let’s take a look at what doesn’t smell right and list all the red flags, especially since Kaspersky experts recently discovered a spam campaign of this type.

First, let’s take a look at a screenshot of the message:

Great news. You’re rich! But hang on a sec…

A stranger on Twitter sends you the credentials supposedly for the account of a certain Adam on some cryptocurrency platform that they say holds a six-figure amount. The sender apparently needs your help to withdraw this amount.

Surprisingly, if you go to the site and enter the credentials, you will be taken to an actual personal account containing the amount specified or thereabouts. But we haven’t yet sniffed out the fraud.

While we were logging in to the site, Adam just got $90,000 richer.

Think critically and look for red flags

Let’s start with the basics: if you had a few hundred thousand dollars, would you ask a complete stranger to help manage it? No? And no one else in their right mind would! This reasoning alone is enough to consign the message (and all other 419 fraud spam) to the trash can.

But our task is to investigate all the red flags, so let’s find a reason to carry on: suppose circumstances have indeed forced a complete stranger to seek help and their choice has landed on you. What else looks out of place?

What a popular account our mystery benefactor has!

First, let’s get to know the anonymous do-gooder a bit better. Their Twitter account has precisely zero followers, and they follow the exact same number of other accounts: another clear red flag, since the whole point of creating a social media account is to communicate and follow others.

Second, our counterparty is not sociable: we tried sending them messages, but got no response for a week. That’s also a red flag, indicating that the message is a mass mailing, which means that tens, hundreds, even thousands of people were sent the same username and password. How many of them do you think already tried to log in?

Third, a reddish flag this one, the username and password suggest the user is called Adam (“Adam’s” password, incidentally, is rather weak), while the Twitter handle the message came from has nothing to do with any Adam. Is it that our counterparty wants to get us to empty a hijacked cryptocurrency account and make us a partner in crime?! (Actually there is no cryptocurrency at all in this account, but more about that later.)

Lastly, experts will spot another red flag — a space in the URL of the site where the cryptocurrency is supposedly located. This is how scammers try to bypass security in the e-mail account where you are notified about a new message on Twitter.

After you actually go to the site, the red flags pop up one after another: the design is simple and slapdash, and googling the domain name serves up only results about scams. A real, even little-known cryptocurrency exchange would surely have some reviews in media or on forums. This one has none, which screams the word “fake.”

And that’s even before we get to the killer red flag, exposing the whole essence of the scam.

Paying to withdraw cryptocurrency

It turns out that in order to withdraw funds outside the platform, one more password is required: a so-called Trade key, which no one gave us. But it is possible to transfer money within the platform itself, for which you need to create a new account with VIP status and fill it up with Adam’s money. That done, we’ll be able to withdraw it without a hitch, because we have all the necessary passwords, right?

Feel like a Very Idiotic Person

To get VIP status, you need to deposit some money to the new account by giving your cryptocurrency wallet details. When you do, there’ll be nothing to withdraw anyway, while your own wallet will be bled dry using the credentials kindly provided by you.

The platform itself is just a phishing site, with no whiff of cryptocurrency. In the recent campaign, scammers set up several such sites and sent out login details to various Twitter accounts.

As for the “cryptocurrency platform,” there are two suspicious signs. First, cryptocurrency is never sent by the give-us-your-wallet-details method; rather you receive a payment address to send the required amount to from your wallet interface. Second, no financial platform worthy of the name would ask you to use third-party funds for handling money already on it. Charge a transfer fee, be our guest, but demand payment using one card to withdraw money from another? That’s downright weird.

And we haven’t even mentioned the bad English and crooked layout — the ever-present hallmarks of phishing sites.

How to avoid phishing nets

So as not to fall victim, you need to understand how scammers work and be able to spot all the inconsistencies. To that end, we have identified all the red flags in the above cryptoscam.

Questions to ask yourself when confronted with any juicy offer are:

  • Why is a complete stranger asking me for help and not someone they know?
  • Could it be a bot?
  • Isn’t it odd that they don’t reply?
  • Does the message look suspicious (for example, in the domain name mentioned there’s a space for fooling mail filters)?
  • What sort of site am I being asked to visit? What are people saying about it online?
  • Do its design and interface inspire trust (sure, half of all websites don’t, but you don’t use them for sending money, right)?
  • Does it seem logical what you’re being asked to do?
  • Is it normal to have to pay using third-party funds to perform transactions with money already on the platform?
  • Am I being hurried so that I would let my guard down?
  • Does it sound too good to be true?

By taking a deep breath and answering them to yourself, you will better understand what is going on and not lose your head over the thought of easy money that seems so close.

The abundance of red flags in this case clearly indicates you’re dealing with scammers. But even just one should be enough to alert you. Even if such a message came not from a random user, but from a friend, you should still be vigilant: who knows, maybe your friend was hacked?

Sadly, scammers thrive due to the fact that even vigilant people are human, and sometimes swallow well-crafted bait. So it’s better to adopt a belt-and-braces approach and use a reliable security solution that spots suspicious links and blocks access to fraudulent sites.

And be sure to read our blog post about how to protect yourself from phishing — a very useful skill that will guard against a variety of troubles.

Miners as a threat to cloud infrastructure | Kaspersky official blog
https://www.kaspersky.com/blog/miners-threaten-cloud-infrastructure/46275/ (Fri, 18 Nov 2022 11:34:32 +0000)

As our recent expert study shows, despite both the drop in price of many cryptocurrencies and the decision of one of the biggest cryptocoins — Ethereum — to move away from mining, malicious miners continue to threaten business. Companies that use cloud infrastructure are particularly at risk. We explore the dangers of mining and how to protect the computing resources of a company from it.

Mining is dead. Long live mining

Many predicted the end of the mining rush after Ethereum’s announcement it would move from confirming transactions using the proof-of-work method to the proof-of-stake model. Proof-of-work requires vast computing power, while proof-of-stake needs significantly fewer participants and resources to confirm a transaction — it’s several thousand times more efficient computationally. The abandonment of the proof-of-work concept, in theory, could have caused a significant decrease in mining’s popularity.

The long-awaited switch went ahead on September 15, and to some extent it did indeed hit mining’s popularity. For instance, the price of video cards used for mining Ethereum dipped sharply as they flooded the secondary market. Those engaged in legal mining began to either switch to mining other cryptocurrencies or to sell their computing systems or come up with other uses for them. However, this decline in activity does not extend to attackers who mine at others’ expense.

The fact is they were never all that focused on mining Ethereum — it was only their third most popular coin. Instead, they preferred to mine Monero, which guarantees total anonymity of transactions. To produce Monero, mining is still required, but video cards are not. This cryptocurrency is best mined on ordinary CPUs, which, unlike powerful GPUs, are found in any computer. The most powerful ones work in servers — naturally, they attract attackers most of all.

How miners threaten business

We’ve already talked about the trouble miners can cause for the average user:

  • High electricity bills
  • Sluggish performance caused by high load on the CPU and video card

It might seem like a storm in a teacup: many keep their computers on all the time anyway, and most users can put up with slowdowns. But for business the threats are far worse. Besides the above, unwanted cryptominers can lead to:

  • Accelerated wear and tear of equipment, causing premature failure (also true for private users, but hits business harder)
  • Increased load on company servers, which, just like a DDoS attack, can take services offline; unavailability or unstable operation of services means losses
  • Increased costs of maintaining cloud infrastructure; this, too, is no joke — when at the end of the month Amazon, Google, or Microsoft adds a zero to the bill, this plays havoc with the company’s balance sheet. According to a Google report, in 86% of cases of successful compromise of a Google Cloud Platform account, the attackers installed miners; at the same time, the costs of mining cryptocurrency in cloud infrastructure are on average 53 times higher than the payoff, which, of course, does not stop cybercriminals, since they do not bear the costs

Miners strike terror into infrastructure providers

Miner attacks pose the worst threat to companies that don’t just use cloud infrastructure, but supply clients with services based on the major providers’ clouds. And especially if they provide IaaS (Infrastructure-as-a-Service) or PaaS (Platform-as-a-Service).

The difference between such businesses and the rest is that they have to worry not only about malicious miners penetrating the infrastructure covertly, but also about regular, legitimate ones.

If a company provides infrastructure or a platform as a service, its clients have a certain degree of freedom in using that infrastructure or platform: they can generally use it as they please, including running various applications — among them miners.

It’s not uncommon for cybercriminals to create multiple accounts on such services all at once, and use these to run miners without letting them consume more resources than the service provides under a free account. Such an attack involving hundreds of accounts can place a monstrous load on the servers, bringing the service to its knees and massively increasing the company’s infrastructure outlays. What’s more, it can be harder for an infrastructure provider to detect such an attack than, say, a SaaS company, since it cannot always see all the processes run by clients due to its own privacy policy.

How business can deal with miners

It’s clear from the above that businesses cannot simply turn a blind eye to the threat of mining. Ideally, it should be prevented in the first place; but if not, it must be detected and stopped as soon as possible.

According to other data from Google, most cases of server compromise are due to weak passwords and insufficient access control. Hence, the focus should be on access to computing resources:

  • Set strong and unique passwords everywhere
  • Always enable two-factor authentication to access the resources of cloud providers (if the password is leaked or brute-forced, the attackers will not gain control over the account without the second factor)
  • Restrict access to infrastructure management — the fewer employees have high access privileges, the less likely access will be compromised
  • Use security solutions that detect suspicious activity on both physical devices and virtual machines

IaaS and PaaS providers, in addition to the above, should:

  • Have the ability to monitor user activity in one way or another; if it’s not possible to monitor active processes at the virtual machine level (preventing execution of identical scripts by different users), at least make sure that one and the same repository is not used by several different accounts
  • Have a well-tuned alert system for atypical activity, and engage experts who can respond quickly
  • Pay increased attention to the timely remediation of vulnerabilities in software that handles the infrastructure or platform, as attackers can exploit them to hack into and install miners
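An added example, not Kaspersky's code, of the provider-side checks in the list above: a small Python scoring routine over job records from a hypothetical IaaS/PaaS control plane. The record fields, the free-tier CPU cap of 3600 seconds per job, the thresholds and the account IDs are all assumptions constructed for illustration. It flags a repository or script hash reused across several accounts (the check the first item recommends when per-process monitoring is not possible) and free-tier accounts whose jobs sit right at the CPU allowance (the atypical activity the second item wants alerts on), and only reports an account when more than one signal agrees, so that a merely popular repository does not trip the alert on its own.

```python
"""Score cloud accounts for free-tier mining abuse from job records.

Added example, not Kaspersky's code. Everything here is an assumption made for
illustration: the record fields, the free-tier CPU cap, the thresholds and the
constructed sample accounts.
"""
from collections import defaultdict
from dataclasses import dataclass

FREE_TIER_CPU_CAP = 3600        # assumption: CPU-seconds a free-tier job may consume
SHARED_ACCOUNT_THRESHOLD = 3    # assumption: a repo/script under this many accounts is a cluster
SATURATION_RATIO = 0.9          # assumption: average job at >= 90% of the cap is "atypical"


@dataclass(frozen=True)
class JobRecord:
    account: str
    repository: str     # source repository the job was started from
    script_sha256: str  # hash of the entrypoint the job executed
    cpu_seconds: int    # CPU time the job consumed
    free_tier: bool     # whether the job ran on the free allowance


def free_tier_saturation(records, ratio=SATURATION_RATIO):
    """Accounts whose free-tier jobs average >= ratio of the cap: miners eat exactly what is free."""
    used, jobs = defaultdict(int), defaultdict(int)
    for r in records:
        if r.free_tier:
            used[r.account] += r.cpu_seconds
            jobs[r.account] += 1
    return sorted(a for a in used if used[a] / (jobs[a] * FREE_TIER_CPU_CAP) >= ratio)


def assess(records, threshold=SHARED_ACCOUNT_THRESHOLD, ratio=SATURATION_RATIO):
    """Map account -> list of reasons. Accounts with no reason are omitted."""
    by_repo, by_hash = defaultdict(set), defaultdict(set)
    for r in records:
        by_repo[r.repository].add(r.account)
        by_hash[r.script_sha256].add(r.account)
    reasons = defaultdict(list)
    # Same repository run under many accounts: the check the post recommends to providers.
    for accounts in by_repo.values():
        if len(accounts) >= threshold:
            for a in accounts:
                reasons[a].append("shared_repository")
    # Identical entrypoint across accounts: stronger than a shared repo, which may just be popular.
    for accounts in by_hash.values():
        if len(accounts) >= threshold:
            for a in accounts:
                reasons[a].append("shared_script")
    for a in free_tier_saturation(records, ratio):
        reasons[a].append("free_tier_saturation")
    return dict(reasons)


def suspicious_accounts(records, min_reasons=2):
    """Accounts where at least min_reasons signals agree; one signal alone is too noisy to act on."""
    return sorted(a for a, why in assess(records).items() if len(why) >= min_reasons)


# Constructed sample: five throwaway accounts run the same script from the same repo
# right at the free allowance; three others merely share a popular web-app repository.
SAMPLE_JOBS = [
    JobRecord(f"acct-00{i}", "git.invalid/u/bench", "sha-miner", 3500, True) for i in range(1, 6)
] + [
    JobRecord("acct-100", "git.invalid/dev/api", "sha-api", 400, True),
    JobRecord("acct-101", "git.invalid/corp/batch", "sha-batch", 20000, False),
    JobRecord("acct-102", "git.invalid/popular/webapp", "sha-web-a", 600, True),
    JobRecord("acct-103", "git.invalid/popular/webapp", "sha-web-b", 600, True),
    JobRecord("acct-104", "git.invalid/popular/webapp", "sha-web-c", 600, True),
]

if __name__ == "__main__":
    for account, why in sorted(assess(SAMPLE_JOBS).items()):
        print(account, why)
    print("act on:", suspicious_accounts(SAMPLE_JOBS))
```

The paying customer with heavy usage (`acct-101`) never appears, because only free-tier jobs count toward saturation; the three accounts sharing the web-app repository get one reason and are left alone. In a real control plane the same scoring would be fed from billing and scheduler data rather than from an in-memory list.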
YoWhatsApp — an infected WhatsApp mod | Kaspersky official blog
https://www.kaspersky.com/blog/why-messenger-mods-are-dangerous/45788/ (Wed, 12 Oct 2022 10:45:51 +0000)

Another WhatsApp modification, known as YoWhatsApp, has turned out to be malicious: it downloads the Triada Trojan to smartphones, which shows ads, secretly subscribes the user to paid content, and steals WhatsApp accounts. How did this happen and what lessons can we learn?

Don’t feed crocodiles with your hand, or Simple Cybersecurity Rules

Probably the most important rule of information security is to reduce your risks. To do this:

  • Don’t visit suspicious websites — they may contain malicious ads or be a front for a phishing scam.
  • Don’t download hacked versions of programs via torrents. If you do, there’s a good chance that cracks will contain a password-stealing Trojan, for example.
  • Don’t click on links in e-mails that were sent from unknown addresses, and don’t open attachments — there could be all kinds of malware lurking there.

You get the idea: being careful goes a long way toward protecting yourself against cyberthreats.

At the same time, it’s still important to keep your antivirus enabled and updated — as insurance in case something happens. Don’t tempt fate by doing the online equivalent of walking down a deserted alley late at night. If you apply a little bit of common sense, you can greatly reduce your chances of falling prey to scammers.

In addition to the above-listed ways to lower the risk of something bad happening, it’s worth adding one more: don’t download mobile apps from unofficial sources. Google and Apple verify apps before adding them to their stores, so the chances of encountering malware there are slim — albeit still not zero (especially in the case of Google Play). Huawei does the same with its Huawei AppGallery store, although malware has already been found there too. But it’s much more likely that you’ll run into malware on open platforms that let you simply download an APK file.

There’s another key security rule: don’t use unofficial clients for messaging apps. To understand why this is important, let’s take a few steps back and look a little more closely at how messaging apps work.

Most of them operate according to the client-server model, where the user interacts directly with the client app. Data exchange between client and server occurs through a special protocol. For many messaging apps this protocol is open. This makes it possible to create unofficial modified clients with additional features, such as viewing messages other users have deleted, creating mass mailings, customizing the interface, and so on.

So where’s the danger? With official clients, you’re entrusting your correspondence only to the creator of the messaging app. When you use an unofficial client, you’re entrusting it not only to the developers of the messaging system but also to the developers of the unofficial client app. On top of that, the modified client may be distributed through unofficial sources (which, as we recall, shouldn’t be trusted). All these are additional stages where something can go wrong — in other words, there are extra risks.

What’s up, Triada

Naturally, something did go wrong, repeating the scenario we wrote about last year. To recap: back then, attackers infected the FMWhatsapp mod with a dropper that downloaded a multifunctional Trojan — Triada — onto users’ devices. This modular Trojan mainly shows ads and signs the user up for paid content.

Now, practically the same thing has happened, with the same messaging app but a different unofficial client. This time, the YoWhatsApp mod, also known as YoWA, has been infected. This mod attracts users with expanded privacy options, the ability to transfer files of up to 700 MB, increased speed, and so on.

Apparently YoWhatsApp caught the eye of the malware distributors because it has a significant user base. Also, the fact that the mod wasn’t allowed on Google Play played into the hands of the criminals. Therefore, users are accustomed to downloading YoWhatsApp from sources of varying degrees of trustworthiness. One of the main distribution channels for the infected version of the mod was advertising in SnapTube, an app for downloading video and audio. SnapTube owners themselves probably didn’t even suspect that one of its advertising campaigns was spreading malware.

Along with the infected YoWhatsApp, users got a dropper that delivered the Triada Trojan to their device. Unlike last year's campaign, the dropper wasn't the only malicious addition this time: YoWhatsApp was also given a feature that allows intruders to steal the keys WhatsApp needs to operate. These keys are enough to hijack an account and use it, for example, to distribute malware or extract money from the victim's contacts.

As a result, the user not only loses money — since Triada signs them up for paid subscriptions — but also risks compromising their contacts, to whom the criminals may try to write in the user’s name.

How to protect yourself from malware on Android

The best way to fight malware is to avoid situations where you might get it in the first place. In this case, there are three simple rules to follow to protect yourself:

  • Don’t download apps from unknown sources. In fact, it’s a good idea to block the ability to install apps from places other than Google Play on your Android smartphone.
  • Don’t install alternative clients for messaging apps. Even if official versions of apps aren’t always ideal, they’re much more reliable and secure.
  • Use good protection and always keep it enabled. Kaspersky for Android can detect different modifications of the Triada Trojan and other Android malware and block them before they have a chance to wreak havoc. Keep in mind that with the free version of our mobile protection you need to manually run the scan every time you download or install something new. The full version automatically scans every new app.
RedLine stealer spreads on YouTube disguised as game cheats | Kaspersky official blog https://www.kaspersky.com/blog/redline-stealer-self-propagates-on-youtube/45528/ Thu, 15 Sep 2022 17:03:28 +0000 https://www.kaspersky.com/blog/?p=45528 The video game market, with its 3.2-billion-strong audience worldwide, attracts every kind of business under the sun. All sorts of computer devices specially created for gamers are already par for the course, but it went beyond that a long time ago. These days, there is gaming furniture, gaming drinks, gaming you-name-it. Is it any wonder that cybercriminals do not stand idly by?

Gamers are passionate people, hooked on their hobby, making them vulnerable to well-designed social engineering. Sometimes it’s enough to simply promise an Android version of a game that’s not on Google Play, or the chance to play games for free. Not to mention that in the world of gaming there is piracy, cheats and dark web forums selling hijacked accounts — a vast canvas for attackers to work with.

Open season on gamers has again been declared: cybercriminals are distributing the RedLine Trojan stealer under the guise of game cheats in an attempt to steal accounts, card numbers, cryptowallets and basically anything else within reach.

Watch on YouTube: Trojan disguised as a cheat

The details of Kaspersky’s latest discovery are set out in our Securelist post, but basically it works as follows: Attackers post videos on YouTube allegedly about how to use cheats in popular online games such as Rust, FIFA 22, DayZ and a couple dozen more. The videos look quite convincing and prompt actions that gamers who are no strangers to cheating are well accustomed to, in particular, following a link in the description to download a self-extracting archive and then running it.

If the download fails, the video creators kindly suggest disabling Windows SmartScreen, the filter that blocks phishing and malicious sites in Microsoft Edge and warns before running unrecognized downloaded executables. For some reason, however, they unkindly fail to mention that this will result in a whole package of malware being installed on the user's computer at once.

First, the unlucky cheater will get the RedLine Trojan stealer, which steals almost any kind of valuable information on the computer, starting with browser-saved passwords. In addition, RedLine can execute commands on the computer, as well as download and install other programs onto the infected machine. So if it can’t manage some malicious task by itself, it can call on friends.

Second, RedLine comes with a cryptocurrency miner for deployment on the victim’s computer. Gaming computers are a logical target for cybercriminals in this regard, since they usually have powerful GPUs, which are quite useful for cryptocurrency mining.

The price to pay for using cheats

For real cheats, players can get banned by the game moderators, but a user who has downloaded and installed a fake cheat can face even worse problems.

First, when installed under the guise of a cheat, RedLine attempts to steal everything of value on the computer, in particular:

  • Account passwords
  • Card details
  • Session cookies for logging in to accounts without passwords
  • Cryptowallet keys
  • Messenger chat history

Second, the cryptominer bundled with RedLine adds the following special effects:

  • Computer slowdown
  • GPU wear and tear
  • Higher electricity bills

Plus the user risks paying with their reputation, because RedLine does another interesting thing: it downloads videos from the command-and-control server and posts them on the victim’s YouTube channel. These are the exact same videos about cheats with the exact same description: download and run the self-extracting archive, after which the cycle repeats but with the next victim. Thus, the Trojan spreads of its own accord, acquiring even more unwitting proponents in the process.

Incidentally, RedLine distributors previously employed a rather similar technique, trying to pass off a malware installer as a Windows 11 update or as an installer for Discord, a platform popular with gamers.

How to stay safe

We really should start with the obvious: don’t download cheats. Besides being unethical, it’s simply not safe. Cheats violate the user agreement with the game developer, which means they automatically occupy a gray zone. By extension, they are never distributed through secure official channels. And when downloading something from unofficial and unverified sources, the chances of encountering malware are always far greater.

In addition, we recommend turning on two-factor authentication wherever possible. That way, even if malware manages to sneak onto your computer and steal important passwords, it won’t be able to use them.

Better still, use and never disable protection features, including browser filtering and a proper security solution. In terms of functionality, even real-deal cheats have a lot in common with malware, which means antiviruses often block their installation. For this reason cheat developers encourage victims to disable their antivirus. You must not do this under any circumstances — once you disable protection, there’s no safety net below.

Successful hack demonstrates Signal security | Kaspersky official blog https://www.kaspersky.com/blog/signal-hacked-but-still-secure/45273/ Wed, 24 Aug 2022 16:41:14 +0000 https://www.kaspersky.com/blog/?p=45273 On August 15, the Signal team reported that unknown hackers attacked users of the messenger. We explain why this incident demonstrates Signal’s advantages over some other messengers.

What happened?

According to the statement issued by Signal, the attack affected around 1900 users of the app. Given that Signal’s audience runs to more than 40 million active users a month, the incident impacted only a tiny share of them. That said, Signal is used predominantly by those who genuinely care about the privacy of their correspondence. So even though the attack affected a minuscule fraction of the audience, it still reverberated around the information security world.

As a result of the attack, the hackers were able to log in to a victim's account from another device, or simply to learn that the owner of a given phone number uses Signal. Among these 1900 numbers, the attackers explicitly searched for three; one of those three users then notified Signal that their account had been activated on another device without their knowledge.

How did it happen?

On the pages of Kaspersky Daily, we have often talked about the fact that Signal is a secure messenger, and yet it was successfully attacked. Does that mean that its renowned security and privacy are just a myth? Let’s see exactly what the attack looked like and what role Signal actually played in it.

Let’s start with the fact that Signal accounts, as in, say, WhatsApp and Telegram, are linked to a phone number. This is common, but not universal practice. For example, the secure messenger Threema proudly states as one of its selling points that it does not tie accounts to phone numbers. In Signal, a phone number is needed for authentication: the user enters their phone number, to which a code is sent in a text message. The code must be entered: if it is correct, that means the user does indeed own the number.

The sending of such text messages with one-time codes is handled by specialized companies that provide the same authentication method for multiple services. In the case of Signal, this provider is Twilio — and it is this company that the hackers targeted.

The next step was phishing. Some Twilio employees received messages saying that their passwords were supposedly old and needed updating. To do so, they were invited to click a (that’s right) phishing link. One employee swallowed the bait, went to the fake site and entered their credentials, which fell straight into the hackers’ hands.

These credentials gave them access to Twilio’s internal systems, enabling them to send text messages to users, and to read them. The hackers then used the service to install Signal on a new device: they entered the victim’s phone number, intercepted the text with the activation code and, voilà, got inside their Signal account.

How this incident proves Signal’s robustness

So, it turns out that even Signal isn’t immune to such incidents. Why, then, do we keep talking about its security and privacy?

First of all, the cybercriminals did not gain access to correspondence. Signal uses end-to-end encryption based on the Signal Protocol: messages exist in readable form only on the participants' devices, and Signal's servers see only ciphertext they have no key to decrypt. Therefore, there is simply no way to read them just by hacking Signal's infrastructure; re-registering the number on a new device gives the attacker an empty account with no message history.

What is stored on Signal's servers is users' phone numbers as well as their contacts' phone numbers. This allows the messenger to notify you when a contact of yours signs up for Signal. However, this data is kept, first, in special storages called secure enclaves, which even Signal developers can't access. And second, the numbers themselves aren't stored there in plain text, but in hashed form. This mechanism allows the Signal app on your phone to send encrypted information about contacts and receive a likewise encrypted reply as to which of your contacts uses Signal. Note that hashing alone would be thin protection, since there are few enough valid phone numbers to hash them all and match them; it is the enclave, not the hash, that keeps the contact list private. In other words, the attackers could not gain access to the user's contact list either.

Lastly, we should stress that Signal was attacked in the supply chain — through a less protected service provider used by the company. This, therefore, is its weak link. However, Signal has safeguards against this, too.

The app contains a feature called Registration Lock (to activate go to Settings → Account → Registration Lock), which requires a user-defined PIN to be entered when activating Signal on a new device. Just in case, let’s clarify that the PIN in Signal has nothing to do with unlocking the app — this is done through the same means you use to unlock your smartphone.

Registration Lock in Signal settings

By default, Registration Lock is disabled, as was the case for at least one of the hacked accounts. As such, the cybercriminals managed to pull off the attack by impersonating the victim of the attack for roughly 13 hours. If Registration Lock had been enabled, they could not have logged in to the app knowing only the phone number and verification code.
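To make the difference concrete, here is an added example (not Signal's code, but a simplified model with hypothetical classes SmsProvider and RegistrationServer) in which the SMS gateway is compromised, so the attacker reads every verification code, and the account is re-registered once without and once with a PIN-based registration lock. The PIN is checked server-side against a PBKDF2 digest here; real Signal derives keys from the PIN and enforces its own rate limits, which this model does not attempt to reproduce. The phone number and PIN are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class SmsProvider:
    """Stand-in for an SMS gateway (the role Twilio plays for Signal).
    Every message reaches the real handset (`inbox`); if the provider is
    compromised, the attacker also sees it (`attacker_log`)."""
    compromised: bool = False
    inbox: dict = field(default_factory=dict)
    attacker_log: list = field(default_factory=list)

    def send(self, number: str, text: str) -> None:
        self.inbox[number] = text
        if self.compromised:
            self.attacker_log.append((number, text))


class RegistrationServer:
    """Hypothetical messenger back end: proves number ownership with an SMS
    code and optionally requires a user-chosen PIN (a registration lock)."""

    def __init__(self, sms: SmsProvider):
        self.sms = sms
        self.pending = {}     # number -> outstanding one-time code
        self.lock_pins = {}   # number -> (salt, PBKDF2 digest of the PIN)
        self.registered = {}  # number -> device the account is bound to

    def request_code(self, number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.sms.send(number, f"Your verification code is {code}")

    @staticmethod
    def _pin_digest(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enable_registration_lock(self, number: str, pin: str) -> None:
        salt = os.urandom(16)
        self.lock_pins[number] = (salt, self._pin_digest(pin, salt))

    def verify(self, number: str, code: str, device_id: str, pin=None) -> bool:
        expected = self.pending.get(number, "")
        if not hmac.compare_digest(expected, code):
            return False
        if number in self.lock_pins:
            salt, digest = self.lock_pins[number]
            # Once the lock is on, a valid SMS code alone is not enough.
            if pin is None or not hmac.compare_digest(digest, self._pin_digest(pin, salt)):
                return False
        del self.pending[number]
        self.registered[number] = device_id
        return True


def extract_code(sms_text: str) -> str:
    """The code is the last token of the message text."""
    return sms_text.rsplit(" ", 1)[-1]


def attacker_takeover(server: RegistrationServer, sms: SmsProvider, number: str) -> bool:
    """Attacker with read access at the compromised SMS provider but no PIN:
    requests a fresh code for the victim's number and replays it."""
    server.request_code(number)
    intercepted = [t for n, t in sms.attacker_log if n == number][-1]
    return server.verify(number, extract_code(intercepted), device_id="attacker-phone")


def run_scenario(registration_lock: bool) -> dict:
    """Victim registers legitimately, then the attacker tries to re-register."""
    sms = SmsProvider(compromised=True)
    server = RegistrationServer(sms)
    victim = "+15551230001"  # constructed sample number
    server.request_code(victim)
    server.verify(victim, extract_code(sms.inbox[victim]), device_id="victim-phone")
    if registration_lock:
        server.enable_registration_lock(victim, "7391")  # constructed sample PIN
    hijacked = attacker_takeover(server, sms, victim)
    return {"hijacked": hijacked, "bound_device": server.registered[victim]}


if __name__ == "__main__":
    print(run_scenario(registration_lock=False))  # account moves to attacker-phone
    print(run_scenario(registration_lock=True))   # stays on victim-phone
```

The model shows why the SMS step proves only that someone can read messages sent to the number, not that they own the handset; a second secret that never travels through the SMS provider is what stops the takeover.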

What can be done to better protect messages?

To sum up: the attackers did not hack Signal itself, but its partner Twilio, giving them access to 1900 accounts, which they used to log in to three of them. What’s more, they gained access to neither correspondence nor contact list, and could only try to impersonate the users of those accounts they penetrated. If these users had turned on Registration Lock, the hackers could not even have done that.

And although the attack was formally a success, there is no reason to get scared and stop using Signal. It remains a pretty secure app that provides good privacy for your messages, as demonstrated by this hacking incident. But you can make it even safer:

  • Enable Registration Lock in the Signal settings, so that cybercriminals can’t log in to your account without knowing your private PIN, even if they have the one-time code for activating Signal on a new device.
  • Read our blog post about setting up privacy and security in Signal, and configure your app. Signal has basic settings as well as options for the truly paranoid, that provide extra security at the cost of some usability.
  • And, of course, install a security app on your smartphone. If malware gets on your device, no safeguards on Signal’s side will protect your messages and contact list. But if malware is not allowed in, or is at least caught in time, there is no threat to your data.
Free tickets on WhatsApp and Facebook: viral fraud | Kaspersky official blog https://www.kaspersky.com/blog/whatsapp-fake-tickets-scam/25419/ Mon, 21 Jan 2019 11:19:37 +0000 https://www.kaspersky.com/blog/?p=25419 If you got a message from a friend in WhatsApp saying that Disneyland is giving away tickets, just politely ignore it: It’s a hoax. In this post, we explain how it works.

Here’s what happens. You get a message from someone in your friend list about a ticket giveaway. If you head to the site, you might read about, say, 500 free tickets to mark Disneyland’s 110th anniversary. Nearly 300 have supposedly been snapped up already, but about 200 are still temptingly available.

What’s more, the page is brimming with comments, seemingly from other users falling over themselves to praise Disneyland and post pictures of the tickets they won.

The procedure for getting a free ticket is very simple. Complete a short survey (usually about 5 simple questions, such as: Have you been to Disneyland before? Are you 18 or over? Do you like Disneyland?), and then share the message with your WhatsApp friends, for which a special button is handily provided on the site.

After that, you’re prompted to boldly click or tap the “Get Tickets” button. But, for some strange reason, the tickets are not forthcoming. Instead, you are likely to be redirected to another site, which sends you to a third, and from there to a fourth, and so on.

In the end, you might end up on a site offering some shady goods or services. In general, you will be redirected to a partner site, so that the owners of the fake Disneyland landing page can be paid for the traffic.

This scheme is now very common, and new fake pages pop up almost daily. WhatsApp or Facebook are used for sending messages, and users are complicit in distributing them when they click “Share” in the hope of getting free tickets.

We have observed the spread of such messages supposedly from Disneyland, Legoland, Europa-Park, Air France, Singapore Airlines, and many others. The companies themselves, of course, have absolutely nothing to do with such pages — the fraudsters simply use famous brands to lure people onto their sites. However, regardless of which companies are exploited, the imitation websites all look similar, and even the comment topics and faces of the commenters are usually the same. Only the logos at the top of the page and certain minor details are different.

Redirecting traffic to partner sites is not the only monetization scheme. You might instead be sent to a page where you can subscribe to a dubious mailing list, or end up on a malicious website (see our post here), or you might be signed up for a mobile operator’s paid services, for which the malefactors earn a percentage. Some media reports state that when a user presses the “Get Tickets” button, an attempt is made to steal their personal data, but we were unable to reproduce this scenario.

In any case, even if you’re not threatened with losing money, personal data, or something else, never follow links in such messages.

You should also definitely not share them with friends or post them on Facebook — you’ll only be helping the scammers to profit. If you receive such a message from a friend on WhatsApp, or spot a link to a nonexistent ticket giveaway on Facebook, kindly inform the sender or poster that they are facilitating a scam.

Top 5 most notorious cyberattacks | Kaspersky official blog https://www.kaspersky.com/blog/five-most-notorious-cyberattacks/24506/ Tue, 06 Nov 2018 09:52:23 +0000 https://www.kaspersky.com/blog/?p=24506 Most cyberattacks are fairly mundane. In the worst cases, the user sees an on-screen ransom demand explaining that the computer is encrypted and can be unlocked after payment. Oftentimes, however, nothing visible happens at all — many types of malware act as surreptitiously as possible to maximize data theft before being spotted.

But with some cyberattacks, their scale or sophistication cannot fail to attract attention. This post is dedicated to the five most spectacular and notorious cyberattacks of the last decade.

WannaCry: A real epidemic

The WannaCry attack put ransomware, and computer malware in general, on everyone’s map, even those who don’t know a byte from a bite. Using exploits from the Equation Group hacking team that were made publicly available by the Shadow Brokers, the attackers created a monstrosity — a ransomware encryptor able to spread quickly over the Internet and local networks.

The four-day WannaCry epidemic knocked out more than 200,000 computers in 150 countries. This included critical infrastructure: In some hospitals, WannaCry encrypted all devices, including medical equipment, and some factories were forced to stop production. Among recent attacks, WannaCry is the most far-reaching.

See here for more details about WannaCry, and here and here for business aspects of the epidemic. Incidentally, WannaCry is still out there, endangering the world’s computers. To find out how to configure Windows to stay protected, read this post.

NotPetya/ExPetr: The costliest cyberattack to date

That said, the title of most costly epidemic goes not to WannaCry but to another ransomware encryptor (technically a wiper, since the data could not be recovered even after payment, but that doesn't alter the bottom line) called ExPetr, also known as NotPetya. Its operating principle was the same: using the EternalBlue and EternalRomance exploits, the worm spread across networks, irreversibly encrypting everything in its path.

Although it was smaller in terms of total number of infected machines, the NotPetya epidemic targeted mainly businesses, partly because one of the initial propagation vectors was through the financial software MeDoc. The cybercriminals managed to gain control over the MeDoc update server, causing many clients using the software to receive the malware disguised as an update, which then spread across the network.

The damage from the NotPetya cyberattack is estimated at $10 billion, whereas WannaCry, according to various estimates, lies in the $4–$8 billion range. NotPetya is considered the costliest global cyberattack in history. Fingers crossed that if this record is ever broken, it won’t be soon.

More information about the NotPetya/ExPetr epidemic can be found in this post; the pain it caused businesses is examined here; and see here for why the epidemic, capable of disabling large businesses, affects not only those whose computers are infected, but everyone else as well.

Stuxnet: A smoking cybergun

Probably the most famous attack was the complex, multifaceted malware that disabled uranium-enrichment centrifuges in Iran, slowing down the country’s nuclear program for several years. It was Stuxnet that first prompted talk of the use of cyberweapons against industrial systems.

Back then, nothing could match Stuxnet for complexity or cunning — the worm was able to spread imperceptibly through USB flash drives, penetrating even computers that were not connected to the Internet or a local network.

The worm spun out of control and quickly proliferated around the world, infecting hundreds of thousands of computers. But it could not damage those computers; it had been created for a very specific task. The worm activated its payload only on machines running Siemens industrial control software that were connected to specific Siemens programmable logic controllers. On landing on such a machine, it reprogrammed these controllers. Then, by driving the uranium-enrichment centrifuges out of their safe rotational speed range, it physically destroyed them.

A lot of ink has been spilled over Stuxnet, including a whole book, but for a general understanding of how the worm spread and what it infected, this post should suffice.

DarkHotel: Spies in suite rooms

It is no secret that public Wi-Fi networks in cafés or airports are not the most secure. Yet many believe that in hotels things should be better. Even if a hotel’s network is public, at least some kind of authorization is required.

Such misconceptions have cost various top managers and high-ranking officials dearly. On connecting to a hotel network, they were prompted to install a seemingly legitimate update for a popular piece of software, and immediately their devices were infected with the DarkHotel spyware, which the attackers specifically introduced into the network a few days before their arrival and removed a few days after. The stealthy spyware logged keystrokes and allowed the cybercriminals to conduct targeted phishing attacks.

Read more about the DarkHotel infection and its aftermath here.

Mirai: The fall of the Internet

Botnets had been around for ages already, but the emergence of the Internet of Things really breathed new life into them. Devices whose security had never been considered and for which no antiviruses existed suddenly began to be infected on a massive scale. These devices then tracked down others of the same kind, and promptly passed on the contagion. This zombie armada, built on a piece of malware romantically named Mirai (translated from Japanese as “future”), grew and grew, all the while waiting for instructions.

Then one day, October 21, 2016, the owners of this giant botnet decided to test its capabilities by causing its hundreds of thousands of digital video recorders, routers, IP cameras, and other "smart" devices to flood the DNS service provider Dyn with requests.

Dyn simply could not withstand such a massive DDoS attack. The DNS, as well as services that relied on it, became unavailable: PayPal, Twitter, Netflix, Spotify, PlayStation online services, and many others in the US were affected. Dyn eventually recovered, but the sheer scale of the Mirai attack made the world sit up and think about the security of “smart” things — it was the mother of all wake-up calls.

You can read more about Mirai, Dyn, and “the attack that broke the Internet” in this post.

5 Fortnite security tips | Kaspersky official blog https://www.kaspersky.com/blog/fortnite-security/23685/ Fri, 31 Aug 2018 13:16:54 +0000 https://www.kaspersky.com/blog/?p=23685 The popularity of Fortnite Battle Royale, a multiplayer video game developed by Epic Games, continues to snowball, especially with the release of the Android version. But unlike the vast majority of developers, Epic has taken the bold step of not making the mobile game available on Google Play. Google has even issued a special statement on that:

Here we explain why this might be dangerous and how to protect your smartphone, Epic Games account, and money.

1. Download Fortnite for Android only from the official site

Fortnite for Android can be downloaded from the official game site. That’s an easy way to avoid fake sites offering Trojans disguised as Fortnite Launchers.

After downloading the game, you must allow installation from third-party sources in your smartphone settings. On older versions of Android this is a single switch, Settings -> Security -> Third-party sources; on Android 8 and later the permission is granted per app, under "Install unknown apps", to the browser or file manager that downloaded the APK:

2. Don’t forget to reset the block on third-party installations

Once you’ve installed Fortnite on your Android smartphone or tablet, don’t forget to deselect the “Third-party sources” option in Android’s settings.

Allowing installation from third-party sources automatically makes the smartphone less secure, because then anything can be installed from anywhere. This setting is exploited by many cybercriminals seeking to cash in on the popularity of Fortnite and other mass-multiplayer games, which involve considerable money streams.

3. On Android, use Fortnite Launcher 2.1.0 or higher

Researchers at Google found that Fortnite Launcher for Android was susceptible to a Man-in-the-Disk attack: the launcher downloaded the game's APK to shared external storage, which any app with storage permission can write to, so a malicious app already on the device could swap the file before the launcher handed it to the installer. In lay terms, the installer would install whatever it was given, including malware, without raising eyebrows.

The developer, Epic Games, has already patched the vulnerability, so Fortnite Launcher 2.1.0 and higher are immune to this kind of attack. That’s why you should use the latest version of the installer.

If you installed the game on your smartphone or tablet using an earlier version, we advise you to remove Fortnite and Fortnite Launcher and then reinstall the game using the new version of the installer. We also recommend scanning the system with an antivirus to check whether this type of attack has been used to install a malicious application on your Android device.

4. Change your Epic Games account password

According to online rumors, a data leak in March 2018 put Epic Games account logins and passwords into the hands of cybercriminals, who promptly made use of them. Forums are full of threads about how Fortnite accounts were stolen and how scammers used them to buy in-game codes, reselling them afterwards on the cheap.

If you created an Epic Games account before March 2018 and didn’t change the password, do it now. Here’s the link you need.

5. Enable two-factor authentication

Even if your password is leaked, cybercriminals won’t be able to access your account without a second factor in the form of a short, one-time-use code. For two-factor authentication (2FA), Epic Games recommends Google Authenticator, and we concur. Alternatively, you could try Microsoft Authenticator, LastPass Authenticator, or Authy. For details on how to opt in to 2FA, see this support page.
