
NIA Starts Probe into Malware Attacks on Social Media of Defense Personnel

The NIA (National Investigation Agency) has started an inquiry into the use of a fake Facebook profile through which various defense personnel were contacted and their devices hacked with malware to obtain personally identifiable information. The NIA suspects that the main account was being handled from Pakistan. The Vijaywada Counter Intelligence Cell first found the spying campaign in 2020, after which it registered a case under several provisions of the IPC, the Official Secrets Act, the Information Technology Act, and the UAPA (Unlawful Activities Prevention Act).

According to the allegation, confidential information related to national security was stolen by remotely deploying hidden malware onto electronic devices, including mobile phones and computers, belonging to defense personnel and other defense agencies, via a Facebook account with the profile name "Shanti Patel." The actors handling the account approached the personnel concerned through private Facebook Messenger chats on the web.

The victims' devices were hacked using malware to gain unauthorized access to confidential data on computer resources and to steal sensitive information, with the aim of carrying out acts of terrorism and threatening the unity, integrity, and sovereignty of India. As per the report from the Counter Intelligence Cell, the threat actors distributed the malware by sending the defense personnel a folder that contained photos of a woman. The evidence suggests that the malware originated somewhere in Islamabad. A similar case occurred last year, when police in Rajasthan arrested army personnel; the accused was posted in Sikkim.

The Hindu reports: "On October 31, 2020, following a tip-off from the Military Intelligence, the Rajasthan police nabbed one Ramniwas Gaura, a civilian working with a Military Engineering Services (MES) unit. The accused had been contacted using a Facebook profile by someone using the pseudonyms Ekta and Jasmeet Kour. They then remained in touch on WhatsApp." The paper also quotes an official: "In recent years, multiple attacks targeting defense agencies using social media have surfaced. The handlers usually send money to the information providers through the 'hawala' channel. Several preventive measures have been taken by the agencies concerned."

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT, which first appeared on hacking forums in 2016 and has been marketed, sold, and offered as cracked copies on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow carrying a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software that can be purchased online.

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques, such as creating phony social media identities and building a close relationship with the targets. AridViper has previously targeted Palestinian law enforcement, military, and educational institutions, as well as the Israel Security Agency (ISA), with spear-phishing attacks. Researchers from Cisco Talos discovered AridViper attacks against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook profiles using forged credentials and stolen or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators spent months curating these profiles to make them appear legitimate, posting in Hebrew and liking organizations and prominent pages in Israel. The creators of these profiles build a network of friends who are actually people working in Israel's police, defense forces, emergency services, or government. After building a target's trust by chatting for a while, the operators suggest moving the conversation to WhatsApp, ostensibly for more privacy.

The Android app offered to the target, Wink Chat, is actually the VolatileVenom malware. Its icon is hidden on pre-Android 10 devices; on Android 10, the malware uses the Google Play installation icon. When the victim tries to sign into Wink Chat, an error message appears stating that the app will be deleted. VolatileVenom, which has a wide spectrum of espionage capabilities, continues to run in the background.

As part of the catfishing, the malicious actors eventually send the target a RAR file supposedly containing explicit photographs or videos. This RAR file instead contains the Barb(ie) downloader malware, which installs the BarbWire backdoor. The Barb(ie) sample detected by Cybereason has the filename "Windows Notifications," and when run it performs basic anti-analysis checks. If the host is deemed suitable, the downloader contacts an embedded C2 server.

The BarbWire backdoor is then delivered by the C2 server. The downloader also contains a fallback technique for locating a different C2: if the attackers need to change the C2 from the embedded one, they can simply send an SMS message with the new destination. The downloader intercepts all inbound SMS messages and, if one is provided by the intruders, extracts the new C2 information and installs the backdoor from there. BarbWire steals data from PDFs, Office files, archives, image files, and videos, among other file types. It also checks for external media, such as a CD-ROM, implying that it hunts for highly sensitive material that is carried around physically rather than sent over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server.

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

For Three Years, Leading Messaging Services were Spoofed Using a URL Rendering Flaw

 

A complex URL rendering flaw has now been revealed as the source of phishing attacks worldwide against several popular messaging and email systems. The affected platforms included WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal. Over three years, this allegedly allowed malicious attackers to craft realistic-looking phishing messages.

Experts feel the unexpected finding has arrived at precisely the right time. Researchers say that by injecting a right-to-left override (RTLO) character, these rendering issues create a vulnerability in the application's interface by displaying incorrect URLs.

This Unicode control character makes the affected clients vulnerable to URI spoofing attacks. When an RTLO character is injected into a string, the rest of the string is shown right-to-left instead of left-to-right in a browser or messenger app. Most of the time, this character is used legitimately to display Arabic or Hebrew text.

Ordinary users are the prime targets; the end goal is to make phishing attempts convincing by spoofing several well-known domains. Several of these flaws have been assigned CVEs, affecting a wide range of IM app versions:

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android
  • CVE-2020-20094 — Instagram version 106.0 or earlier on iOS, and version 107.0.0.11 or earlier on Android
  • CVE-2020-20095 — iOS 14.3 or older with iMessage
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier (iOS) and 2.19.222 or earlier (Android)

Signal does not have a CVE because the exact attack method was reported directly to them. The CVE IDs are older than the disclosure because the vulnerabilities were first discovered in August 2019 by a researcher named 'zadewg.'

For example, two independent URLs can be concatenated so that they render as a single link even though the application still treats them as two separate URLs. If a person clicks on the left part of the link, they are taken to one website, while clicking on the right part takes them to another.

According to research, the rendering problem does not work as effectively on email platforms such as Outlook.com, ProtonMail, or Gmail. However, many people might predict a series of attacks on other IM or email apps. 

The one-liner PoC is freely available and simple to use, even for those with no technical knowledge or hacking expertise. Even where more advanced techniques are involved, there is ample evidence of RTLO-based abuse in the wild.

Several more IM and email programs are likely vulnerable to the same exploit, but only those listed above have been proven as vulnerable. As a result, users of the listed apps should be vigilant when receiving messages with URLs, always click on the left side, and keep an eye out for app security upgrades which may fix the problem.
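The check a client or mail gateway can apply before rendering such a message, as an added example that is not part of the original post or any of the affected apps: it locates Unicode bidirectional control characters, splits URLs at them so the two concatenated links become visible in storage order, and strips the controls for safe display. The sample message is constructed and the domains are placeholders.

```python
import re
import unicodedata

# Unicode bidirectional controls that make text render in a different order
# than it is stored. U+202E is the RIGHT-TO-LEFT OVERRIDE (RTLO) from the post.
BIDI_CONTROLS = [
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
]

# A URL token ends at whitespace or at any bidi control: a control in the
# middle of what renders as one link is exactly the concatenation trick.
_URL_RE = re.compile(r"https?://[^\s" + "".join(BIDI_CONTROLS) + r"]+")


def find_bidi_controls(text):
    """Return (index, 'U+XXXX', Unicode name) for each bidi control in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(text)
        if ch in BIDI_CONTROLS
    ]


def extract_urls(text):
    """Return the URLs in storage (logical) order, split at bidi controls."""
    return _URL_RE.findall(text)


def strip_bidi_controls(text):
    """Remove bidi controls so the stored string displays as it is stored."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def is_spoofed_link(text):
    """True when a message carries a URL together with any bidi control.

    Deliberately conservative: legitimate RTL text rarely needs an explicit
    override next to a URL, so such a message should be rendered with the
    controls neutralized or highlighted rather than trusted as displayed.
    """
    return bool(extract_urls(text)) and bool(find_bidi_controls(text))


# Constructed sample: a benign-looking link, an RTLO, then a second URL.
# In a bidi-aware renderer the two display as one link; in storage they are two.
SAMPLE = (
    "Your statement is ready: https://bank.example/"
    "\u202ehttps://attacker.example/login"
)
```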

Fresh Flaws Found in Facebook Canvas for a Second Time

 

A team of cyber threat researchers at Facebook discovered the second tranche of bugs in Facebook Canvas that increase the risks of account takeover. 

Security researcher Youssef Sammouda published a detailed post last September wherein he said that he had made $126,000 in bug bounties last year for discovering a set of three flaws in Facebook’s Canvas technology, which provides services related to embedding online games and interactive apps on its platform. 

After the discovery of a new flaw in Facebook's OAuth implementation, the research team announced that it had decided to revisit the issue.

Following the attack, Sammouda stated publicly that "Meta failed to ensure either in the client-side or server-side applications that the game website would only be able to request an access_token for its application and not a first-party application like Instagram..."

“…It also failed to ensure that the generated Facebook API access_token would only reach the domains/websites that were added by the Facebook first-party application,” the researcher added. 

Left unfixed, these flaws could also allow threat actors to take control of a Facebook account and other accounts linked to it, such as Instagram or Oculus.

Reportedly, Facebook's initial steps to patch the problem last year proved inadequate. Sammouda came up with three new flaws: a race condition issue, an issue involving encrypted parameters, and bypasses of the previous fix. After Sammouda's criticisms, Facebook released a more comprehensive fix for the issues.

“This was resolved by Meta by making sure that parameters passed in the OAuth endpoint request from the game website were whitelisted and also by always enforcing the value of app_id and client_id parameters passed to be always the game application ID that’s making the request,” Sammouda said. 
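The server-side checks Sammouda describes, as an added example that is not Meta's code: parameters from the game site's OAuth request are allowlisted, app_id and client_id must equal the requesting game's application ID, and the token may only be sent to a domain that this app registered. The app registry, IDs and domains are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed registry: a Canvas game and a first-party app, each with the
# domains it registered. The IDs are placeholders, not real Facebook app IDs.
APP_REGISTRY = {
    "1001": {"name": "example-game", "domains": {"game.example"}},
    "2002": {"name": "first-party-app", "domains": {"firstparty.example"}},
}

# Only these query parameters may be forwarded from the game site's request
# to the OAuth endpoint; anything else is dropped rather than passed through.
ALLOWED_PARAMS = {"client_id", "app_id", "redirect_uri", "scope",
                  "state", "response_type"}


def validate_oauth_request(requesting_app_id, params):
    """Return (True, sanitized_params) or (False, reason) for an OAuth request
    made on behalf of the Canvas app identified by requesting_app_id."""
    app = APP_REGISTRY.get(requesting_app_id)
    if app is None:
        return False, "unknown requesting app"

    # 1. Allowlist: drop any parameter the game site is not permitted to pass.
    clean = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}

    # 2. The app the token is issued for is always the caller. A page-supplied
    #    client_id/app_id naming another app (e.g. a first-party one) is
    #    rejected outright so the attempt is visible rather than silently fixed.
    for key in ("client_id", "app_id"):
        if key in clean and clean[key] != requesting_app_id:
            return False, f"{key} must be the requesting app's ID"
    clean["client_id"] = requesting_app_id
    clean["app_id"] = requesting_app_id

    # 3. The token may only be delivered to a domain *this* app registered,
    #    and only over HTTPS.
    redirect = clean.get("redirect_uri")
    if not redirect:
        return False, "redirect_uri is required"
    parts = urlsplit(redirect)
    if parts.scheme != "https" or parts.hostname not in app["domains"]:
        return False, "redirect_uri host is not registered for this app"
    return True, clean


# Constructed requests: a legitimate one, one naming the first-party app, and
# one trying to send the token to an unregistered host.
GOOD_REQUEST = {"client_id": "1001", "redirect_uri": "https://game.example/cb",
                "state": "abc", "debug": "1"}
FIRST_PARTY_REQUEST = {"client_id": "2002", "app_id": "2002",
                       "redirect_uri": "https://game.example/cb"}
EXFIL_REQUEST = {"client_id": "1001",
                 "redirect_uri": "https://game.example.attacker.example/cb"}
```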

The account takeover attacks pose a significant risk to the organization because they provide hackers access to the systems like legitimate account owners. Once an attacker successfully gets access into a user’s account, they immediately move to consolidate that access and exploit it to cause harm to the organization.

Facebook, Instagram and Twitter Users in Russia Report Outages

 

According to Downdetector, a service that tracks outages on Internet platforms, users in Russia began to complain en masse about failures of Facebook, Instagram and Twitter. The problems with the social networks began on February 25. Over 80% of users complained about the functioning of the application, another 10% reported that they could not log in to their profile, and 7% reported problems with the social networks' websites.

Recall that on February 25, Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media) partially restricted access to Facebook. On the same day, the Prosecutor General's Office declared the social network to be involved in violating the rights and freedoms of Russian citizens.

On February 26, representatives of Russian media were banned from showing ads and monetization in the social network Facebook. The company took such a step because of the situation around Ukraine. At the same time, Twitter suspended advertising for Russians and Ukrainians, as well as temporarily stopped recommending tweets to avoid the spread of insulting materials. 

In addition, Roskomnadzor reinstated measures throttling the Twitter service on devices in Russia in connection with the dissemination of what it called untrustworthy public information about the military operation in Ukraine.

The agency recalled that since March 10, 2021, Roskomnadzor slowed down Twitter on mobile phones and fixed devices on the territory of the Russian Federation for refusal to delete information that is prohibited in the Russian Federation. On May 17, 2021, after the deletion of more than 91% of the prohibited information by Twitter's moderation services, the restrictions were lifted. 

Roskomnadzor noted that in this situation, the condition for lifting access restrictions "is the complete removal of Twitter of prohibited materials identified by Roskomnadzor, as well as the termination of participation in the information confrontation, distribution of fakes and calls for extremism". 

In the Russian segment of the Internet, you can now often find messages such as "If anything, here is my Telegram account..." Since February 25, when Roskomnadzor announced the partial blocking of Facebook, almost every Russian user has considered it his duty to notify friends where to find him now.

Bloggers and media resources are increasingly posting on their pages posts with recommendations for installing a VPN and other measures to bypass blocking.

Brave Disabled a Chrome Extension Linked to Facebook Users

 

Last week, security analyst Zach Edwards described how Brave had restricted the L.O.C. Chrome extension, citing concerns that it leaked the user's Facebook information to a third-party server without any warning or authorization prompt. The access token used by L.O.C. is obtained easily from Facebook's Creator Studio web app. After retrieving this token, a string of 192 alphanumeric characters, from the app, the Chrome extension can use it with Facebook's Graph API to get data about the signed-in user without being a Facebook-approved third-party app.

The concern is whether this type of data access could be exploited. Without the user's knowledge, an extension holding this token could copy the user's Facebook data and transmit it to a remote server. It might also save the user's name and email address and use them to track the user across websites. According to a Brave official, the company is working with the developer to make certain changes, most likely an alert or permission prompt, to ensure the extension is appropriate in terms of privacy and security.

In September 2018, Facebook announced a security breach impacting nearly 50 million profiles; it blamed criminals for stealing access tokens supplied by its "View As" function, which allows users to see how their profiles appear to others. "They were able to steal Facebook access tokens, which were subsequently used to take over people's accounts," said Guy Rosen, Meta's VP of Integrity.

Cambridge Analytica accessed people's Facebook profiles using a third-party quiz app that was linked to the social media platform. One would assume a quiz app won't disclose your Facebook profile information to others, and that a Chrome extension won't either. Despite Facebook's assurances that steps have been taken to prevent a repeat of the Cambridge Analytica scandal, Creator Studio access tokens in the hands of a malicious and widely used Chrome extension could lead to a rerun of history.

Part of the problem is that Google's Chrome extensions seem easy to corrupt or exploit, and Meta, aside from reporting the matter to Google, has no immediate ability to block the deployment of extensions that abuse its Graph API. The Creator Studio token is tied to the user's session, according to a Meta representative, meaning it will expire if the extension user signs out of Facebook. And if the token hasn't been transferred to the extension developer's server, as appears to be the case with the L.O.C. extension, uninstalling it will also cause the token to expire.

Meta has asked Google to delete the extension from the Chrome Web Store once more and is looking into alternative options.

Google Announces Privacy Sandbox on Android to Restrict Sharing of User Data

 

Google announced on Wednesday that it will extend its Privacy Sandbox activities to Android in an effort to broaden its privacy-focused, but less disruptive, advertising technologies beyond the desktop web. To that aim, Google stated it will work on solutions that prohibit cross-app tracking, similar to Apple's App Tracking Transparency (ATT) framework, essentially restricting the exchange of user data with third parties as well as removing identifiers like advertising IDs from mobile devices. 

Anthony Chavez, vice president of product management for Android security and privacy, stated, "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk." 

Google's Privacy Sandbox, which was announced in 2019, is a collection of technologies that will phase out third-party cookies and limit covert monitoring, such as fingerprinting, by reducing the amount of information that sites can access to track users' online behavior.

The Alphabet Inc. company, which makes the majority of its revenue from advertising, says it can safeguard phone users' data while still providing marketers and app developers with new technology to deliver targeted promotions and measure outcomes. According to Anthony Chavez, vice president of product management for Android Security & Privacy, the proposed tools for the Android mobile operating system would limit the app makers' ability to share a person's information with third parties and prohibit data monitoring across several apps. Google stated the tools would be available in beta by the end of 2022, followed by "scaled testing" in 2023. Chavez said in an interview that the best path forward is an approach “that improves user privacy and a healthy mobile app ecosystem. We need to build new technologies that provide user privacy by default while supporting these key advertising capabilities." 

Google is aiming to strike a balance between the financial needs of developers and marketers and the expanding demands of privacy-conscious consumers and regulators. The company is gathering feedback on the proposal, similar to how its Privacy Sandbox effort is gradually building a new online browsing privacy standard. Google's initial idea was met with derision from UK authorities and lawmakers, but the corporation has subsequently proposed serving adverts based on themes a web user is interested in that are erased and replaced every three weeks. 

Meta Platforms Inc., the parent company of Facebook, has been at odds with Apple over the company's App Tracking Transparency tool, which allows iPhone users to turn off tracking across all of their apps. According to executives, Google's YouTube has taken a minor financial hit as a result of the technology: it makes it more difficult for marketers to verify whether their iPhone advertising was effective.

According to Chavez, the Android Privacy Sandbox would enable tailored advertising based on recent "topics" of interest, and enable attribution reporting, which will tell marketers if their ad was effective.

Customers Threatened by a Data Breach at Hong Kong's Harbour Plaza Hotel

 

Hong Kong's privacy authority is looking into a hack against the Harbour Plaza hotel company, which revealed more than 1.2 million visitors' booking information. The investigation's goal is to learn more about what kind of private details were compromised. Customers have been warned to keep an eye out for any strange activity in their accounts and to be aware of any unexpected emails, calls, or messages in the meantime. 

"The impacted data was the information of visitors who stayed at these hotels," the PCPD told ISMG, while declining to specify the type of hack, the threat actor involved, or the data compromised, "as the investigations into the cyberattack are ongoing."

According to Harbour Plaza's statement, the Hong Kong Police was also notified along with certain other relevant authorities. The company has hired an undisclosed third-party cybersecurity forensics agency to investigate and control the problem, as well as improve its security perimeter in the future. 

According to the company's FAQs about the data leak, those who are affected will be notified. Customers should be "extra cautious against scamming or other attempted schemes," according to the hotel firm, which says "lodging reservation databases" were impacted. This indicates that information such as a customer's name, email address, phone number, reservation, and stay details may have been exposed.

Inquiry into the data leak at online retailer HKTVmall 

Separately, the PCPD is looking into a case involving HKTVmall, a well-known shopping and entertainment platform run by Hong Kong Technology Venture Co. Ltd. 

The security breach has endangered the personal details of a "small fraction" of HKTV Co. Ltd.'s 4.38 million registered customers, according to a statement made on Feb. 4. According to the notice, the connected server was in an "other Asian" country. 

According to the company, it promptly notified the Hong Kong Police and the PCPD, and hired two cybersecurity firms on January 27 "to conduct an investigation and further enhance HKTVmall's server security measures."

Customer data that may have been obtained by an unauthorized person, according to HKTVmall, includes:

  • Account names which have been registered.
  • Login passwords which are encrypted and masked.
  • Email addresses which have been registered and that can be contacted. 
  • Names of recipients, shipping addresses, and contact numbers for orders placed between December 2014 and September 2018.
  • For customers who linked their HKTVmall account to a Facebook account or an Apple ID: the date of birth, official name, and email address associated with that Facebook account or Apple ID.

Facebook has Exposed a 'God Mode' Token that Might be Used to Harvest Data

 

Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users' Facebook data to potential theft. "If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued." 

Loc Mai, the extension's developer, stated in an email that the Graph API on Facebook requires a user's access token to function. The extension sends a GET request to Creator Studio for Facebook to receive the token, which allows users of the extension to automate the processing of their own Facebook data, such as downloading messages. The request returns an access token to the extension for the logged-in Facebook user, allowing additional programmatic interactions with Facebook data. 

Zach Edwards, a security researcher, said, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scraped due to a token exposure." Nonetheless, Facebook appears to regard this data-dispensing token as a feature rather than a bug.

According to Mai, his extension does not harvest information, as stated in the extension's privacy policy. Currently, the extension has over 700,000 users. "The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai. 

As per Mai, the extension saves the token locally under localStorage.touch. This is a security concern but not evidence of wrongdoing, and L.O.C. is still available on the Chrome Web Store. A malicious developer, however, could harvest Facebook data using the same access technique, because Facebook is releasing a plain-text token that grants "god mode," as Edwards describes it.

According to Edwards, Facebook's Terms of Service fall short in this regard because, while the company requires individuals to utilize its app platform, it does not prohibit people from utilizing browser extensions. 

This loophole, which exposes user data, is exacerbated by the way Chrome extensions now work. According to Edwards, Chrome extensions can seek authorization on one domain you control and another you don't, and then open a browser tab upon installation to scrape API tokens and session IDs for various types of apps.

Finland Alerted About Facebook Accounts Compromised via Messenger Phishing

 

The National Cyber Security Centre of Finland (NCSC-FI) has issued a warning about an ongoing phishing attack aimed at compromising Facebook accounts by masquerading as victims' friends in Facebook Messenger conversations.

According to the NCSC-FI, this ongoing scam targets all Facebook users who got messages from online acquaintances seeking their contact information and a confirmation number given through SMS. If users provide the requested information, the attackers will gain control of their accounts by altering the password and email address linked with them. 

Once taken over, the Facebook accounts will use similar schemes to target more potential victims from their friend list. 

“In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency described. 

The scammers take the following steps to compromise the victims' Facebook accounts:
• They start by sending a message through Facebook Messenger from the previously compromised friend's account. 
• They request the target's phone number, claiming to be able to assist with the registration for an online contest with cash awards worth thousands of euros. 
• The next step is to request a code that was supposedly given via SMS by the contest organizers to verify the entry. 
• If the fraudsters obtain the SMS confirmation code, they will combine it with the phone number to gain access to and hijack the victim's Facebook account. 

The NCSC-FI advised, "The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know. If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers." 

Meta (previously Facebook) recently filed a federal lawsuit in a California court to stop further phishing attacks currently targeting Facebook, Messenger, Instagram, and WhatsApp users.

Around 40,000 phishing sites impersonating the four platforms' login pages were used by the threat actors behind these phishing attacks. These lawsuits are part of a lengthy series of lawsuits filed by Facebook against attackers who target its users and exploit its platform for nefarious purposes.

Meta Takes Legal Action Against Cyber Criminals

 

Facebook's parent company, Meta Platforms, announced on Monday that it has filed a federal lawsuit in the U.S. state of California against malicious attackers who ran more than 39,000 phishing websites impersonating its digital properties to trick consumers into disclosing their username and password. 

“Today, we filed a federal lawsuit in California court to disrupt phishing attacks designed to deceive people into sharing their login credentials on fake login pages for Facebook, Messenger, Instagram, and WhatsApp. Phishing is a significant threat to millions of Internet users”, states the report. 

The social engineering strategy entailed the construction of rogue websites posing as Facebook, Messenger, Instagram, and WhatsApp login pages, prompting victims to input their login details, which were subsequently captured by the defendants. The tech giant is also seeking $500,000 in damages from the unidentified actors.

The assaults were conducted with the help of Ngrok, a relay service that diverted internet traffic to malicious websites while concealing the exact location of the fraudulent equipment. Meta stated that the frequency of these phishing assaults has increased since March 2021 and that it has collaborated with the relay service to restrict thousands of URLs to phishing sites. 

The lawsuit comes just days after Facebook revealed it was making efforts to disrupt the activities of seven surveillance-for-hire firms that generated over 1,500 phony identities on Facebook and Instagram to target 50,000 users in over 100 countries. Meta announced last month that it has barred four harmful cyber groups from attacking journalists, humanitarian organizations, and anti-regime military forces in Afghanistan and Syria. 

“This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology. We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur. We proactively block and report instances of abuse to the hosting and security community, domain name registrars, privacy/proxy services, and others. And Meta blocks and shares phishing URLs so other platforms can also block them”, mentioned the report.

Facebook Patched a Vulnerability that Exposed the Identity of Page Admins

 

Facebook gave a $4,750 bug bounty reward to a teenage researcher from Nepal for discovering a vulnerability that might have been abused to reveal the identity of a page's administrator. Businesses can use Facebook Pages to boost brand visibility on the social media network, but the Facebook account that has administrative rights over the page stays private. Sudip Shah, a 19-year-old from Pokhara, Nepal, identified an insecure direct object reference (IDOR) vulnerability in Facebook for Android that may be abused to reveal the identity of the page admin. 

Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied input. The term IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access controls being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur in the context of vertical privilege escalation. 

Consider a website that accesses the customer account page via the URL https://insecure-website.com/customer_account?customer_number=132355 by retrieving information from the back-end database. In this case, the customer number is used directly as a record index in queries made on the back-end database. If no other restrictions are in place, an attacker can simply change the customer number value, allowing them to examine the records of other customers while bypassing access controls. This is an example of an IDOR vulnerability that results in horizontal privilege escalation. 

Shah noticed that, when navigating to another page's live video section in Facebook for Android, altering the page id in a request to a vulnerable endpoint caused the broadcaster id parameter in the response to contain the admin's ID. “It leads to page admin disclosure which is a privacy issue to the page. The impact is high because the page’s admin information is meant to be kept private and not shown to the public,” the researcher says. 

The issue only affected pages with a live video function enabled, although Shah believes that most pages were affected because the feature is present on the majority of them. He further notes that an attacker would have needed a script to automatically modify the page id in the request and capture the broadcaster id in the response for mass exploitation.

The researcher also found a variation of the flaw in which the admin ID was disclosed in the response when a modified live_video_id was included in the request. The root cause, however, was the same.
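The customer-number lookup above and the page-id/broadcaster-id leak share the same defect: the server trusts a client-supplied object id without checking whether the caller may see that object. The following is an added example (not code from the post, from Facebook, or from the researcher) showing each as a vulnerable handler beside an authorisation-checked one, plus a check over constructed access-log lines for the enumeration pattern such a flaw invites. The record ids, page names, admin ids and the log format are assumptions.

```python
"""IDOR: a vulnerable lookup beside a hardened one for both shapes
discussed above (customer_number record and page_id -> broadcaster_id),
plus a defender-side check for id enumeration in access logs.

Added example; not code from the original post, from Facebook or from the
researcher. All records, ids and log lines are constructed."""
from collections import defaultdict
import re

# Constructed back-end "database": customer number -> record.
CUSTOMERS = {
    132355: {"owner": "alice", "email": "alice@example.com"},
    132356: {"owner": "bob", "email": "bob@example.com"},
}

# Constructed page table: page id -> public name plus private admin id.
PAGES = {
    "page-1": {"name": "Coffee Shop", "admin_id": "user-9001"},
    "page-2": {"name": "Book Club", "admin_id": "user-9002"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def customer_account_vulnerable(session_user, customer_number):
    # The user-supplied number is used directly as the record index and
    # nothing ties it to the logged-in user: any number returns a record.
    return CUSTOMERS[customer_number]


def customer_account_hardened(session_user, customer_number):
    # Object-level check: the record must belong to the session user.
    record = CUSTOMERS.get(customer_number)
    if record is None or record["owner"] != session_user:
        # One response for "missing" and "not yours", so the endpoint
        # does not confirm which customer numbers exist.
        raise Forbidden("no such record for this user")
    return record


def live_video_vulnerable(session_user, page_id):
    # Mirrors the reported flaw: the response carries the admin's id for
    # whatever page id the client put in the request.
    page = PAGES[page_id]
    return {"page": page["name"], "broadcaster_id": page["admin_id"]}


def live_video_hardened(session_user, page_id):
    # The private field is included only when the requester is that
    # admin; everyone else receives the public view of the page.
    page = PAGES[page_id]
    response = {"page": page["name"]}
    if session_user == page["admin_id"]:
        response["broadcaster_id"] = page["admin_id"]
    return response


# Constructed access-log format: "client=<addr> path=<url>".
LOG_LINE = re.compile(r"client=(?P<client>\S+) path=\S*[?&]page_id=(?P<page>[\w-]+)")


def enumeration_suspects(log_lines, threshold):
    """Return clients that requested at least `threshold` distinct page ids.

    One client walking many object ids is the server-side footprint of
    the mass disclosure described above; alerting on it is useful even
    before the authorisation bug itself has been found."""
    pages_by_client = defaultdict(set)
    for line in log_lines:
        match = LOG_LINE.search(line)
        if match:
            pages_by_client[match["client"]].add(match["page"])
    return sorted(c for c, p in pages_by_client.items() if len(p) >= threshold)


SAMPLE_LOG = [  # constructed sample lines
    "client=10.0.0.5 path=/live?page_id=page-1",
    "client=10.0.0.5 path=/live?page_id=page-1",
    "client=203.0.113.9 path=/live?page_id=page-1",
    "client=203.0.113.9 path=/live?page_id=page-2",
    "client=203.0.113.9 path=/live?page_id=page-3",
]
```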

Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware

 

The University of Toronto's Citizen Lab has found yet another player in the private sector mobile spyware market, citing a small North Macedonian firm called Cytrox as the maker of high-end iPhone implants. 

Citizen Lab worked with Facebook parent company Meta's threat-intelligence team to expose Cytrox and a handful of other PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. Citizen Lab stated that Cytrox is behind a piece of iPhone spying malware that was put on the phones of two prominent Egyptians, according to a detailed technical analysis published. 

Predator, the malware, was able to infect the most recent iOS version (14.6) utilising single URLs provided via WhatsApp. Exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating, and later discovered evidence of two different spyware applications running on the device, administered by two different government APT actors. 

The attack has been attributed to the Egyptian government, a known Cytrox customer, according to Citizen Lab. Nour's phone was infected with both Cytrox's Predator and Israeli vendor NSO Group's better-known Pegasus spyware, according to Citizen Lab. Citizen Lab's exposé detailed Cytrox's background as a startup launched in 2017 by Ivo Malinkovski, a North Macedonian who later integrated the company with Intellexa and publicly hawked digital forensics tools. The firm claims to be established in the European Union, with R&D labs and sites all over Europe. 

In a separate advisory published by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business. 

These firms handle the reconnaissance, engagement, and exploitation phases of advanced malware campaigns for governments and law enforcement agencies all across the world, including those that target journalists, politicians, and other members of civil society. 

Cytrox was recognised as a company that "develops exploits and sells surveillance tools and viruses that enable its clients to compromise iOS and Android devices," as per Facebook's team. 

Facebook’s security team stated, “[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service.” 

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites.” 

“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”

Meta Alerts its 50,000 Users Against Surveillance-For-Hire Firm Operations

 

Surveillance-for-hire companies have used Facebook, Instagram, and WhatsApp as a major avenue for targeting individuals in over 100 countries for decades. Recently, Meta removed 7 of them from its platforms and notified over 50,000 people that the activities might have affected them. Many are journalists, human rights activists, dissidents, political opposition leaders, and clergy, according to Meta, while others are ordinary people, such as those involved in a lawsuit. 

As part of its enforcement action, Meta removed numerous accounts and dismantled other infrastructure on its platforms, blacklisted the groups, and sent cease and desist notices. According to the company, it is also publicly disclosing its findings and indicators of compromise so that other platforms and security companies can better spot similar conduct. The findings highlight the magnitude of the targeted surveillance industry as well as the global scale of the targeting it enables. 

“Cyber mercenaries often claim that their services and their surveillance-ware are meant to focus on tracking criminals and terrorists, but our investigations and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is, in fact, indiscriminate,” Nathaniel Gleicher, Meta's head of security policy, said to the reporters. 

“These companies … are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware, and then they’re providing them to any most interested clients—the clients who are willing to pay. This means that there are far more threat actors able to use these tools than there would be without this industry.” 

The seven entities are: Cobwebs Technologies, an Israeli web intelligence company with offices in the United States; Cognyte, an Israeli firm previously known as WebintPro; Black Cube, an Israeli company with a presence in the United Kingdom and Spain; Bluehawk CI, which is rooted in Israel and has offices in the United States and the United Kingdom; BellTroX, a North Macedonian firm; Cytrox, a North Macedonian firm; and an unidentified organization based in China. 

Meta highlights that the surveillance-for-hire industry as a whole operates in three areas. One can conceive of it as several stages of a monitoring chain, with different firms specializing in different aspects of that superstructure. 

The very first stage is "reconnaissance," in which corporations gather comprehensive data concerning targets, frequently via automated, bulk gathering on the public internet and darknet. The second stage is "engagement," wherein operators seek out targets in an attempt to form a connection and gain their trust. Surveillance firms create bogus profiles and personalities, posing as, for example, graduate students or journalists, to reach out to targets. Hackers may also spread fake content and misinformation to establish rapport. The third stage is "exploitation," sometimes known as "hacking for hire," in which actors might use this trust to persuade targets to disclose information, click a malicious link, download a malicious file, or perform some other action. 

Every stage might take place on a variety of platforms and services. For instance, Meta's WhatsApp is a popular platform for disseminating malicious links to victims. Furthermore, Facebook and Instagram serve as natural breeding places for phony personalities. The eliminated entities, according to the social media giant, breached its Community Standards and Terms of Service. 

“Given the severity of their violations, we have banned them from our services. To help disrupt these activities, we blocked related internet infrastructure and issued cease and desist letters, putting them on notice that their targeting of people has no place on our platform,” the firm added. 

“We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action.”

Doxy.me is Resolving a Data Leak that Exposed Patient Information to Facebook and Google

 

Doxy.me, a telehealth platform, is correcting an issue that allowed three third-party firms to obtain the names of some patients' providers. After examining the platform, privacy researcher Zach Edwards discovered that the company, which self-reports as having 30% of the growing US telemedicine market and is currently used by over 1 million providers worldwide, appeared to be sharing IP addresses and unique device identification numbers with Google, Facebook, and the marketing software company HubSpot. 

When patients clicked on a link to the platform's "virtual waiting room" service, which connects patients with medical professionals, the sensitive user data became available. According to Edwards, Doxy.me appears to have attempted to remove the doctor name from URLs given to third parties, but the three companies used particular technical loopholes to obtain the complete URL, which included the doctor names. There was no breach of patient health information.

Working with third parties like Google and Facebook to maximize data analytics and marketing poses risks that encrypting patient sessions or requiring strong passwords for Doxy.me does not address. Regulators and lawmakers have shown a desire to address the privacy concerns raised by telehealth apps. In September, the Federal Trade Commission issued guidelines that would punish health applications for failing to tell consumers about the sharing of personal information without their permission. 

“As soon as you start sharing data, networks, there are some things that are out of your control and much of the responsibility here is on the ad networks themselves,” said Rykov, of the Mozilla Foundation. “They operate like a black box, we don’t really know what their algorithm is doing and what they’re capable of.” 

The problem raises broader concerns about data security in the telehealth industry. Google and Facebook use metadata gathered from throughout the web to categorize people into "audiences." Companies employ metadata collected across websites to construct audience groups, sometimes known as "lookalike" or "similar" audiences, to assist advertising customers target audiences they are attempting to reach. A marketing customer can then utilize this technique to increase the size of its own audience list. 

Such data sharing puts users in danger of being inadvertently grouped with other patients by Google and Facebook's advertising platforms, potentially providing sensitive information about a patient's condition to the companies' algorithms. Advertisers could therefore target individuals with adverts that were personalised to their specific medical issues.

Meta's New Security Program Protects Activists, Journalists, and Human Rights Defenders


Social media company Meta (formerly known as Facebook) earlier this week announced a broadening of its Facebook Protect security program to include human rights activists, journalists, social activists, and government officials exposed to malicious actors across its social media platforms. These defenders and activists are vital for public debate in critical communities, said Nathaniel Gleicher, head of security policy at Meta. These people safeguard human rights across the world, promote democratic elections, and hold governments and political parties accountable. However, this also makes them a primary target for threat actors.

Facebook Protect is currently being released around the world in phases; it gives enrolled users stronger safety protections such as two-factor authentication (2FA) and monitoring for possible hacking threats. According to Meta, around 1.5 million user profiles have enabled Facebook Protect so far, of which 950,000 profiles turned on the 2FA feature after it was rolled out in September 2021. 

The program is similar to Google's APP (Advanced Protection Program), which is aimed at protecting users with sensitive information and high visibility, who are at a greater risk of online attacks. It stops suspicious account access attempts and incorporates strict checks before downloading software and files in Gmail and Chrome. Users eligible for Facebook Protect will be informed via a Facebook prompt, with an option to enable the advanced security features, along with identification of potential problems such as weak passwords that can easily be cracked by actors to gain access to FB accounts. 

The announcement came a week after Apple announced it would notify users targeted by state-sponsored hackers. These threat notifications would be sent via email and iMessage to the phone numbers and addresses linked with users' Apple IDs. Meta said "over the next several months, we’re going to carefully expand this requirement globally. We’re encouraged by our early findings and will continue to improve Facebook Protect over time."

1.5 Billion Facebook Users Data Breach or a Scam?

 

Facebook, Messenger, Instagram, and WhatsApp were all down for 7 hours worldwide; meanwhile, unknown hackers allegedly stole 1.5 billion Facebook users’ data and sold it on the dark web, the Russian Privacy Affairs agency confirmed in its recent findings. The data includes user names, email addresses, addresses, locations, and phone numbers, as per RPA's findings. 

“It’s the biggest and most significant Facebook data dump to date– about three times greater than the April leak of 533 million phone numbers,” the publication noted. 

However, responding to the security incident, Facebook said that “this was old data and the security vulnerability responsible had been patched back in 2019”. 

At present, it is yet to be confirmed whether the RPA's findings are legitimate. Some people reported that they tried to buy the Facebook users’ data; however, after paying $5,000 to the hackers in exchange for the data, the buyers got nothing, so a scam is a real possibility. 

The fact that the buyers who paid the hackers in an attempt to buy the stolen data got nothing could be proof that the group's claims of having stolen data are baseless. However, security experts still suggest all Facebook users stay vigilant for unusual activities on their accounts. 

At a Senate subcommittee hearing with a Facebook whistle-blower on Tuesday, Senator Marsha Blackburn from Tennessee said, “News broke yesterday that the private data of over 1.5 billion — that’s right, 1.5 billion — Facebook users are being sold on a hacking forum.” “That’s its biggest data breach to date,”  the subcommittee’s ranking Republican member further added. 

Although many believe that data has been breached, there is no solid proof of it yet. Aric Toler, a researcher with Bellingcat, an investigative journalism group, said that someone claimed to have paid for the hacked data and found out that it was a scam, so the claim has yet to be confirmed. 

Facebook Outage Caused Agitation in Nations And Highlighted Risks Of Social Networking

 

The global breakdown of Facebook Inc. highlighted the dangers of depending on its social networking platforms, supporting European regulators' efforts to limit the company's influence just as a whistle-blower's testimony in the United States threatened to draw even more undesirable attention at home. 

While Europe awakened to find Facebook, Instagram, WhatsApp, and Messenger back online and running, the extent of Monday's shutdown drew immediate and extensive outrage. Margrethe Vestager, the European Union's antitrust director and digital czar, said the Facebook failure will bring attention to the company's dominance. 

The networking issue that caused operations to go down for almost 2.75 billion people couldn't have happened at a worse moment. Following a Sunday television interview in the United States, whistle-blower Frances Haugen will testify before a Senate panel on Tuesday, telling legislators the "frightening truth" about Facebook. As Facebook services were offline, Haugen's charges that the business prioritized profit ahead of user safety were still making the headlines. 

“It’s always important that people have alternatives and choices. This is why we work on keeping digital markets fair and contestable,” Vestager said. “An outage as we have seen shows that it’s never good to rely only on a few big players, whoever they are.” 

The disclosures caused United States Representative Alexandria Ocasio-Cortez to call attention to the dangers that nations that depend on these services face. In New York, Facebook rose as high as 1.3 percent to $330.33, reversing a 4.9 percent drop on Monday. 

Facebook has increasingly been the subject of multiple antitrust and privacy probes in Europe, as well as intensive scrutiny of even minor transactions, such as its planned acquisition of a customer-service software company. Last month, the firm was fined 225 million euros ($261 million) for data privacy violations, and it is currently under investigation by the European Commission and the German competition agency Bundeskartellamt. 

In the next few months, EU lawmakers will decide on new legislation limiting the capacity of strong Internet platforms like Facebook to expand into new services. According to Rasmus Andresen, a German Green member of the European Parliament, the service outage demonstrated the "serious consequences" of relying on one firm for crucial channels of communication, and that Facebook should have never been permitted to buy Instagram and WhatsApp. 

The outage also had political fallout: Turkish President Recep Tayyip Erdogan, who has a low tolerance for political criticism on social networking sites, called for a new digital "order" as a result of the incident. Fahrettin Altun, his presidential communications director, said the shutdown demonstrated how "fragile" social networks are, and urged the speedy development of "domestic and national" alternatives. 

“The problem we have seen showed us how our data are in danger, how quickly and easily our social liberties can be limited,” Altun said in a series of Twitter posts. 

President Muhammadu Buhari's communications staff, government officials, and governors in 36 Nigerian states were all silenced for six hours as a result of the outage. After Twitter's services were banned in Africa's most populous country on June 5th, the administration has become increasingly dependent on Facebook to keep the people informed. 

Facebook is “for us opposition politicians one of the last media outlets where we can talk to you and which isn’t dominated by” Fidesz, Orban’s political party, Budapest Mayor Gergely Karacsony said in a video posted on Tuesday. 

“This outage does show the over-dependence we have on a single company, and the need for diversity and greater competition,” Jim Killock, executive director of the Open Rights Group in London, said in an interview. “Their reliance on data-driven, attention-optimizing products is dangerous and needs to be challenged through interventions enabling greater competition.” 

Some telecommunications companies were forced to intervene as a result of the shutdown. In a blog post on its website, the Polish Play unit of Paris-based telecommunications operator Iliad SA reported an eightfold surge in the number of calls to its customer service. To avoid overloading, it had to modify its network.

Facebook, WhatsApp, Instagram Faces Massive Global Outage: What was the Reason?

 

The massive, hours-long global outage halted three giant social media platforms: Facebook, Instagram, and WhatsApp. Organizations and people all across the globe who rely heavily on these platforms' services, including Facebook’s own workforce, faced a huge loss. According to the data, Zuckerberg suffered a 7 billion loss. 

Facebook reported on late Monday that the company is working hard to restore access to its services and is “happy to report they are coming back online now." Also, the company apologized and thanked its users for their patience. However, fixing the glitches was not easy. 

According to user reports, for some users WhatsApp worked for a while and then stopped. For others, Instagram was working but Facebook was not, and so on. 

Following the global outage, Facebook Chief Technology Officer Mike Schroepfer tweeted, "To every small and large business, family, and the individual who depends on us, I'm sorry, may take some time to get to 100%." 

According to security experts, the disruption could be the result of an internal mistake, though sabotage by an insider would be theoretically possible. However, Facebook says "a faulty configuration change" was the main reason for Monday's hours-long global outage. 

Soon after the global outage began, Facebook acknowledged that the platform was facing technical issues, as users were unable to access its apps, and began investigating.

Facebook, the social media giant, also known as the second-largest digital advertising platform in the world, has faced a loss of around $545,000 in U.S. ad revenue per hour during the global shutdown, ad measurement firm Standard Media Index reported. 

Android Malware ‘FlyTrap’ Hacks Facebook Accounts

 

A new Android trojan has been found to have compromised the Facebook accounts of over 10,000 people in at least 144 countries since March 2021, distributed through the Google Play Store and other third-party application marketplaces. 

According to a report published by Zimperium's zLabs and shared with The Hacker News, the malware, termed "FlyTrap," is presumed to be a component of a family of trojans that use social engineering techniques to compromise Facebook accounts as part of a session hijacking campaign planned and executed by malicious actors operating out of Vietnam. 

Aazim Yaswant, a Zimperium malware researcher, noted that although the nine offending apps have been removed from Google Play, they are still available in third-party app stores, emphasizing the danger of sideloaded applications to mobile endpoints and user data. The apps are: 
1. GG Voucher (com.luxcarad.cardid) 
2. Vote European Football (com.gardenguides.plantingfree) 
3. GG Coupon Ads (com.free_coupon.gg_free_coupon) 
4. GG Voucher Ads (com.m_application.app_moi_6) 
5. GG Voucher (com.free.voucher) 
6. Chatfuel (com.ynsuper.chatfuel) 
7. Net Coupon (com.free_coupon.net_coupon) 
8. Net Coupon (com.movie.net_coupon) 
9. EURO 2021 Official (com.euro2021) 

The fraudulent applications claim to provide Netflix and Google AdWords coupon codes, as well as the option to vote for their favorite teams and players at UEFA EURO 2020, which took place between June 11 and July 11, 2021, but only if users log in with their Facebook accounts to vote or obtain the coupon code or credits. 

Once a user logs in, the malicious software can extract the victim's Facebook ID, location, email address, IP address, as well as the cookies and tokens linked with the profile, allowing the attacker to implement disinformation campaigns using the victim's geolocation details or spread the malware further via social engineering tactics such as sending personal messages including links to the trojan. 

This is accomplished using a technique called JavaScript injection: the application loads the legitimate URL inside a WebView equipped with the capability to inject JavaScript code, and by inserting malicious JavaScript it collects all the required information such as cookies, user account credentials, location, and IP address, Yaswant stated. 

While the stolen data is hosted on a command-and-control (C2) server, security vulnerabilities in the C2 server may be leveraged to leak the whole database of stolen session cookies to anybody on the internet, as a result placing the victims at high risk. 

"Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in," Yaswant added. "The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda." 
 
On Monday, Zimperium's head of product marketing for endpoint security, Richard Melick, informed Threatpost that Android users can reduce the risk of infection instantly by ensuring that they don't allow any software from an unauthorized source to be loaded. 

While most Android smartphones have the option turned off by default, social-engineering tactics are “highly effective in tricking users into allowing it,” he stated in an email. To turn off unknown sources on Android, go to settings, security, and make sure the “unknown sources” option is turned off. 

Users should also set up multi-factor authentication (MFA) for all social media accounts and, in general, be suspicious of apps that ask for more access than they need, Melick advised.