
Private Data of Europeans Shared 376 Times Daily in Ad Sales

 

Private information about every internet user is shared hundreds of times each day as companies bid for online advertising slots. A new report by the Irish Council for Civil Liberties (ICCL) found that the average European user's data is shared 376 times per day, and the figure rises to 747 times daily for US-based users.

Currently, ICCL is engaged in a legal battle with the digital ad industry and the Data Protection Commission against what it describes as an epic data breach, arguing that nobody has ever specifically consented to this practice. 

The data is shared between brokers acting on behalf of those wishing to place adverts, in real-time, as a web page loads in front of someone who is reading it. The brands in the adverts themselves are not involved. 

That data can be practically anything based on the Interactive Advertising Bureau's (IAB) audience taxonomy. The basics, of course, like age, sex, location, income, and the like are included, but it doesn't stop there. All sorts of websites fingerprint their visitors and those fingerprints can later be used to target ads on unrelated websites. 

This data is used to select the highest bidder for the advert space on the page. It all happens automatically, in a fraction of a second, and underpins a multimillion-dollar industry. Directly identifying information is not included, but campaigners argue that the sheer volume of the data still amounts to a violation of privacy.

"Every day the RTB [Real Time Bidding] industry tracks what you are looking at, no matter how private or sensitive, and it records where you go. This is the biggest data breach ever recorded. And it is repeated every day," said Dr. Johnny Ryan, senior fellow at the ICCL. 

According to the ICCL report, the source of the data was a Google feed covering a 30-day period. It is made available to the industry, but not to the public. Data about US web users' habits is shared in advert sales processes 107 trillion times per year, and European users' data is shared 71 billion times.

"If the exhaust of our personal data could be seen in the same way pollution can, we'd be surrounded by an almost impenetrable haze that gets thicker the more we interact with our phones," tech reporter Parmy Olson said.

Facestealer Trojan Identified in More than 200 Apps on Google Play

 

Cybersecurity researchers at Trend Micro have identified more than 200 applications on Google Play distributing spyware called Facestealer, used to steal user credentials and other sensitive data, including private keys. Worryingly, the number and popularity of these applications keep growing, with some installed over a hundred thousand times.

Some malicious applications that users should uninstall immediately include: Daily Fitness OL, Enjoy Photo Editor, Panorama Camera, Photo Gaming Puzzle, Swarm Photo, Business Meta Manager, and Cryptomining Farm Your Own Coin. 

Facestealer, first identified by Doctor Web in July 2021, steals Facebook information from users via malicious apps on Google Play, then uses it to infiltrate Facebook accounts, serving purposes such as scams, fake posts, and advertising bots. Similar to the Joker malware, Facestealer changes its code frequently and has multiple variations. 

"Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants," Cifer Fang, Ford Quin, and Zhengyu Dong, researchers at Trend Micro, stated in a new report. "Since its discovery, the spyware has continuously beleaguered Google Play."

Since it was first reported, the malicious apps have continued to appear on Google Play under different guises. For example, Daily Fitness OL is ostensibly a fitness app, but its main goal is to steal Facebook data. Once launched, the app sends a request to download its encrypted configuration. When the user logs into Facebook, the app opens a WebView to load the URL taken from the downloaded configuration.

Subsequently, a piece of JavaScript code is embedded in the web page to get the login data. After the user is successfully logged into the account, the application collects the cookie, then encrypts all the personally identifiable information (PII) and sends it to the remote server. 

In addition, Trend Micro researchers unearthed 40 fake cryptocurrency miner apps that are variants of similar apps they discovered in August 2021. These apps trick users into subscribing to paid services or clicking on advertisements.

To mitigate the risks, users should read reviews from people who have already downloaded an app. This is not a complete safeguard, however, because many malicious apps buy inflated ratings: Photo Gaming Puzzle was rated 4.5 stars and Enjoy Photo Editor 4.1 stars, and Enjoy Photo Editor passed 100,000 downloads before Google removed it from the Play Store.

Nearly 15 Million People Impacted by ElasticSearch Misconfiguration

 

Cybersecurity researchers at Website Planet have unearthed two misconfigured Elasticsearch servers owned by an anonymous organization using open-source data analytics software developed by Snowplow Analytics, a London-based software vendor.

The software allows organizations to gather and examine information about their websites' users, apparently without the users' knowledge. A web analytics tool of this kind can collect a wide range of metrics, and the collected information is then used to build an extensive, detailed profile of each site visitor.

According to the researchers, both servers were unencrypted and required no password to access. The unsecured servers exposed 359,019,902 records, nearly 579.4 GB of data. They contained detailed logs of website user traffic, belonging to visitors of the various websites that collect data with the open-source software, including the following:

• Referrer page
• Timestamp
• IP address
• Geolocation data
• Web page visited
• User-agent data of website visitors

The servers contained user information collected over two months in 2021. The first server contained data from September 2021 with 242,728,328 records or 389.7 GB of data gathered between September 2nd, 2021, and October 1st, 2021. 

The second server contained December 2021 data, featuring 116,291,574 records or 189.7 GB of data collected between December 1st, 2021, and December 27th, 2021. Each user appears in roughly 4 to 100 records across the two servers, and given that there are multiple log entries per user, the researchers estimate the exposure affects at least 15 million people.

It is worth noting that the exposed data, including geolocation and IP addresses, could have been read by anyone who found the servers. Additionally, the servers were live and actively ingesting new data at the time they were discovered. Neither Elasticsearch nor Snowplow Analytics is responsible for the exposure; the fault lies with the company that owns and misconfigured the servers.

The data leak might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a third party with malicious intent or not. Fortunately, both exposed servers were secured after Website Planet sent alerts to concerned authorities.

To protect themselves from this kind of tracking, users can employ a Virtual Private Network (VPN), which hides their online activity and IP address, limiting what on-site tracking and cookies can attribute to them. People can also use the Tor browser to access the internet anonymously and maintain their data privacy.
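The two failures named above (no password, no encryption) correspond to a handful of standard Elasticsearch settings. The fragment below is an added illustration, not the exposed servers' actual configuration or anything from the Website Planet report; the certificate paths are placeholders.

```yaml
# elasticsearch.yml -- constructed example of the exposed pattern.
# Bound to every interface, authentication off, HTTP in clear text:
# anyone who can reach port 9200 can read every index without credentials.
network.host: 0.0.0.0
xpack.security.enabled: false
---
# elasticsearch.yml -- hardened equivalent.
# Bind to a site-local address rather than all interfaces.
network.host: _site_
# Require authentication on every request (unauthenticated calls get HTTP 401).
xpack.security.enabled: true
# Encrypt the REST (HTTP) interface so credentials and data do not cross the wire in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12              # placeholder path
# Encrypt node-to-node traffic as well.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12    # placeholder path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12  # placeholder path
```

Elasticsearch 8 enables these security settings by default on first start; on older releases they are off unless set explicitly, which is how clusters like the ones above end up readable by anyone.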

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest updates and usage instructions, and discuss feature proposals, on a private Telegram channel with over 500 members. Buyers can apparently use a Telegram bot to assemble the binary automatically after choosing the desired feature set and paying the equivalent amount in cryptocurrency. The most expensive module costs $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers.

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module costs $90 a year and includes features such as hiding from the task manager, automatic restart once killed, and launch-at-startup persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet addresses and replaces them with wallets controlled by the malware's operator. The Eternity Worm is available for $390 from the developer, and it can propagate itself via USB drives, LAN shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors claim the worm is FUD (fully undetectable), a claim supported by VirusTotal data showing zero detections for the strain. Notably, the ransomware module offers an option to set a timer after which the files are rendered entirely unrecoverable, adding to the pressure on the victim to pay the ransom as soon as possible.

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

Cyber Agencies: Beware of State Actors Levelling up Attacks on Managed Service Providers

 

The United States, the United Kingdom, Australia, and Canada's cybersecurity agencies issued a second advisory this week, stating that cyberattacks against managed service providers (MSPs) are expected to escalate. 

According to the advisory, if an attacker is able to access a service provider's infrastructure, ransomware or espionage activity could be carried out against the provider's customers.

The nations advised, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects." 

"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships." 

For the purposes of this advisory, the MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services. The first piece of obvious advice is to avoid getting compromised in the first place. Beyond that, organizations should follow standard recommendations such as improving monitoring and logging, updating software, keeping backups, employing multi-factor authentication, segmenting internal networks, applying the principle of least privilege, and removing old user accounts. Customers should also check their contracts for clauses that ensure MSPs have adequate security safeguards in place.

Further, the advisory stated, "Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment."
 
"MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."

21M Users' Personal Data Exposed on Telegram

 

A database containing the personal information and login passwords of 21 million individuals was exposed on a Telegram channel on May 7th, 2022, as per Hackread.com. The data of VPN customers was also exposed in the breach, including prominent VPNs like SuperVPN, GeckoVPN, and ChatVPN. 

The database was previously offered for sale on the Dark Web last year, but it is now available for free on Telegram. The leaked files contained 10GB of data and exposed 21 million unique records, according to vpnMentor analysts. The following details were included:

• Full names
• Usernames
• Country names
• Billing details
• Email addresses
• Randomly generated password strings
• Premium status and validity period

Further investigation revealed that the leaked passwords were all impractical to crack because they were random, hashed, or salted. Gmail accounts made up the majority of the email addresses (99.5 percent).

However, vpnMentor researchers believe that the released data is merely a portion of the whole dump. For the time being, it is unknown whether the information was obtained through a data breach or from a misconfigured server. In either case, the harm has been done, and users are now exposed to scams and prying eyes. The main reason people use VPNs is to maintain their anonymity and privacy, so VPN customers' data is regarded as more valuable, and disclosing it has far-reaching effects.

People whose information was exposed in this incident may be subjected to blackmail, phishing scams, or identity theft. Because personally identifiable information such as country names, billing information, and usernames was exposed, threat actors can launch targeted fraud, and after cracking credentials they could hijack accounts and exploit their premium status.

If the data falls into the hands of a despotic government that prohibits VPN use, VPN users may be arrested and detained. Users should change their VPN account password and use a mix of upper-lower case letters, symbols, numbers, and other characters for maximum account security.

Scammers Employ Instagram Stories to Target Users

 

Instagram is the fourth most popular social media platform in the world, with over one billion monthly active users. Almost everyone, from celebrities to your kids, has an Instagram account. This global success makes it a very lucrative target for threat actors. 

According to BBC, the scamming has worsened over the past year, with the Instagram fraud reports increasing by 50% since the coronavirus outbreak began in 2020. Scammers just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door. 

The latest scam involves Instagram backstories. Fraudsters will ask you for help, tell their backstory, and put their fate in your hands. Here are some of the Instagram stories that fraudsters employ to target users:

• "I'm launching my own product line."
• "I'm in a competition and need you to vote for me."
• "I'm trying to get verified on Instagram and need people to confirm my fanbase with a link."
• "I need a help link to get into Instagram on my other phone." This is the most common tactic employed by scammers.
• "I'm contesting for an ambassadorship spot at an online influencers program." This one is surprisingly popular, with fake influencers everywhere.

Scammers try to get access to your Instagram account by sending you a suspicious link, either as an Instagram direct message or via email. They will then ask you not to click the link but merely take a screenshot and send the image back to them. The link is a legitimate Instagram “forgotten password” URL for your account, and fraudsters want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out. 

In any case, any request for a screenshot of a link should be treated with extreme suspicion. Whether the story is about product lines or ambassador programs, you can safely ignore these messages. If you think you have been scammed, report it to Instagram, change your password, and enable two-factor authentication. If you reuse passwords, a scammer could break into more of your accounts, so change those passwords too.

Anonymous Hacks Russian Energy Companies, Leaking 1Million+ Emails

 

Anonymous claims to have hacked into Russian energy businesses in order to expose emails and continue its cyberwar in support of Ukraine. On Twitter, the hacker collective claimed to have exposed over 1 million emails from ALET, a Russian customs broker for fuel and energy firms.

The tweet stated, "NEW: #Anonymous hacked nearly 1.1 million emails (1.1 TB of data) from ALET, a Russian customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products."

DDoSecrets, an organisation co-founded by Emma Best and dedicated to comprehensive data transparency in the public interest, disclosed the breach. 

What is ALET? 

ALET is a customs broker based in Russia. It manages exports and customs declarations for petroleum products, coal, liquefied gases, and crude oil for enterprises in the fuel and energy industry. It has worked with 400 businesses and filed 119,000 customs declarations since 2011 with oil products accounting for the majority of its revenues. Gazprom, Gazprom Neft, and Bashneft have all recommended it.

Anonymous has threatened to fight a cyberwar against Putin since the start of the Russia-Ukraine conflict. So far, it has lived up to that promise. Not only has the organisation disclosed Russian information, but it has also infiltrated Russian organisations in order to inform citizens about what is happening outside the nation. 

Anonymous is best known for hacking Russian streaming sites and TV networks in order to show Russian residents what was going on in Ukraine. Last week, the group hacked Enerpred, Russia's largest hydraulic equipment manufacturer dealing in the energy, coal, gas, oil, and construction industries, and stole 645,000 emails (up to 432GB of data).

The company is headquartered in Irkutsk, the capital of Eastern Siberia, and has offices in major Russian cities including Moscow and St. Petersburg. The leaked data is hosted on the DDoSecrets (Distributed Denial of Secrets) website.

CNIL Imposes a Fine of 1.5 million Euros Against Software Publisher Dedalus

 

The French Authority for Data Protection (CNIL) has imposed one of its highest General Data Protection Regulation (“GDPR”) sanctions to date against Dedalus Biologie SAS (“Dedalus”), an application software editor that sells and services solutions for use by medical laboratories. 

Following a colossal health data breach disclosed in the press concerning nearly 500,000 individuals in February last year, CNIL has fined the company Dedalus Biologie 1.5 million euros mainly for failure to comply with its data security obligation. 

CNIL Findings 

The amount of the fine was determined with regard to the seriousness of the breaches, especially taking into account the fact that health personal data had been disclosed. CNIL found Dedalus Biologie to be in breach of Article 28(3) of the GDPR, given that the contractual documents concluded between Dedalus Biologie and its customers did not provide the information stipulated under the aforementioned provision. 

As part of a migration of data from one tool to another, requested by two laboratories using the services of Dedalus Biologie, CNIL found that the company extracted a larger volume of data than required, including health data (e.g., health issues, infertility, etc.), and therefore processed data beyond the instructions given by the data controllers, in breach of Article 29 of the GDPR.

Additionally, CNIL found a breach of the obligation to ensure the security of personal data (Article 32 GDPR), due to technical failings such as:

• lack of specific procedure for data migration operations; 
• lack of encryption of personal data stored on the problematic server; 
• absence of automatic deletion of data after migration to the other software; 
• lack of authentication required to access the public area of the server; 
• use of user accounts shared between several employees on the private zone of the server; and 
• absence of supervision procedure and security alert escalation on the server. 

To counter data breaches in the future, Dedalus Biologie asserted its willingness to attain the highest level of security and GDPR compliance, by strengthening its IT infrastructures, enhancing its internal and external procedures, and appointing additional DPO and IT information services managers.

42M+ People's Financial Data Compromised in UK

 

According to a press release from international law firm RPC, a growing number of ransomware attacks has resulted in the disclosure of financial data pertaining to about 42.2 million persons in the United Kingdom. 

“The surprisingly high number of people whose financial data was impacted in the last year shows how cyber-attacks have become endemic,” said RPC partner Richard Breavington. “Hackers are continually refining their methods, employing ever more complex techniques to extort money in whatever way they can. Some businesses, fearing the potential reputational costs, not to mention other consequences, decide that they will take the last-ditch approach of paying the ransom demands. As a result, these attacks have become very lucrative for cybercriminals.” 

Cyberattacks are spreading at an alarming rate, notably in the United Kingdom. In 2019-2020, 2.2 million people's data was stolen, compared to 42.2 million in 2021-2022, a startling increase of over 1,700% in just three years. One explanation offered for this increase in exposure of residents' sensitive information is simply that more data is being held overall. The cybercriminal network will then sell the information on a marketplace and perhaps hold financial institutions to ransom if the data has been corrupted by malware or ransomware.

Breavington explains in the release that “criminal gangs are doing this because their blackmail threats over encryption alone are becoming less effective as businesses get better at backing up their systems. But hackers have honed their tactics and added this additional form of blackmail.” 

As a result of many firms finding it easier to just pay the ransom to attackers, several hacking groups have increased the number of attacks they carry out in a short period of time. As we saw earlier this month, ransomware and cyber threat groups will occasionally get access to a company's system and examine its inner workings for a period of time before launching an attack. 

“Before carrying out an attack, hackers are increasingly carrying out reconnaissance to scope out protections that are in place, as well as data held by the company,” Breavington said. “Businesses should not be making their jobs easier by signposting this information.” 

Many people are losing faith in firms' ability to keep their financial information secure as the number of hacks rises. As a result, many firms must recognise that it is their job to strengthen security layers, maintain a 24/7 approach to cybersecurity and online threats, and regularly self-audit their processes to ensure that they are doing everything necessary to reclaim that lost confidence.

CitySprint Confirms Security Breach, Personal Data of Drivers May be Compromised

 

CitySprint, a same-day delivery company, has issued a warning to couriers after discovering a data breach that may have given hackers access to sensitive personal information. A security issue was confirmed in an email sent to hundreds of drivers on April 7th. 

Self-employed drivers transport items across the UK for CitySprint, which was recently acquired by package delivery behemoth DPD Group. These drivers provide personal information to CitySprint using the company's iFleet interface, which includes photos of their driver's licence, car shots, and weekly earnings data. The delivery company claims that it shut down the iFleet system and restricted access to it as soon as it became aware of "the incident." 

CitySprint currently claims that it has no confirmation that personal data has been accessed, but it does not rule out the possibility. For the time being, the business's investigations are ongoing, and it has deployed forensic cybersecurity professionals to completely and comprehensively examine the event and analyse what data, if any, has been exposed. 

It states, “Our security checks, which are not quite complete yet have shown that so far, no personal data was compromised. The remaining checks will confirm if any of your data may have been affected. Therefore, as a precautionary measure, we have informed the Information Commissioner’s Office of the incident.” 

CitySprint claims it takes personal data protection "very seriously" and is investigating IT working processes across the company. Some drivers are clearly dissatisfied with the way the company handles their personal information. 

CitySprint's email includes several pieces of advice for drivers on what to do if their personal information is compromised online: change their passwords to something strong and unique, enable two-factor authentication on accounts that provide it, and consider signing up for an identity theft protection service.

On 13th April, CitySprint offered the following statement, “We recently detected an apparent malicious attempt by a third party to access confidential data from our courier management platform. As soon as this issue was discovered, we took immediate steps to close off external access to this and launched a full and thorough investigation, led by independent cybersecurity experts. 

Now that this investigation has concluded, we are pleased to confirm that we believe that no personal data has been compromised. This incident has been reported to the proper authorities and we are in contact with couriers who contract with us about this as a matter of precaution.”

T-Mobile Users Targeted via New Smishing Campaign

 

Threat actors are targeting T-Mobile customers in an ongoing smishing campaign with malicious links using unblockable texts sent via SMS (Short Message Service) group messages. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple users have filed reports of being targeted by this new SMS phishing campaign. 

"The messages vary but typically thank the recipient for paying their bill and offer a gift. The messages include a link to accept the gift," according to the NJCCIC, which operates within the state's Office of Homeland Security and Preparedness and deals with these types of incidents. “These links may lead to malicious websites intending to steal account credentials or personal information, or install malware."

Earlier this year, in March, a similar series of smishing attacks targeted Verizon Wireless and Spectrum users, impersonating the carriers in text messages spoofed to appear as if they were sent from the target's own phone number.

The Federal Trade Commission also issued a warning to T-Mobile users to watch out for fraudsters sending them texts from their numbers. "They’ve changed (spoofed) the caller ID to look like they’re messaging you from your number, but the shock of getting a text from yourself is bound to get your attention — which is what they’re after," the FTC said. 

Cybercriminals using information from previous data breaches

The NJCCIC believes that the smishing campaign was likely made possible by previous data breaches affecting the mobile carrier and millions of its users.

Since 2018, when info belonging to 3% of T-Mobile customers was stolen by hackers, T-Mobile has disclosed five other data breaches. In 2020, T-Mobile employees' email accounts were compromised, and phone numbers and call records were accessed by unauthorized third parties.

The NJCCIC is meanwhile advising T-Mobile users targeted by smishing campaigns to go directly to official websites, to avoid clicking links delivered in SMS messages from unknown senders, and to refrain from entering sensitive details on unverified websites.

It also recommends that users mute the text thread to stop receiving alerts when anyone replies. They can delete the message thread too, although that will not stop new texts from arriving.

Beware of Latest Eavesdropping Scam Targeting Victims with Vague Voicemails

 

Researchers at Hiya, a Seattle-based firm specializing in robocall-blocking algorithms and apps, have uncovered the newest scam call campaign, dubbed the "Eavesdropping Scam". The campaign begins with vague voicemail messages left on a victim's smartphone in which an unknown voice is heard talking about them to another person.

According to the researchers, since 79% of unknown calls go unanswered, the scammers leave a voicemail. If a potential victim's curiosity is piqued by a voicemail saying "I'm trying to get ahold of them right now" and they decide to call back, the fraudsters on the other end of the line attempt to steal their private details or money by offering fraudulent tax relief services.

The eavesdropping scam operates in a sophisticated manner by deploying both a new strategy (leaving non-descriptive voicemails to get a call back) and a new script (pretending to discuss the recipient). The scam evades most call protection services because it does not contain any traditional scam call markers. 

Unlike other campaigns, the scammers use authentic numbers and lure people to call back. The call seems very discreet despite being a mass volume robocall, and the content of the voicemail is so vague that it does not include any typical fraud-related keywords. 

The eavesdropping scam first emerged in early 2022, and to curb the spread of the fraud campaign researchers used the company’s Adaptive AI. It allowed the researchers to flag over 90 percent of these calls from the beginning. 

The firm’s Real-Time Intelligence Service allows its Adaptive AI to identify the latest frauds based on their strategies, even on the very first call. In this campaign, phone numbers making the Eavesdropping Scam call were flagged in less than 12 call attempts on average and after successfully spotting and flagging these calls, researchers collaborated with a third-party service provider to shut down the initial operation in 24 hours.

“Catching this new and emerging scam tactic shows the power of Hiya’s Adaptive AI capabilities. Because our models are self-learning and focus on tactics, we can detect new scam risks in real-time and, in this case, shut down the operation before it reaches most users,” Hiya CEO Alex Algard stated. “At Hiya, our mission is to fully eradicate spam and fraud calls from the voice network, and the Eavesdropping Scam is the latest example of how we’re outsmarting scammers and protecting users.”

New Android Spyware Linked to Russia Hacking Group Turla

 

A new Android spyware application has been spotted and detailed by a team of cybersecurity experts that records audio and tracks location once planted in the device. The spyware employs an identical shared-hosting infrastructure that was previously identified to be employed by a Russia-based hacking group known as Turla. 

However, it remains unclear whether the Russian hacking group has a direct connection with the recently identified spyware. It arrives as a malicious APK file that works as Android spyware and performs its actions in the background, without any clear indication to the user. 

Researchers at threat intelligence firm Lab52 have discovered the Android spyware, which is named Process Manager. Once installed, the malware removes its gear-shaped icon from the home screen and operates in the background, abusing its wide permissions to access the device's contacts and call logs, track its location, send and read messages, access external storage, snap pictures, and record audio. 

The spyware collects all the data in JSON format and subsequently transmits it to a server located in Russia. It is not clear whether the app receives permissions by exploiting the Android Accessibility service or by luring users to grant their access. 
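A defender-side triage heuristic for the behaviour just described (hidden launcher icon combined with the broad permission set), written as an added example that is not Lab52's or the page's own code. The package inventory format is constructed for this example; on a real device it would be built from `adb shell dumpsys package` output, and the sample package names are made up.

```python
"""Heuristic triage for Android apps that hide their icon and hold wide permissions."""
from dataclasses import dataclass, field

# Runtime permissions matching the capabilities the spyware abuses (real permission names).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.SEND_SMS": "send messages",
    "android.permission.READ_SMS": "read messages",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio recording",
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play


@dataclass
class Package:
    """One installed app; the inventory format is constructed for this example."""
    name: str
    has_launcher_icon: bool          # exposes an activity in the LAUNCHER category
    granted: set = field(default_factory=set)
    installer: str = PLAY_STORE      # "" means sideloaded / unknown installer


def sensitive_capabilities(pkg):
    """Human-readable list of the sensitive capabilities the app has been granted."""
    return sorted(SENSITIVE[p] for p in pkg.granted if p in SENSITIVE)


def risk_score(pkg):
    """One point per sensitive capability, plus penalties for the spyware's two tells."""
    caps = sensitive_capabilities(pkg)
    score = len(caps)
    if caps and not pkg.has_launcher_icon:   # collects data yet hides from the user
        score += 3
    if pkg.installer != PLAY_STORE:           # arrived outside the store
        score += 2
    return score


def triage(packages, threshold=6):
    """Return (name, score, capabilities) for every package at or above the threshold."""
    return [(p.name, risk_score(p), sensitive_capabilities(p))
            for p in packages if risk_score(p) >= threshold]


# Constructed sample inventory: a normal messenger, a hidden sideloaded app, a notes app.
SAMPLE = [
    Package("com.sample.messenger", True, {"android.permission.READ_CONTACTS",
            "android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.CAMERA"}),
    Package("com.sample.hidden", False, set(SENSITIVE), installer=""),
    Package("com.sample.notes", True, {"android.permission.READ_EXTERNAL_STORAGE"}),
]

if __name__ == "__main__":
    for name, score, caps in triage(SAMPLE):
        print(f"{name}: score {score}, capabilities {', '.join(caps)}")
```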

According to Lab52 researchers, the authors of the Android spyware have exploited the referral system of an app called Roz Dhan: Earn Wallet Cash, which is available for download on Google Play and has over 10 million downloads. The spyware attempts to download and install that application using a goo.gl link, which lets the malicious actors install it on the device and make a profit from its referral system.

This seems odd for spyware whose operators appear to be focused on cyber espionage. According to Bleeping Computer, the strange behaviour of downloading an app to earn commissions from its referral system suggests that the spyware could be part of a larger scheme that is yet to be uncovered. 

"The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by the malware," the researchers said. "The attacker installs it on the device and makes a profit." 

To mitigate the risks, Lab52 researchers have recommended that Android users avoid installing any unknown or suspicious apps on their devices. Users should also review the permissions they grant to apps, to limit third-party access to their device.

Hotel WiFi Across MENA Compromised, Private Information Leaked


Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he accidentally discovered a technical vulnerability in the hotel's internet infrastructure that exposed the personal information of hundreds of hotels and millions of tourists worldwide. 

Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.” 

He was able to get network configurations for 629 significant hotels in 40 countries, as well as millions of customers' personal information, such as room numbers, emails, and check-in and check-out dates. The research included information from major hotel chains in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, and Kuwait, including the Kempinski, Millennium, Sheraton, and St Regis. 

The hotels all use the HSMX Gateway internet technology from AirAngel, a British company whose clients include some of the world's most well-known hotel chains. Most hotels, stores, restaurants, and cafés require guests to set up an account and fill in their personal information before they can use the internet. This does, however, have some disadvantages. 

Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”

Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.

Trojanized Apps are Being Employed to Steal Cryptocurrency From iOS and Android Users


ESET, an antivirus and internet security firm, has uncovered and tracked a sophisticated malicious cryptocurrency campaign that targets mobile devices running Android or iOS (iPhones). 

According to ESET, malware authors are distributing malicious apps via fake websites, mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Subsequently, attackers use ads placed on legitimate websites with misleading articles to promote the fake websites that distribute these malicious wallet apps. 

Additionally, intermediaries have been recruited via Telegram and Facebook groups in an attempt to trick unsuspecting visitors into downloading the malicious apps. The primary motive of the campaign is to exfiltrate users' funds. ESET researchers have mainly seen Chinese users being targeted, but as cryptocurrencies become more popular, the firm's researchers expect the methodologies used in the campaign to spread to other markets. 

The campaign, tracked since May 2021, seems to be controlled by a single criminal group. The malicious cryptocurrency wallet apps are designed to replicate the functionality of their original counterparts while incorporating malicious code changes that enable the theft of crypto assets. 

"These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers' server using an unsecured HTTP connection," Lukáš Štefanko, senior malware researcher at ESET stated. "This means that victims' funds could be stolen not only by the operator of this scheme but also by a different attacker eavesdropping on the same network." 

The Slovak cybersecurity firm said it also uncovered dozens of groups promoting malicious apps on the Telegram messaging app that were, in turn, shared on at least 56 Facebook groups in hopes of landing new distribution partners for the fraudulent campaign. 

The investigation also found 13 applications masquerading as the Jaxx Liberty Wallet on the Google Play store, all of which have since been removed from the Android app marketplace. Before the takedown in January, however, these applications were installed more than 1100 times. "Their goal was simply to tease out the user's recovery seed phrase and send it either to the attackers' server or to a secret Telegram chat group," Štefanko concluded.

Social Engineering Attacks Resulted in Compromise of Morgan Stanley Client Accounts


Morgan Stanley's wealth and asset management division, Morgan Stanley Wealth Management, says that social engineering attacks have compromised some of its customers' accounts. 

Vishing (also known as voice phishing) is a social engineering attack in which scammers impersonate a reputable business (in this case Morgan Stanley) over the phone to persuade their targets to expose or pass over sensitive information such as banking or login credentials. 

According to a notice sent to impacted clients, a threat actor impersonating Morgan Stanley gained access to their accounts "on or around February 11, 2022" after deceiving them into submitting their Morgan Stanley Online account information. After compromising the accounts, the attacker also transferred money electronically out of them to accounts under their own control. 

The alert reads, "As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley. The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments." 

A Morgan Stanley spokesperson told BleepingComputer that "there was no data breach or information leak from Morgan Stanley." The Morgan Stanley division also stated that all affected customers' accounts had been disabled, adding that its systems "remain secure." 

The company explained, "This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure. Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled." 

Morgan Stanley advises customers not to answer calls from numbers they don't recognise as a way to protect themselves from vishing attacks and other sorts of social engineering frauds. 

"Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization and is who they claim to be. You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official website or perhaps a financial statement," the company further recommended. 

Morgan Stanley announced a data breach in July 2021 when the Clop ransomware group hacked into the Accellion FTA server of Guidehouse, one of Morgan Stanley's third-party providers, and stole personal information belonging to its clients. 

Morgan Stanley is a significant investment banking and global financial services corporation based in the United States that offers investment banking, securities, wealth management, and investment management services around the world.  

HubSpot Hack Results in Data Leak at Prominent Cryptocurrency Firms


HubSpot, a marketing and sales platform, suffered a data breach over the weekend impacting multiple firms including Circle, BlockFi, Pantera Capital, and NYDIG.

In emails to clients, the companies revealed their operations were not impacted and their treasuries were not at risk. Although user information was leaked to hackers, passwords and other internal information were not stolen. 

The breach was the result of a hacker gaining access to an employee account and using it to target HubSpot's customers in the cryptocurrency industry. Threat actors stole data from 30 HubSpot portals, and the company has notified all affected firms, terminated the account, and reworked its account privileges to ensure something like this does not happen again, HubSpot explained in a blog post. 

Although HubSpot did not publish a full list of impacted firms, some media managed to identify a few names. Decrypt, a crypto news platform revealed that Pantera Capital, an American Crypto venture capital firm, sent out a letter to its customers, which said "Pantera uses Hubspot as a client relationship management platform. The information that may have been accessed includes first and last names, email addresses, mailing addresses, phone numbers, and regulatory classifications." 

“While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve,” HubSpot concluded. At this time, a timeline of events is unknown as HubSpot has not revealed when its systems were compromised. 

“SaaS and managed service providers are enticing targets for cybercriminals as they know that if they successfully compromise the provider, they will likely gain access to the data or networks of hundreds or thousands of the providers’ downstream customers,” Chris Clements, vice president of solutions architecture at information technology service management firm Cerberus Cyber Sentinel Corp., stated. “It’s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently.” 

It’s essential that firms understand that the data they share with third-party vendors largely passes out of their control, leaving them little recourse should it be stolen when the third party is compromised, Clements concluded.

Scammers are Using Novel Technique to Target iPhone and Android Users


Cybersecurity researchers have uncovered a new methodology employed by fraudsters to target iPhone and Android users: tricking them into installing malware via dubious apps and using it to steal thousands of dollars.

According to researchers at cybersecurity firm Sophos, a scam campaign dubbed CryptoRom typically begins with a social-engineering attack, in which a scammer befriends a victim through dating apps like Tinder, Bumble, or Facebook Dating.

The scammer then moves their conversation to messaging apps such as WhatsApp and asks the victim to install a cryptocurrency trading application that's designed to mimic popular brands and lock people out of their accounts and freeze their funds. In some cases, victims are forced to pay a “tax” to withdraw their money, which they learn by chatting with an in-app customer service representative who is part of the malicious campaign. 

"This style of cyber-fraud, known as sha zhu pan — literally 'pig butchering plate' — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," stated Sophos analyst Jagadeesh Chandraiah. 

The malicious campaign exploits iOS TestFlight and Apple WebClip to deploy fake mobile apps and websites onto victims’ phones without being subject to the rigorous App Store approval process. The campaign was initially used in Asia but has hit U.S. and European victims since October 2021. 

TestFlight is used for testing beta versions of apps before they head to the App Store. It supports small internal tests, sent out to 100 users by email, and public beta tests distributed to up to 10,000 users. But the scammers abuse TestFlight precisely because it gives users a way to install apps outside of the App Store, researchers explained. 

Sophos researchers said some victims installed malicious versions of the legitimate BTCBOX Japanese crypto exchange app that were made available through the TestFlight feature. 

The fraudsters also employed iOS WebClips to trick iPhone users, who were sent malicious URLs through the service. WebClips offer fast access to favourite webpages or links, as Apple highlights, and researchers state that they can be used to make fake apps appear more authentic.

Wightlink Customers' Details Compromised in Cyber Attack


Wightlink, a UK ferry company, has been struck by a highly complex cyber-attack that may have exposed the personal information of "a small number of customers and staff." Wightlink stated that the incident, which occurred in February, impacted certain back-office IT systems but not its ferry services, booking system, or website.

According to the company, law enforcement and the UK's Information Commissioner's Office (ICO) have been contacted, as have the people who may have been affected by the breach. Wightlink has three routes between Hampshire in southeast England and the Isle of Wight, an island off the south coast. The company claims to carry 4.6 million passengers each year on over 100 daily sailings.

Wightlink claimed in a statement received by The Daily Swig: “Unfortunately, despite Wightlink taking appropriate security measures, some of its back-office IT systems were affected by a cyber-attack last month. However, this criminal action has not affected Wightlink’s ferries and FastCats, which have continued to operate normally during and following the attack, nor were its booking system and website affected.” 

Wightlink said it hired third-party cybersecurity experts to investigate and analyse the situation as soon as it was detected. The operator stated it was working with the South East Regional Organised Crime Unit in addition to reporting the incident to the ICO. 

The company stated, “Wightlink does not process or store payment card details for bookings. However, the investigation has identified a small number of customers and staff for whom other items of personal information may have been compromised during the incident.” 

Wightlink chief executive Keith Greenfield stated, “I would like to thank all my colleagues at Wightlink who responded quickly ensuring that the impact to customers was minimised and that cross-Solent travel and bookings were unaffected.”