Author Archives: Sandhya Chauhan

Hackers Accessed Personal Details of 29M Facebook Users



Facebook has once again proved susceptible to data breaches. Still recovering from the Cambridge Analytica scandal, the company says attackers accessed the personal details of 29 million users, ranging from phone numbers and email addresses to more intimate data such as check-ins and recent searches. The breach is a lasting blow to the largest social network's credibility and to the trust of its users.

According to Friday's statement, the attackers stole access tokens for 30 million accounts, which gave them full access to those profiles and let them extract basic contact information (name and phone number or email address). For 14 million of those accounts they also extracted more detailed information such as hometown, current location, birthdate, gender and recent check-ins.
The remaining one million accounts were affected, but no information was extracted from them.

In response, Facebook pledged to send customized messages to the 30 million users whose accounts were affected by what it called a "fairly broad" breach. Despite its magnitude, the breach reportedly did not extend to third-party apps linked to users' Facebook accounts: Facebook said no data was accessed from WhatsApp, Instagram or Messenger.

Facebook's investigation is ongoing, and the company is not ruling out smaller, more targeted attacks that use the same mechanism. The attackers used an automated program to move through accounts and extract data quickly, but notably performed no other activity while logged in.

Guy Rosen, Facebook's Vice President of Product Management, said in a call with reporters, "We take these incidents really, really seriously."

Facebook said the FBI is investigating the hack but declined to give further details, in particular who was behind the attack. A company executive said on a conference call that Facebook will not disclose a breakdown of the affected users by location.

A Reddit user, apple-hacck, sums up why users are worried about what the breach makes possible:

"Many people use the same passwords across accounts (my first thought). But in the case of a Facebook data breach, since the personal details were accessed, they can commit identity fraud because they have your face (if you have a profile picture), phone number (because many people link their numbers to Facebook), and your name. All of which can be used to convince a bank or other institution that it is you trying to access the account."


Amid these concerns, Patrick Moorhead, founder of Moor Insights & Strategy, says, "Facebook should provide all those customers free credit monitoring to make sure the damage is minimized."

WhatsApp Fixes Video-Call Vulnerability that Allowed Account Intrusion



WhatsApp has fixed a potentially serious flaw that exposed users to attack during video calls.

The bug allowed attackers to hijack the app, and with it the user's account, on both iOS and Android; a user was exposed as soon as they answered the call.

According to a bug report by Natalie Silvanovich, a security researcher on Google's Project Zero team, heap corruption could occur when an attacker sent a malformed RTP packet to a victim.

In the bug report Silvanovich writes, "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet." She adds, "This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients."

Because both the iOS and Android versions of the app use RTP (Real-time Transport Protocol) for calls, both platforms were vulnerable. WhatsApp Web is not affected, as it uses WebRTC for video calls.

Silvanovich found the bug a month earlier, but it was made public only once a fix was available. The flaw was patched in the Android client on September 28th and in the iOS client on October 3rd.
Now that the bug is fixed, users are advised to update to the latest version of the app on either platform.
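The bug class described above, as an added illustration that is not WhatsApp's code or Project Zero's report: a bounds-checked parser for the RTP header defined in RFC 3550, in which every length the sender controls (the CSRC count, the extension length word, the padding count) is checked against the bytes actually received before the parser advances, so a malformed packet is rejected instead of being read or copied past the end of its buffer. The sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an RTP packet (RFC 3550 header layout). */
typedef struct {
    uint8_t  version;       /* must be 2 */
    uint8_t  padding;       /* P bit */
    uint8_t  extension;     /* X bit */
    uint8_t  csrc_count;    /* CC, 0..15 */
    uint8_t  marker;        /* M bit */
    uint8_t  payload_type;  /* PT, 0..127 */
    uint16_t sequence;
    uint32_t timestamp;
    uint32_t ssrc;
    const uint8_t *payload; /* points into the caller's buffer */
    size_t   payload_len;
} rtp_header_t;

/* Parse `len` bytes at `pkt` into `h`. Returns 0 on success, -1 if the packet
 * is malformed. Each sender-controlled length is validated against `len`
 * before the offset moves, which is the check a parser must not skip. */
int rtp_parse(const uint8_t *pkt, size_t len, rtp_header_t *h)
{
    size_t off, end;

    if (pkt == NULL || h == NULL || len < 12)   /* fixed header is 12 bytes */
        return -1;
    memset(h, 0, sizeof(*h));

    h->version = pkt[0] >> 6;
    if (h->version != 2)
        return -1;
    h->padding      = (pkt[0] >> 5) & 1;
    h->extension    = (pkt[0] >> 4) & 1;
    h->csrc_count   = pkt[0] & 0x0f;
    h->marker       = pkt[1] >> 7;
    h->payload_type = pkt[1] & 0x7f;
    h->sequence     = (uint16_t)(((uint16_t)pkt[2] << 8) | pkt[3]);
    h->timestamp    = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) |
                      ((uint32_t)pkt[6] << 8)  |  (uint32_t)pkt[7];
    h->ssrc         = ((uint32_t)pkt[8] << 24) | ((uint32_t)pkt[9] << 16) |
                      ((uint32_t)pkt[10] << 8) |  (uint32_t)pkt[11];

    /* CSRC list: CC entries of 4 bytes each, as declared by the sender. */
    off = 12 + (size_t)h->csrc_count * 4;
    if (off > len)
        return -1;

    /* Optional header extension: 2-byte profile, 2-byte length in 32-bit
     * words, then that many words. The length word is sender-controlled. */
    if (h->extension) {
        size_t ext_bytes;
        if (len - off < 4)
            return -1;
        ext_bytes = (size_t)(((uint16_t)pkt[off + 2] << 8) | pkt[off + 3]) * 4;
        off += 4;
        if (ext_bytes > len - off)
            return -1;
        off += ext_bytes;
    }

    /* Padding: the last byte says how many trailing bytes to ignore. */
    end = len;
    if (h->padding) {
        uint8_t pad = pkt[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;
        end = len - pad;
    }

    h->payload     = pkt + off;
    h->payload_len = end - off;
    return 0;
}

/* Convenience wrapper: payload length on success, -1 when the packet is rejected. */
long rtp_payload_len(const uint8_t *pkt, size_t len)
{
    rtp_header_t h;
    return rtp_parse(pkt, len, &h) == 0 ? (long)h.payload_len : -1L;
}

/* Constructed sample packets (not captured traffic). */
/* Well-formed: V=2, CC=1, PT=96, one CSRC, 4-byte payload. */
static const uint8_t SAMPLE_OK[] = {
    0x81, 0x60, 0x00, 0x01,  0x12, 0x34, 0x56, 0x78,  0xde, 0xad, 0xbe, 0xef,
    0x11, 0x11, 0x11, 0x11,  0xaa, 0xbb, 0xcc, 0xdd };
/* Same bytes but CC=15: the header claims 60 bytes of CSRCs that are not there. */
static const uint8_t SAMPLE_BAD_CC[] = {
    0x8f, 0x60, 0x00, 0x01,  0x12, 0x34, 0x56, 0x78,  0xde, 0xad, 0xbe, 0xef,
    0x11, 0x11, 0x11, 0x11,  0xaa, 0xbb, 0xcc, 0xdd };
/* X=1 with an extension length of 0xffff words (262140 bytes) in a 16-byte packet. */
static const uint8_t SAMPLE_BAD_EXT[] = {
    0x90, 0x60, 0x00, 0x01,  0x12, 0x34, 0x56, 0x78,  0xde, 0xad, 0xbe, 0xef,
    0xbe, 0xde, 0xff, 0xff };

int main(void)
{
    printf("ok packet      -> payload %ld\n", rtp_payload_len(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("bad CSRC count -> %ld\n", rtp_payload_len(SAMPLE_BAD_CC, sizeof SAMPLE_BAD_CC));
    printf("bad ext length -> %ld\n", rtp_payload_len(SAMPLE_BAD_EXT, sizeof SAMPLE_BAD_EXT));
    return 0;
}
```

A parser that trusted the CC or extension length fields would compute an offset beyond the 20- or 16-byte buffer; the two malformed samples are rejected before that offset is ever used.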


Cloned Profile Hoax on Facebook Makes a Comeback



                                     

A hoax message is doing the rounds claiming that the sender has received another friend request from the recipient. Facebook officials say the claim that accounts are being cloned is itself the hoax, an attempt to fool users.


The hoax, which went viral on Sunday, is built around a message about a duplicate friend request that asks the recipient to forward it to their friends.

The message, which has troubled enough Facebook users that reports of it have surged recently, reads: "Hi I actually got another friend request from you yesterday...which I ignored so you may want to check your account.

"Hold your finger on the message until the forward button appears...then hit forward and all the people you want to forward to...I had to do the people individually. Good Luck!"


Officials at the social media giant said there is no evidence of any virus linked to the message or to its spread; it appears to be driven by fear.


A spokesperson described it as a "chain mail" type of notice: "We've heard that some people are seeing posts or messages about accounts being cloned on Facebook." He added, "We haven't seen an increase in incoming reports of impersonation (cloned accounts)."


In a cloning scam, someone creates a duplicate account for a user and copies the pictures and details from the victim's real profile onto it. This kind of identity attack does not require access to the victim's original account. The criminal then sends friend requests to the people on the victim's friends list in a calculated attempt to gather more personal data.


To check, users can search for their own name on Facebook; if the results include accounts other than your own with a similar display picture and details, your account has probably been cloned.


Such cases should be reported to Facebook immediately, requesting removal of the duplicate account, which is handled within 24 hours.


Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware



The Fallout exploit kit is in the news again: nao sec has detected it distributing the Kraken Cryptor ransomware, having earlier made headlines for distributing GandCrab.
Kraken Cryptor is offered as ransomware-as-a-service (RaaS) and is distributed by affiliates, who are spreading it through a wide variety of methods.
For instance, last month a Kraken affiliate compromised the Superantispyware.com site and distributed the ransomware disguised as an installer for the SuperAntiSpyware security program.
According to BleepingComputer, the affiliate behind that compromise had initially planned to replace the original SuperAntiSpyware.exe with the ransomware executable, but later dropped the idea for reasons that remain unclear.
nao sec told BleepingComputer that Fallout began distributing Kraken Cryptor earlier this week, starting with version 1.5; distribution of version 1.6 has since been observed.
Once installed, the ransomware begins encrypting the user's files. This version renames each encrypted file to a random name with a random extension, whereas previous versions used sequential numbers.
Prevention Front

Users are advised to practise good computing habits and to run reliable security software. Above all, keep a trustworthy, tested backup of your important data that you can restore from.
To reduce the chance of vulnerabilities being exploited, install all the latest Windows security updates and keep every program at its latest version.
That guards against installation of Kraken via exploit kits; locking down Remote Desktop services guards against installation via hacked Remote Desktop, and proper account lockout policies protect against brute-force attacks.
Behavioral detection can protect against ransomware infections and the encryption that follows. Malwarebytes Anti-Malware includes behavioral detection, and Ehackingnews recommends it to its readers.




Phone Phishing Levels Up: Smart Slaves to Digital Wizardry


We have grown so attached to technology that we assume we are too smart to fall for scams and innovative cyber attacks; but overindulgence has its own consequences. When someone falls for an old-fashioned telephone phishing scam, the conclusion is that we are becoming smart slaves to digital wizardry, and scam artists keep finding new ways to exploit that.
Matt Haughey, creator of the weblog MetaFilter and a writer at Slack, has described receiving a call from an 800 number resembling the one his credit union uses. Since his credit union rarely calls, he picked up the third of three successive calls. The woman on the line explained that the credit union had blocked two suspicious-looking charges to his ATM card made in Ohio. She then read him the last four digits of his card, and they checked out.
Haughey replied that he would urgently need a replacement card because he had a trip to California planned. The caller immediately said he could keep his card and that any future charges not made in Oregon or California would simply be blocked by the credit union.
That the bank had just called to say it was freezing his card and then abruptly said he could keep it open for his upcoming trip did not sit right with Haughey, and he sensed something was off. He reassured himself that the caller was doing him a favor.
Despite his suspicions, Haughey hesitantly cooperated as the caller verified his home address and mother's maiden name, ostensibly so that a new card could be sent once the California trip was over.
Once those details were confirmed, the caller asked Matt to verify the 3-digit security code; as he had given out this code before when paying for things with his card, he let his guard down.
She then asked for the PIN of his current card, saying the same PIN would be applied to the new card. The question alarmed Haughey and he asked her to repeat it. When she did, he provided the PIN, though skeptically.
After hanging up, Haughey was largely convinced the transaction was legitimate, though the request for his PIN still left him uneasy.
In an interview with KrebsOnSecurity, Haughey said, "I balked at challenging her because everything lined up." He added, "But when I hung up the phone and told a friend about it, he was like, 'Oh man, you just got scammed, there's no way that's real.'"
Worried, Haughey went to his credit union to make sure his travel arrangements were in order. He described the incident to a bank employee, whose expression alone confirmed his friend's view.
A review of his account showed two fraudulent charges totaling $3,400, but not in Ohio: over $2,900 had been spent at a Kroger near Atlanta and $500 withdrawn from an ATM in the same area using a counterfeit debit card.
Reflecting on the fake professionalism and realism of it all, Haughey said, "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too."

Narrow escape

Cabel Sasser, founder of Panic Inc., recently described how he nearly fell for a telephone scam placed from a number similar to the one on the back of his Wells Fargo card.

“I answered, and a Fraud Department agent said my ATM card has just been used at a Target in Minnesota, was I on vacation?” a traumatized Sasser tweeted.

What the tweet did not mention was that his corporate debit card had already been hit by fraud twice. After he disputed the first charge, his bank mailed him a replacement card.

Recalling the episode in an interview with KrebsOnSecurity, Sasser said, "I used the new card at maybe four places and immediately another fraud charge popped up for like $20,000 in custom bathtubs." He added, "The morning this scam call came in I was spending time trying to figure out who might have lost our card data and was already in that frame of mind when I got the call about fraud on my card."
So the card-replacement routine began. The caller asked, "Is the card in your possession?" It was. The caller then asked for the CVV, the three-digit code printed on the back of the card.
Once the CVV was verified, the agent offered to expedite a replacement. Sasser recalled: "First he had to read some disclosures. Then he asked me to key in a new PIN. I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN."
It then dawned on Sasser: wouldn't an actual representative of Wells Fargo's fraud division already have access to his current PIN?
The caller assured him it was just to confirm the change and that he couldn't see what Sasser was entering.
Sasser countered that they were the bank, they had his PIN, and they could see what he entered. The caller retorted, "Only the IVR [interactive voice response] system can see it." Finally, the caller read out Sasser's Social Security number and asked him to confirm it.
The number was correct, but it still didn't feel right. Sasser told the agent he would hang up and call back. When he dialed the number printed on the back of his ATM card, the number the call had appeared to come from, the person who answered said no such fraud had been detected on his account.
"I was just four key presses away from having all my cash drained by someone at an ATM," Sasser told the interviewer. When he visited his local branch, his fears were confirmed: "The Wells person was super surprised that I bailed out when I did and said most people are 100 percent taken by this scam," Sasser said.

Mortal, computer or a fusion?

"Vishing" is a method that combines human and automated voices. Although the scammers in the cases above were real people, automated vishing attempts are just as prevalent. The August case of "Curt", reported by KrebsOnSecurity, is a defining example.

Curt wrote, "I'm both a TD customer and Rogers phone subscriber and just experienced what I consider a very convincing and/or elaborate social engineering/vishing attempt."

“At 7:46pm I received a call from (647-475-1636) purporting to be from Credit Alert (alertservice.ca) on behalf of TD Canada Trust offering me a free 30-day trial for a credit monitoring service.”

The caller reportedly introduced herself as 'Jen Hansen' and proceeded with what Curt called "over-the-top courtesy."

“It sounded like a very well-scripted Customer Service call, where they seem to be trying so hard to please that it seems disingenuous,” Curt recollected. “But honestly it still sounded very much like a real person, not like a text to speech voice which sounds robotic. This sounded VERY natural.”
The caller then told Curt that TD Bank was offering a free month of credit monitoring, which he could cancel at any time, and that all he had to do to apply was confirm his home mailing address.
The woman on the line went on describing the package, including free antivirus and anti-keylogging software, until Curt interrupted to ask about the weather where she was. The off-beat question threw the (robot) caller; after a couple of apologies she transferred the call to another line, where the question was again ignored and the new voice kept describing the service.
Having thrown the robots off-script with that simple test, Curt hung up and immediately contacted TD Bank, which confirmed that no one there had called him. He had dodged a bullet.

Preventive front

To guard against phone phishing, never disclose sensitive identity or banking information in response to an unsolicited phone call. As with email scams, urgency plays a crucial part: haste short-circuits our thinking and keeps us from adding things up, which is exactly what makes people go slow on defense.

If such a call leaves you worried about your finances, do not call back on the number the caller offers; contact the bank on the number printed on the back of your card. Don't hesitate to hang up on calls that turn into an interrogation within seconds; deliberate probing into your personal details should put you on alert.


Facebook Admits Using Users' 2FA Phone Numbers for Ad Targeting


The phone number that users give Facebook for two-factor authentication (2FA), a method that adds a second layer of security to the login, is being used to target them with ads.
Following a Gizmodo report based on a study by two American universities, Facebook admitted that it repurposed phone numbers provided for 2FA for ad targeting. The study describes phone numbers supplied for security reasons as potential fodder for advertisers.
Asked about the findings, a Facebook spokesperson told TechCrunch, "We use the information people provide to offer a better, more personalized experience on Facebook, including ads." He added, "We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts."
The study's claims prompted the social media giant to respond, acknowledging that data intended for security purposes was channeled into advertising.
Users who have uploaded their contact lists to Facebook are also unwittingly helping advertisers obtain the personally identifying information (PII) of their contacts.
On the prevention front

Facebook clarified that users can avoid this targeting by choosing a 2FA method that does not rely on a mobile number and by disabling the contact synchronization that uploaded their contacts.

According to a spokesperson, users can manage and delete the contact information they've uploaded to the platform at any time.


Mozilla Launches 'Firefox Monitor' to Alert Users to Data Breaches


Mozilla, in collaboration with Troy Hunt's 'Have I Been Pwned', has unveiled 'Firefox Monitor', a free service that helps users find out whether their accounts have been part of a breach. Hunt's service supplies the breach data that powers Firefox Monitor.
The service checks whether users' email addresses and passwords were part of known breaches, and can be configured to notify users whenever their information turns up in a new one.
Nick Nguyen of Mozilla wrote, "It can be hard to keep track of when your information has been stolen, so we're going to help by launching Firefox Monitor, a free service that notifies people when they've been part of a data breach." He continued, "After testing this summer, the results and positive attention gave us the confidence we needed to know this was a feature we wanted to give to all of our users."
Explaining how it works, Mozilla said the service scans the 'Have I Been Pwned' database and raises an alert when it finds a match.
To use the service, visit https://monitor.firefox.com/ and enter an email address. The address is checked and the user is told whether it appears in any known breaches; if it does, the service lists them. Users can also sign up to be notified of future breaches.
The Firefox Monitor page also points to privacy and security guidelines that users are encouraged to follow while browsing.
Email address pwned? Here’s what to do. 
If your address has been pwned, audit every account involved in the breach, enable two-factor authentication, change the passwords you used there, and create unique, strong passwords for every site you sign up to.


Malware Masked as Job Offers Attacks Freelancers



Hackers are abusing the freelancing platforms Fiverr and Freelancer, which serve customers worldwide, to deliver malware disguised as job offers. The malware, hidden in attachments presented as a 'job description', executes and installs keyloggers on the victim's machine.

The attacker sends the same counterfeit job offer to many users. AgentTesla and other Remote Access Trojans (RATs) are examples of the keyloggers that can be installed on a victim's system. According to a report by MalwareHunterTeam, these attacks are targeting the widely used freelancing platforms Freelancer and Fiverr.

Unveiling the attack mechanics

The malware, which appears to be a legitimate attachment, infects systems with remote desktop monitoring software and keyloggers. Victims who had trouble with the documents posted on the freelancing platforms even turned to the creators of the job offers for help.
For instance, if the attacker wants to take over a user's mobile device, the user is denied access to the document on their computer and is told it can only be opened on a mobile device. Cybercriminals have devised innovative ways of delivering their malware and have even made delivery easier by 'assisting' victims through the installation.
Users of these freelancing websites are advised to keep their antivirus software and OS patches up to date. If an attachment looks dubious, check it with VirusTotal or a similar service before opening it.



New Xbash Malware: A Deadly Fusion of Ransomware, Botnet, Cryptominer





With cryptocurrency once again in the headlines, researchers at Palo Alto Networks have found a new malware family called Xbash, described as a deadly fusion of botnet, ransomware and cryptocurrency mining software.

Xbash targets servers running Windows or Linux, attacking poorly protected systems with weak passwords or devices running with known but unpatched vulnerabilities.

Notably, its behaviour depends on the OS it infects: on Windows it mines cryptocurrency and self-propagates, while on Linux it acts as ransomware and builds botnets.

The ransomware component first encrypts the victim's files, then offers, unreliably, to restore them for a fee.

Bearing a startling likeness to the infamous NotPetya, Xbash lacks any functionality to restore data. It demands a ransom for the captive files, but they remain encrypted even after payment.

So far the criminals have reportedly collected $6,000 in Bitcoin from 48 victims. Labelling Xbash as mere ransomware therefore understates its objective, which appears to be the irrevocable destruction of the victim's data.

Xbash also has features, once enabled, for compromising an organization's intranet. Its ability to compromise networks and let attackers tamper with an organization's major services is what makes it especially dangerous.

First spotted in May 2018, Xbash is the work of the 'Iron Group', an entity reportedly linked to other ransomware attacks as well.

Four versions with distinct code and timestamps have been found, suggesting Xbash is still under development and that the attackers are adding more functionality or simplifying the intranet attack.

In any case, users are advised to back up crucial data regularly and take preventive measures wherever necessary.




Cyberworld on Rewind Mode: New Phishing Attack Stealing Passwords Using Old Tricks


The phishing world is on rewind, as old tactics keep making comebacks. A new campaign using an old trick attempts to steal sensitive information such as login credentials and payment details by luring victims with the promise of a tax refund that can only be claimed online.
The attack starts with a message that appears to come from HMRC, the UK government's tax office, telling the target they are due a tax refund of £542.94 "directly" onto their credit card.
According to Malwarebytes, which uncovered the scam, a further message tells victims that the link to the "customer portal" expires on the day the message is received. The added pressure makes panicked victims act before thinking, convinced that a handsome sum is slipping from their grasp.
The poor formatting, structure and disguise of the scam show how little effort the criminals put into the counterfeit HMRC website and into hiding the attack.
Users who click through to the 'portal' are greeted by a counterfeit Outlook login page asking for their username and password; this is where the credential theft takes place.
Once the email and password have been entered, victims are redirected to a counterfeit 'refund' website with empty boxes for 'Full name', 'Address', 'Phone Number', 'Date of Birth', 'Mother's Maiden Name' and 'Full Credit Card Details' including the security code.
What makes the attack dangerous is its breadth: beyond bank details, it yields potential access to other accounts and a large amount of personal data that leaves victims open to identity theft and fraud.
To help users sidestep this temptation in future, HMRC states that it will never offer a repayment or ask for personal information via email.
Chris Boyd, lead malware intelligence analyst at Malwarebytes, told ZDNet, "These attacks can afford to be crude, as the main pressure point is the temptation of an easy cash windfall tied to a tight deadline. Not knowing that HMRC don't issue refund notifications in this manner would also contribute to people submitting details."
Although the attack is crude in design and execution, the time the criminals invested in distributing the emails suggests the scam is anything but futile.
Phishing has become pervasive worldwide; a recent report by the US Department of Justice found that the majority of cyber attacks in recent years started with a simple phishing email.

Cryptomining Malware Infects Windows and Linux Kodi Users



Users of the Kodi media player who installed add-ons from the Bubbles, Gaia and XvBMC repositories may have been infected with a coin miner.

Cyber-security firm ESET discovered that users of Kodi, the free and open-source media player that has evolved over time and spawned a community of its own, were among the targets of a malware campaign.

ZDNet reports that the company's malware analysts found at least three popular Kodi add-on repositories had been infected and were helping spread a malware strain that covertly mined cryptocurrency on users' computers.

For those unfamiliar with Kodi, it is an "empty" media player built around add-ons. After installing Kodi, users add the URLs of their preferred add-on repositories and then choose which add-ons to install from them.

Although the player is predominantly used to stream pirated content, add-ons allow streaming of everything from YouTube to Netflix.
According to ESET researchers, the three repositories hosted malicious code that downloads a second Kodi add-on; that add-on fingerprints the user's OS and then installs a cryptocurrency miner, completing the infection.
Although Kodi is available for many platforms, the researchers said the miner's authors only configured it for Linux and Windows. According to the partial data ESET obtained, the crooks mined Monero and infected over 4,700 users, accumulating over 62 Monero coins worth about $7,000.
Countries with a high proportion of Kodi users are naturally among the most affected, including the UK, Israel, the US, the Netherlands and Greece.
There is no sure way to detect the infection, but users are advised to keep antivirus software installed and updated. High CPU usage, a common indicator of cryptocurrency mining, is a probable sign of infection.

New Address Bar Spoofing Trick preys upon Apple’s Safari


An unpatched vulnerability in the Safari web browser lets cybercriminals control the content displayed in the browser's address bar. This enables carefully designed phishing attacks that are unlikely to be noticed by users of average technical literacy.
The bug, discovered by a security researcher, was later determined to be a race condition; its cause is said to be that the browser allows JavaScript to update the address bar before a web page has finished loading.

Fix: Owners are taking their time

Reportedly, security researcher Rafay Baloch could only reproduce the vulnerability in the Safari and Edge web browsers. He immediately reported the risk to the makers of both browsers, but only Microsoft responded, with a patch on 14th August released as part of its periodic security updates.
Apple received a report about the bug on 2nd June, along with a 90-day window to fix it before public disclosure; that window expired more than a week ago, and there is still no patch for Safari.

Intellect and vision deluded

As of now, the vulnerability is tracked as CVE-2018-8383 and has not yet received a severity score. Exploiting it requires tricking the victim into visiting a specially crafted web page, which is a readily achievable step.
"Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing," Rafay further explains in a blog post.
The attacker delays the address bar update, which allows them to impersonate any web page while the address bar continues to display the legitimate domain name to the victim, complete with the expected security indicators in all the right places.
BleepingComputer tested the bug on iOS with a proof-of-concept (PoC) page set up by the researcher. The page is designed to load content from gmail[.]com that is hosted on sh3ifu[.]com, and it all works seamlessly.
Even an expert's eye can be fooled, despite the presence of elements that could give away the suspicious activity. For example, the page-loading spinner and the progress bar are both visible, signalling that loading has not finished.
However, this is common on many websites, as background components are loaded with lower priority, so users tap the 'log in' field without reading anything into it.
Safari users cannot type into an input field while the page status is still 'loading', and this is where the whole problem lies. Baloch said that he and his team got past this hurdle by injecting a fake keyboard onto the screen, similar to what banking Trojans have done for years.
According to the reports, a fix would be released by Apple in their next set of security updates.

Nestled in hacked sites: New Fallout Exploit Kit injecting GandCrab Ransomware or Redirecting to PUPs

Cybercriminals have made another concerted attempt to distribute GandCrab ransomware, fake anti-virus software, malware-downloading Trojans and other PUPs ('Potentially Unwanted Programs'). The exploit kit being used to deliver the ransomware is called 'Fallout'.
The kit was discovered at the end of August 2018; it is installed on hacked sites and programmed to exploit vulnerabilities on a visitor's system. The vulnerabilities reported are in two components: the Windows VBScript engine (CVE-2018-8174) and Adobe Flash Player (CVE-2018-4878).
When it was discovered by the security researcher nao_sec, the kit was found downloading and installing 'SmokeLoader', a malware loader that in turn downloads other malware. According to the researcher, at the time the kit was found it was downloading and installing CoalaBot and an unidentified malware.
In a blog post written specifically to shed light on the 'Fallout Exploit Kit', nao_sec stated: "The exe file executed by shellcode is 'Nullsoft Installer self-extracting archive'." He added, "This will run SmokeLoader and two exe files will be downloaded."
As reported by FireEye, a firm known for its frontline threat expertise, the Fallout exploit kit has been observed installing GandCrab ransomware on Windows, while macOS users are redirected to pages that promote fake antivirus software or fake Adobe Flash Player installers.
FireEye further describes the execution sequence: the kit first tries to exploit the VBScript vulnerability and then moves on to the Flash Player vulnerability, depending on whether scripting is disabled. Once exploitation succeeds, the kit causes Windows to download and install a Trojan on the system.

Upon activation, the Trojan scans for the following processes; if any is found, the Trojan enters an infinite loop, which halts any further malicious activity.
If not, it downloads and executes a DLL that leads to the installation of GandCrab ransomware. While infecting the system, GandCrab appends the .KRAB extension to encrypted files and drops a ransom note titled KRAB-DECRYPT.txt.
For Fallout exploit kit victims and potential victims, Ehackingnews advises all users against keeping outdated programs such as Flash Player on their systems. It is essential to install the latest Windows security updates to stay protected.
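As a defender-side illustration of the artefacts just described, here is an added example (not FireEye's or nao_sec's code) that walks a directory tree looking for files renamed with the .KRAB extension and for the KRAB-DECRYPT.txt ransom note, and raises a verdict only when the combination is strong enough to be more than a false positive; the directory tree it scans is constructed inline.

```python
"""Scan for the on-disk artefacts the article attributes to GandCrab: files
renamed with a .KRAB extension and a ransom note named KRAB-DECRYPT.txt.
Added defender example; the tree that demo() scans is constructed inline."""
import os
import tempfile

RANSOM_NOTE = "KRAB-DECRYPT.txt"
ENCRYPTED_EXT = ".krab"


def scan_tree(root: str) -> tuple[list[str], list[str]]:
    """Walk root and return (renamed .KRAB files, ransom notes), matched
    case-insensitively since the extension is written .KRAB in the wild."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE.upper():
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
    return encrypted, notes


def is_infected(encrypted: list[str], notes: list[str]) -> bool:
    """One stray .KRAB file may be a false positive; a ransom note, or several
    renamed files together, is a strong signal worth an alert."""
    return bool(notes) or len(encrypted) >= 3


def build_sample_tree(root: str, encrypted: int, with_note: bool) -> None:
    """Constructed sample: `encrypted` documents renamed with .KRAB, one
    untouched file, and optionally the ransom note."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for i in range(encrypted):
        open(os.path.join(docs, f"report{i}.docx.KRAB"), "w").close()
    open(os.path.join(docs, "untouched.txt"), "w").close()
    if with_note:
        with open(os.path.join(docs, RANSOM_NOTE), "w") as note:
            note.write("constructed placeholder, not a real ransom note\n")


def demo(encrypted: int = 4, with_note: bool = True) -> tuple[int, int, bool]:
    """Build a throwaway sample tree, scan it, return (#krab, #notes, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, encrypted, with_note)
        enc, notes = scan_tree(tmp)
        return len(enc), len(notes), is_infected(enc, notes)
```

Point scan_tree at a real user profile to run it outside the demo; the threshold in is_infected is a starting point to tune against your own false-positive rate.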


Vodafone: Users with “1234” passwords to pay for the stolen money


Telecom companies continue to be targeted by cybercriminals, as Vodafone reports that the accounts of almost 2,000 customers were hacked. Attackers used customer data obtained from "an unknown source" and then attempted to access the accounts of 1,827 customers.
Following this brazen breach of privacy, two hackers have been sentenced to three years in prison by a Czech court. Reportedly, the criminals used the stolen details to purchase 600,000 Czech koruna worth of gambling services.
As the Czech news site idnes.cz reported, the criminals used the password '1234' to access Vodafone customer accounts. Once in, they ordered new SIM cards from different branches and installed them in their own mobile phones without any further verification, since they already had all the required details. This allowed the attackers to charge approximately 30K USD in gambling services.
Vodafone: Victims to be held responsible.
Vodafone attempted to sidestep the inevitable debate over responsibility by taking a stance against the users: they are expected to pay for these charges, since they were the ones using a weak, easily guessed password. That stance appears to have gained momentum, as debt collectors are already at the users' doors to recover the stolen money.
The affected users say they were not aware that their passwords were set to '1234', or even that an online marketplace existed through which services could be bought. Countering this, Vodafone asserted that the password may have been set as a default when the phone was purchased, and that the user should still have changed it to a strong one.
As shown in the picture below, passwords for the My Vodafone portal consist of only 4-6 digits; the placeholder text in the password field translates to '4 to 6 digit no.' (Image source: Bleeping Computer)

According to Jiri Kropac, head of Threat Detection Labs at ESET, who tested the portal for Bleeping Computer, the password requirements are still weak: passwords of only 4-6 digits will quickly succumb to a brute-force attack by a sufficiently determined attacker.
Battling the reputational damage, Vodafone has reported the incident to the National Crime Agency, the Information Commissioner's Office and Ofcom. The mobile phone provider further added, restating its priorities: "Our investigation and mitigating actions have meant that only a handful of customers have been subject to any attempts to use this data for fraudulent activity on their Vodafone accounts. No other customers need to be concerned, as the security of our customers' data continues to be one of our highest priorities."
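To make Kropac's point concrete, here is an added example (not code from Vodafone, ESET or Bleeping Computer) that counts the keyspace of a 4 to 6 digit numeric password, estimates how long an attacker needs at an assumed guess rate with and without a per-account lockout, and flags default PINs such as '1234' under a stricter policy; the guess rates and lockout figures are constructed assumptions.

```python
"""Exposure of a 4-6 digit numeric password policy, with a stricter check.
Added example; the guess rates and lockout figures are constructed assumptions,
not measurements of the My Vodafone portal."""


def numeric_keyspace(min_len: int, max_len: int) -> int:
    """Count of distinct all-digit passwords with length in [min_len, max_len]."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(keyspace: int, guesses_per_hour: float) -> float:
    """Worst-case hours to try every candidate at a sustained guess rate
    (the expected time to hit one account's password is about half that)."""
    return keyspace / guesses_per_hour


def is_weak_numeric_password(password: str) -> bool:
    """Flag the kind of PIN this incident turned on: all digits and either
    short, a single repeated digit, or a straight ascending/descending run."""
    if not password.isdigit():
        return False  # non-numeric passwords are judged by other rules
    if len(password) < 8:
        return True   # every 4-7 digit PIN lives in a keyspace of ~11 million
    if len(set(password)) == 1:
        return True   # 00000000, 11111111, ...
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return steps == {1} or steps == {-1}  # 12345678, 87654321, ...


if __name__ == "__main__":
    space = numeric_keyspace(4, 6)                # 1,110,000 candidates
    print(f"4-6 digit keyspace: {space:,}")
    # Assumed attacker: 100 guesses/s against a portal with no lockout.
    print(f"no lockout, 100 guesses/s: {hours_to_exhaust(space, 100 * 3600):.1f} h")
    # Assumed mitigation: 5 attempts per account per hour, then lockout.
    print(f"5 attempts/hour lockout:  {hours_to_exhaust(space, 5):,.0f} h")
    for pw in ("1234", "87654321", "48213759"):
        print(pw, "weak" if is_weak_numeric_password(pw) else "ok")
```

The contrast between the two printed figures is the whole argument for per-account rate limiting: the keyspace stays tiny either way, so only the attempt rate the server permits decides whether exhausting it takes hours or decades.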