As phishing attacks take a toll on the internet users, the losses caused thereof only seem to multiply. Phishing attack prevention is the biggest challenge that lies ahead for netizens. Cyber attacks are imminent and so keeping abreast with the newest technology employed by adversaries is vital for anyone who wishes to keep himself safe from any such attacks. Following are some of the most precarious cyberattacks that made the world jitter in the past week:
Camscanner App Infused With Malware
Kaspersky researchers recently found the document scanning app CamScanner to be inflicted with a malware which they call “AndroidOS.Necro.n”. The app which enables the users to use their mobile devices as document scanners has been downloaded by over 100 million users through the Google Playstore. The malware was hidden in the app and has now been discovered. This malware is a dropper – a type of attack code which first infects a computer or smartphone and upon installation, attempts to install a second Trojan.
Installing these two Trojans would enable the adversaries to spread a malvertising campaign or sign up the smartphone users for services or websites they may not voluntarily want.
Researchers noted that an advertisement SDK (Software Development Kit) was added to the code of the application. The affected people reported that they had lost money after installing the app. Researchers said that often it becomes impossible for even large conglomerates like Google to stop such malware-infected apps from getting through Google Play.
However, for preventing the app from affecting more users, the infected app has been removed by Google upon the notification from Kaspersky and CamScanner has already issued an updated version of the app.
Data Breach At Foxit Software
A result of inefficient anti-phishing protection, the data breach that took place at Foxit Software has compromised the data of many of its users. Although the firm has refused to disclose the exact number of affected accounts, we can estimate the volume by evaluating its vast user base comprising of 100,000 customer organizations with 560 million users across the globe.
Foxit Software is the maker of the popular PDF and document software. Although it isn’t as famous as Adobe, nonetheless it is widely used, particularly by banks. The firm notifies that the breach occurred because the adversaries were able to gain access to its systems. As per the firm’s revelations, the attackers could access “My Account” user data which includes the email addresses, passwords, user names, phone numbers, company names, and IP addresses of the users. The My Account feature lets users download free trial software, access order histories, get product registration information, and other support information. However, the firm assures that no personal identification data or payment card information has been lost in the breach as the account doesn’t store these details.
To ensure phishing protection in the future, the firm has asked all affected users to reset their passwords. It has also hired a security management firm to carefully analyze the attack and protect any such cyber threats in the future.
Facebook Fails To Safeguard Phone Numbers Of Users In The UK
A recent report disclosed that the phone numbers of millions of British Facebook users had been left online in an unprotected database. This database contained 18 million phone numbers and the unique Facebook profile number or “ID” associated with these numbers. These are of users from the UK, and also include another 133 million and 50 million records of users from the US and Vietnam respectively.
Although the database has now been brought down, Facebook is still skeptical that the records have been lost from their end and claim that perhaps the phone numbers had been taken from public accounts before Facebook had changed its privacy settings last year. As an anti-phishing measure, Facebook had removed the feature, which allowed users to locate people using a phone number instead of their name. This was done to prevent attackers from scraping phone numbers and email addresses.
The technique of “sim swapping” or “sim jacking,” which is popular right now makes use of phone numbers of users to get into their bank accounts or other personal accounts. Adversaries scam telecommunication companies’ support assistants into canceling a SIM card over the phone, and request for a new one. The attackers then get access to the number, which is used as a back-up for security like telephone banking or in two-factor authentication. Many people have endured monetary losses because of this, including the founder of Twitter, Jack Dorsey.
Google Held Guilty Of Sharing User Preferences
Google’s contemporary search engine Brave testified that Google has secretly shared the personal details of users with ad-tech companies who then share these details on more than 8.4 million websites. The breach violated Europe’s data protection laws and is most considerable by the Irish Data Protection Commissioner. It is currently inquiring Google’s real-time bidding advertising offering based on the received complaints. A similar investigation is to be carried out by the UK’s Information Commissioner.
To add to the pieces of evidence of Google’s faulty privacy (which is but a violation of the idea of phishing prevention), everyone is trying to promote Dr. Johnny Ryan’s remark. Dr. Ryan, who is the chief policy and industry relations officer at Brave, said that his data was shared with an unknown number of companies because of using Google’s search engine. He added that Google permitted advertisers to combine information about him through hidden “push” pages, invisible to web users, which enabled third parties to locate people online easily.
However, a Google spokesperson replied to all allegations saying that they do not serve personalized ads or send bid requests to bidders without the consent of users. Though they know they aren’t responsible for the breach, Google has extended full cooperation for the investigations of the Irish DPC and the UK ICO.
Impersonated Website BleachBit Spreads Info Stealer
Defying anti-phishing tools, attackers have created a replica of BleachBit – the tool that helps Windows, Linux, and macOS users to reclaim disk space by deleting disposable data. Downloading this fraudulent website spreads an information stealer called AZORult. BleachBit has been downloaded over one million times on Sourceforge since its inception and is also available on the developer’s website.
AZORult is capable of collecting various types of sensitive data from an infected computer such as browser history, saved logins, stored credentials in FTP clients, desktop and text files, etc. The impersonated BleachBit website created by adversaries almost passes for the genuine one because of its adherence to even the minute of details. However, the suspicion bells get rung in our heads for the following reasons:
- Unlike the original website, the fake one has only one link available – the one leading to AZORult.
- The fake website has a video tutorial embedded for a beta version of the program released in 2009.
- The binary of the website, although very similar to the original one, lacks the official icon which is yet another distinguisher.
The security researcher, Benkow, was the first one to discover the fake website. It is unknown how attackers direct the victims to the phony site, but once they fall for it; a ZIP archive from Dropbox gets downloaded on the victim’s system. Once launched, it will automatically harvest a victim’s data and upload it to the attacker’s command and control servers.
Hackers Use Compromised Sharepoint Sites
The latest method adopted by adversaries involves the use of compromised SharePoint sites and OneNote documents to redirect victims from the banking sector to their fraudulent pages. The attackers use the loophole in email security gateways that often overlook the domains used by Microsoft’s SharePoint web-based collaborative platform. This allows the adversaries to give shape to their malicious attempts by making sure that they evade the phishing email prevention methods and reach the inboxes of their prospective victims.
How Does The Scam Work?
- The emails with malicious content are sent to the victims from compromised accounts. These emails ask the victims to review a legal assessors proposal with the link attached.
- These links lead the victim to a SharePoint site created using a hacked account. It asks the victim to download the full version with yet another link they attached which redirects the bank employees to the phishing page.
- Once within this trap, the victims reach the phishing landing page. This is a replica of the login page of OneDrive for Business. It wins the trust of victims with a line that is displayed above the login form which says: “This document is secure, please log in to view, edit, or download. Select an option below to continue.”
A New Medium For Astaroth Trojan Campaign
A new campaign has begun among the adversaries to propagate the famous trojan Astaroth by evading the existing anti-phishing software. Renowned for stealing valuable information, by abusing legitimate operating system tools, the Astaroth Trojan creates much disruption in the world of cybersecurity. In the recent campaign launched to spread the Trojan, Cloudflare Workers serverless computing platform has been used. This platform shall help the Trojan to easily evade being detected and also block automated analysis attempts.
How Does The Trojan Work?
The trojan executes itself in a three-step infection process:
- The first step involves sending a phishing email impersonating an automated email for audit or billing requests. The email contains an HTML attachment with a corrupt JavaScript code which downloads the next payload.
- The second step involves the download of several JSON payloads and as a ZIP file by the user’s browser. This ZIP file has a link that downloads the final payload.
- The third step involves the loading of a malicious DLL which communicates with attacker-controlled YouTube and Facebook profiles to receive the final command-and-control server address.
New Malvertising Campaign Hits WordPress Sites
WordPress websites are getting targeted in a new malvertising campaign. This campaign uses the vulnerabilities existing in WordPress plugins to access the websites. Initially redirecting users to malicious websites, the malvertising campaign has now evolved to install backdoors in the compromised sites by creating a new user with admin privileges.
The adversaries inject corrupt scripts in the WordPress sites by using vulnerabilities in some of the old WordPress plugins that are still in use. This script redirects users to malicious sites and displays unwanted pop-ups. Once, in the redirected website, the malicious droppers are introduced, and backdoors are created. In its recent version, the campaign also creates a new administrator with a JavaScript payload.
Researchers found that though there were several IP addresses behind the attacks, presently, only one of these IP addresses is functional: 104[.]130[.]139[.]134. Presumably, this is a Rackspace server that hosts compromised websites.
The only protection from phishing attacks of this kind is timely and regular updating the plugins. One needs to ensure that they have the latest versions of plugins installed on the websites while using WordPress. Apart from this, having two-factor authentication enabled is an added layer of protection that can be incorporated.
Cybercrime Theft Charges Denied By North Korea
A United Nations report recently announced that North Korea used sophisticated cyber technology to steal an amount as massive as $2 billion from banks and cryptocurrency exchanges. This money was allegedly used by the nation to fund weapons of mass destruction programs. North Korea has, however, denied all charges and has instead held the United States guilty of trying to sabotage their social image and reputation.
A news agency from the nation reported that allegations such as the one in hand are attempts of the United States and similar “hostile forces” at destroying the social image of their country. As this news unfolds, we realize that in spite of having several meetings between U.S. President Donald Trump and North Korean leader Kim Jong Un, there has been little progress in stopping North Korea from continuing its nuclear weapons program.
Quick Heal’s Annual Report On Cyber Attacks In India
Quick Heal – the Indian cybersecurity research and software firm released its annual threat report recently, which has revealed some astonishing and striking figures. Here are some of the primary findings of the report:
- Four metropolitan cities of the nation are severely hit by cyberattacks, namely, Mumbai, Delhi, Bengaluru, and Kolkata. It is not surprising to note this since these are the most vibrant and active hubs of the nation.
- However, the report mentions explicitly that Maharashtra (state), Delhi (nation capital) and West Bengal (state) are the ones most hit by attacks.
- The report states that cyber attacks in India happen under two software divisions – Windows and Android, which are the most widely used ones.
- According to the statistics, the report mentioned that as many as 973 million attacks were registered in the previous year, which means that approx. 1,852 Windows machines get infected with some malware every minute.
- While ransomware causes the least number of these enormous attacks, Trojans, cause the most considerable damage to the nation, followed by standalone worms and infectors. Cryptocurrency related thefts are not uncommon as well with 11 attacks getting registered every minute.
How To Ensure Protection From Phishing For India?
Observations suggest that it is because of the installation of corrupted apps that Android devices get attacked. Thus, the implication that Google Play needs to implement stringent means of scrutiny. As for Windows PCs, the growing number of attacks indicate that perhaps the time has come for Indians to stop compromising on investment in cybersecurity. They should shift to genuine software copies to ensure their safety online.