Category Archives: Latest Security News

Massachusetts General Hospital Warns of Privacy Incident

Massachusetts General Hospital (MGH) announced that it learned of a privacy incident involving its Department of Neurology. MGH said that it learned on 24 June 2019 of an instance where someone gained unauthorized access to databases related to two computer applications used by its Neurology Department for research studies. Upon taking a closer look, MGH […]

The post Massachusetts General Hospital Warns of Privacy Incident appeared first on The State of Security.

Visa Adds New Security Capabilities to Detect Fraud and Disrupt Threats

Visa unveiled a suite of new security capabilities designed to help detect fraud and disrupt threats targeting financial institutions and merchants. At its U.S. Security Summit 2019, the multinational financial services corporation announced that the new capabilities will be available to all Visa clients at no additional cost or sign-up. The company specifically highlighted the […]

The post Visa Adds New Security Capabilities to Detect Fraud and Disrupt Threats appeared first on The State of Security.

Supermarket Chain Notifies Customers of Payment Card Data Incident

A supermarket chain based in the Midwestern United States notified customers of a data incident that potentially involved their payment cards. On 14 August, Hy-Vee revealed it was investigating a security incident that affected its payment systems responsible for processing transactions at its fuel pumps, drive-thru coffee shops and restaurants. Hy-Vee, which operates 245 branches […]

The post Supermarket Chain Notifies Customers of Payment Card Data Incident appeared first on The State of Security.

Police Recovered $300K Stolen in Spotsylvania Schools Phishing Attack

Police recovered over $300,000 stolen by phishers from Spotsylvania County Public Schools in Spotsylvania County, Virginia. On 15 August, Virginia State Police announced that it had reclaimed over half the amount of money stolen in a phishing attack against the Spotsylvania County Public Schools. The law enforcement agency subsequently handed over checks totaling $347,010.39 to the Spotsylvania […]

The post Police Recovered $300K Stolen in Spotsylvania Schools Phishing Attack appeared first on The State of Security.

New “Norman” Malware Took Part in Large-Scale Cryptominer Infection

Researchers identified a large-scale cryptocurrency miner infection in which a new malware family called “Norman” took part. The Varonis Security Research team made the discovery while investigating a cryptominer infection at a mid-sized company. Here’s what they found through this effort: Almost every server and workstation was infected with malware. Most were generic variants of […]

The post New “Norman” Malware Took Part in Large-Scale Cryptominer Infection appeared first on The State of Security.

Fraudsters Used Phishing Emails to Target Hotels in North America

Fraudsters launched an attack campaign that distributed phishing emails designed to target the hotel industry in North America. In summer 2019, researchers at 360 Security Center discovered that bad actors had sent attack emails to financial personnel working at various hotels throughout North America. These emails informed recipients that their organizations had not paid for […]

The post Fraudsters Used Phishing Emails to Target Hotels in North America appeared first on The State of Security.

Compromised Websites Hosting Troldesh Ransomware Samples

Digital attackers are using multiple compromised websites in order to distribute samples of the Troldesh ransomware family. Sucuri Security observed malicious emails and services like social media spreading a URL in the form of a PHP file. Once clicked, the URL downloaded a JScript file to a victim’s downloader. This file, which specifically targeted Windows […]

The post Compromised Websites Hosting Troldesh Ransomware Samples appeared first on The State of Security.

Apple Increases Maximum Bug Bounty Program Payout to $1M

Apple announced that it will be expanding the scope of its bug bounty program and increasing its maximum possible reward payout to $1 million. Ivan Krstić, Apple’s head of security engineering, made the announcement during a presentation on iOS and macOS security at Black Hat USA 2019. He revealed that Apple’s bug bounty program will […]

The post Apple Increases Maximum Bug Bounty Program Payout to $1M appeared first on The State of Security.

A Team Of Law Enforcers Took Down Major Illegal Merchandise Site

A team of law enforcers from Romania, the Netherlands, the United States, Germany and Europol have taken down the servers linked to Wall Street Market (WSM), a Dark Web website specifically designed for trading weapons, stolen passwords, drugs and other illegal goods. This comes right after an alleged theft by the Wall Street Market admins which cost their customers over $14.2 million in Bitcoin and other cryptocurrencies. One of the vocal site admins, using the account named Med3l1n, blackmailed some users of the site: after discovering that the affected users had made unencrypted support requests, the admin demanded $280 worth of Bitcoin and threatened otherwise to disclose their illegal transactions to the authorities.

“One of Europol’s initiatives is to create a coordinated law enforcement approach to tackle crime on the dark web with the participation of law enforcement agencies from across EU Member States, operational third parties and other relevant partners, such as Eurojust. To achieve this goal, Europol has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy. The team also aims to enhance joint technical and investigative actions, organise training and capacity-building initiatives, together with prevention and awareness-raising campaigns – a 360° strategy against criminality on the dark web,” said the Europol’s Press Release.

Med3l1n then proceeded to disclose the IP addresses and usernames/passwords (including his own) of users connected with Dread, an affiliate community site used for communication between dark web netizens. At that moment the real-world location of the servers hosting WSM was exposed publicly, and all kinds of users with varying goals were able to extract as much information from the site as they could. This “data breach” escalated to the point that WSM users lost the contents of their cryptocurrency wallets.

“Of much greater concern to users: The same mod has posted his login credentials to Dread. This gives anyone the ability to sign in to WSM as the mod and access all information pertaining to users and their orders that isn’t encrypted. He also gave the server IP address up,” explained Patrick Shortis, a security researcher.

The law enforcement agencies began their operation on April 30, 2019, and the complete shutdown of the site occurred on May 2, 2019. The exact URL of WSM on the Dark Web was wallstyizjhkrvmj.onion, which can only be reached through a dark web browser such as the Tor Browser (The Onion Router). Aside from the takedown, the German police members of the team reported that they placed three persons of interest under arrest and confiscated €550,000 in cash. Apparently, they were drug traffickers who were using WSM to sell their “products”. In addition, a similar site named Silkkitie was also taken down; that dark web site had been operating for at least 6 years.

“These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” emphasized Catherine De Bolle, Europol Executive Director.

The post A Team Of Law Enforcers Took Down Major Illegal Merchandise Site appeared first on .

President Trump Signs EO to Bolster Federal Digital Security Workforce

President Trump has signed an executive order (EO) that seeks to bolster the U.S. federal government’s digital security workforce. On 2 May, President Trump authorized the “Executive Order on America’s Cybersecurity Workforce.” This directive sets out various actions designed to strengthen the federal digital security workforce. For instance, it requires the Secretary of Homeland Security […]

The post President Trump Signs EO to Bolster Federal Digital Security Workforce appeared first on The State of Security.

Unprotected Database Exposed 13.7M Users’ Employment Information

An unprotected database made it possible for anyone on the web to view the personal and employment information of 13.7 million users. Security researcher and GDI Foundation member Sanyam Jain discovered the database and determined that it belonged to Ladders, a New York-based job recruitment site which specializes in high-end jobs. Jain then shared his […]

The post Unprotected Database Exposed 13.7M Users’ Employment Information appeared first on The State of Security.

Kodi Hardware Add-on Users, Mostly At Risk With Malware

Kodi used to be a software-only solution that lets a user share media within a certain geographic area seamlessly, but the people behind the software went ahead and supplied their patrons with a hardware version. This removed the need for the technical expertise required to set up a separate PC for media consumption and sharing in the home or neighborhood. Making Kodi just like any other home appliance, however, commoditization brings with it the serious problem of malware infection.

More and more security and privacy organizations distrust the makers of Kodi the software, let alone its appliance counterpart. The Digital Citizens Alliance (DCA) has nothing but bad things to say about Kodi’s hardware, especially as it is allegedly the centerpiece of piracy in the neighborhood. According to their study, the Kodi Box, a gray-market $100 machine, is a dream piracy device for the 270 Americans they surveyed, but at the same time it puts them at risk of malware infection.

The Kodi software itself is open source and is not designed for piracy; it is just a tool for sharing content. But most users are not keen on checking whether the content being shared and consumed through the software is legal or not.

“By plugging the device into a home network, [users] are enabling hackers to bypass the security designed to protect their system. If apps on the box or that are later downloaded have malware, the user has helped the hacker past network security. (We) uncovered a clever scheme that enabled criminals to pose as well-known streaming sites, such as Netflix, to facilitate illegal access to a legitimate subscription of an actual Netflix subscriber,” explained a Digital Citizens Alliance representative.

DCA has partnered with the IT security firm GroupSense to monitor black market sales. The latter found evidence of a hacker group discussing amongst themselves the feasibility of tapping into Kodi in order to propagate their malware, expand their botnet and improve their chances of successfully planting cryptojacking malware on victims’ computers while they share content.

Kodi is open-source software that can be extended beyond the features the authors provided by default. Some versions of Kodi were deliberately rebuilt to include capabilities for attempting a DoS attack against a target chosen by the hacking groups. XBMC, the developers of Kodi, strongly deny the accusation that their creation is the culprit in helping to expand malware infection. XBMC also highlighted that they do not support third-party expansions of the original Kodi. Such add-on products are creations of their respective vendors, and XBMC was not in any way involved in the development of those add-ons, hardware or software.

“If you are selling a box on your website designed to trick users into thinking broken add-ons come from us and work perfectly, so you can make a buck, we’re going to do everything we can to stop you,” said an XBMC representative.

The bottom line: the choice to use Kodi’s unofficial extensions and hardware add-ons is the responsibility of the user. If they purchase those unsupported products, XBMC cannot be blamed for any issue arising from the use of those products.


The post Kodi Hardware Add-on Users, Mostly At Risk With Malware appeared first on .

Unprotected Database Exposed Details of Over 80 Million U.S. Households

Security researchers found an unprotected database stored on the cloud that contained detailed information of over 80 million U.S. households. vpnMentor’s Noam Rotem and Ran Locar discovered the unprotected database hosted on a Microsoft cloud server during the course of a web mapping project. When they peered inside, they found that the asset contained 24 […]

The post Unprotected Database Exposed Details of Over 80 Million U.S. Households appeared first on The State of Security.

Puma Australia Hit With Credit Card Hack Malware

Sophisticated malware was planted by hackers on Puma Australia’s website with the intention of stealing customers’ credit card information at checkout, a security researcher found.

Suspicious code tucked away on Puma Australia’s page contained a script that logged people’s credit card numbers, names and addresses as they typed them into the website. The code sent the victims’ data to a server registered in Ukraine, said Willem de Groot, forensic analyst at Sanguine Security.

Puma didn’t immediately respond to a request for comment after the security researcher notified them of the attack.

The skimming campaign is made up of multiple hacking groups, and Puma is the latest in a long line of businesses hit with credit card skimming malware. Magecart is a massive hacking operation targeting online shops.

This is the kind of malware that goes after popular websites with vulnerabilities. The earlier victims include the Atlanta Hawks, British Airways, and NewEgg, among many other businesses targeted by Magecart over the past few years.

“The single largest problem with Magecart is that consumers have absolutely no way to know that they got skimmed until it’s too late and that merchants lack the tools to properly deal with this,” de Groot said.

Puma is one of the top sportswear brands in the world, with sales reaching $4 billion in 2018, according to financial reports. In the last year, Puma saw major growth in the Asia/Pacific region, where its Australian team operates.

Puma’s popularity as a worldwide brand makes it a prime target for Magecart attackers. De Groot said he found the malware through a detection tool he developed, which finds Magecart code embedded on hundreds of stores a day.

De Groot said the skimmer found on Puma Australia’s website was one of the most sophisticated ones he had seen yet.

This skimmer was able to camouflage itself by using ordinary-looking code names like “optEmbed” and “selectDuration.” Typically, skimmers have to be specifically tailored to the payment system they’re targeting, but de Groot found that the skimmer on Puma Australia’s website was a jack of all trades.

He said he’s found 77 other stores online with this new kind of skimmer from Magecart. It supports payment systems across the world, indicating a collaborative effort between hackers internationally.

“It has adapters for over 50 payment gateways, which means that the owner can deploy it quickly to newly hacked stores,” de Groot said in a message. “It clearly took a massive effort to build support for all these payment systems.”


The post Puma Australia Hit With Credit Card Hack Malware appeared first on .

Fraudster Posed as Jason Statham to Prey Upon Star-Struck Users

A digital fraudster posed as English actor and film producer Jason Statham to prey upon and steal money from star-struck users. A woman who asked not to be named said the scam began when someone posing as Statham contacted her while she was on a Facebook page dedicated to the actor. She thought it was […]

The post Fraudster Posed as Jason Statham to Prey Upon Star-Struck Users appeared first on The State of Security.

Qualcomm SOC Bug Disclosed, Critical Patch Needed

Qualcomm has emerged as a mainstream microprocessor manufacturer with the explosion of smartphones, tablets and IoT (Internet of Things) devices. As one of the three leading ARM-based System-on-Chip vendors (the other two being Samsung and MediaTek), its SOCs are common across the whole mobile computing segment. Like its desktop/laptop counterparts, the SOC is not immune to hardware bugs. In fact, a SOC is not just the microprocessor; it includes the GPU, radio and memory modules that run the mobile device, which means there are many discrete parts that can go wrong.

That possibility has come to pass, as a flaw in the Qualcomm chipset’s Secure Execution Environment (QSEE) has been discovered. Documented under CVE-2018-11976, the flaw is expected to escalate towards critical level since Android updates are few and far between for non-Pixel devices (Pixel is Google’s own smartphone line). QSEE is an implementation of a Trusted Execution Environment, similar to its x86 counterparts; it is the hardware-backed part that isolates data from the processor’s normal execution area. It is where the Android operating system operates out of reach of any third-party apps. It is the area where passwords, encryption keys and other internal Android data are stored.

The flaw was demonstrated by Keegan Ryan of NCC Group: by attacking the ECDSA algorithm, it can bypass the restrictions protecting data stored in QSEE. By default, however, this cannot be done without root access. By combining this exploit with another exploit that can root the Android device, the attack becomes practically feasible.

“We examine ECDSA signing in Qualcomm’s implementation of Android’s hardware-backed keystore and identify a series of vulnerabilities that leak sensitive cryptographic information through shared microarchitectural structures. This should not be possible, since the hardware-backed keystore is supposed to prevent any sort of key extraction, even against an attacker who has fully compromised the Android OS,” explained Ryan.

As of this writing, there is still no known patch or firmware update that can plug the hole. The good news is that the demonstration shows the attacks are limited by how large the memory cache is: the 16-byte resolution is too small to pull enough instructional data to launch a continuous attack against the SOC.

“We found two locations in the multiplication algorithm which leak information about the nonce. Both of these locations contain countermeasures against side-channel attacks, but due to the spatial and temporal resolution of our microarchitectural attacks, it is possible to overcome these countermeasures and distinguish a few bits of the nonce. These few bits are enough to recover 256-bit ECDSA keys,” added Ryan.

The hardware bug was actually disclosed to Qualcomm in March 2018, and the chip-maker was given until October 2018 to create a firmware fix for it. The following SOCs are affected; please be alert for any updates for your device if you have one of these chipsets:

IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, and SXR1130


The post Qualcomm SOC Bug Disclosed, Critical Patch Needed appeared first on .

15,000 Spam Domains Banned By GoDaddy

Palo Alto Networks’ Unit 42 security team and GoDaddy partnered to take down 15,000 domains that hosted spam and tasteless products online. Offers from these websites ranged from fly-by-night weight-loss drugs to dodgy food supplements and everything in between. The project to purge the 15,000 spammy domains didn’t happen overnight: it took the Unit 42 and GoDaddy teams two years of investigation, with the goal of minimizing false positives.

In their investigation, many of the domains were found naming celebrities as “endorsers” of the products they sell, in an attempt to boost the products’ reputation. Names such as Gwen Stefani and even the late Stephen Hawking were cited as endorsers of medical products, claiming the products were beneficial to their health. The websites associated with the spamvertising were also seen copying the visual designs of genuine prominent websites like E! Online and TMZ.

The sites also include Facebook-like elements such as the “Like” button, but these do not function the way Facebook’s do; they are merely another link to selling more dodgy products. The websites also have the habit of asking people to pay by credit card, which adds further risk to their financial security.

“When people go to cancel, they realize that they can’t. A lot of times when they try to contact the company, no one gets back to them. No one’s ever going to get back to them, because that’s how these companies make their money, off of these refills,” explained Jen Miller-Osborn, Unit 42’s Deputy Director of Threat Intelligence.

All is not lost for the victims, as they may call their credit card provider in the hope of canceling the questionable transaction. Of course, if the charge happened a long time ago, canceling the transaction will be harder, and the charge will already have incurred interest.

“In our process of analysis, we’re presented with an array of screenshots from the virtual systems that crawl these websites; this is why after seeing these images time and time again they eventually became ingrained in my mind and I could start to recognize templates being used and their slight variations over time. While this campaign phased out, there was another running in parallel with the same tactics but a different product, switching from ‘brain supplements’ to ‘weight loss.’ It keeps the celebrity endorsement theme and continues masquerading as a legitimate website,” emphasized Jeff White, Senior Threat Researcher at Palo Alto Networks.

Some parts of the websites use URL-shortening services. These types of redirects are dangerous to any user, as the only practical way to determine the destination of a shortened URL is to visit it. Knowing exactly where a shortened URL points requires knowing that a service for checking this is available. One such service is but of course not all Internet users are aware of such services; we hope that through this article we help you educate yourself on lessening the risks you face on the Internet every day.


The post 15,000 Spam Domains Banned By GoDaddy appeared first on .

Washington State Legislature Passes New Data Breach Law

The Washington legislature has passed a bill that effectively expands the state’s consumer data breach notification requirements. Previously, Washington-based organizations needed to notify consumers of a data breach only in the event that the security incident exposed users’ names in combination with their Social Security Numbers, driver’s license numbers, state ID numbers or financial account […]

The post Washington State Legislature Passes New Data Breach Law appeared first on The State of Security.

Among Many ASUS Was One of ShadowHammer Target

The ShadowHammer hacking operation infiltrated at least six other organizations, and ASUS was one of them.

As Kaspersky’s security researchers further found, ASUS’ supply chain was compromised by trojanizing ASUS Live Updater, which was eventually downloaded and installed on the computers of thousands of customers, according to experts’ estimates.

The attackers tampered with the binaries and signed them using a legitimate certificate, which kept the malicious updater from being flagged.

The researchers found that ASUS was not the only company whose IT infrastructure was infiltrated during Operation ShadowHammer. A number of other malware samples that employed similar algorithms were also signed with valid, legitimate certificates. The newly found samples and the ASUS samples both used similar algorithms to calculate API function hashes, and IPHLPAPI.dll was heavily used within all the malware samples for various purposes.

Besides three Asian gaming companies, Electronics Extreme, Innovative Extremist and Zepetto, Kaspersky was also able to find three other organizations which were successfully compromised: “another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea.”

In the cases of the three Asian vendors, the threat actors were able to drop a malicious payload designed to collect system information and download extra payloads from its command-and-control (C&C) server.

The researchers are still in the process of alerting the affected organizations that they were also attacked by Operation ShadowHammer.

After getting installed on victims’ computers, the trojanized games used as malware droppers first check whether a number of traffic/processor monitoring tools are running or whether the system language is set to Simplified Chinese or Russian; if so, the backdoor automatically stops execution.

If successful, the malware starts collecting system info (network adapter MAC address, system username, system hostname and IP address, Windows version, CPU architecture, current host FQDN, domain name, current executable file name, drive C: volume name and serial number, screen resolution, and system default language ID).

All the info is sent to the C&C server via an HTTP POST request, and the backdoor then sends a GET request to receive commands.

The following commands were discovered:

  • DownUrlFile – download URL data to file
  • DownRunUrlFile – download URL data to file and execute it
  • RunUrlBinInMem – download URL data and run as shellcode
  • Uninstall – set the registry flag to prevent malware start

The Uninstall command sets the registry value HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819} to 1, which blocks the malware from contacting the C2 again. No files are deleted from the disk, so they can be recovered through forensic analysis.

This time, the researchers also found out that the ShadowPad backdoor used in Operation ShadowHammer now employs editable Google docs for C&C communication.

As discovered by Kaspersky, “ShadowHammer reused algorithms in multiple malware samples, including PlugX, which is a popular backdoor among Chinese-speaking hacker groups.”

After the ShadowHammer attack, ASUS also confirmed the hacking incident and stated that “only the version of Live Update used for notebooks has been affected,” with all other devices not being affected by the supply chain attack.

ASUS users can also check if their notebooks have been targeted in the attack with the help of offline checkers provided by ASUS and Kaspersky, or the online web checker available on Kaspersky’s website.

On the other hand, software vendors are advised by Kaspersky’s research team to “introduce another procedure into their software production process that additionally checks their software for potential malware injections even after the code is digitally signed.”

The researchers also stated that “how many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.”


The post Among Many ASUS Was One of ShadowHammer Target appeared first on .

PayPal Anti-Ransomware Patent: End of Its Effectiveness?

Ransomware attacks and massive infections have been plaguing business and even personal computing since 2017. Creating an atmosphere of fear makes people do things that would otherwise be unthinkable, like paying a ransom just to “recover” files lost to a ransomware infection. Ransomware is a cash cow for cybercriminals, with WannaCry alone earning an estimated $4 billion worth of ransom payments over the whole of 2017. This has grown further in the first quarter of 2019, with 90% growth in infection numbers compared to the same quarter of 2018. Encryption, a technology invented for securing files, is turned upside down and used to cause trouble for computers instead, by encrypting critical user files.

Paypal, of all tech companies, has announced that it has the technology to massively fight ransomware campaigns. It has been a long time coming: the patent application, which concerns preventing the encryption process, had been pending with the U.S. Patent and Trademark Office since September 2016. The patent application was described as: “By detecting that ransomware is operating on a computer (e.g. by correlating between the original data and content in different cache layers), the negative effects of the ransomware may be mitigated or avoided.”

Basically, ransomware runs a business of selling time-limited decryption keys to its own victims. Paypal has developed a way to check the cache area of the operating system (as files need to be loaded into computer memory before the CPU can manipulate them), saving its contents somewhere for later use as a point of comparison. The Paypal system can therefore prevent an encrypted copy of a file from persisting, as it will be overwritten by the decrypted original version from the saved copy. The ransomware authors would need to make major adjustments to continue their “business”.

This can best be described as disarming an armed enemy: the ransomware continues to run on the computer but is unable to do any encryption damage to the user files stored on the computer or on a network share. The PayPal patent is designed as a lightweight system, to spare the user from performance penalties while it runs on the system. It was only tested inside the confines of the PayPal company, and no working prototype has been made available for download for public testing. Paypal has not disclosed when it will release the new product or service, or whether it will only be available to Paypal users.

Though Paypal never claims that this technology will be the final silver bullet against ransomware, the company hopes to use it to make cybercriminals lose their cash cow. The latter would need to go back to the drawing board to “fine-tune” their ransomware to bypass the algorithm used by the Paypal patent. Of course, the company still strongly recommends that firms roll out a reliable backup system, because ransomware has the least impact if a recent backup can be restored instead of paying the ransom.

Also, Read:

PayPal Phishing Scam Coming From Official PayPal Email Address

PayPal Block The Hacker News

What to do if Ransomware attacks your computer?

The post PayPal Anti-Ransomware Patent: End of Its Effectiveness? appeared first on .

Suffered Security Incident Potentially Involving Customer Info

American online retailer suffered a security incident that might have exposed customers’ personal information. In February 2019, learned of an instance where unknown actors gained unauthorized access to its systems. The fitness platform responded by retaining a data forensics firm to investigate what happened. This effort, which concluded in April 2019, traced the […]… Read More

The post Suffered Security Incident Potentially Involving Customer Info appeared first on The State of Security.

“123456” Remains the World’s Most Breached Password

“123456” remains the most common password which digital criminals abuse to steal unsuspecting users’ sensitive information. On 21 April, the United Kingdom’s National Cyber Security Centre (NCSC) partnered with security researcher Troy Hunt to publish the top 100,000 passwords from Hunt’s Pwned Password service. Here are the top 20 passwords from this list: 123456 123456789 […]… Read More

The post “123456” Remains the World’s Most Breached Password appeared first on The State of Security.

Google to Block Sign-ins from Embedded Browser Frameworks

In a bid to improve its phishing protections and to protect users from MITM attacks, Google has made a new move: it has decided to block user sign-ins from embedded browser frameworks.

GBHackers on Security reports, “Google announced a new security update to block user sign-ins using embedded browser frameworks in order to improve the protection against phishing and MitM attacks.”

In a blog post dated April 18, 2019, Jonathan Skelker, Product Manager, Account Security at Google clarifies that MITM (Man in the Middle), which is one form of phishing, becomes, “…hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication.”

He adds, “MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.”

Google has been working constantly to improve its protections against phishing attacks and to keep users’ information secure. Last year, Google announced that JavaScript must be enabled in the browser whenever users sign in. This lets Google run a risk assessment whenever a user enters credentials on a sign-in page, and if an attack is suspected, the sign-in is blocked. Now, this new announcement adds to the protection Google provides its users against credential-based phishing and MITM attacks.

Google suggests that developers start using browser-based OAuth authentication as an alternative to embedded browser frameworks. Jonathan Skelker writes, “The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.”

Related Resources:

Google Helps Identify Crime Suspects Using Location History

Google Releases Android Q Beta 2, Bubbles Feature a Highlight

Google Removes 85 Adware-Infected Android Apps

Google Duplex Assistant to Reach iPhones, Most Android Phones

The post Google to Block Sign-ins from Embedded Browser Frameworks appeared first on .

Massive Malvertising in Chrome iOS Variant, Caused By eGobbler Group

The notorious eGobbler group has set its sights on the iOS version of the Chrome browser, using the platform for malvertising. Also known as malicious advertising, malvertising is a deceptive scheme in which a group publishes a seemingly ordinary advert on a website, but instead of directing the user to the advertiser, the advert points them to a malicious website. In the case of Chrome for iOS, the eGobbler group was able to hijack some genuine ad servers, which then delivered a number of malformed adverts that redirected visitors to a scam/phishing website.

Confiant, a cybersecurity consulting firm, confirmed that at least 500 million malicious ads had already been displayed in Chrome for iOS in the first 10 days. eGobbler’s motivation for the campaign is clear: profit. An additional revenue stream for eGobbler may come from ad-supported landing pages and from covert user data collection.

Unlike the Chrome browser on Windows, Linux, macOS and Android, the iOS version of Chrome uses Apple’s WebKit engine instead of the Google-developed Blink. This is by design, as Apple devices cannot run browser engines other than WebKit, which severely limits other browser vendors’ ability to provide a level feature set across platforms.

Further checking revealed that the exploit only affects Chrome for iOS, as the exact condition that triggers the malvertising is hardcoded to the iOS platform and only executes there. Confiant provided the example below of how eGobbler customized its payload to make it look convincing:


“Like other bad actors, eGobbler leverages cloaking techniques and obfuscation to make their payloads look like legitimate ads, but a closer look at the payload behind these recent attacks reveals a very special twist. We were already aware from our internal blocking metrics that the campaign is iOS targeted. Normally this would not be alarming, as this is common among malvertisers for varying reasons. However, given the volume of this attack we decided to inspect it with extra scrutiny,” emphasized Eliya Stein, Confiant’s Sr. Security Engineer.

This happens through browser session hijacking, a technique that forces a web browser to open a website the user never intended to visit, merely because an unrelated link was clicked. It is done with malformed JavaScript that tells the browser to open another site (seemingly unrelated to the one the user visited) in a new tab.

All modern browsers have a pop-up blocker; in fact, if we remember correctly, even the dreaded Internet Explorer 6.0 from the Windows XP days (circa 2001) got one, which Microsoft added to IE as part of Service Pack 2. However, Chrome for iOS has a flaw in its pop-up detection mechanism, so the pop-up blocker is bypassed and the malvertising is displayed uninterrupted.

“We tested the eGobbler payload against the standard set of sandboxing attributes as they exist in 90% of Google’s ad serving products. While on the surface the allow-popups directives seem like there’s nothing special about eGobbler’s payload, this is not true, because these actions should only be possible as a result of direct user interaction, a requirement that the eGobbler exploit successfully circumvents. The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes,” concluded Stein.

Also, Read:

Android is Now as Secure as iOS!

New Google Chrome Zero-Day Vulnerability Detected

Google’s New Chrome Extension Seeks to Secure Accounts


The post Massive Malvertising in Chrome iOS Variant, Caused By eGobbler Group appeared first on .

Windows 10, 8.1 and 7 Getting Bricked After April 2019 Windows Update

It seems Redmond continues to have nightmares with its Windows update roll-outs, as reports of large numbers of bricked computers are coming in for Windows 10, 8.1 and 7 after the April 2019 Patch Tuesday. The affected computers no longer boot into Windows after the Patch Tuesday updates are installed; the probable culprit is antivirus software conflicting with the updates. The bricked devices apparently have Avira, Avast, AVG or ArcaBit antivirus installed. Microsoft has published a dedicated Knowledge Base article addressing the concerns about the unbootable Windows computers.

“Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing this update. Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed. We are presently investigating this issue with Avira and will provide an update when available,” explained a Microsoft representative when asked for comment.

Antimalware traditionally takes administrative privileges during installation and runs as a system-level process. It monitors the behavior of system files and, on a normal day, blocks changes to them unless they are made during a Windows update. It is not uncommon for antivirus software to block overwrites of system files, which are the critical part of any Windows update procedure. This creates a conflict and a cat-and-mouse situation, with the antimalware seeing the changes made by a Windows update as potentially “suspicious behavior”.

“Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install this update and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time,” added Microsoft.

Microsoft is evidently aware of the issue, as the Windows 10 May 2019 Update, also known as 1903, is designed with reformed Windows Update behavior. Under 1903, Windows will try to uninstall updates after a Windows Update process if it detects that the computer repeatedly fails to boot. This is meant to reduce the instances of a Windows 10 computer being bricked by an incompatible update. “This will give Microsoft and our partners the opportunity to investigate the failure and fix any issues. After 30 days, Windows will again try to install the updates,” said Microsoft, describing the new feature.

There is no information on whether Windows 7 and Windows 8.1 will receive a similar feature, as both are in Extended Support. Windows 7 will continue receiving critical security updates until January 2020, while Windows 8.1 will be discontinued in 2023.

Also, Read:

Windows 10 1903 Upgrade: A Repeat Of 1809 Nightmare?

Nasty Side-Channel Attack Vulnerability (Again) In Windows & Linux Discovered

Down But Not Out, WannaCry Malware Continues to Infect Unpatched Windows PCs

Windows-based Forensic Tools Available for Everyone

The post Windows 10, 8.1 and 7 Getting Bricked After April 2019 Windows Update appeared first on .

On Mid 2019: No Facebook Messenger P2P Service For UK and France

Facebook has announced its plan to discontinue person-to-person payments through the Facebook Messenger app in France and the UK. The payment feature will remain available to users only until June 15, 2019. The P2P payment scheme in Facebook Messenger is a system launched by the social media giant that enabled money transfers between Facebook friends.

“We’re contacting you because you have used our peer-to-peer (P2P) payments service to send and receive money with friends and family on Messenger. On 15 June 2019, we will discontinue P2P services on Messenger or through Facebook messages for all residents in the UK and France. While you won’t be able to exchange money with friends and family, you’ll still be able to complete other transactions through Facebook, such as making donations to charitable organizations,” explained a Facebook Messenger spokesperson.

Facebook has not specifically explained why only France and the UK will have the service discontinued, while in the rest of Europe and the United States the service retains a healthy market share. Facebook entered the P2P payment market in November 2017 and has since become a direct competitor of payment services giants and Western Union. Leveraging its billions of active users worldwide, the social media giant has taken a chunk of the market even though it is the newest kid on the block.

It is not yet known whether Facebook will re-enter the market, reintroducing P2P in France and the UK at a later date, or enter the cryptocurrency market, tapping an underutilized market in the process. Facebook has not disclosed how many users regularly use the P2P payment system, but the company has highlighted that all its customers were notified about the discontinuation.

“After evaluating how we give people the best experiences in Messenger, we made the decision to focus our efforts on experiences that people find most useful. Users have been notified in preparation for this change,” concluded Facebook.

It is not clear how much money Facebook stands to lose by discontinuing the P2P service in the two countries. Facebook’s move to shrink its customer payment service market share is the opposite of what Apple is planning: Cupertino is expanding its business portfolio by releasing an Apple credit card for iPhone and Apple device owners. All of these developments are happening in the wake of the EU’s Payment Services Directive, specifically the Strong Customer Authentication initiative, which is scheduled for September 2019. It will legally require all vendors hosting payment schemes to use the hardened 3D Secure protocol, to discourage if not prevent transaction fraud.

Also, Read:

Facebook Messages about Jayden K. Smith a Hoax

Telegram Gained 3 Million New Users Due To Facebook Downtime

Facebook Suffers Biggest Ever Outage in its History

Facebook Share Plunges Following Allegations of Data Sharing



The post On Mid 2019: No Facebook Messenger P2P Service For UK and France appeared first on .

The Weather Channel Suffers Ransomware Attack

Local and national weather forecast provider The Weather Channel suffered a ransomware attack that temporarily prevented it from going live on the air. Regular viewers got a surprise when they tuned into The Weather Channel on the morning of 18 April. They were expecting to watch “AMHQ,” the network’s live morning show which begins at […]… Read More

The post The Weather Channel Suffers Ransomware Attack appeared first on The State of Security.

Is There A Way To Lessen User Tracking?

With nearly every website these days carrying some form of tracking cookie, script or third-party tracking service, it seems all of us Internet users have thrown personal privacy out of the window. With the growth of social media platforms like Facebook, Twitter and YouTube, these companies started offering their login credentials as the login for thousands of other websites and web services as well. Before this, each web service or website required its users to sign up for an account individually. This means that Facebook, Twitter or YouTube (owned by Google) is given more influence and power over users’ data for the sake of convenience.

Add to that the social media platforms’ entry into Artificial Intelligence research: whether the user carries an Android or iOS device, it comes with a voice assistant. That assistant is always listening for “Hey Siri” or “Hi Google”, so even more privacy is surrendered by users to the tech giants. So the only way to remain private is to stop using these services entirely, right? Fortunately, that is not always the case. Google itself created a website that shows the actual data that the search giant and all the services under its umbrella have collected.

The website Google provides to all its users is Google My Activity, a powerful tool for opting out of Google tracking across its many services such as Gmail, Search, YouTube and, if the Google account is synced with a device, Android-related data. Facebook also offers users the ability to see all the data the social media giant has collected from them over the years since the account was created. Everyone can head to for the details of everything Facebook knows about them; there is also a feature to download the same data to a local computer for archiving. This download option is very valuable, especially for a user who decides to quit the social network but wishes to keep an archive of their profile before submitting the account deletion request.

Of course, those who want to use Google and Facebook services may opt to use a dummy account. However, since Facebook’s terms of service demand that whoever signs up uses their real-world name and identity, any suspicion on Facebook’s part may get the dummy account banned. Other users may also report an account they have reasonable grounds to suspect is a dummy. All of this can be avoided by staying under the radar: that means avoiding being critical of others, especially on highly heated topics, which lessens the chances of being reported.

Facebook has deployed face-recognition technology sophisticated enough to determine whether the account holder and the profile pictures they use are the same person. This works through AI technology Facebook has deployed that compares the pictures of people uploaded within Facebook’s ecosystem. Any instance of impersonation will sooner or later be detected; this is how the social media giant combats fake profiles.

Of course, we can choose to stay out of the Facebook, Google and other companies’ ecosystems by choosing similar third-party services. Social media is not new; Facebook just made it mainstream. Google was not even the first search engine; it just made searching much friendlier and more to the point. YouTube is not the only video-sharing website on the Internet; many smaller competing services exist, although their communities are also much smaller. The bottom line: the Internet is vast, we can look for whatever web service we wish, and there is a fair chance that service already exists.

Related Resources:

Google Faces Lawsuit, Accused Of Tracking Locations

Google Helps Identify Crime Suspects Using Location History

The post Is There A Way To Lessen User Tracking? appeared first on .

Malformed .MHT File in Internet Explorer May Lead To File Theft

As Microsoft gears up for a new version of Microsoft Edge based on the Chromium engine, Internet Explorer, its ugly stepmother, remains part of Windows 10, and it drags its vulnerabilities into Redmond’s latest operating system. Proof-of-concept code has been released to demonstrate an XML eXternal Entity (XXE) flaw in Internet Explorer 11, which Microsoft has refused to fix for an undisclosed reason. This is a huge departure from Microsoft’s earlier commitment to continue patching Internet Explorer 11, which is bundled with all versions of Windows.

Internet Explorer, with its aging Trident engine, has a flaw in handling the MHTML web archive file format. A malformed .MHT file can allow remote actors to extract local files from the computer’s hard drive. All the user needs to do is open an MHT file, which by default is associated with Internet Explorer even when another browser is the default browser. The attacker can also launch JavaScript from the malformed .mht file in order to access local files that should not be accessible.

“This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information. Example, a request for ‘c:\Python27\NEWS.txt’ can return version information for that program. A simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage. Typically, when instantiating ActiveX Objects like ‘Microsoft.XMLHTTP’ users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings,” explained John Page, a security researcher.

Internet Explorer is still used by companies with intranet systems that rely on ActiveX controls, a legacy technology designed to deliver dynamic content to a web page. Such high interactivity comes with a huge drawback, as much of the malware of the early 2000s was based on ActiveX. As Internet Explorer has almost the same market share as Mozilla Firefox today, users are advised to change the association of .mht files to Notepad or another text editor instead of Internet Explorer. This removes the possibility of .mht files opening automatically in Internet Explorer.
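A defender’s first step is to check whether the advice above has actually taken effect on a given machine. The PowerShell script below is an added example, not code from the article or from the researcher it quotes; it is read-only and reports which handler Windows will use for .mht files. It assumes the standard Windows file-association layout: the default value of HKCR\.mht names a ProgID (normally mhtmlfile), HKCR\<ProgID>\shell\open\command holds the command line, and a per-user “Open with” choice, if any, is stored under HKCU\...\Explorer\FileExts\.mht\UserChoice.

```powershell
# Added example (not from the article): report the effective handler for .mht
# files so an administrator can confirm whether they still open in Internet
# Explorer. The script changes nothing.
# Assumed (standard) registry locations:
#   HKCR\.mht (default)                        -> ProgID, normally "mhtmlfile"
#   HKCR\<ProgID>\shell\open\command (default) -> command line used to open it
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice
#       ProgId                                 -> per-user override from "Open with"

function Get-MhtHandler {
    $ext = '.mht'
    $progId = $null

    # A per-user choice takes precedence over the machine-wide association.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    if (Test-Path $userChoice) {
        $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    }

    # Fall back to the machine-wide ProgID under HKEY_CLASSES_ROOT.
    if (-not $progId) {
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (Test-Path $extKey) {
            $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        }
    }

    # Resolve the ProgID to the command line Windows would run.
    $command = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }

    [pscustomobject]@{
        Extension = $ext
        ProgId    = $progId
        Command   = $command
        OpensInIE = [bool]($command -and $command -match 'iexplore\.exe')
    }
}

$handler = Get-MhtHandler
$handler | Format-List

if ($handler.OpensInIE) {
    Write-Warning "$($handler.Extension) files still open in Internet Explorer. Re-associate them with a text editor via Settings > Apps > Default apps > Choose default apps by file type."
} else {
    Write-Host "$($handler.Extension) files are not associated with Internet Explorer."
}
```

Run it in a normal (non-elevated) PowerShell session, since the per-user override lives in HKCU and must be read as the user who opens the files. Because Windows 10 protects the UserChoice key with a hash, the re-association itself is best done through the Settings dialog named in the warning rather than by writing the registry directly; the script is only the check that the change was made.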

“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case,” said a Microsoft representative in response to the issue.

Related Resources:

Use Of Internet Explorer Heavily Discouraged. Major Flaw Discovered

All Browser Vendors Unite: Goodbye to TLS 1.0 and 1.1 on 2020

The post Malformed .MHT File in Internet Explorer May Lead To File Theft appeared first on .

Ransomware Attack Targeted Data Intelligence Firm Verint

Bad actors used a ransomware attack to target the Israeli offices of the customer engagement and digital intelligence company Verint. On 17 April, ZDNet received a screenshot taken by an employee who works at one of Verint’s Israeli offices. The screenshot shows what appears to be a warning message which the data intelligence firm displayed […]… Read More

The post Ransomware Attack Targeted Data Intelligence Firm Verint appeared first on The State of Security.

Navicent Health Discloses Data Breach as the Result of a Digital Attack

Navicent Health, a part of Central Georgia Health System, has disclosed that it suffered a data breach as the result of a digital attack. The second-largest hospital in Georgia and the only regional Level I Trauma Center, Navicent Health explains in a data breach notice that it learned of a digital attack involving some of […]… Read More

The post Navicent Health Discloses Data Breach as the Result of a Digital Attack appeared first on The State of Security.

Spear Phishing Campaign Targeted Ukraine Government Entities

Researchers observed bad actors using a spear phishing campaign to target government entities in Ukraine including military departments. In the beginning of 2019, FireEye Threat Intelligence analyzed an email sent out as part of this campaign. The email used “SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD” as its subject line. It also spoofed the sender address so that it appeared to […]… Read More

The post Spear Phishing Campaign Targeted Ukraine Government Entities appeared first on The State of Security.

RobbinHood Ransomware Demands Grow $10K Per Day after Fourth Day

The ransom demands imposed by the new “RobbinHood” ransomware family increase $10,000 each day beginning on the fourth day following encryption. The creators of RobbinHood appear to be aiming their attacks at entire networks. When they’ve gained access to a target, they use their ransomware to encrypt as many computers as possible. They then drop […]… Read More

The post RobbinHood Ransomware Demands Grow $10K Per Day after Fourth Day appeared first on The State of Security.

MuddyWater Group Using Spam Campaign to Hijack Victims’ Computers

The MuddyWater threat attack group is using a spam campaign to hijack victims’ computers and steal sensitive information. Discovered by Heimdal Security in early April, the campaign begins when malicious actors use social engineering techniques to trick a user into opening a malicious Microsoft Office document attached to a phishing email. The document contains VBA […]… Read More

The post MuddyWater Group Using Spam Campaign to Hijack Victims’ Computers appeared first on The State of Security.

TRITON Framework Leveraged at a Second Critical Infrastructure Facility

Researchers have discovered that malicious actors leveraged the TRITON framework at a second critical infrastructure facility. In this particular attack, the threat actor maintained access to the target corporate networks for nearly a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. They remained relatively quiet all the while as they worked […]… Read More

The post TRITON Framework Leveraged at a Second Critical Infrastructure Facility appeared first on The State of Security.

AeroGrow Discloses Data Breach of Customers’ Payment Card Information

Indoor gardening system manufacturer AeroGrow has disclosed a data breach that involved customers’ payment card information. In a sample data breach notice obtained by the Office of Attorney General for the State of California, AeroGrow senior vice president of finance and accounting Grey H. Gibbs explains that the company learned of the security incident on […]… Read More

The post AeroGrow Discloses Data Breach of Customers’ Payment Card Information appeared first on The State of Security.

Planetary Ransomware Victims Can Now Recover Their Files for Free

Security researchers have released a decryptor that enables victims of the Planetary ransomware family to recover their files for free. Released by Emsisoft, this decryptor requires a victim to have a copy of the ransom note. It’s not hard to find. Planetary ransomware, which earns its name for its use of planet-related file extensions including […]… Read More

The post Planetary Ransomware Victims Can Now Recover Their Files for Free appeared first on The State of Security.