Daily Archives: July 12, 2019

Google Employees Are Eavesdropping on Customers

Google employees and subcontractors are listening to recordings gleaned from Google Home smart speakers and the Google Assistant smartphone app.

A report from Belgian news outlet VRT NWS showed that Google regularly uses staff and subcontractors to transcribe audio recordings taken from its network of home devices for the stated purpose of improving its speech recognition technology. A whistleblower employed as a subcontractor for Google shared over a thousand recordings with VRT NWS, many of which were recorded unintentionally and without the user’s consent.  

While the technology and devices are meant to be restricted to requests starting with the phrase “OK Google,” VRT NWS found that over 150 of the recordings were either made accidentally or where the command “was clearly not given.” Content of the recordings included conversations between parents and children, financial information, potential domestic violence, and medical-related questions. 

“[T]his work is of crucial importance to develop technologies sustaining products such as the Google assistant,” said a spokesman for the company, who added that roughly “0.2 percent of all audio fragments” were being analyzed by employees.

Google claims the recordings are stripped of any personally identifiable information, e.g. user names are replaced with serial numbers, etc. This ultimately does little to protect user privacy, since re-identification May be possible.

“[I]t doesn’t take a rocket scientist to recover someone’s identity; you simply have to listen carefully to what is being said… these employees have to look up every word, address, personal name or company name on Google or on Facebook. In that way, they often soon discover the identity of the person speaking,” said the VRT NWS report.

Read the VRT NWS story here



The post Google Employees Are Eavesdropping on Customers appeared first on Adam Levin.

Is Your WhatsApp Being Weird? You May Need to Check For Hidden Malware

With over 2.5 billion monthly active users that have accumulated since its fruition, Android has seen massive growth over the last 10 years. With so many users, it’s no wonder why cybercriminals continuously look to exploit Android devices. In fact, 25 million Android users have recently been hit with a new malware.

Dubbed Agent Smith, this cyberthreat sneaks onto a user’s device when the user downloads a malicious app from the app store, like a photo utility or game app. The app then silently installs the malware disguised as a legitimate Google updating tool. However, no updating icon appears on the screen, making the user oblivious to their device being in danger. Once installed, the malware replaces legitimate apps on the user’s phone, such as WhatsApp, with an evil update that serves bad ads. According to security researchers, the ads themselves aren’t malicious. But if a victim accidentally clicks on the ad, the hackers can make money from these ad fraud schemes. What’s more, there’s potential that these bad ads aren’t limited to just WhatsApp and could be found on other platforms as well.

So, what can Android users do to prevent this malware from sneaking onto their device? Check out the following tips to help stay secure:

  • Be wary of WhatsApp ads. Android users should take action if they experience advertisements displayed at strange times, such as when they open WhatsApp. The legitimate WhatsApp does not serve ads, so if you experience ads on this platform your device might have been infected.
  • Look out for suspicious apps. Check the apps and notifications section of your Android settings. If you see suspicious apps with names such as Google Updater, Google Installer for U, Google Powers, and Google Installer, uninstall these apps right away.
  • Stay away from unofficial Android stores. Google has extra precautions designed to prevent malware from getting onto the official Android store website, so only downloading apps from there could help protect you.
  • Use a security solution. A solution like McAfee Mobile Security can help Android users stay protected from threats like mobile malware. It also provides a free antivirus cleaner and phone security app to protect your online privacy and enhance device performance.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your WhatsApp Being Weird? You May Need to Check For Hidden Malware appeared first on McAfee Blogs.

Friday Squid Blogging: When the Octopus and Squid Lost Their Shells

Cephalopod ancestors once had shells. When did they lose them?

With the molecular clock technique, which allowed him to use DNA to map out the evolutionary history of the cephalopods, he found that today's cuttlefish, squids and octopuses began to appear 160 to 100 million years ago, during the so-called Mesozoic Marine Revolution.

During the revolution, underwater life underwent a rapid change, including a burst in fish diversity. Some predators became better suited for crushing shellfish, while some smaller fish became faster and more agile.

"There's a continual arms race between the prey and the predators," said Mr. Tanner. "The shells are getting smaller, and the squids are getting faster."

The evolutionary pressures favored being nimble over being armored, and cephalopods started to lose their shells, according to Mr. Tanner. The adaptation allowed them to outcompete their shelled relatives for fast food, and they were able to better evade predators. They were also able to keep up with competitors seeking the same prey.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Threat Roundup for July 5 to July 12

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 5 and July 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com


TRU071219 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Attacks in Turkey Used Excel Formula Injection

Attacks in Turkey Used Excel Formula Injection

Having tracked the activities of threat actors suspected of being involved in a large number of malicious spam attacks targeting organizations based in Turkey, Sophos researchers determined that the attackers flew under the radar using Excel formula injections to deliver the payload. 

“The threat actor predominantly targets victims based in Turkey using malspam email messages written in the Turkish language. The spam author’s grasp of Turkish grammar, among other indicators, lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey,” wrote Sophos’s Gabor Szappanos in a July 12 blog post.

Researchers suspect that the method of attack may soon extend beyond the borders of the Türkiye Cumhuriyeti. “Successful ideas eventually infiltrate the entire crimeware ecosystem, and while this may not be the most effective tool for criminals, they can still use it like any other tool in the toolbox.”

While the attack itself wasn’t highly sophisticated, it used a novel means of delivering malware through simple email messages sent with Excel file attachments that carry out the attack, yet another example of the many ways attackers are evolving their methods to go unnoticed.

Several samples of phishing emails revealed the attackers followed the same structure in crafting the lures. “Later analysis revealed that the emails were generated by a builder that randomly selected from predefined sentence components, which explains the similarities,” Szappanos wrote.

As the email messages evolved, they grew more cryptic, which researchers suspect was due to the threat actor’s attempt for the message to appear less mechanical.

During analysis, researchers found Windows programs hosed on additional servers that were hosting the payload malware. 

“These files were not downloaded by the Excel files, but they must have been placed on the servers by the threat actor. We see no reason for storing them on the servers. The executables in question turned out to be builder programs that generate both the malicious attachment files and the randomized malspam message. These tools also have SMTP mailer functionality to send out the malspam with the attachment."

Hacked Hair Straightener Could Set a Fire

Hacked Hair Straightener Could Set a Fire

Security researchers have hacked hair straighteners from Glamoriser, according to Pen Test Partners. The UK firm bills itself as the maker of the “world’s first Bluetooth hair straighteners,” devices that users can link to an app so that the owner can set the heat and style settings and switch the straighteners off from within Bluetooth range. 

Researchers found it relatively easy to send malicious Bluetooth commands within range, allowing them to remotely control the hair straighteners. The researchers demonstrated that they could send one of several commands over Bluetooth, lowering the temperature to 122°F and raising it as high as 455°F – higher than paper’s burning point. An attacker could remotely alter and override the temperature of the straighteners and how long they stay on. 

“Hair straighteners can cause house fires and skin burns if not used safely. We’ve shown that we can tamper with the temperature, so even if used safely by the user, a hacker can make them less safe,” the researchers wrote.

“It would have been so easy for the manufacturer to include a pairing/bonding function to prevent this. Something as simple as a button to push to put the straighteners in pairing mode would have solved it. Instead, we now have a method to set fire to houses.”

As the straightener is a Bluetooth, a malicious actor intending to start a fire would need to be in range in order to exploit this vulnerability, and Lamar Bailey, senior director of security research at Tripwire, said, “the probability of exploration from a hacker is very low, unless you make a sibling or neighbor (if you live in an apartment) mad at you. If you have this device, remember to be nice to anyone who could be within 33 feet of you straightening your hair.”

In order to mitigate the risks of these connected devices being compromised, Ben Goodman, CISSP, senior vice president of global business and corporate development at ForgeRock, said Glamoriser must hold themselves accountable for securely establishing and maintaining the full lifecycle of IoT devices. 

“IoT projects often prioritize connectivity and data consumption and look to security and privacy as afterthoughts. IoT is here to stay and the identities of connected devices, services and users and their associated credentials must be trusted and usable across numerous connected ecosystems to prevent man-in-the-middle as well as other types of attacks.”

Healthcare Organizations Too Confident in Cybersecurity

Healthcare Organizations Too Confident in Cybersecurity

According to a survey of 100 healthcare professionals from hospitals to physician group practices, more than half of respondents are highly confident in the cybersecurity of their patient portals. 

The State of Patient Identity Management report, published by LexisNexis® Risk Solutions, revealed that healthcare organizations (HCOs) have great confidence in their cybersecurity preparedness. While confidence in their cybersecurity is high, the survey also found that most organizations are only using basic authentication methods despite the growing number of data breaches in which patient identity has been compromised. 

The survey found that 93% of HCOs rely on username and password authentication for patient portals, yet only 65% deploy multi-factor authentication. The results continued to dwindle when respondents were asked about addition authentication methods, according to a press release.

Only 39% of HCOs reported using a knowledge-based Q&A for verification and only 38% use email verification. However, as little as 13% deploy device identification.

Respondents are confident in the strength of their cybersecurity, yet 65% reported that their individual state budgets for patient identity management will not increase in 2019, according to the press release.

"There are some surprises in the results, particularly the higher than expected confidence that organizations have in regards to the security of their patient portal and telemedicine platforms given that only 65% deploy multi-factor authentication," said Erin Benson, director of market planning for LexisNexis Health Care.

"Multi-factor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn't catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users."

The report findings suggest that traditional authentication methods are insufficient, multi-factor authentication should be considered a baseline best practice and the balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy, the press release said.

Google’s Leaked Recordings Violates Data Security Policies

A report, based on the Belgium-based NWT VRT revealed that Google employees routinely listened to audio files recorded by Google Home Smart Home speaker, and Google Assistant smartphones.

As per ZdNet, the report elucidates how employees listen to snippets of the recordings when the user activates the device with the usual “OK Google” commands.

After receiving copies of several recordings, NWS VRT approached users, asking them to check their voices or those of their children and to talk to digital assistance or PDAs.

Google responded to the report by posting a blog titled “More information about our processes to safeguard speech data”.

Google acknowledged that it uses sequences of linguists from around the world who “understood the nuances and accents of a particular language”, and had reviewed and copied a small series of questions to better understand these languages. The terms and condition indicate that the users’ conversations are recorded.

Google blog mentions that that capturing interaction is an important part of the sound technology in the process of creating products like Google Assistant. According to them, various security measures are implemented to protect the privacy of users during the review process.

However, according to Google, the availability of the document violates the privacy policy.

Google product manager of Search David Monsees in a blog penned by him said, “We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.”

According to Google, it applies a wide range of safeguards to protect user privacy throughout the entire review process. The blog further adds, “Language experts only review around 0.2% of all audio snippets. Audio snippets are not associated with user accounts as part of the review process, and reviewers are directed not to transcribe background conversations or other noises, and only to transcribe snippets that are directed to Google.”

The company states that Google Assistant sends audio data to Google after device activation. He also said that devices, including Google Assistant can sometimes receive something like “false accept”, which means there are fewer voices or words in the background than their software interprets as keywords.

Although Google stated that the audio was recorded after the command was heard, NWT VRT stated that out of over a thousand sample heard, 153 should never be recorded and that the “OK Google” command was not clearly given.

In February, Google detailed that its Nest Guard, the centerpiece of the Nest Secure home alarm system, would soon receive Google Assistant functionality — meaning the device needed to have both a speaker and microphone.

Users were not made aware that the Nest Guard had a microphone at all, however.
Google responded that it was nothing more than a mistake to not to tell users about the Nest Guard microphones.

Earlier this year, Amazon found a team of people to answer questions about speakers powered by Alexa Amazon, similar to Google, to improve the accuracy of its voice assistant.

The recording sent to the human team does not have a full name, but is linked to the account name, the device serial number, and the user name of the clip.

Some team members are tasked with copying commands and analyzing whether Alexa answers correctly or not. Others were asked to write background noises and poorly calculated conversations by the device.

Also, Read

Google Duplex Assistant to Reach iPhones, Most Android Phones

Google Stored G Suite Customers Passwords in Plain Text

The post Google’s Leaked Recordings Violates Data Security Policies appeared first on .

This Week in Security News: Banking Malware and Phishing Campaigns

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the banking malware Anubis that has been retooled for use in fresh attack waves. Also, read about a new phishing campaign that uses OneNote audio recordings to fool email recipients.

Read on:

New Miori Variant Uses Unique Protocol to Communicate with C&C

A Mirai variant called Miori recently reappeared, though it has departed from the usual binary-based protocol and instead uses a text-based protocol to communicate with its command-and-control (C&C) server.

Anubis Android Malware Returns with Over 17,000 Samples

The attacker behind the malware Anubis has retooled it, changing its use from cyberespionage to banking malware, combining information theft and ransomware-like routines. Trend Micro recently discovered 17,490 new samples of Anubis on two related servers.  

DevOps Will Fail Unless Security and Developer Teams Communicate Better

According to a Trend Micro survey of IT leaders, DevOps initiatives have become important for 74 percent of organizations over the past year, but communication must improve for DevOps to be successful.

July’s Patch Tuesday Fixes Critical Flaws in Microsoft Edge and Internet Explorer, Including 2 Exploited Vulnerabilities

Microsoft’s July Patch Tuesday release includes updates for almost 80 vulnerabilities, along with two advisories. Other flaws in Azure Automation, Docker, DirectWrite, DirectX, SymCrypt, Windows DNS Server, and Windows GDI have also been resolved.

Nexus Repository Manager Vulnerabilities CVE-2019-9629 and CVE-2019-9630 Could Expose Private Artifacts

Two vulnerabilities were uncovered in Sonatype’s Nexus Repository Manager (NXRM), an open-source governance platform used by DevOps professionals for component management. The vulnerabilities result from the poor configuration of the repository manager’s default settings.

British Airways Faces Record £183m Fine for Data Breach

British Airways is facing a record fine of £183m for last year’s breach of its security systems when details of about 500,000 customers were harvested by attackers through a fraudulent site.

Powload Loads Up on Evasion Techniques

By sifting through six months’ worth of data covering over 50,000 samples from the Trend Micro Smart Protection Network infrastructure, Trend Micro gained insight into how Powload, a cybercrime staple, has incorporated new techniques to increase its effectiveness, especially in its ability to hide from detection.

Microsoft Discovers Fileless Malware Campaign Dropping Astaroth Info Stealer

The Microsoft Defender ATP Research Team released a report covering a malware campaign that dropped the Astaroth trojan into the memory of infected computers by using fileless distribution techniques to hide its activities from security solutions.

New Phishing Campaign Uses OneNote Audio to Lure Users to Fake Microsoft Login Page

In a new phishing campaign reported by Bleeping Computer, audio recordings purportedly shared via OneNote were used as a lure to lead email recipients to a fake Microsoft login page that steals user account credentials.

Zoom Flaw Turns Mac Cam into Spy Cam

A security researcher has found a flaw in the popular video conferencing app Zoom that allows any website to forcibly join a user to a Zoom call, with their video camera activated, without a user’s permission.

New Godlua Backdoor Found Abusing DNS Over HTTPS (DoH) Protocol

A newly discovered backdoor malware dubbed Godlua was discovered conducting DDoS attacks on outdated Linux systems through a vulnerability in the Atlassian Confluence Server.

Where Will Ransomware Go in The Second Half Of 2019?

Based on the latest trends, Trend Micro predicts the threat of ransomware will grow in the second half of 2019 and will continue to shift and change over the coming years.

Migrating Network Protection to the Cloud with Confidence

Trend Micro’s Cloud Network Protection is the first transparent, in-line network security offering for AWS customers: simple to deploy and manage, cloud-ready and leveraging industry leading expertise in network threat protection.

Marriott Faces $123 Million GDPR Fine in the UK for Last Year’s Data Breach

The UK’s Information Commissioner’s Office (ICO) intends to impose a fine of £99,200,396 ($123,705,870) on international hotel chain Marriott for last year’s data breach that impacted 383 million people.

eCh0raix Ransomware Found Targeting QNAP Network-Attached Storage Devices

A newly uncovered ransomware family called eCh0raix, designed for targeted ransomware attacks similar to how Ryuk or LockerGoga were used, is now targeting QNAP network-attached storage (NAS) devices.

Which newly discovered ransomware did you find most interesting this week? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


The post This Week in Security News: Banking Malware and Phishing Campaigns appeared first on .

Cyber News Rundown: Major Spike in Magecart Attacks

Reading Time: ~ 2 min.

Magecart Attacks See Spike in Automation

The latest attack in the long string of Magecart breaches has apparently affected over 900 e-commerce sites in under 24 hours. This increase over the previous attack, which affected 700 sites, suggests that its authors are working on improving the automation of these information-stealing attacks. The results of these types of attacks can be seen in the latest major fines being issued under GDPR, including one to Marriott for $123 million and another to British Airways for a whopping $230.5 million.

Agent Smith Android Malvertiser Spotted

Researchers have been tracking the resurgence of an Android-based malware campaign that disguises itself as any number of legitimate applications to deliver spam advertisements. After being installed from a third-party app store, the malware checks both a hardcoded list and the command-and-control server for available apps to swap out for malicious copies, without alerting the device owner. The majority of targeted devices have been located in southwestern Asia, with other attacks showing up in both Europe and North America.

Third Florida City Faces Ransomware Attack

Almost exactly one month after the ransomware attack on Lake City, Florida, a third Florida city is being faced a hefty Bitcoin ransom to restore their systems after discovering a variant of the Ryuk ransomware. Similar to the prior two attacks, this one began with an employee opening a malicious link from an email, allowing the malware to spread through connected systems. It is still unclear if the city will follow the others and pay the ransom.

British Airways Receives Record GDPR Fine

Following a data breach last year that affected over 500,000 customers, British Airways has been hit with a total fine amount of $230.5 million. The amount is being seen as a warning to other companies regarding the severity of not keeping customer data safe, though it’s still much less than the maximum fine amount of up to 4% of the company’s annual turnover.

Georgia Court System Narrowly Avoids Ransomware Attack

Thanks to the quick work of the IT team from Georgia’s Administrative Office of the Courts (AOC), a ransomware attack that hit their systems was swiftly isolated, leading to minimal damage. Even more fortunate for the AOC, the only server that was affected was an applications server used by some courts but which shouldn’t disrupt normal court proceedings. Just days after the initial attack, the IT teams (aided by multiple law enforcement agencies) were already in the process of returning to normal operations without paying a ransom.

The post Cyber News Rundown: Major Spike in Magecart Attacks appeared first on Webroot Blog.

Episode 535 – Tools, Tips and Tricks – OSINT Framework

This week’s tools, tips and tricks covers the OSINT Framework. This episode goes over the website, what you can find on it and why you should add this to yout collection. Source: OSINT Framework Be aware, be safe. Become A Patron! Patreon Page *** Support the podcast with a cup of coffee *** – Ko-Fi […]

The post Episode 535 – Tools, Tips and Tricks – OSINT Framework appeared first on Security In Five.

16Shop Now Targets Amazon

Since early November 2018 McAfee Labs have observed a phishing kit, dubbed 16Shop, being used by malicious actors to target Apple account holders in the United States and Japan. Typically, the victims receive an email with a pdf file attached.

An example of the message within the email is shown below, with an accompanying translation:

When the victims click on the link in the attached pdf file, they are redirected to a phishing site where they will then be tricked in to updating their account information, which often includes credit card details.

The following is one of the many pdf files that we have seen attached to the phishing emails:

The phishing page is shown below:


The following image shows the information that is being phished:

The following map shows the locations where we have observed this phishing campaign:

The author of this phishing campaign used the conversion site Pdfcrowd.com to create the malicious pdf file, which was attached in the phishing emails. (The pdf tag can be seen below):

16Shop phishing kit

The phishing kit originates in Indonesia and the code handles multiple languages:

Most phishing kits will email the credit card and account details entered on the site directly to the malicious actor. The 16Shop kit does this, too, and also stores a local copy in other text files. This is a weakness in the kit because anyone visiting the site can download the clear-text files (if the attacker uses the default settings).

The kit includes a local blacklist, which blocks certain IP addresses from accessing the website. This blacklist contains lots of IPs of security companies, including McAfee. The blacklisting prevents malware researchers from accessing the phishing sites. A snippet is shown below:

While looking at the code we observed several comments that appear to be tags of the creator. (More on this later.)

The creator of 16Shop also developed a tool to generate and send the phishing emails. We managed to gain a copy and analyze it.

The preceding configuration shows how an attacker can set the subject field as well as the origin address of the email. While looking through the source files, we noticed the file list.txt. This file contains the list of email addresses that the phisher sends to. The example file uses the address riswandanoor@yahoo.com:

This email, along with the name in the comments from the phishing kit, could potentially tell us some more about the creators of the kit.

The author of 16Shop

The author of the kit goes by the alias DevilScreaM. We gathered lots of information on this actor and found that this individual was involved in the Indonesian hacking group “Indonesian Cyber Army.” Several websites were defaced by this group and tagged by DevilScreaM in 2012.

We found DevilScreaM created the site Newbie-Security.or.id, an Indonesian site of hacking tools frequented by members of the Indonesian Cyber Army. We also discovered two eBooks written by DevilScreaM; they contain advice on website hacking and penetration testing.

The timeline of DevilScreaM’s activity shows a notable change in late 2012 and the middle of 2013. DevilScreaM stopped defacing websites and created an anti-malware product, ScreaMAV, for the Indonesian market. This “white hat” activity did not last. In mid-2013 they began defacing sites again and posting exploits on 0day.today mostly around WordPress vulnerabilities.

DevilScreaM’s GitHub page contains various tools, including a PHP remote shell used on compromised websites as well as commits on the z1miner Monero (XMR) miner tool. in late 2017 DevilScreaM created the 16Shop phishing kit and set up a Facebook group to sell licenses and support. In November 2018. this private group had over 200 members. We checked the group in mid-June 2019 and it now has over 300 members and over 200 posts. Despite the questionable content, the group not only persists unchanged on social media, but continues to grow.

McAfee has notified Facebook of the existence of this group. The social network has taken an active posture in recent months of taking down groups transacting in such malicious content.

Recent News and Switch to Amazon

In May 2019, several blogs were published highlighting that a version of 16shop was cracked which included a backdoor that would send all data via telegram to the author of the kit. We can confirm that this was not present in the version we analysed in November. These leads us to believe that this backdoor was added by a second malicious actor and not the original author of 16Shop.

[Telegram Bot API command from Cracked 16shop kit to send stolen data]

In May 2019, we found a new phishing kit which was targeting Amazon account holders. Looking at the code of the kit, you can see it shows several similarities to the 16shop kit targeting Apple users back in November 2018.


[Fake Login page]

[PHP code of Phishing Kit and Admin page]

Around the same time that we discovered the Amazon Phishing Kit, the social media profile picture of the actors we believe are behind 16shop changed to a modified Amazon logo. This reinforces our findings that the same group is responsible for the development of the new malicious kit.

[Obfuscated Profile Pic]

We believe that victims of this kit will be led to the malicious websites via links in phishing emails.

We recommend that if users want to check any account changes on Amazon, which they received via email or other sources, that they go to Amazon.com directly and navigate from there rather than following suspicious links.


During our monitoring, we observed over 200 Malicious URLs serving this phishing kit which highlights its widespread use (all URLs seen have been classified as malicious by McAfee).

The group responsible for 16shop kit continues to develop and evolve the kit to target a larger audience. To protect themselves, users need to be extremely vigilant when receiving unsolicited email and messages.

This demonstrates how malicious actors use legitimate companies to leverage their attacks and gain victims’ trust and it is expected that these kinds of groups will use other companies as bait in the future.

Indicators of compromise

Domains (all blocked by McAfee WebAdvisor)

Apple Kit

  • hxxps://secure2app-accdetall1.usa.cc.servsdlay.com/?16shop
  • hxxps://gexxodaveriviedt0.com/app1esubm1tbybz/?16shop
  • hxxps://gexxodaveriviedt0.com/secur3-appleld-verlfy1/?16shop
  • hxxps://sec2-accountdetail.accsdetdetail.com/?16shop

Amazon Kit

  • verification-amazonaccess.secure.dragnet404.com/
  • verification-amazon.servicesinit-id.com/
  • verification-amazonlocked.securesystem.waktuakumaleswaecdvhb.com/
  • verification-amazonaccess.jaremaubalenxzbhcvhsd.business/
  • verification-amazon.3utilities.com/
  • verification-amaz0n.com/

McAfee detections

  • PDF/16shop! V2 DAT =9086 , V3 DAT = 3537

Hashes (SHA-256)

  • 34f33612c9f6b132430385e6dc3f8603ff897d34c780bfa5a4cf7663922252ba
  • b43c2ba4e312d36a1b7458d1342600957e0daf3d1fcd8c7324afd387772f2cc0
  • 569612bd90de1a3a5d959abb12f0ec66f3696113b386e4f0e3a9face084b032a
  • d9070e68911db893dfe3b6acc8a8995658f2796da44f14469c73fbcb91cd1f73

For more information on phishing attacks:

The post 16Shop Now Targets Amazon appeared first on McAfee Blogs.

Mayors Say They’ll No Longer Pay Ransoms Connected to Security Events

Mayors in the United States have collectively declared that they’ll no longer meet attackers’ ransom demands in connection to a digital security event. At its 87th annual meeting, the U.S. Conference of Mayors approved a resolution entitled, “Opposing Payment To Ransomeware Attack Perpetrators.” This decree makes clear that the Conference, the official non-partisan organization of […]… Read More

The post Mayors Say They’ll No Longer Pay Ransoms Connected to Security Events appeared first on The State of Security.

Presidential Candidate Andrew Yang Has Quantum Encryption Policy

At least one presidential candidate has a policy about quantum computing and encryption.

It has two basic planks. One: fund quantum-resistant encryption standards. (Note: NIST is already doing this.) Two, fund quantum computing. (Unlike many far more pressing computer security problems, the market seems to be doing this on its own quite nicely.)

Okay, so not the greatest policy -- but at least one candidate has a policy. Do any of the other candidates have anything else in this area?

Yang has also talked about blockchain: "

"I believe that blockchain needs to be a big part of our future," Yang told a crowded room at the Consensus conference in New York, where he gave a keynote address Wednesday. "If I'm in the White House, oh boy are we going to have some fun in terms of the crypto currency community."

Okay, so that's not so great, either. But again, I don't think anyone else talks about this.

Note: this is not an invitation to talk more general politics. Not even an invitation to explain how good or bad Andrew Yang's chances are. Or anyone else's. Please.

ZTE Aims to Win Over EU Lawmakers With New Lab

ZTE Aims to Win Over EU Lawmakers With New Lab

ZTE has launched a cybersecurity testing lab in Brussels in an attempt to improve transparency.

The firm’s new Cybersecurity Lab Europe is designed to alleviate lawmakers’ concerns over the security of its 5G equipment.

The lab, which joins similar facilities in Nanjing and Rome, will allow regulators to review source code and documents, and conduct black box and penetration testing.

“ZTE’s original intention of the Cybersecurity Lab Europe is to provide global customers, regulators and other stakeholders with great transparency by means of verification and communication,” said ZTE chief security officer, Zhong Hong. "The security for the ICT industry cannot be guarded by one sole vendor, or by one sole telecoms operator. ZTE is willing to play an important role in contributing to the industry's security along with its customers and all other stakeholders.”

The move can be seen in the context of escalating Sino-US tension over the potential for Chinese tech firms to introduce backdoors to new 5G networks, which could be seen as a national security risk.

Although ZTE and larger Shenzhen rival Huawei have both professed their innocence, US hawks warn that they would be powerless to resist an order from Beijing to provide access to such networks if one was issued.

While the US and Australia have banned Chinese companies from bidding for 5G network projects, the UK has still formally to choose a provider and many European countries are more willing to use Chinese equipment to build 5G.

However, ZTE has something of a chequered past, having been found guilty of breaching a US embargo on Iran by selling equipment to the Islamic Republic containing US components, and then lying to try and cover its tracks.

After Washington responded by banning US firms from selling the firm components it faced virtual collapse before Donald Trump decided to relax the moratorium as part of his ‘deal’ making.

The UK’s National Cyber Security Centre (NCSC) issued a damning report on ZTE last year, claiming that the national security risks of using its equipment in telecoms infrastructure “cannot be mitigated.”

Sea Turtle DNS Hijackers Go After More Victims

Sea Turtle DNS Hijackers Go After More Victims

A notorious state-sponsored cyber-espionage campaign has expanded its operations with new victims and DNS hijacking techniques, according to Cisco Talos.

The security vendor claimed in a new blog post that the actors behind the Sea Turtle attacks - first revealed in April - have not been deterred by their new-found infamy.

The campaign has mainly been targeting military organizations and governments in the Middle East. Attackers get hold of DNS server credentials via phishing or vulnerability exploitation, then modify the records to point users to malicious servers in classic Man in the Middle attacks. These harvest credentials enabling them to log-in to prized accounts to steal sensitive data.

The new technique in question has been spotted just twice in the wild, hitting targets in 2018.

“In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials,” Cisco explained.

“One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address. Whereas previously reported name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.”

Cisco Talos also observed continuing activity against the ccTLD for Greece, enabling the attackers to perform DNS hijacking against three government entities.

Although most primary target organizations are based in the Middle East, new Sea Turtle victims have been spotted in the US and Sudan. Energy companies, think tanks, NGOs and even an airport have been hit.

Apple Disables Walkie-Talkie App Over Privacy Concerns

Apple Disables Walkie-Talkie App Over Privacy Concerns

Apple has disabled a popular comms app on its watchOS after concerns were raised over users being able to eavesdrop on each other.

Available on the Apple Watch Series 1 or later with watchOS 5, the Walkie-Talkie app allows users “to get in touch with just one tap,” according to Apple.

However, the tech giant has been forced to switch the function off while it “quickly” fixes an emerging vulnerability.

“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” it said in a statement. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.”

The function will be restored “as soon as possible,” Apple continued.

The news comes just a day after Cupertino issued a silent update for its Mac app to fix a widely reported privacy issue in conferencing service Zoom.

The vulnerability meant that any website could automatically open up a conference call on a user’s machine, switching on the webcam in the process. Even if users deleted their Zoom app, the service would keep a localhost web server running covertly on their Mac, so that if a link is clicked, the client would restart again without any user interaction.

Although Zoom finally patched the issue this week after dragging its heels for months, removing the localhost server, Apple seems to have been concerned that a large number of users may not apply the patch – potentially because they thought they’d already uninstalled Zoom.

Weekly Update 147

Weekly Update 147

So "Plan A" was to publish Pwned Passwords V5 on Tuesday but a last-minute check showed control characters had snuck in due to the quality (or lack thereof) of the source data. Scratch that and go to "Plan B" which was to push them out today but a last-minute check showed that my "improved" export script had screwed up the encoding and every single hash was wrong. "Plan C" is now to push them out on the weekend with everything working correctly. Hopefully. If I don't screw anything up again...

The constant challenge I've faced over the last few years is the massive amount of multi-tasking required to do all the things I'm presently doing. I touched on this in my Project Svalbard blog post and it goes a long to explaining why HIBP needs to grow up into a larger organisation. I quite literally need people to remove the horizontal tabs and get the encoding right; it's such a simple thing but it's so easy to screw up when you're stretched too thin.

Enough about that, this week I'm also talking about Scott's upcoming public Glasgow workshop, more data breaches, Namecheap's faux pas and EVE Online's great security work they've very generously shared publicly.

Weekly Update 147
Weekly Update 147
Weekly Update 147


  1. Scott will be running my Hack Yourself First workshop in Glasgow next week (this is the last stop on the UK tour, get in while you still can!)
  2. Someone also created a website dedicated to him (seems legit!)
  3. The Zhenai breach from 2011 added another 5M records to HIBP (I'm still working through a ridiculously long backlog of breaches...)
  4. I called Namecheap to account for a very misleading post on SSL (to their credit, they've now pulled the piece)
  5. EVE Online published some great material on how they're doing their security things (it's not just the practices I think are great, it's the fact that they're happy to talk about them publicly so that other companies can benefit too)
  6. Shape Security is sponsoring my blog this week (Captcha is no longer enough, they're talking about how Shape Connect blocks automation & improves security instantly, with a 30 minute implementation)

How should you investigate a data breach?

Digital Guardian recently asked a group of cyber security experts what the most important step is following a data breach. Several answered with some variation of ‘find out how it happened’.

This might seem counterproductive: with so much post-breach chaos, from isolating the incident and letting staff know what’s going on to getting back to work and notifying affected individuals, surely it’s a time to be looking forward, not backward.

But as the experts explained, understanding the cause of the incident is an essential part of the incident response process.

So how should you approach a data breach investigation?

The crime scene

Your investigation should begin at the scene of the incident. This might be, for example,the victim’s computer, a web page or a physical space in which documents were compromised.

Senior Vice President and Chair of the Litigation Practice of LEVICK Jason Maloni said that, although “few people care what got you into this situation”, your organisation needs this information so you can communicate how you’re addressing the problem.

You should therefore approach data breaches in the same way police tackle physical crime. You probably don’t have any first-hand experience doing that, but the chances are that you’re familiar with the three core aspects that establish how a crime occurred:

  • Motive: why did the criminal launch the attack? Most breaches are the result of criminals attempting to steal data, but it could have been caused by an employee, either accidentally or maliciously.
  • Means: the tools that were used to commit the crime, such as malware, hacking expertise or access to a user’s login credentials.
  • Opportunity: how and when did the perpetrator commit the attack? Some data breaches can only occur during a small window, such as when vendors release patches for system vulnerabilities, whereas others are persistent threats.

Unlike a criminal investigation, however, there’s a good chance that the culprit wasn’t acting with criminal intent. Many data breaches are accidents caused by employee negligence or process failures.

The scene of the incident will generally provide you with the clues you need to work out – or at least make an educated guess regarding – who was responsible for the breach and how it occurred.

Gathering the evidence

Now you know what to look for, it’s time to identify and interpret those clues.

The most effective method is digital forensics.

This is the collection and interpretation of electronic data in an attempt to “preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events”.

Digital forensic investigation requires a combination of technological tools and an expert understanding of how to use them.

Find out how you should respond to a data breach >>

In recent years, digital forensics has become more effective and accessible to organisations. However, it’s still unaffordable or impractical for many, so you might be forced to rely on more hands-on investigative techniques.

Fortunately, most IT departments have the necessary tools to unearth vital clues. Log files are key, as they will show you who accessed or modified files and their IP address.

You should also interview relevant employees to find out if they know anything about the breach. This might be to verify information from log files or to ask questions about their team’s processes, which you can use to identify anything out of the ordinary.

Whether you use digital forensics or manual investigation, you should be able to find the cause of the breach within a few hours, enabling you to progress to the recovery process.

What should you do when you’re under attack? 

When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.

That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.

With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.

Find out more >> 

The post How should you investigate a data breach? appeared first on IT Governance Blog.