Banking Malware uses Fake reCAPTCHA page to target banking customers

A fake Google reCAPTCHA page is at the heart of one of the latest email campaigns targeting customers of a Polish bank. Sucuri researchers reported their discovery on Thursday via their blog.

How it works

Victims are targeted emotionally: attackers play on the sense of urgency a user feels when receiving an email about their financial affairs. Victims receive a fake confirmation email asking them to confirm a recent transaction. Because the attacker sends generalised emails, the message is not tied to any actual transaction. The email carries an attachment containing a malicious .php file. PHP files are commonly used as web page files, generating HTML from a PHP engine running on a web server. The attacker obfuscates the malicious content hidden within, which searches the current directory for files with the same extension. In this instance, the malicious file also keeps a log that captures the user's login, and it serves a fake 404 error page to visitors whose user agent matches a defined list.

Where the Google reCAPTCHA replica page comes in

When a request passes the user-agent filter, the PHP code loads a fake reCAPTCHA page and determines which malware to put on the user's machine. It builds the fake page from a combination of static HTML elements and JavaScript. Because these elements are static, the only visible giveaway is that the images never change: they change only if the malicious PHP file's code changes. Another way to spot the difference is to play the audio challenge, which does not work on the fake page.

When deciding whether to deliver the .zip dropper or the .apk malware to the user's device, the PHP code rechecks the user agent. The .apk malware, for example, is downloaded if the code detects that the user's device runs Android.

Once the malware is installed on the user's device, it starts intercepting SMS multi-factor authentication codes and stealing further credentials.
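As an added illustration (not code from the Sucuri report or from the kit itself), the following Python triage function inspects a set of responses, fetched from a suspicious URL with several user agents, for the three behaviours described above: user-agent cloaking (a fake 404 for some agents), a static fake reCAPTCHA that never loads Google's real widget, and a platform-dependent dropper (.apk for Android, .zip otherwise). The responses, user-agent strings, filenames and HTML are constructed samples.

```python
"""Triage a suspected phishing page for UA cloaking, a fake reCAPTCHA and a
UA-dependent dropper. Added example; the sample responses are constructed."""
import re

# Constructed stand-ins for what fetching the suspicious URL with each
# User-Agent would return: (HTTP status, response body).
SAMPLE_RESPONSES = {
    "Googlebot/2.1": (404, "<h1>404 Not Found</h1>"),
    "Mozilla/5.0 (Windows NT 10.0) Chrome/72.0": (
        200, '<img src="captcha.png"><script>function verify(){'
             'location="payload.zip"}</script>'),
    "Mozilla/5.0 (Linux; Android 8.0) Chrome/72.0": (
        200, '<img src="captcha.png"><script>function verify(){'
             'location="payload.apk"}</script>'),
}

# A genuine reCAPTCHA loads Google's script and renders into a g-recaptcha element.
REAL_RECAPTCHA = re.compile(r'google\.com/recaptcha/api\.js|class="g-recaptcha"')
DROPPER = re.compile(r'["\']([^"\']+\.(?:apk|zip))["\']', re.I)


def detect_cloaking(responses):
    """True when the status code depends on the user agent (e.g. 404 only for crawlers)."""
    return len({status for status, _ in responses.values()}) > 1


def fake_recaptcha(html):
    """True when the page refers to a captcha but never loads the real widget."""
    mentions = re.search(r"captcha", html, re.I) is not None
    return mentions and not REAL_RECAPTCHA.search(html)


def droppers_by_ua(responses):
    """Map each user agent to the dropper filename its page variant points at."""
    out = {}
    for ua, (status, html) in responses.items():
        if status == 200:
            match = DROPPER.search(html)
            out[ua] = match.group(1) if match else None
    return out


def triage(responses):
    """Return the list of suspicious behaviours found across all UA variants."""
    findings = []
    if detect_cloaking(responses):
        findings.append("ua_cloaking")
    pages = [html for status, html in responses.values() if status == 200]
    if any(fake_recaptcha(html) for html in pages):
        findings.append("fake_recaptcha")
    if len({d for d in droppers_by_ua(responses).values() if d}) > 1:
        findings.append("ua_dependent_dropper")
    return findings
```

Running `triage(SAMPLE_RESPONSES)` flags all three behaviours; a real reCAPTCHA page, which loads `google.com/recaptcha/api.js`, is not flagged by `fake_recaptcha`.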

Phishing emails continue to rise, and the tactics behind them keep changing. The banking and financial sector in particular is a frequent target, with BankBot Anubis found again in the Google Play store, Redaman banking malware, Gozi and GandCrab all on the rise.

Original Source Here


Cryptocurrency Broker Had 450,000 of its Users' Credentials Leaked on The Darkweb

The cryptocurrency broker Coinmama has suffered a data breach in which around 500,000 customers' email addresses and password credentials were compromised. The affected customer records stretch back as far as 2017.

Coinmama is an online broker for buying Bitcoin and Ethereum. It lets customers buy cryptocurrency easily, with the option to pay by credit card. With over 1,250,000 customers since 2013, it holds a large database, making it an attractive target for mass data theft.

It comes at a time when a spate of large companies' websites are experiencing the same kind of breach. MyFitnessPal, Houzz and Coffee Meets Bagel are just a few of the affected companies. For more on these stories, see 'A Further 127 Million Users' Records Found for Sale on the Dark Web'.

The latest bundle offered by the hacker Gnosticplayers includes Coinmama's 450,000 records. This is the third round of mass data dumps. It is on offer for 0.351 Bitcoin (£1051) and includes 70,000 cracked passwords.

What do we know about Gnosticplayers?

The hacker Gnosticplayers is suspected of being behind a series of mass data breaches at large company websites. Targeting such companies allowed the actor to obtain data in large amounts because of the companies' large customer bases.

Details of how the actor is stealing the data remain unclear. Researchers have noticed that one common trend across the attacks is the use of PostgreSQL. There are suggestions that the hacker was able to take advantage of vulnerabilities in this open source software. However, PostgreSQL's developers disputed this, stating that they are not aware of any such vulnerabilities. The last known vulnerability was late last year: CVE-2018-16850 allowed an attacker to cause arbitrary SQL statements to run with superuser privileges, and PostgreSQL released updates for all supported versions in response. Alternatively, the applications built around PostgreSQL may have had flaws that gave access to it. The data Gnosticplayers goes after typically includes email addresses, usernames, passwords, phone numbers and IP addresses.

In a recent interview with ZDNet, the alleged hacker claimed to be directly behind the attacks rather than acting only as a middleman. He also said his intention is to sell over 1 billion stolen records and then disappear shortly afterwards. He is not far from that target, as the total to date is just over 830 million.

Recommended steps Coinmama customers should take

Customers are advised to take this opportunity to change their passwords: for their Coinmama account, for the email account connected to it, and for any other accounts that use the same or similar passwords.

Additionally, users should take this opportunity to enable multi-factor authentication on any of their accounts that offer it, for extra security.

Coinmama issued a statement via its blog before the weekend, updating customers about the breach and the swift action it took to contain it. Despite this, the data resurfaced for sale on the dark web over the weekend.

Original Source Here

Cyberattack on VFEmail erases 18 years' worth of customer data, including all backups

A hacker gained access to VFEmail's US servers and destroyed the data they held. The destruction covered 18 years' worth of customer email and included the data on all file and backup servers. One long-time user from Florida, John Senchak, had 60,000 emails going back a decade wiped from his inbox and outbox.

The motive for targeting VFEmail remains unclear, but the evidence so far shows the aim was to destroy data. VFEmail, an email service provider operating primarily in the US, issued the following statement:

“This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,”

The attack, which occurred earlier this week, targeted externally facing servers across the data centres. The hacker managed to gain access to each operating system and bypass various authentication measures, changing everything to the same details. The unidentified hacker also attacked VFEmail's server in the Netherlands. VFEmail discovered the attack at this point and kicked the hacker out of the system. The IP address traced back to a service provider in Bulgaria. Restoration efforts followed, and by Monday afternoon the servers were back up and running and paying customers were receiving email again.

Organisations can put measures in place to mitigate the impact of such attacks

Cases like this are a wake-up call for organisations to ensure business continuity plans are in place, with set procedures for circumstances like these. Businesses should both assess the risk that threats pose to the company and carry out business impact assessments, then put appropriate procedures in place to return the business to normal operation with as little impact as possible. Preserving the availability of data is crucial to maintaining the security of data assets. Processes and procedures should be mapped out for both business continuity and disaster recovery. Offline backups are one example of a control organisations need to ensure is in place following such assessments; it is already a standard control companies use to mitigate the impact of ransomware. Testing these procedures will also show organisations how effective the measures really are.

Original Source Here

Stay Anonymous with kali-anonsurf

Greetings all,

It's been a while since I actually wrote a tutorial. I have been lost in space, but I think I am back now.

The tutorial I want to share today is about a tool called “kali-anonsurf”. This is by far the best and easiest method to set your Kali system to run all its services through Tor. More importantly, the setup is fast and convenient.

Personally, I happened to come across this while using “The Lazy Script” and found it really convenient. For this tutorial, though, instead of using The Lazy Script, we shall install it manually.

Let's begin:

1) Start up your Kali and open a terminal.

2) Type: git clone

3) Type: cd kali-anonsurf to make your way into the directory.

4) To begin installing, type: ./

5) To launch kali-anonsurf, type: anonsurf

6) As you can see, the switches are pretty straightforward. But let's go through them.

7) To start anonsurf, simply open a terminal and type: anonsurf start

8) In the event you would like to stop and restart anonsurf, simply type: anonsurf restart

9) If you feel the need to change your identity on the Tor network, simply type: anonsurf change

10) To check whether Tor is set up successfully, type: anonsurf status

11) To check your new IP address, simply type: anonsurf myip

12) To launch the i2p service, type: anonsurf starti2p

13) You will be presented with the page shown below to adjust your settings.

14) And of course, to stop the i2p service, type: anonsurf stopi2p

15) Let's take a look at my current Tor-enabled IP address.

16) Five minutes later, the IP successfully changes.

17) As you can see, kali-anonsurf is successfully set up! Happy Anonymous Surfing!!

Hope that helps.

The Messiah
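An added check, written for this page and not part of the tutorial or of kali-anonsurf, that confirms after anonsurf start that requests really leave via Tor, and after anonsurf change that the exit address actually changed (the tutorial's steps 9, 10, 11 and 16). It uses the JSON endpoint at check.torproject.org; the sample answers are constructed, and the 10-second wait after anonsurf change is an assumption.

```python
"""Verify that traffic leaves through Tor and that `anonsurf change` gave a
new exit address. Added example; not part of kali-anonsurf."""
import json
import subprocess
import sys
import time
import urllib.request

# check.torproject.org answers {"IsTor": true/false, "IP": "<address it saw>"}
CHECK_URL = "https://check.torproject.org/api/ip"

# Constructed sample answers (TEST-NET addresses) used by the tests below.
SAMPLE_DIRECT = '{"IsTor":false,"IP":"192.0.2.10"}'
SAMPLE_TOR_A = '{"IsTor":true,"IP":"198.51.100.7"}'
SAMPLE_TOR_B = '{"IsTor":true,"IP":"203.0.113.42"}'


def parse_check(body):
    """Reduce the JSON reply to {'is_tor': bool, 'ip': str}."""
    data = json.loads(body)
    return {"is_tor": bool(data.get("IsTor", False)), "ip": str(data.get("IP", ""))}


def assess(before, after):
    """'leak' if either snapshot was seen outside Tor, 'same_exit' if the
    exit address did not change after `anonsurf change`, otherwise 'ok'."""
    if not (before["is_tor"] and after["is_tor"]):
        return "leak"
    if before["ip"] == after["ip"]:
        return "same_exit"
    return "ok"


def fetch_check(url=CHECK_URL, timeout=20):
    """Live lookup; with anonsurf running, this plain request is already
    routed through Tor by the system-wide redirection the tool sets up."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_check(resp.read().decode())


if __name__ == "__main__":
    before = fetch_check()
    subprocess.run(["anonsurf", "change"], check=True)  # step 9 of the tutorial
    time.sleep(10)  # assumption: give Tor a moment to build a new circuit
    after = fetch_check()
    verdict = assess(before, after)
    print(f"before={before['ip']} after={after['ip']} tor={after['is_tor']} -> {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

A "leak" verdict means the check site saw your real address on at least one of the two lookups, so do not trust the setup until anonsurf status shows Tor running and the check passes.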

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine

Xiaomi electric scooters

Electric scooters have proved to be a convenient form of travel over short distances. Security researchers have now highlighted another problem: Xiaomi electric scooters carry serious vulnerabilities. Exploiting the flaws could allow an attacker to remotely hack a scooter and execute commands, such as sudden braking.

Security Flaw Discovered In Xiaomi Electric Scooters

Researcher Rani Idan of Zimperium has discovered a serious vulnerability in Xiaomi electric scooters. According to his findings, the vulnerability could allow an attacker to take control of the machine. A successful remote attack could then result in sudden braking or acceleration.

Reportedly, he discovered problems with the scooters' user authentication process. Describing the details of his findings in a blog post, Idan stated:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password.”

Specifically, the scooter keeps no track of the authentication state, because password validation takes place only on the app side. As a result, an attacker can exploit the bug simply by sending a malicious payload to execute the desired commands. The attacker can be anywhere within about 100 meters of the target device.

Idan has demonstrated the exploit in the following video. It shows a Xiaomi M365 scooter being locked by sending a crafted payload.

A Temporary Mitigation Might Help

The researcher confirmed that he disclosed the flaw responsibly. However, Xiaomi has not yet patched the bug, despite knowing about the vulnerability since January 28, 2019, and despite confirming its knowledge of the flaw in its acknowledgment to the researcher.

Nonetheless, as a temporary mitigation, the researcher suggests that users connect their phone to the scooter through the Xiaomi app before riding.

“Once your mobile is connected and kept connected to the scooter an attacker won’t be able to remotely flash malicious firmware or lock your scooter.”

Original Source Here

Bank of Valletta Shuts Down Its Services After Hackers Attempt To Steal €13 Million

A cyber attack on the Bank of Valletta (BOV) was serious enough that the bank took down its online services as a security precaution. Yesterday morning hackers broke into the banking systems and attempted to move €13 million into overseas accounts. The destinations included the UK, Europe, the USA and Hong Kong. Within 30 minutes the bank blocked the transactions and reported the incident to the local authorities.

As a result, BOV shut down its branches, ATMs and email services. It effectively disappeared from the internet, even shutting off its point-of-sale terminals, which affected local businesses.

Banks are a popular target for hackers

Malta's economy has grown rapidly, making it a honeypot for organised crime groups. The type of attack attempted has not yet been disclosed.

The attack comes after hackers successfully stole just over €53 million from the Far Eastern International Bank in Taiwan two years ago. The hackers planted malware on bank hosts and servers, gaining access to the SWIFT terminal used to transfer the money. They wired it to countries including the US, Cambodia and Sri Lanka. Accessing the SWIFT terminal is a common tactic; it was also used in 2016, when hackers stole just under €72 million.

In 2017 hackers took a different approach in the theft of €11 million from Cosmos Bank. They targeted the bank's ATM testing infrastructure, using spear phishing or other means to gain admin rights over the network. They then created a malicious proxy switch: they broke the connection to the backend and put their own counterfeit system in its place. Because the details never reached the backend, no verification checks were made on card details, and PINs were not verified either. Instead, fake responses authorised the transactions. Millions of euros in withdrawals made with cloned cards were authorised across 28 countries.

[Figure: banking ATM switch architecture (source: Securonix blog post)]

With attacks compromising different parts of the banking system, the precautions BOV took seem proportionate given the damage done in these earlier incidents.

Original Source Here