
Data Breach: Data of 168 Million Citizens Stolen and Sold, 7 Suspects Arrests

A new case of a massive data breach with potential national-security consequences has recently been exposed by Cyberabad Police. The investigation led to the arrest of seven individuals from a gang allegedly involved in the theft and sale of sensitive data belonging to the government and several major organizations, including credentials of defense personnel and the personal and confidential data of around 168 million citizens.

The accused were discovered selling data on more than 140 distinct groups of individuals, including military personnel, bank clients, energy sector consumers, NEET students, government employees, gas agencies, high net worth individuals, and demat account holders. 

Other categories of victims include Bengaluru women's consumer data, data of people who have applied for loans and insurance, credit card and debit card holders (of AXIS, HSBC and other banks), WhatsApp users, Facebook users, employees of IT companies and frequent flyers.

"When an individual calls the toll-free numbers of JustDial and asks for any sector or category related confidential data of individuals, their query is listed and sent to that category of the service provider. Then these fraudsters call those clients/fraudsters and send them samples. If the client agrees to purchase, they make payment and provide the data. This data is further used for committing crime," stated the commissioner.

The accused gang apparently operated via registered and unregistered organizations: Data Mart, Infotech, Global Data Arts and MS Digital Grow. 

The accused were found to have access to 2.5 lakh defense personnel's sensitive data, including their ranks, email addresses, places of posting, etc. The thieves gained access to the data of 35,000 Delhi government employees, 12 million WhatsApp users, 17 lakh Facebook users, and 11 million customers of six banks. Also, the defendants had access to information on 98 lakh applicants for credit cards. 

The main suspect in Noida, Nitish Bhushan Kumar, had set up a call center and obtained credit card records from Muskan Hassan, another defendant. The other suspects, Pooja Pal and Susheel Thomar, were reportedly working as tele-callers at Bhushan's call center. Atul Pratap Singh's business, "Inspiree Digital," gathered credit cardholder data and sold it profitably. Atul's firm had employed Muskan as a telemarketer before she started her own business, "MS Digital Grow." She acted as a middleman, organizing the data that Atul provided and selling it on to Bhushan.

Sandeep Pal founded Global Data Arts and sold private consumer information to fraudsters engaging in online crimes through Justdial services and social media platforms. The seventh defendant, Zia Ur Rehman, shared the database with Atul and Bhushan and offered bulk message services for advertising.  

A New Android Banking Trojan Targeting Europeans is Spreading Through Google Play Store


A new Android banking malware with over 50,000 installations has been discovered being distributed via the official Google Play Store, targeting 56 European banks and stealing sensitive information from infected devices. The in-development malware, dubbed Xenomorph by Dutch security firm ThreatFabric, is reported to share similarities with another banking trojan known as Alien while being "radically different" in functionality.

Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA stealing features, emerged shortly after the iconic Cerberus malware was decommissioned in August 2020. Other Cerberus forks have been detected in the wild since then, including ERMAC in September 2021. Xenomorph, like Alien and ERMAC, is another Android banking trojan that tries to avoid Google Play Store security by posing as productivity apps like "Fast Cleaner" to deceive unsuspecting victims into installing the malware. 

Fast Cleaner, which has the package name "" and is still available on the app store, has been most popular in Portugal and Spain, according to Sensor Tower data, with the app making its initial appearance in the Play Store at the end of January 2022. 

This Android banking malware is still under development and currently offers only the bare minimum of capabilities expected of a modern Android banking trojan. Its primary attack vector is an overlay attack to steal credentials, combined with SMS and notification interception to log and use potential 2FA tokens. The Accessibility engine that powers this malware, as well as its infrastructure and C2 protocol, have been carefully built to be scalable and updatable.

"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." 

The data recorded by this malware's logging capability is vast, and if sent back to the C2 server, it may be used to execute keylogging as well as collect behavioural data on victims and on installed applications, even if they are not on the list of targets. 

In the first stage, the malware sends back a list of installed packages on the device, and then it downloads the necessary overlays to inject based on which targeted application is present on the device. Xenomorph supplied a list of overlay targets that included targets from Spain, Portugal, Italy, and Belgium, as well as some general-purpose applications such as emailing services and cryptocurrency wallets.

Web Skimmer Code was Injected Into 100 Real Estate Websites


An unnamed cloud video platform was used to inject web skimmer code into over 100 real estate websites owned by the same parent company. Skimmer attacks, which are becoming more common, use malicious JavaScript code to steal data that users enter on the targeted website. According to Palo Alto Networks, in this attack the skimmer code was injected into a video player so that it was automatically pulled into every website that embedded the video.

Palo Alto Networks, Inc. is a multinational cybersecurity company based in Santa Clara, California. Its key products are a platform with powerful firewalls and cloud-based services that expand those firewalls to encompass other elements of security. Over 70,000 enterprises in over 150 countries, including 85 of the Fortune 100, rely on the company's services.

The attack was possible because the misused cloud video platform lets users add their own JavaScript customizations to players by uploading a JavaScript file that is bundled into the player. Taking advantage of this feature, the threat actors supplied a script that could be modified upstream, allowing them to add malicious content after the player had been created.

To get a better grasp of the code, researchers divided it into four parts. Part one decodes the string array u using the decryption function 1; after decryption the researchers obtained a plain-text array. Part two defines three functions: function c replaces a string using a regex pattern, function d checks whether a string matches one of four credit card regex patterns identified by the researchers, and function f validates credit card numbers using the Luhn algorithm.

Part three is anti-debug code. It simply checks whether the variables window.Firebug,, and exist. In addition, it sends a devtoolschange message to detect whether the Chrome console is open. Once decrypted, the purpose of the code in part four becomes quite clear.

“We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player,” Palo Alto Networks notes. The JavaScript code was designed to identify credit card patterns, verify credit card numbers, collect card data, and transfer it to the attackers. It was highly obfuscated to mask its nefarious purpose.
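The skimmer's card-matching and Luhn logic described above is the same logic a defender can turn around as a client-side exfiltration monitor. The following is an added example, not code from the Palo Alto Networks write-up or the skimmer itself; the four card regexes, the merchant allow-list and the request sample are assumptions constructed for the demonstration.

```javascript
// Added example: flag Luhn-valid card numbers leaving the page for an origin
// that is not on the merchant's checkout allow-list (a skimmer-style exfil).
// The patterns and allow-list below are assumptions, not the real skimmer's.
const CARD_PATTERNS = [
  /\b4[0-9]{12}(?:[0-9]{3})?\b/g,      // Visa (13 or 16 digits)
  /\b5[1-5][0-9]{14}\b/g,              // Mastercard
  /\b3[47][0-9]{13}\b/g,               // American Express
  /\b6(?:011|5[0-9]{2})[0-9]{12}\b/g,  // Discover
];

// Luhn checksum: double every second digit from the right, subtract 9 from
// results above 9, and require the sum to be a multiple of 10.
function luhnValid(digits) {
  if (!/^[0-9]{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find candidate card numbers in a request body. Single spaces or dashes
// between digits are stripped first so "4111-1111-1111-1111" is caught too;
// only candidates that pass the Luhn check are reported.
function findCardNumbers(body) {
  const normalized = body.replace(/(\d)[ -](?=\d)/g, "$1");
  const found = new Set();
  for (const re of CARD_PATTERNS) {
    for (const m of normalized.matchAll(re)) {
      if (luhnValid(m[0])) found.add(m[0]);
    }
  }
  return [...found];
}

// Classify an outbound request: card data bound for any origin other than
// the merchant's own payment endpoints is treated as suspected skimming.
function inspectOutbound(url, body, allowedOrigins) {
  const origin = new URL(url).origin;
  const cards = findCardNumbers(body);
  const flagged = cards.length > 0 && !allowedOrigins.includes(origin);
  return { flagged, origin, cards: cards.length };
}
```

In a browser this check would sit in a wrapper around fetch and XMLHttpRequest.send; here it is called directly on a constructed request body.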

Nearly Half a Billion Cyberattacks Targeted the Tokyo 2020 Olympic Games


The NTT Corporation, which was in charge of supplying a large portion of the network security and telecommunications services for the 2020 Olympic and Paralympic Games in Tokyo this year, claimed that over 450 million attempted cyberattacks occurred throughout the event. Officials from the company have stated that none of the attacks were successful and that the games went off without a hitch. Despite this, the total number of attacks was 2.5 times higher than during the 2012 London Olympics. 

Emotet malware, email phishing, and phoney websites that looked like the official Games sites were among the assault types, according to NTT. NTT further claims that the attacks were successfully thwarted due to 200 cybersecurity professionals who had undergone extensive training and simulations of anticipated attacks before the games. These dangers were not unexpected; the company had anticipated ransomware and Distributed Denial of Service (DDoS) attacks from state-sponsored hackers, as well as strikes against key infrastructure.

"Cybercriminals certainly saw the Games -- and its related supply chain -- as a high-value target with low downtime tolerance. After all, crime follows opportunity. And with connected stadiums, fan engagement platforms, and complete digital replicas of sporting venues and the events themselves becoming the norm, there's plenty of IT infrastructure and data to target -- and via a multitude of components," NTT's Andrea MacLean said. 

NTT released a detailed report on the games, stating that it offered both communication and broadcasting services to connect the Games venues with the Tokyo Big Sight, which served as an International Broadcast Centre. To prepare its cybersecurity team, NTT stated it performed various cybersecurity training programmes and ran simulations ahead of the event. 

However, NTT was not the only corporation to foresee the threats. The FBI also issued a private advisory before the event, advising individuals working on the 2020 Olympics to be prepared for possible threats. According to the FBI report, the attacks could include "threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak sensitive data, or impact public or private digital infrastructure supporting the Olympics."

The FBI's notification went on to mention the Pyeongchang cyberattack in February 2018, when Russian hackers used the OlympicDestroyer malware to destroy web servers during the opening ceremony.

Cyberextortion Threat Evolves as Clop Ransomware Attacks Data Security of 6 U.S. Universities


Malicious actors are now using novel ways to extract universities' data, and are threatening to publish the stolen data on dark web sites unless the universities pay them large sums.
The latest update says the Clop ransomware group claims to have data from six top universities in the United States, including the institutions' financial documents and passport data belonging to their staff and students. According to the report, the hackers first posted the stolen data online on March 29.

The universities that have been attacked include: the University of Miami, Yeshiva University, the University of Maryland, Stanford University, the University of Colorado Boulder, and the University of California, Merced.

However, none of the aforementioned universities has officially confirmed the cyber-attack, so it is unclear whether their cyberinfrastructure was actually breached or whether the hacker group demanded money in exchange for the data.

Additionally, a few days earlier, Michigan State University also confirmed a cyber attack by a group that was threatening to publish the stolen data on dark web sites unless a ransom was paid.

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected many individuals and staff of the universities, as the published information also exposed sensitive details such as names, dates of birth, photos, home addresses, immigration status, passport numbers, and social security numbers.

Some news websites also confirmed that the leaked data included further screenshots of retirement documentation, 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and UCPath Blue Shield health savings plan enrollment requests, among others.

It should be noted that such attacks are not unusual for the Clop ransomware group, which is known for its assaults on a wide range of organizations. Michigan State University's officials stated in this regard: "Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university's Board of Trustees and president".

Focus on HMRC as Many Targeted Through an Email Phishing Campaign

A new phishing attack discovered by Malwarebytes is part of a new campaign that uses an old trick: it aims to steal login credentials, payment details and other sensitive data from victims by claiming to offer them a tax refund that must be claimed online.

The email claims to be from the UK government's tax office, HMRC, informing potential victims that they are due a tax refund of £542.94 paid "directly" onto their credit card. The attackers lure users with the promise of a refund and, to pressure them, set deadlines in the emails by which the refund must be claimed.

The phishing email claiming to be from HMRC.

The scam begins by asking the user to click a link to the "gateway portal", which leads to a page that looks like a Microsoft Outlook login. Here the user enters their email address and password into the login form, and from this point the attackers have the email login credentials.

Thereafter, the user reaches a fake HMRC portal that displays a form. A deceived user has already unknowingly handed over their email and password, and now enters further personal information such as name, contact address, contact number, date of birth, a security question typical of most accounts, and card details.

Tax scams have become a common method for cyber criminals trying to extract data or money from victims: when people are enticed by the prospect of receiving money, they often lower their guard, even against low-level attacks like this phishing trick. HMRC states it will never offer a refund or request personal data by email.

Chris Boyd, lead malware intelligence analyst at Malwarebytes says,

"These attacks can afford to be crude, as the main pressure point is the temptation of an easy cash windfall tied to a tight deadline. Not knowing that HMRC don't issue refund notifications in this manner would also contribute to people submitting details."

In any case, users are advised to protect themselves from such attacks by always double-checking the sender's address before acting on an email, avoiding the links it contains, and instead logging in to the site directly.