Spyware Targeting Users Through ISP


by Larry Loeb

FinFisher is a suite of surveillance tools that has achieved notoriety for its use by repressive regimes and rogue states to spy on their citizens and civil rights organizations.

Security firm ESET has now found evidence for the first time that an ISP colluded with third parties to enable this surveillance software.

FinFisher features a wide range of capabilities for spying on users, including, among others, live surveillance through webcams and microphones, keylogging, and the exfiltration of files.

The first way that FinFisher infected victims was fairly typical of malware tricks and often exploited local browser vulnerabilities.

The arsenal included zero-day exploits, spear-phishing emails, drive-by downloads when users navigated to hacked sites, as well as directly installing the malware if physical access could be gained to a target's device.

Some of that still happens. Earlier this month, a spear-phishing campaign targeting Russian users was launched which leveraged an Office 365 zero-day to distribute the malware.

Now ESET has found a

5 Free Resources for More Cybersecurity Awareness in Your Business


Every year, too many companies and organizations still pass up an easy opportunity for making their employees or volunteers more #cyberaware: National Cyber Security Awareness Month, the annual public/private campaign in October to raise public awareness and improve the nation’s overall security posture.

While IT security managers acknowledge the need for finding new and better ways to help users overcome their learned helplessness in the face of cyber threats, a lack of internal resources often prevents them from mounting their own NCSAM efforts and reaching out to employees on all levels.

Does this sound familiar? If so, it’s not too late for your team to get in on this year’s NCSAM action.

Here's a quick fix.

Check out the free tools and resources we have selected for you.

However big or small your organization, they can help you get up and running with your own NCSAM in-house campaign on a budget and in no time:

* The Official NCSAM

Research: Deanonymizing Browser Data Made Easy


This year at DEFCON in Las Vegas, investigative journalist Svea Eckert and researcher Andreas Dewes demonstrated how to deanonymize browsing datasets they had acquired through major browser plugin providers with relative ease.

Their research resulted in a handful of significant findings:

  • 10 “privacy” plugins provided the most voluminous data sets.
  • Data provided is very granular.
  • Contrary to popular belief, deanonymization techniques aren’t novel with the majority being pattern matching rather than complex maths.
  • Using Publicly Available Information (PAI) for correlation makes deanonymization much simpler.

Let’s dig into their research [PDF] to identify the risks involved with plugin usage and techniques utilized for data exploitation. One notable finding even affected an active law enforcement investigation.

Browser Plugins as Data Providers

The security implications of using browser plugins are extensive. Risks abound, from download and installation, through settings and permissions, to possible monetization of user data.

One data provider identified in the research was Web of Trust (WOT) - a plugin installed

How Do I Know If My Local Browser Extension Was Hijacked?


If you’ve installed add-ons or plugins with your browser (like the one that came with your computer), it could be a question you're asking yourself right now.

This week brought news that at least six more extensions for a popular browser were hijacked. Two similar attacks were uncovered only last week. In all these cases the hijackers “updated” the extensions to inject malicious code into web pages. More than a million local browser installations were affected.


At the risk of repeating myself: local browser add-ons put your data at risk. Browsers are targeted in more than 80 percent of online attacks because inherent design flaws and the security weaknesses of common internet protocols make them the most vulnerable component of your personal or business IT.

When connecting to a website, browsers indiscriminately fetch and process code from the web on the local computer. Malicious code may be hidden in a web app or passed through from an ad server on

So Much Leaking.


In the wake of the devastating WannaCry and NotPetya ransomware campaigns, it was hard to imagine that things could get more embarrassing for the IT profession.

That double whammy was possible because IT administrators left firewall ports 445 and 139 open, which allowed the EternalBlue exploit to take hold. Thousands of companies around the world paid the price for IT's negligence.

Despite all the attention, many organizations still haven’t taken the simple step to close the obviously open ports. Once they get hit, regulators and litigators will likely have a field day. Nobody can say IT wasn’t warned.

And now, just a few short weeks later, we learn that security researchers have discovered numerous preventable data leaks that exposed personal, sensitive data of hundreds of millions of users. Where did they find this data?

On Amazon, where else? The go-to web service for storing large amounts of data. Impacted organizations include: