Russian Scientists Arrested for Using Nuclear Weapon Facility to Mine Bitcoins


Two days ago when infosec bods claimed to have uncovered what's believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of making fear-mongering headlines, taunting that the next headline could be about cryptocurrency-miner detected in a nuclear plant.

It seems that now they have to run a story themselves with such headlines on their website because Russian Interfax News Agency yesterday reported that several scientists at Russia's top nuclear research facility had been arrested for mining cryptocurrency with "office computing resources."

The suspects work as engineers at the Russian Federation Nuclear Center facility—also known as the All-Russian Research Institute of Experimental Physics—which works on developing nuclear weapons. The center is located in Sarov, which remains a restricted area with high security. It is also the birthplace of the Soviet Union's first nuclear bomb.

In 2011, the Russian Federation Nuclear Center switched on a new supercomputer with a capacity of 1 petaflop, making it the twelfth most powerful in the world at the time.

According to Russian media reports, the engineers had tried to use one of Russia's most powerful supercomputers housed in the Federal Nuclear Center to mine Bitcoins.

The suspects were caught red-handed while attempting to connect the lab's supercomputer to the internet. The machine was supposed to be kept offline for security reasons, and the attempt alerted the nuclear center's security department.

Once caught, the engineers were handed over to the Federal Security Service (FSB).

"There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining," Tatyana Zalesskaya, head of the Institute's press service, told Interfax news agency.

"Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them," Zalesskaya added, without revealing the exact number of employees detained.

The Federal Security Service (FSB) has yet to issue a statement on the arrests and criminal charges.

Cryptocurrency has gained tremendous popularity over the past year. Mining a single Bitcoin is no cakewalk, as it requires an enormous amount of computational power and huge amounts of energy.

According to media reports, Russia is becoming a hotbed of cryptocurrency mining due to its low-cost energy reserves. One Russian businessman, Alexey Kolesnik, reportedly also bought two power stations exclusively to generate electricity for Bitcoin-mining data centers.

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of the HTTP channel that most POS malware has used in the past. The malware is also thought to be the first of its kind.

Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while moving stolen payment card data past firewalls and other security controls.

"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blogpost published Thursday.

"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disables them if it finds any. The researchers say it's unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."

Although there is no evidence that the UDPoS malware is currently being used to steal credit or debit card data, Forcepoint's tests have shown that the malware is indeed capable of doing so.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself—it is merely impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.

"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.

"This link, file or executable isn't provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."

According to Forcepoint researchers, protecting against such threats could be a tricky proposition, as "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, providing a golden opportunity for attackers to leak data.
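The same property that makes DNS attractive as an exfiltration channel (it is rarely inspected) also makes the channel easy to spot once you do look: a client that suddenly asks for many long, high-entropy subdomains under one parent domain stands out sharply from normal resolver traffic. The following Python detector is an added example, not Forcepoint's code or anything from the report it describes. It scores a DNS query log with three defender-side heuristics: label length, Shannon entropy of the subdomain part, and the number of distinct subdomains one client requests under the same parent domain. The log format, the hostnames and the IP addresses are all constructed for the example; the "parent domain is the last two labels" rule is a simplification (a real deployment would use the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2018-02-09T10:00:01 10.1.5.20 A www.example.com
2018-02-09T10:00:02 10.1.5.20 A cdn.example.net
2018-02-09T10:00:02 10.1.5.20 A mail.corp.example
2018-02-09T10:00:03 10.1.5.21 A 4a3f9c1e7b2d8e0f6a5c3b1d9e7f2a4c.update-svc.example
2018-02-09T10:00:03 10.1.5.21 A mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi5fa.update-svc.example
2018-02-09T10:00:04 10.1.5.21 A 9e1b7d3f5a2c8e4f0b6d1a3c7e9f5b2d.update-svc.example
2018-02-09T10:00:04 10.1.5.21 A 0c2e4a6b8d1f3a5c7e9b2d4f6a8c1e3b.update-svc.example
2018-02-09T10:00:05 10.1.5.21 A 7b9d1f3a5c2e4a6b8d0f2c4e6a8b1d3f.update-svc.example
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain part, parent domain).
    Simplification: the parent is the last two labels (no Public Suffix List)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed lines rather than crash the run
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def score_query(qname, entropy_threshold=3.5, max_label_len=40, min_sub_len=16):
    """Return the list of heuristic reasons a single query looks like encoded data."""
    sub, _ = split_name(qname)
    reasons = []
    longest = max((len(label) for label in sub.split(".")), default=0)
    if longest > max_label_len:
        reasons.append("long-label")
    if len(sub) >= min_sub_len and shannon_entropy(sub.replace(".", "")) >= entropy_threshold:
        reasons.append("high-entropy")
    return reasons


def analyze(log_text, min_unique_subdomains=5):
    """Flag individual suspicious queries and (client, parent) pairs with too many
    distinct subdomains, which is the volume signature of a DNS exfil channel."""
    subs_per_pair = defaultdict(set)
    query_flags = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, parent = split_name(rec["qname"])
        if sub:
            subs_per_pair[(rec["client"], parent)].add(sub)
        reasons = score_query(rec["qname"])
        if reasons:
            query_flags.append((rec["client"], rec["qname"], reasons))
    volume_flags = [
        (client, parent, len(subs))
        for (client, parent), subs in subs_per_pair.items()
        if len(subs) >= min_unique_subdomains
    ]
    return {"queries": query_flags, "volume": volume_flags}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, qname, reasons in report["queries"]:
        print(f"suspicious query from {client}: {qname} ({', '.join(reasons)})")
    for client, parent, count in report["volume"]:
        print(f"{client} requested {count} distinct subdomains under {parent}")
```

In practice the thresholds are tuned per environment, since CDNs and some antivirus products also emit long or hashed-looking labels; the per-client volume count under one parent domain is usually the lower-noise signal, and it works whatever encoding the payload uses.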

5 Privacy Protecting Apps You Need to Use Right Now

On the internet, you can never be too safe. New threats keep coming up all the time, whether attacking your security or trying to mine your data. It only makes sense to do whatever you can to stay secure. And just as the internet takes, the internet also provides. Developers have made everything from extensions that will stop data-miners to simple apps that monitor how secure you are. Here are five of the best that you should use right away.

1. Two Factor Auth (Web): Lock Your Accounts Twice!

Two-factor authentication (2FA) is fast gaining popularity as a must-have security measure for any digital account.

Two Factor Auth lists every website, whether or not it supports 2FA, and which types of 2FA are available. For example, your secondary token can be hardware or software based, and it can differ in how you receive it: email, phone call, or SMS.

Two Factor Auth Web App

There are some services you should lock down with 2FA right away, but make this site your weekend project. In case the worst happens, you’ll feel mighty thankful.

2. IOT Scanner (Web): Are Your Devices “Open” on the internet?

The “internet of Things” (IoT) promises to change how we live our lives. But it’s also fraught with risk. When you have things like your fridge or your smart TV always connected to the internet, that also leaves them open to hackers. In fact, IoT is a potential security nightmare.

IoT Scanner is a simple tool that figures out which of your devices are publicly exposed. It checks the IP addresses of the gadgets in your home network and sees whether they are listed on Shodan, a database of publicly accessible devices on the internet.

Internet of Things Scanner

After you click the “Check if I am on Shodan” button, it’s a good idea to also run the Deep Scan. That’s the result you really want to know about, and ideally you’re looking for the green tick at the end of it.

3. Deseat.me (Web): Scan Gmail, Find Everything You Signed Up For

Over the years, you’ve probably used your Gmail account to sign up for several services. Whether you used the power of Gmail aliases or not, you might have forgotten which places you have an account at. And if you used the same password and one of those gets hacked, suddenly, you’re in grave danger.

Deseat Me Web App

Deseat.me scans your Gmail inbox to find everything you have signed up for over the years. It reads your emails, yes, but your privacy is guaranteed by working entirely offline. The app does not send any data to its servers. So run it once, let it find everywhere you have registered, and then start visiting those sites to delete the accounts you no longer use.

4. Privacy Badger 2.0 (Chrome, Firefox): The EFF’s Privacy Protecting Extension

Websites are always tracking you. On any page you visit, even something as small as Facebook and Twitter’s social sharing buttons tracks you. All of this information is used to build a “profile” of you that is sold to advertisers. Want to stop that? Privacy Badger is what you need.

Privacy Badger Logo

Privacy Badger is made by the Electronic Frontier Foundation, a non-profit independent group protecting consumers on the internet. Privacy Badger works faster than before and adds more protection. Specifically, it tackles the problem of websites and malware trying to find your IP address, which can lead to more harm later.

Privacy Badger is completely free. The EFF recommends also enabling Do Not Track, but we found that Do Not Track doesn’t do much.

5. Passlock (Web, Chrome, Android, iOS): Easy Email Encryption for Everyone

You already know that sending sensitive data on emails is risky. You never know who might be snooping. The ideal solution is to encrypt your emails, but it’s a messy process. Passlock makes it simple.

https://youtu.be/UxgrES_CGcg

In a nutshell, Passlock is a client for the Pretty Good Privacy (PGP) standard. The app creates a “lock” and a “key” for you. You can send your lock to others. Others can apply your lock to any email they want to send you. This way, since only you have the key, only you’ll be able to open the lock and read the email. Even if someone else intercepts the email, they can’t open it since they don’t have the key.

Passlock works on smartphones as well as with email, including Gmail. It’s extremely easy to use, and it is built by a security professor to boot.

Top Scams of 2017

Unfortunately, identity theft and fraud also have a top ten list, as the following scams demonstrate. This list includes some of the most prevalent scams of 2017, some of the most damaging, and quite frankly, some of the most bizarre.

1. Can You Hear Me? Scam

When news of this scam began to circulate, it almost seemed like a hoax. However, law enforcement agencies all over the country issued warnings after victim reports began to roll in. A caller, presumably fumbling with a headset mic or worried about a bad connection, would ask a simple question—“Can you hear me?”—and record the victim saying, “Yes.” That simple answer led to expensive charges and subscriptions for the victim after their responses were spliced onto a different recorded question.

2. Bank Text Scams

Victims all across the country reported receiving text messages from Wells Fargo, Bank of America, Chase, and other high-profile financial institutions, warning them that something was wrong with their accounts. These “smishing” scams called for recipients to click the included link, which led to installing a virus on the mobile device or taking the victim to a screen to submit all of their highly sensitive personal information to the scammer.

3. Health Insurance Scams

Following the start of a new presidential administration, there was a lot of news circulating about “repealing and replacing” the government healthcare program. That led to scam attempts that offered to secure your health insurance coverage for another year, offers of a new government program, and more, all of which were fake.

4. Student Loan Relief Scams

Again, with the changeover in presidential administrations, scammers also sought out victims by threatening them with the loss of other existing government programs, this one specifically for student loan forgiveness. Any scam that can entice victims to “act now or lose out” can cause even the most sensible people to make a rash decision.

5. Reshipping Scams

This category of scams not only can cause its victims to lose money or personal information, it can also land them in jail. Reshipping scams can involve trafficking in stolen goods or accepting illegal payments then sending that money on to another scammer. Either way, the victim in the middle is just as guilty of a crime as the mastermind behind it. One US citizen in Louisiana has just been indicted on more than 200 counts of wire fraud for serving as the go-between in a Nigerian prince email scam.

6. Nigerian Prince Scams

Speaking of Nigerian princes…those scams aren’t going away anytime soon. What has changed, though, are the tone and the tactics. One version went rampant this year: the death threat. The bone-chilling email says someone has hired the sender to kill you, but he’s been following you and you “seem like a good person.” For the amount of money requested, he will happily not harm you.

7. Social Media Scams

This year saw not only social media scams, but also more variety in the platforms that were used. Facebook hoaxes and gift card scams are nothing new, but they’ve filtered over to other platforms like Instagram and WhatsApp. These typically entice you to click, like, or share in order to earn a gift card or be entered in a drawing. Unfortunately, you’re only increasing their visibility online when you play along, and you’re potentially sharing your sensitive information with scammers.

8. Jury Duty Scams

One commonly reported police warrant fraud this year was the jury duty scam. The victim is informed that they failed to appear for jury duty—because they were never summoned in the first place—and now they must pay a hefty fine for being in contempt of court. That all sounds very plausible, right up until the scammer orders you to pay via prepaid debit card, iTunes gift card, or some other untraceable method.

9. Federal Grant Scams

These scams work because we’ve probably heard about wasteful spending or unclaimed budget line items. This scam informs you that you’re eligible for some type of government money, whether it’s to go back to school, pay off your mortgage, start a business, even to lose weight. Clicking the link will possibly install harmful software on your computer, and you’ll be asked to fill out highly-sensitive forms that scammers will use to steal your identity.

10. Travel Scams

There is a growing world of app-based travel that involves third parties. Companies like Uber and AirBnb don’t actually own any of the vehicles or properties, but you can take advantage of the low cost associated with using another individual’s car or house. While these are absolutely legitimate companies that offer tremendous savings and convenience, there are also plenty of scammers who’ve slipped through the cracks. They sign up to be a driver or to host an accommodation, only for you to be trapped by a bait and switch.

Of course, this list is only skimming the surface of the types of identity information-based crimes that occur each and every day. The most important thing consumers can do is to remain aware and vigilant about the threat; exercising an air of caution can help you pause and think through the ramifications before clicking on that message.