Yet another week passes by, and the number of attacks on innocent netizens only escalates. Hackers are undoubtedly on an endless spree of infecting devices with malware and disrupting the daily activities of people. While many users indirectly encourage attackers by easily giving them the demanded ransom, others choose to stay firm and not do what the hacker wants even if they have to struggle because of this decision. People may adopt the best phishing prevention measures, and yet the attackers will manage to find some tiny crevice to enter and breakdown their entire system. The internet is flooded with news of such incidents that have happened over the week. But here we bring you the most important headlines from the world of cybersecurity:
New Trojan Targets Facebook Ads Manager
In the latest phishing scheme, attackers are spreading a PDF reader, which in reality is an information-stealing trojan that steals Facebook and Amazon session cookies as well as sensitive data from the Facebook Ads Manager. Many websites distributing this so-called PDFreader have been spotted recently. The trojan has been found to have resemblance with AdKoob and Stresspaint and has been detected as “Socelars”. There are chances that this trojan derives inspiration from the others as the coding involved differs a lot.
The trojan initially steals Facebook sessions cookies from Chrome and Firefox by accessing the Cookies SQLite database and then uses it to connect a variety of Facebook URLs. This is where the user’s information gets extracted. Through the account billing URL, the user’s account id and access token get stolen, which in turn is used in a Facebook Graph API call to take details from the user’s Ads Manager settings.
This trojan manages to steal session cookies, access tokens, account ids, advertising email address, associated pages, credit card info (number, expiration date), PayPal email, ad balances, spending limits, etc. but what must not be ignored is that the trojan might be targeting Facebook at the moment but it can, at any time, try to steal session cookies for Amazon.com and Amazon.co.uk.
This trojan enables attackers to use the stolen Facebook cookies to access accounts and create their own ad campaigns. Preventing phishing attacks of this sort is challenging as they work silently in the background, with the users being unaware of the presence of malware in their system. However, researchers found an interesting link according to which many of the requests to the PDFreader domains came from adware bundles that download unnecessary programs in a user’s system such as YeaDesktop.
Malware Infects Thanksgiving Emails
As the US celebrates Thanksgiving, attackers use the opportunity and send out malware such as the Emotet Trojan via holiday-themed emails. This scheme works by sending an impersonated Thanksgiving Day greeting cards and office closing notices with last-minute invoices. If a user falls for this trap and opens the attached Word documents, then he/she gets a nice Thanksgiving present of a computer infected with a password-stealing trojan and other malware.
The said malware comes in various forms; one form identified was that of a Word document file named “Thanksgiving-eCard.doc,” containing a Thanksgiving Day Greeting Card. In yet another form, the attackers pretend that they are replying to a previous email, but in reality, this contains a malicious Word attachment. The attackers have been very cunning in their approach and have mentioned in the email of being shut for the Thanksgiving holiday as well as upcoming future holidays, which nullifies the victim’s prospects of confirming the authenticity of the email. The Word documents attached to the email contain doubtful macros that either download malware from a remote host or extract it from an embedded payload. Clicking on the “Enable Content” button allows the macros to install malware on the user’s system. Once launched, the malware downloads further malware, steals passwords, and installs ransomware at last.
The measures to prevent email phishing remain the same. One must never open emails from strangers and, more particularly, the attachments in the emails. In case an email seems ambiguous, you must confirm its authenticity from the owner. Besides, the red alert message to identify a prospective attack is when an attachment asks you to Enable Content or Enable Editing.
Data Breach At Mixcloud Reveals 20M User Records
The U.K.-based audio streaming platform, Mixcloud, recently underwent a data breach, which has left more than 20 million users exposed and vulnerable after the data was put up for sale on the dark web. The data breach, which happened in early November managed to steal details such as usernames, email addresses, and passwords of users.
The details have probably been scrambled with the SHA-2 algorithm, which makes it almost impossible to decode the passwords. In addition, the stolen data gave records of account sign-up dates and the last-login date, along with the name of the country from which the user signed up, their internet (IP) address, and links to profile photos.
Although the exact number of accounts compromised is not known, the seller claims to list at least 21 million records on the dark web, but researchers say that this figure might go up to 22 million. The sellers were demanding a sum of $4,000, or about 0.5 bitcoin for the stolen records.
Upon being asked to comment on their phishing attack prevention methods, the spokesperson of Mixcloud – Lisa Roolant maintained silence. She also refused to disclose any significant information, including if the company planned to inform regulators under U.S. state and EU data breach notification laws. Mixcloud’s co-founder Nico Perez also maintained a similar silence on the matter. Perhaps the company will have to pay a fine, going up to 4% of their annual turnover for violations of European GDPR rules.
Database Security Lapse Reveals SMS Messages Of Users
TrueDialog – a Texas-based SMS provider for businesses and higher education providers recently saw repercussions of a database security lapse on its part. The company that boasts of having a unique feature that allows recipients to reply to the automated business messages, thereby creating a domain for two-way conversations with brands or businesses, left its database containing messages sent over a span of several years unprotected on the web. This database contained millions of SMS text messages, mainly sent from businesses to potential customers.
Leaving this database unprotected and without a password, let almost anyone view the dialogue between businesses and their customers of various companies. This database was discovered online by security researchers Noam Rotem and Ran Locar. The database contained information such as a customer’s phone number and SMS message contents. It also included information about university finance applications, marketing messages from businesses with discount codes, and job alerts. Among other things contained in the database are the two-factor codes and security messages, which can very easily let an outsider access the online accounts of a customer. The list doesn’t end here; the database also contained the usernames and passwords of the customers.
However, TrueDialog is taking anti-phishing protection measures and has already brought down the unprotected database. However, the company’s chief executive John Wright is avoiding confrontation regarding the breach. He has also refrained from disclosing whether they plan to inform regulators, such as state attorneys general, as per the state data breach notification laws.
Smith & Wesson’s Targeted By Hackers
In a recent Mageart attack, the hackers tried to inject malicious JavaScript scripts into the American gun manufacturer Smith & Wesson’s online store. This script attempts to steal customer’s payment information, which is submitted by an unaware customer to a remote site that is under the control of the attacker.
Security researcher Willem de Groot from Sanguine Security located a Magecart that has compromised Smith & Wesson’s website along with some other sites. This attack is said to have happened a few days before Black Friday. The URL which has injected the malicious script is: live.sequracdn[.]net/storage/modrrnize.js. This script works undercover and is very hard to identify: it appears to be a normal 11KB and non-malicious script.
In this scheme, when a customer enters his/her payment details in the fake form created by the attacker, the information goes to https://live.sequracdn.net/t/ – which belongs to the attackers. The attacker can easily use this stolen information.
Hence, any person who has made purchases from Smith & Wesson in recent times needs to take adequate phishing protection measures and must keep in constant touch with their credit card company to look for any suspicious or fraudulent charges.
FBI Senses Security Danger From Russian Faceapp
Because of Moscow’s ability to access communications directly via internet service providers, the Federal Bureau of Investigation is skeptical about the security policy of any app of Russian origin. The FBI regards any Russian app as a “potential counterintelligence threat”. The current suspicions are about the Russian Smartphone app, which has gained worldwide popularity because of its face-editing filter that ages photos of users’ faces.
Because of this prospective threat, the Democratic National Committee has already taken anti-phishing measures by warning their 2020 presidential candidates not to use the FaceApp. The Democratic U.S. Senate minority leader Chuck Schumer too has asked the FBI and the Federal Trade Commission to have proper investigations regarding the threat factor of the app.
Although they lack evidence testifying FaceApp’s partnership with the Russian government, yet the FBI is ever doubtful of the app’s genuineness.
Launched in 2017, the FaceApp was developed by St. Petersburg based company Wireless Lab. The chief executive officer of Wireless Lab (who was also an executive at Yandex) – Yaroslav Goncharov has denied all accusations on it for selling or sharing user data with third parties. The company went on to say that their server auto deletes user data after 48 hours of submission and that there is no scope of transferring data to Russia.
Cybercrimes Triple At Scotland
The number of cyberattacks in Scotland has increased by an enormous 215% this year as compared to 2018. This indicates that the frequency of attacks has tripled in just a span of one year. The Scottish police remarked that it saw 4,495 cybercrimes reported from April to September this year, including stalking, sexual crimes, and fraud. However, this data is not cumulative of all the divisions, or else the total figure would have been much higher.
The police have also said that because of better detection and identification techniques that have been employed recently along with the latest anti-phishing solutions, the police force can now improve the quality and pace of reporting the cybercrimes in the country.
Malcolm Graham – the Deputy Chief Constable said that with the latest addition of sophisticated measures, the police can now better trace the digital nature of different types of cyberattacks. He said that there is always at least some amount of evidence which occurs in digital form, and therefore tracking the digital footprint of crimes is crucial.
The Scottish police have also initiated a campaign called “Tag it, Mark it, Log it,” whereby every member of the team has to label any crime which has a cyber-element. They believe that this new approach shall quicken the search process in today’s era, where different forms of cybercrimes can be interlinked. The boundaryless world of cybercrimes needs a solution that can trace their trail and hence this campaign of the Scottish police.
Data Breach And Ransomware Attack On BAT
A serious data breach and ransomware attack hit a Romanian web platform owned by British American Tobacco (an international tobacco company).
The data breach led to the loss of as much as 352 GB of data, and this attack was further intensified by a ransom demand from the attackers, which came in a readme file threatening to delete the data from the server if the ransom was not paid. The ransom was demanded in the form of a Bitcoin payment.
The data breach led to the compromise of user details such as their full name, email addresses, phone numbers, dates of birth, gender, source IP, Cigarette and tobacco product preferences, etc. Although the security researchers in charge of ensuring protection from phishing have attempted to uncover the attack, yet the database continues to be available online for over two months now. The team has continuously been trying to reach out to concerned organizations since September 22nd, such as the local and global offices of BAT, the server’s hosting company, Romania’s National Authority for Consumer Protection (ANPC) and the certification authority (CA) – but all to no avail. However, the latest reports state that the database has been finally brought down.
Huawei Mobile’s Twitter Account Hacked
On Black Friday, the official Twitter account of Huawei Mobile Brazil was hacked by some unidentified parties who then posted derogatory messages from Huawei’s account and also provoked the company’s rival – Apple with some offensive messages.
While some of these messages insulted the needy people of Brazil who would never buy a Huawei Smartphone, the others targeted Apple and ended with the statement, “We are the best!”
The company has acknowledged the fact that its products are unaffordable for the vast majority of Brazilians and has disclosed its plans of giving out exclusive discounts from Black Friday. The company’s investments in Brazil continue, with new product launches in recent times, such as the FreeBuds Lite wireless headsets, P30, and P30 Lite.
Despite the company’s efforts to win the Brazilian masses, the tweets on Black Friday did much harm. Huawei now attempts to ensure protection against phishing and has apologized for the shameful conduct that wasn’t intended by the company.
Data Breach At Buyback Website
The Council of Licensed Firearms Owners (COLFO) in New Zealand recently identified a data breach that has pushed the government’s firearms buyback program in turmoil. As a result of this data breach of the buyback website, the police minister – Stuart Nash, has also been asked to resign.
As per COLFO’s report, the users of the buyback web site could access the full contact details, firearm license numbers, and bank address details of more than 37,000 gun owners, along with information on 70,000 firearm hand-in notifications.
Although the New Zealand Police shut down the website immediately after getting to know about it, but it remains unclear as to the period for which the information has been publicly available and accessible online.