Tag Archives: phishing

10Fold – Security Never Sleeps – 79

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Netcraft researchers have discovered an extremely convincing Facebook phishing attack. The fraudsters made their fake “Facebook Page Verification” form, which victims are asked to fill in and submit, look legitimate because the page serving it sits on a Facebook subdomain. One cyber underground group saw a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. As the Republican presidential contenders, Sen. Ted Cruz and Gov. John Kasich, battle over who can best protect America, at least two candidates are having trouble protecting potential voters’ personal information on their campaign apps. Hacking group “PLATINUM” used Windows’ own patching system against it. The previously unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia its biggest victim at just over half the attacks and Indonesia in second place.

Facebook made to serve phishing forms to users – Publication: Help Net Security – Reporter name: Zeljka Zorz

The phishers have registered Facebook apps and have managed to load the form inside them via iframes. The form is hosted on the crooks’ own servers, which also use HTTPS, so no warnings about insecure connections will pop up. Another trick up the fraudsters’ sleeve is that the form returns an “incorrect credentials” notification the first time the user submits it (whether the credentials are correct or not). This trick is meant to convince the most suspicious users, who might have entered incorrect credentials on purpose, that the form works as it should and is legitimate.
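The two structural tells in the attack above (a credential form framed into a trusted site, and credentials posted to a host other than the one the user believes they are on) can be checked mechanically. The following is an added example, not code from the article or from Netcraft: a small page scanner that flags password forms posting off-origin and iframes loading off-origin content. The hostnames (`*.test`) and HTML snippets are constructed for the example.

```python
"""Flag credential forms and iframes whose target host differs from the trusted one.

Added illustration for the Facebook phishing item; sample HTML and the
*.test hostnames are constructed and not taken from the reported attack.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collect <form> elements (noting password fields) and <iframe> src values."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each: {"action": str, "has_password": bool}
        self.iframes = []     # iframe src attributes
        self._current = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "iframe":
            self.iframes.append(attrs.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_offsite_findings(page_url, html, trusted_host=None):
    """Return (kind, target_host) findings for one HTML document.

    kind is "password_form" when a form holding a password field submits to a
    host other than the trusted one, and "iframe" when a frame loads content
    from another host (its forms cannot be inspected from the outer page).
    trusted_host lets a framed document be judged against the site the user
    believes they are on, rather than the frame's own origin.
    """
    scanner = _PageScanner()
    scanner.feed(html)
    reference = (trusted_host or _host(page_url)).lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = _host(urljoin(page_url, form["action"]))
        if target != reference:
            findings.append(("password_form", target))
    for src in scanner.iframes:
        target = _host(urljoin(page_url, src))
        if target and target != reference:
            findings.append(("iframe", target))
    return findings


# Constructed sample: an app page on the trusted site framing a third-party form.
OUTER_PAGE_URL = "https://example-social.test/app/verify"
OUTER_HTML = (
    "<html><body><h1>Page Verification</h1>"
    '<iframe src="https://verify-pages.test/form"></iframe></body></html>'
)
# Constructed sample: the framed document, which posts credentials to its own host.
INNER_PAGE_URL = "https://verify-pages.test/form"
INNER_HTML = (
    '<form action="https://verify-pages.test/submit" method="post">'
    '<input name="email"><input type="password" name="pass"></form>'
)
# Constructed sample: a benign login form posting back to the same site.
BENIGN_HTML = '<form action="/login" method="post"><input type="password" name="p"></form>'

if __name__ == "__main__":
    print(find_offsite_findings(OUTER_PAGE_URL, OUTER_HTML))
    print(find_offsite_findings(INNER_PAGE_URL, INNER_HTML, trusted_host="example-social.test"))
    print(find_offsite_findings(OUTER_PAGE_URL, BENIGN_HTML))
```

Judged on its own origin the inner form looks clean, which is exactly why the frame must be evaluated against the host the user sees in the address bar; the scanner does not detect the "first submission always fails" trick, which leaves no static trace in the markup.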

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop – Publication: Dark Reading – Reporter name: STAFF

The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who’s willing to pay. Ran$umBin has been active for under two months; it is very user-friendly and its business model is simple: hackers can upload stolen data and either sell it to other criminals or extort the data’s owner – while the site takes commission. The site’s cut is based on who the data owner is: criminals who want to buy data belonging to a pedophile would pay $100 and the site would take a 30% commission; if a criminal is looking for data belonging to a celebrity or a law enforcement representative, the price could be double and the commission would climb to 40%. Alternatively, the hacker who uploads the data can choose their own ransom demand and simply send their victim instructions on how to log in to Ran$umBin and pay. I’ve seen several Dox markets, but this one truly stands out: it’s a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or AirBnB.

Cruz, Kasich campaign apps under scrutiny over security issues – Publication: Fox News – Reporter name: STAFF

The official apps for GOP candidates Sen. Ted Cruz and Gov. John Kasich have come under scrutiny after a Monday report from cybersecurity firm Symantec found users’ data was improperly secured and vulnerable to hackers. Symantec’s analysis used a test that collects unencrypted personal data being transmitted from phones running the campaigns’ apps. “The data may be going to a legitimate destination, but it could be intercepted by someone intercepting the traffic,” Symantec engineer Shaun Aimoto said. Cruz data director Chris Wilson on Monday denied the campaign’s app leaks data.

Hacking group “PLATINUM” used Windows’ own patching system against it – Publication: Ars Technica – Reporter name: Peter Bright

Microsoft’s Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks. The focus is on the groups that are the most selective about their targets and that work the hardest to stay undetected. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren’t after credit cards and banking details—but rather broader economic espionage using stolen information.

10Fold – Security Never Sleeps – 31

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: As devices and things get more connected, privacy becomes harder to achieve. Forbes points out the role of data in corporate culture and how some companies are monitoring bathroom use and healthcare data, which raises the question of where privacy fits into all of this. Security firm Trustwave is being sued for a “woefully inadequate” forensics investigation. Symantec security researchers have identified new malware that can defeat two-factor authentication. A new phishing campaign called LostPass has found a way to mimic the actual LastPass error message and trick people into entering their credentials into the phishing page.

From Medical Tests To Drones In Backyards: Is Physical Privacy Dead? – Publication: Forbes – Reporter name: Kalev Leetaru

Looking at trends in the sharing economy, companies like Uber have built an entire industry on the use of data-driven algorithms, with employment and pricing decisions based purely on the cold hard calculus of data. What might happen when this data-driven mindset reaches the world of healthcare? In the corporate pursuit of maximizing employee productivity, it is not a far stretch to imagine a world in which companies use the results of all of this medical data to optimize the lives of their employees and squeeze every bit of work they can from them.

Security Firm Sued For Filing “Woefully Inadequate” Forensics Report – Publication: Ars Technica – Reporter name: Dan Goodin

A Las Vegas-based casino operator, Affinity, has sued security firm Trustwave for conducting an allegedly “woefully inadequate” forensics investigation that missed key details of a network breach and allowed credit card thieves to maintain their foothold during the course of the two-and-a-half-month investigation. The complaint provides a rare glimpse inside the confidential world of security incident response and underscores the consequences when investigations don’t produce the results customers expect. As a result of the follow-on breaches, Affinity was required to obtain a second PCI forensics report from Mandiant and to pay additional assessments so banks could reissue credit cards.

Hackers Have Figured Out A Way To Defeat A Key Protection On Online Accounts – Publication: Business Insider – Reporter name: Rob Price

Two-factor authentication is an important way to help keep your online accounts safe — but it’s not perfect. It requires an extra layer of proof before anyone trying to log in gets access to an account. After the password is entered correctly, a temporary code known as a one-time password (OTP) is sent to the account owner’s smartphone. The code is then entered to complete the login process. That way, even if the user’s password is guessed, stolen, or cracked, the attacker can’t get into the account without physical access to the paired phone. But if the attacker is able to smuggle rogue software onto a user’s smartphone, they can defeat two-factor. Researchers at cybersecurity firm Symantec have discovered malware that can steal OTP codes and use this to hijack a user’s accounts. (The malware was previously reported on by The Register.)

LastPass Phishing Attack Avoids Two-Factor Authentication In Data Theft – Publication: ZDNet – Reporter name: Charlie Osborne

LastPass, like many other systems, is not invulnerable to phishing campaigns — the use of fraudulent emails and Web pages which appear legitimate but are used solely to steal information and install malware. The LostPass phishing campaign works because “LastPass displays messages in the browser that attackers can fake,” according to the researcher. “Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference,” Cassidy noted. “It’s pixel-for-pixel the same notification and login screen.”