
Facebook Account Takeovers: Can Tech Giant Stop Hijacking Scams?


A Go Public investigation found that Meta has allowed a scam campaign to flourish on Facebook, with fraudsters locking users out of their accounts and impersonating them.

According to the CBC, Lesa Lowery is one of the many victims. For three days she watched helplessly as Facebook scammers, posing as her, duped her friends out of thousands of dollars for counterfeit goods. Her Facebook account was taken over in early March.

Lowery lost control of her account after changing her password in response to an email that looked like it came from Facebook. The scammer locked her out, and her friends lost $2,500. Many of Lowery's friends reported the incident to Facebook, but Meta took no action. The scammer deleted the warnings her friends posted and blocked them. Lowery's former neighbour, Carol Stevens, lost $250 in the swindle.

Are Meta’s efforts enough? 

Claudiu Popa, author of "The Canadian Cyberfraud Handbook," criticised Meta for generating billions while failing to secure its users; Meta's sales rose 16% to $185 billion last year.

Meta told Go Public in writing that it has "over 15,000 reviewers across the globe" to handle breaches, but did not explain why the retirement-home fraud was allowed to proceed.

Popa, a cybercrime specialist, believes that fraudsters employ AI to identify victims and create convincing emails. According to Sapio Research, 85% of cybersecurity professionals believe that AI-powered assaults have increased.

In March, 41 US state attorneys general stated that Meta assisted customers as the number of Facebook account takeovers increased. Meta indicated that it was attempting to fix the issue but did not disclose specifics. Credential stuffing attacks and data breaches can lead to account takeovers and to the sale of credential dumps.

According to The Register, Facebook accounts in the US have also been taken over through phone number recycling. New telecom customers are assigned abandoned numbers that have not been unlinked from the previous owner's accounts. A recycled number may therefore receive a password reset request or a two-factor authentication code, potentially granting unauthorised access to the old owner's account.

Meta is aware of account takeovers caused by phone number recycling; however, the social media giant noted that it "does not have control over telecom providers" reissuing phone numbers, and that the affected users had linked phone numbers to their Facebook accounts that they no longer held.

Meanwhile, cybersecurity experts propose that the government take measures to address Facebook account takeovers. According to Popa, companies like Meta rely on legislation to protect users and respond fast to fraud.

Cross Site Scripting Bugs Identified in Google Cloud and Play


A security researcher recently discovered a pair of vulnerabilities in Google Cloud, DevSite, and Google Play that allowed attackers to launch cross-site scripting (XSS) attacks, opening the way to account hijacking.

The first vulnerability is a reflected XSS flaw in Google DevSite. An attacker could exploit it by luring a user to a malicious link that runs JavaScript on the origins http://cloud.google.com and http://developers.google.com, meaning the attacker could read and alter the contents of pages on those origins, circumventing the same-origin policy.

“Due to a vulnerability in the server-side implementation of part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page,” researcher ‘NDevTK’ explained in a blog post.

The second vulnerability is a DOM-based XSS on Google Play. DOM-based XSS vulnerabilities usually arise when client-side JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution or markup injection, such as eval() or innerHTML. This lets an attacker inject malicious JavaScript, which typically paves the way to hijacking other users’ accounts.

The researcher explained in his blog that Google Play's Content Security Policy (CSP) mitigated the XSS vulnerability there. Google nonetheless rewarded both findings, paying a bounty of $3,133.70 for the DevSite bug and $5,000 for the vulnerability in Google Play.

“On the search page of [the] Google Play console vulnerable code was run when the search resulted in an error. Getting an error was as simple as doing /?search=& and because window.location includes the hash which never encodes ' it’s possible to escape the href context and set other html attributes. Unlike the DevSite XSS this is prevented by the CSP but was still awarded more by the panel,” the researcher added.
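The following is an added example, not code from the original post or from NDevTK's writeup. It illustrates the DOM-based XSS pattern described in the two passages above: URL data (the hash, in which browsers never percent-encode a single quote) concatenated into a single-quoted href attribute, shown beside the hardened rendering, with a small helper a reviewer can use to check whether an untrusted value stayed inside its attribute. It assumes Node with the WHATWG URL API and simulates the DOM with strings.

```javascript
// Added example (not from the original post or NDevTK's writeup). Runs under
// Node; the DOM is simulated as plain strings so it works offline.

// Which URL component preserves a single quote: the query encodes it as %27,
// the fragment leaves it intact, so hash-derived data is the risky source.
function quoteSurvivesIn(urlString) {
  const u = new URL(urlString);
  return { search: u.search, hash: u.hash };
}

// Vulnerable rendering: the untrusted term is spliced straight into markup.
function buildLinkUnsafe(term) {
  return "<a href='/search?q=" + term + "'>retry</a>";
}

// Hardened rendering: encode the characters that matter in an attribute
// context. In a live DOM, el.setAttribute("href", value) achieves the same,
// because the value is never re-parsed as markup.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/'/g, "&#39;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function buildLinkSafe(term) {
  return "<a href='/search?q=" + escapeAttr(term) + "'>retry</a>";
}

// Review helper: what the browser will take as the href value. If the
// untrusted term managed to close the quote, the value is truncated and the
// remainder of the term is parsed as additional attributes.
function hrefValue(html) {
  const m = /href='([^']*)'/.exec(html);
  return m ? m[1] : null;
}
function decodeAttr(s) {
  return s.replace(/&#39;/g, "'").replace(/&quot;/g, '"').replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Constructed, benign probe: it only tries to add a harmless title attribute,
// which is enough to show whether the attribute boundary can be escaped.
const PROBE = "a' title='injected";
```

In the unsafe rendering the href is cut short at the injected quote and `title='injected'` becomes a real attribute; in the safe rendering the whole probe decodes back out of the href unchanged.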

Last November, a researcher at Persistent Systems uncovered a cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed attackers to run arbitrary JavaScript. The attack worked by sending the target an HTML file that contained a cross-site request forgery (CSRF).

If the target opened the file, the CSRF payload ran and a crafted search query was stored in the browser’s search history. The next time the user opened an NTP and clicked on the Google search bar, the malicious code was triggered.

How Australia’s Leader Lost Control of His Chinese Social Media Account


After Prime Minister Scott Morrison's WeChat account was hijacked, a Liberal member of parliament accused the Chinese government of foreign interference.

"It is a matter of record that the platform has stopped the Prime Minister's access, while Anthony Albanese's account is still active featuring posts criticising the government," Liberal representative Gladys Liu stated.

"In an election year especially, this sort of interference in our political processes is unacceptable, and this matter should be taken extremely seriously by all Australian politicians." 

As part of her accusations against the Chinese government, Liu said she would stop using her professional and personal WeChat accounts until the platform provided an explanation for the incident.

Several Coalition members have supported Liu's charges and boycott, with Liberal Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security, asking for Opposition Leader Anthony Albanese to boycott WeChat as well. 

Stuart Robert, the Minister responsible for digital transformation, told The Today Show on Monday morning that the Prime Minister's office is attempting to contact the Chinese government about the account hijacking.

"It is odd, and of course, the Prime Minister's office is seeking to connect through to them to work out and get it resolved," Robert said. 

According to NewsCorp Australia, Morrison's WeChat account was apparently altered months ago and he began having access problems, to the point where the Prime Minister could no longer access the account at all.

Morrison's account is linked to a Chinese national based in Fujian because WeChat's policies at the time required accounts to be tied to the ID of a Chinese national or a business registered in China, according to Australian Strategic Policy Institute senior analyst Fergus Ryan.

A Tencent spokesman confirmed to ZDNet on Monday evening that the account was originally registered by a PRC individual, but that it is currently being managed by a technology services organisation. 

"Based on our information, this appears to be a dispute over account ownership -- the account in question was originally registered by a PRC individual and was subsequently transferred to its current operator, a technology services company -- and it will be handled in accordance with our platform rules," the Tencent spokesperson said. 

"Tencent is committed to upholding the integrity of our platform and the security of all users' accounts, and we will continue to look into this matter."

According to ABC News, Morrison's WeChat account was sold to Fuzhou 985 Information Technology in November of last year by the registered owner. 

The Chinese company reportedly bought the account because it had roughly 75,000 followers, and says it had no idea it belonged to Morrison.

WeChat has been subjected to increasing restrictions in China, after being placed on notice last year for gathering more user data than was considered essential while providing services.