Search This Blog

Showing posts with label User Security. Show all posts

Payment Gateway Firm Razorpay Loses ₹7.3 Crore in Cyber Fraud Incident

 

The South East cybercrime police are investigating a fraudulent case where a hacker stole ₹7.3 crores over three months by exploiting the authorization process of Razorpay Software Private Limited, a payment gateway company to authenticate 831 failed transactions. 

The fraud came to light when officials of the payment gateway company Razorpay Software Private Limited conducted an audit of the transactions, and they couldn’t accommodate the receipt of Rs. 7,38,36,192 against 831 transactions. 

Razorpay Software Private Limited was founded by Shashank Kumar and Harshil Mathur in 2015. The company offers online payment services that allow businesses in India to collect payments via credit card, debit card, net banking, and wallets. 

On May 16, Abhishek Abhinav Anand, head of Legal Disputes and Law Enforcement at Razorpay Software Private Limited, lodged a complaint with the South East cybercrime police. The police are currently attempting to track down the hacker on the basis of online transactions.
 
An internal probe has revealed that some person or persons have tampered with and manipulated the authorization and authentication process. As a result, false ‘approvals’ were sent to Razorpay against the 831 failed transactions, resulting in a loss amounting to ₹7,38,36,192. The company provided details of the 831 failed transactions, including date, time, IP address, and other relevant information to the police. 

"Razorpay's payment gateway is at par with the industry standards on data security. During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites that used an older version of Razorpay's integration, due to gaps in their payment verification process. The company has conducted an audit of the platform to ensure no other systems, no merchant data, and funds, and neither their end-consumers were affected by this incident,” Razorpay’s spokesperson stated. 

According to the ministry of electronics and information technology (Meity), between 2018 and 2021, there was an over a five-fold jump in the number of cybercrime and fraud incidents recorded by the government. 

Basically, the number of incidents surged from 208,456 in 2018 to 1,402,809 in 2021, as per the Data available with the Indian Computer Emergency Response Team (Cert-In). Indian Computer Emergency Response Team is the government agency for computer security.

Nearly 15 Million People Impacted by ElasticSearch Misconfiguration

 

Cybersecurity researchers at Website Planet have unearthed two misconfigured ElasticSearch servers owned by an anonymous organization using open-source data analytics software developed by SnowPlow Analytics, a London-based software vendor. 

The software allows entities to gather and examine information about their websites’ users apparently without their knowledge. It is worth noting that a web analytics tool can collect versatile data metrics. The collected information is then used for designing an extensive, detailed profile for site visitors.

According to researchers, both servers were unencrypted and required no password authorization. The unsecured servers exposed 359,019,902 records, nearly 579.4 GB of data. The exposed servers contained detailed logs of website user traffic — information that belongs to users of various websites collecting data with the open-source technology, including the following. 

• Referrer page 
• Timestamp IP 
• Geolocation data 
• Web page visited 
• User-agent data of website visitors 

The servers contained user information collected over two months in 2021. The first server contained data from September 2021 with 242,728,328 records or 389.7 GB of data gathered between September 2nd, 2021, and October 1st, 2021. 

The second server contained December 2021 data featuring 116,291,574 records or 189.7 GB of data collected between December 1st, 2021, and December 27th, 2021. Nearly 4 to 100 records of users appear on the two servers, and given that there are multiple logs for each user, this exposure might affect at least 15 million people, the researchers added. 

It is worth noting that the compromised data could have been accessed by anyone with eyes, and included geolocation and IP addresses. Additionally, the servers were live and actively updating new information at the time when they were discovered. However, neither ElasticSearch nor SnowPlow Analytics is responsible for this exposure because the company that owns the misconfigured servers is at fault. 

The data leak might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a third party with malicious intent or not. Fortunately, both exposed servers were secured after Website Planet sent alerts to concerned authorities.

To secure the data, users can employ Virtual Private Network (VPN) which hides the online activity and IP address, making the user anonymous to on-site tracking and cookies. People can also use the Tor browser to access the internet anonymously and maintain their data privacy.

21M Users' Personal Data Exposed on Telegram

 

A database containing the personal information and login passwords of 21 million individuals was exposed on a Telegram channel on May 7th, 2022, as per Hackread.com. The data of VPN customers was also exposed in the breach, including prominent VPNs like SuperVPN, GeckoVPN, and ChatVPN. 

The database was previously accessible for sale on the Dark Web last year, but it is now available for free on Telegram. The hacked documents contained 10GB of data and exposed 21 million unique records, according to VPNMentor analysts. The following details were included: 
  • Full names
  • Usernames
  • Country names
  • Billing details
  • Email addresses
  • Randomly generated password strings
  • Premium status and validity period
Further investigation revealed that the leaked passwords were all impossible to crack because they were all random, hashed, or salted without collision. Gmail accounts made up the majority of the email addresses (99.5 percent). 

However, vpnMentor researchers believe that the released data is merely a portion of the whole dump. For the time being, it's unknown whether the information was gained from a data breach or a malfunctioning server. In any case, the harm has been done, and users are now vulnerable to scams and prying eyes. The main reason people use VPNs is to maintain their anonymity and privacy. Because VPN customers' data is regarded more valuable, disclosing it has far-reaching effects. 

People whose information was exposed in this incident may be subjected to blackmail, phishing scams, or identity theft. Because of the exposure of personally identifiable information such as country names, billing information, usernames, and so on, they may launch targeted frauds. Threat actors can easily hijack their accounts and exploit their premium status after cracking their credentials. 

If the data falls into the hands of a despotic government that prohibits VPN use, VPN users may be arrested and detained. Users should change their VPN account password and use a mix of upper-lower case letters, symbols, numbers, and other characters for maximum account security.

Analyzing the New Black Basta Ransomware

 

Black Basta, a new ransomware group has been highly active since April 2022 and has already breached a dozen companies worldwide. The list of victims includes the American Dental Association and German wind turbine giant Deutsche Windtechnik. 

Modus operandi of Black Basta 

While Black Basta assaults are relatively new, some information on their methodology has been made public. The data encryptor employed by ransomware requires administrator privileges to execute, otherwise, it is harmless. 

To launch the encryption executable, the ransomware targets a legitimate Windows service. After execution, the ransomware erases shadow copies from the compromised system using vssadmin.exe. This action removes the Windows backup so that after encryption victim cannot revert the system to its previous state. 

Subsequently, Black Basta drops two files: dlaksjdoiwq.jpg and fkdjsadasd.ico in the user Temp folder. The second file is a custom icon for all files with the “.basta” extension. The icon is assigned by designing and setting a new registry key “HKEY_CLASSES_ROOT\.basta\DefaultIcon”. 

The persistence technique of the Black Basta ransomware is executed by “stealing” an existing service name, deleting the service, and then creating a new service named ‘FAX. Before the encryption routine begins, the ransomware checks the boot options using GetSystemMetrics() API and then adds HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax entry in the registry to start the FAX service in safe mode. 

After completing all the customizations, the ransomware sets up the operating system to boot in safe mode using bcedit.exechecks. Due to the reboot mode change, the PC will reboot in safe mode with the ‘Fax’ service running. This service will then execute the ransomware again, but this time for the purpose of encryption. 

 Methodologies Identical to Conti group 

Researchers at MalwareHunterTeam attribute the Black Basta ransomware to the team behind Conti ransomware. This assumption is based on similarities between their leak sites, their payment sites, and the way their “support” employees talk and behave. 

Lawrence Abrams of BleepingComputer also mentioned that the threat actors behind Black Basta seem like they are exerting a lot of effort to avoid any resemblance to their previous identity. 

To prevent Black Basta ransomware from further encryptions, it must be eliminated from the operating system. Unfortunately, removal will not restore already compromised data. The sole solution is recovering it from a backup if one was created beforehand and is stored elsewhere. 

Additionally, to avoid permanent data loss, researchers recommend keeping backups in multiple different locations (e.g., remote servers, unplugged storage devices, etc.

Scammers Employ Instagram Stories to Target Users

 

Instagram is the fourth most popular social media platform in the world, with over one billion monthly active users. Almost everyone, from celebrities to your kids, has an Instagram account. This global success makes it a very lucrative target for threat actors. 

According to BBC, the scamming has worsened over the past year, with the Instagram fraud reports increasing by 50% since the coronavirus outbreak began in 2020. Scammers just need a handful of those people who will help someone without thinking. And since they’re not after money, just a bit of someone’s time, they already have one foot in the door. 

The latest scam involves Instagram backstories. Fraudsters will ask you for help, tell their backstory, and put their fate in your hands. Here are some of the Instagram stories that fraudsters employ to target users: 

  •  "I’m launching my own product line." 
  •  "I’m in a competition and need you to vote for me." 
  • "I’m trying to get verified on Instagram and need people to confirm my fanbase with a link."
  • "I need a help link to get into Instagram on my other phone." This is the most common tactic employed by scammers. 
  • "I’m contesting for an ambassadorship spot at an online influencers program." This one is surprisingly popular, with fake influencers everywhere. 

Scammers try to get access to your Instagram account by sending you a suspicious link, either as an Instagram direct message or via email. They will then ask you not to click the link but merely take a screenshot and send the image back to them. The link is a legitimate Instagram “forgotten password” URL for your account, and fraudsters want you to screenshot it so they can use the URL to reset your password, take over your account, and lock you out. 

Regardless, any requests for link screenshots should be treated with extreme suspicion. Whether product lines or ambassador programs, you can safely ignore these messages. If you think you’ve been scammed, report it to Instagram. Change your password and enable two-factor authentication. If you reuse passwords, a scammer could break into more of your accounts. Change those passwords.

Misconfiguration Identified in Google Cloud Platform

 

A misconfiguration discovered in the Google Cloud Platform could allow threat actors to gain complete control over virtual devices by exploiting legitimate features in the system, researchers at Mitiga, a Cloud Incident Response firm, stated. 

Mitiga uncovered a misconfiguration several months ago while examining Google Cloud Platform’s Compute Engine (GCP), specifically virtual machine (VM) services. The Cloud incident response vendor identified a misconfiguration that allowed attackers to send and receive data from the VM and possibly secure complete control over the system. However, Mitiga emphasizes that this is not a security loophole, or system error – it’s described as a “dangerous functionality”. 

Mitiga notes that malicious actors could use a compromised metadata API, named “getSerialPortOutput”, which is used for the purpose of tracking and reading serial port keys. The researchers described the API call as a “legacy method of debugging systems”, as serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, given that this is Linux. 

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," Andrew Johnston, principal consultant at Mitiga, stated. 

After reporting the findings to Google, the company agreed that misconfiguration could be exploited to bypass firewall settings. Mitiga proposed two changes to the getSerialPortOutput function by Google, including restricting its use to only higher-tiered permission roles and allowing organizations to disable any additions or alterations of VM metadata at runtime. 

Additionally, the company advised Google to revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs. However, Google disagreed with a majority of the recommendations. 

"After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," Johnston wrote in the report.

WooCommerce Credit Card Stealer Found Implanted in Fake Images

 

Card skimming and card details theft is one such sophisticated technique attack that seldom fails. Earlier this week, cybersecurity researchers at Sucuri blog unmasked a malicious campaign where a credit card swiper was injected into WordPress’ wp-settings.php file. The WooCommerce customers reported that images were disappearing from the cart almost as soon as they were uploaded. 

According to researchers, the credit card skimmer was buried deep down into the file titled '../../Maildir/sub.main', and it was easy to miss on a casual review. Scammers usually prefer to deploy malicious content out of the way so it is more difficult to detect. The common tactic employed is to create directories that look like system directories, or to place malware in existing core CPanel or other server directories. 

Upon analyzing the malicious file, researchers uncovered over 150 lines of code that had been obfuscated with str_rot13 and base64. Attackers also used multiple functions to store credit card data concealed in the wp-content/uploads/highend/dyncamic.jpg image file. When decoded, that data revealed not only credit card details submitted to the site, but also admin credentials to the site’s backend. 

Injecting card skimmers into WordPress plugin files is the newest trend, avoiding the heavily watched ‘wp-admin’ and ‘wp-includes’ core folders, where most injections are short-lived. It is one of the most lucrative and stealth attack tactics employed by scammers to make money. 

There are a couple reasons why this is a useful tactic. The primary reason is that it makes it very easy for scammers to download the stolen details in their browser or a console. Secondly, most website/server malware detection scans focus on website file extensions such as PHP, JS, and HTML. Image files, particularly those in a wp-content/uploads sub-directories, can sometimes be overlooked.

“Scammers are aware that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files,” researchers explained.

Magniber Ransomware Tricking Users via Fake Windows 10 Updates

 

Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain. 

Since April 27, users around the world have been posting their stories on the BleepingComputer forum seeking a solution. According to the publication, these fake Windows 10 updates are being distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates.

Aside from these files, there also are other fake knowledge-based articles on Microsoft that can install the Magniber ransomware: 

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on the submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

Once installed, Magniber will erase shadow volume copies and then encrypt files. When encrypting files, the ransomware will append a random 8-character extension, such as .gtearevf,. The ransomware also produces a README.html document in each folder which it encrypts. The documents then redirect users to Magniber’s Tor payment site, which is called 'My Decryptor'.

The payment site allows a victim to decrypt one file for free, contact 'support,' or determine cryptocurrency address to send coins to if they decide to pay the ransom. The ransomware demands tend to be around $2,500 or 0.068 bitcoin, Bleeping Computer reported. 

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware. Nor any weaknesses of the malware are known to reverse its infection. The ransomware presently targets regular users and students, and not corporate customers. Thus, the users need to remain vigilant, avoid downloading cracked versions, and use legit sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. Back in 2021, the ransomware was using the PrintNightmare exploit to Target Windows user, and earlier this year in January, it was distributed via Microsoft Edge and Chrome.

Google's Safety Section Will Show What Android Apps Do With the User Data

Earlier this week, Google rolled out a new Data Safety section for Android apps on Play Store to mention the type of data that is collected and given to third parties. It is the users' right to know why their data is collected and if the developer shares user data with a third party. 

Besides this, users should know how application developers are protecting user data when an app is downloaded. The transparency measure, built in accordance with Apple's Privacy Nutrition Labels, was first announced by Google last year in May 2021. 

The Data safety section will show up against all app listings on the digital storefront, presenting a unified view of what kind of data is getting collected, why it's being collected, and how it'll be used, also mentioning what data is shared with the third parties. Moreover, the labels may also show an app's security practices, for instance, data encryption in transit and if the user can ask for the data to be deleted. 

Additionally, it will validate these practices against security standards like Mobile Application Security Verification Standard (MASVS). The feature will probably be rolled out for all users, app developers can expect a deadline of 20 July 2022 to finalize the work and update the users if there is any change in the apps' functionality or data handling practices. 

Data safety may face similar concerns that Apple did, as the system is built entirely on an honor system, which needs app developers, to be honest, and clear about what they'll do with the data, avoiding listing it as inaccurate labels. 

Since then, Apple said that the company will audit labels for authenticity, and make sure that these labels are dependable and don't give the users fake assurance about security. 

"Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information and that it will mandate them to fix misrepresentations should it identify instances of policy violations," reports The Hacker News.

Black Basta Ransomware Hits American Dental Association

 

A new ransomware gang dubbed Black Basta is exfiltrating corporate data and documents before encrypting the firm’s devices. It has quickly catapulted into operation this month and has targeted more than twelve firms in just a few weeks. 

The malicious actors then employ stolen data in double-extortion assaults and demand hefty amounts to decrypt files and prevent the publishing of the victim's stolen data. 

According to BleepingComputer, the American Dental Association was targeted by Black Basta last weekend, prompting the shutdown of some parts of its network. The ADA sent emails to its members noting that some of its systems, including ADA email and Aptify, as well as its webchat and telephone lines, have been disrupted as a result of the attack. 

Impacted systems were immediately taken down, with the ADA leveraging Gmail addresses while its email systems are offline. State dental associations, including those in Florida, New York, and Virginia, have also been hit by the ADA breach. 

The attackers claimed to have leaked 2.8GB of data, which they believe accounts for about 30% of the stolen data from the attack. The exfiltrated files include non-disclosure agreements, W2 forms, accounting spreadsheets, and ADA member data. 

The researchers first uncovered the Black Basta attacks in the second week of April, as the operation quickly began targeting firms worldwide. While not much else is known about the new ransomware gang as they have not begun marketing their operation or recruiting affiliates on hacking forums. 

Black Basta modus operandi 

The ransomware infiltrates into an existing Windows service and exploits it to launch the ransomware decryptor executable. The ransomware then changed the wallpaper to display a message stating, “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt” and reboot the computer into Safe Mode with Networking. 

According to security expert Michael Gillespie, the portal Black Basta ransomware utilizes the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file that has information about the attack and a link and unique ID to log in to the negotiation chat session with the threat actors. 

Subsequently, the ransomware operators demand a ransom and threaten to leak data if payment is not made in seven days, and promise to secure data after a ransom is paid. Unfortunately, the encryption algorithm is secure and there is no way to recover files for free. The data extortion part of these attacks is conducted on the 'Black Basta Blog' or 'Basta News' Tor site, which contains a list of all victims who have not paid a ransom.

Critical Vulnerability Identified in Ever Surf Blockchain Wallet

 

A vulnerability identified in the browser version of the Ever Surf blockchain wallet could have allowed attackers full control over a victim’s wallet and subsequent funds, say threat analysts at Check Point Research. 

Available on Google Play and Apple iOS Store, Ever Surf is described as a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. It currently has nearly 670,000 active accounts worldwide and claims it has facilitated at least 31.6 million transactions.

According to Check Point researchers, the web version of the Ever Surf blockchain wallet suffered from a relatively simple bug that allowed malicious actors to exfiltrate private keys and plant phrases stored in local browser storage. To do that, threat actors first needed to secure the encrypted keys of the wallet, which is usually done via malicious browser extensions, infostealer malware, or plain old phishing.

Subsequently, the bad actors could have used a simple script to perform decryption. The susceptibility made decryption possible in “just a couple of minutes, on consumer-grade hardware," the researchers stated. 

CPR reported the vulnerability to Ever Surf developers, who then published a desktop version that mitigates the flaw, the company said in a press release. The web version is now declared deprecated and should only be used for development purposes. Seed phrases from accounts that store real value in crypto should not be used in the web version of Ever Surf, the researchers warned. 

“Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product,” said Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software 

“When working with cryptocurrencies, you always need to be careful, ensure your device is free of malware, do not open suspicious links, and keep OS and antivirus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing,” Chailytko added. 

To mitigate the risks, researchers recommended users not to follow suspicious links, particularly those sent from unknown sources, always keep their OS and antivirus software updated, and avoid downloading any software or browser extensions before verifying the identity of the source.

Researchers Warn of Fake Windows 11 Upgrade Containing Info Stealing Malware

 

Cybercriminals are tricking users into installing a fake Windows 11 upgrade that includes malware that steals data from web browsers and crypto-wallets. The malicious campaign that is still running operates by poisoning search results to drive traffic to a website impersonating Microsoft’s Windows 11 advertising page and offering the information stealer. 

According to CloudSEK threat researchers who analyzed the malware and published a technical report, malicious actors are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

The rogue website advertising the false Windows 11 has official Microsoft logos, favicons, and a “Download Now” button. It looks legitimate at first glance, but the URL reveals the site as fraudulent. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. 

The CloudSEK researchers named the new malware 'Inno Stealer' as it uses the Inno Setup Windows Installer. The researchers said that Inno Stealer has no code in common with other presently circulating info-stealers. Once active, the malware plants a pair of files that disable various Windows security measures, including those in the registry. They also wipe out software from anti-virus companies Emsisoft and ESET. 

Inno Stealer’s capabilities are typical for this kind of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. 

The malware can also steal extra payloads, an action only performed at night, potentially to take advantage of the victim’s absence from the computer. These additional Delphi payloads, which are TXT files, use the same Inno-based loader that fiddles with the host’s security tools and employs an identical persistence methodology. They also have the ability to grab clipboard data and exfiltrate directory enumeration data. 

To mitigate the risks, researchers recommended avoiding downloading ISO files from obscure sources and instead undertaking significant OS updates using the Windows 10 control panel or obtaining the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no point in attempting to bypass the limitations manually since this will come with a slew of drawbacks and severe security risks.

42M+ People's Financial Data Compromised in UK

 

According to a press release from international law firm RPC, a growing number of ransomware attacks has resulted in the disclosure of financial data pertaining to about 42.2 million persons in the United Kingdom. 

“The surprisingly high number of people whose financial data was impacted in the last year shows how cyber-attacks have become endemic,” said RPC partner Richard Breavington. “Hackers are continually refining their methods, employing ever more complex techniques to extort money in whatever way they can. Some businesses, fearing the potential reputational costs, not to mention other consequences, decide that they will take the last-ditch approach of paying the ransom demands. As a result, these attacks have become very lucrative for cybercriminals.” 

Cyberattacks are spreading at an alarming rate, notably in the United Kingdom. In the years 2019-2020, 2.2 million people's data was stolen, compared to 42.2 million in the years 2021-2022, a startling increase of over 1,700% in just three years. One of the possible explanations for this increase in risking residents' sensitive information was pointed to as an increase in data in general. The cybercriminal network will then sell the information in a marketplace and perhaps hold financial institutions for ransom if the data has been corrupted by malware or ransomware. 

Breavington explains in the release that “criminal gangs are doing this because their blackmail threats over encryption alone are becoming less effective as businesses get better at backing up their systems. But hackers have honed their tactics and added this additional form of blackmail.” 

As a result of many firms finding it easier to just pay the ransom to attackers, several hacking groups have increased the number of attacks they carry out in a short period of time. As we saw earlier this month, ransomware and cyber threat groups will occasionally get access to a company's system and examine its inner workings for a period of time before launching an attack. 

“Before carrying out an attack, hackers are increasingly carrying out reconnaissance to scope out protections that are in place, as well as data held by the company,” Breavington said. “Businesses should not be making their jobs easier by signposting this information.” 

Many people are losing faith in firms' ability to keep their financial information secure as the number of hacks rises. As a result, many firms must recognise that it is their job to strengthen security layers, maintain a 24/7 approach to cybersecurity and online threats, and regularly self-audit their processes to ensure that they are doing everything necessary to reclaim that lost confidence.

Beware of iCloud Phishing Attacks, MetaMask Warns Apple Users

 

ConsenSys-owned crypto wallet provider MetaMask is warning its community regarding possible phishing attacks via Apple’s iCloud service. In a Twitter thread posted on April 17, the company warned its customers that the encrypted passwords for their accounts, called MetaMask vaults, will be uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app. 

 As a result, a phishing account that exploits a customer’s iCloud account will also compromise their passwords and hence their crypto wallets. This comes after an Apple user, who goes by “revive_dom” claimed on Twitter to have lost crypto assets worth $650,000 from his MetaMask crypto wallet. 

“This is how it happened. Got a phone call from Apple, literally from Apple (on my caller Id) Called it back because I suspected fraud and it was an Apple number. So, I believed them. They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped,” the user wrote in his thread. 

The phishing campaign involves certain default device settings in iPhones, iPads which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their application data. Metamask is an online crypto wallet that allows users to store their crypto assets such as Bitcoin, Ethereum, etc, as well as non-fungible-tokens (NFTs).

“If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds,” the company tweeted. 

Serpent, the founder of a project called DAPE NFT, explained how the fraudsters stole from a victim. On April 15, the victim received multiple text messages asking to reset his Apple ID password along with a supposed call from Apple which was ultimately a spoofed caller ID.

During the call, the fraudsters said there was unusual activity on the victim’s Apple ID and asked for a one-time verification code. This is the six-digit verification code sent out to a user when they want to reset their Apple ID password or even login from a different laptop or iPhone, iPad, etc. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim's MetaMask.

 How to shut cloud backups?

Metamask in a warning tweet has requested users to disable iCloud backups by following the steps mentioned below: - 

Go to Settings > Profile > iCloud > Manage Storage > Backups, then turn off the toggle. 

To ensure that iCloud will not “surprise” you with backups you didn’t allow, go to Settings > Apple ID/iCloud > iCloud Backup and turn it off.

CitySprint Confirms Security Breach, Personal Data of Drivers May be Compromised

 

CitySprint, a same-day delivery company, has issued a warning to couriers after discovering a data breach that may have given hackers access to sensitive personal information. A security issue was confirmed in an email sent to hundreds of drivers on April 7th. 

Self-employed drivers transport items across the UK for CitySprint, which was recently acquired by package delivery behemoth DPD Group. These drivers provide personal information to CitySprint using the company's iFleet interface, which includes photos of their driver's licence, car shots, and weekly earnings data. The delivery company claims that it shut down the iFleet system and restricted access to it as soon as it became aware of "the incident." 

CitySprint currently claims that it has no confirmation that personal data has been accessed, but it does not rule out the possibility. For the time being, the business's investigations are ongoing, and it has deployed forensic cybersecurity professionals to completely and comprehensively examine the event and analyse what data, if any, has been exposed. 

It states, “Our security checks, which are not quite complete yet have shown that so far, no personal data was compromised. The remaining checks will confirm if any of your data may have been affected. Therefore, as a precautionary measure, we have informed the Information Commissioner’s Office of the incident.” 

CitySprint claims it takes personal data protection "very seriously" and is investigating IT working processes across the company. Some drivers are clearly dissatisfied with the way the company handles their personal information. 

CitySprint includes several pieces of advice in its email for drivers on what to do if their personal information is compromised online. Change their passwords to something strong and unique, enable two-factor authentication on accounts that provide it, and consider signing up for an identity theft protection service. 

On 13th April, CitySprint offered the following statement, “We recently detected an apparent malicious attempt by a third party to access confidential data from our courier management platform. As soon as this issue was discovered, we took immediate steps to close off external access to this and launched a full and thorough investigation, led by independent cybersecurity experts. 

Now that this investigation has concluded, we are pleased to confirm that we believe that no personal data has been compromised. This incident has been reported to the proper authorities and we are in contact with couriers who contract with us about this as a matter of precaution.”

T-Mobile Users Targeted via New Smishing Campaign

 

Threat actors are targeting T-Mobile customers in an ongoing smishing campaign with malicious links using unblockable texts sent via SMS (Short Message Service) group messages. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple users have filed reports of being targeted by this new SMS phishing campaign. 

"The messages vary but typically thank the recipient for paying their bill and offer a gift. The messages include a link to accept the gift," according to the NJCCIC, which operates within the state's Office of Homeland Security and Preparedness and deals with these types of incidents. “These links may lead to malicious websites intending to steal account credentials or personal information, or install malware."

Earlier this year in In March, an identical series of smishing attacks also targeted Verizon Wireless and Spectrum users, mimicking the carriers in text messages spoofed to appear like they were sent from the target's phone number. 

The Federal Trade Commission also issued a warning to T-Mobile users to watch out for fraudsters sending them texts from their numbers. "They’ve changed (spoofed) the caller ID to look like they’re messaging you from your number, but the shock of getting a text from yourself is bound to get your attention — which is what they’re after," the FTC said. 

Cybercriminals using information from previous data breaches The NJCCIC believes that the smishing campaign was likely made possible due to previous data breaches affecting the mobile carrier and millions of its users. 

Since 2018, when info belonging to 3% of T-Mobile customers was stolen by hackers, T-Mobile has disclosed five other data breaches. In 2020, T-Mobile employees' email accounts were compromised, and phone numbers and call records were accessed by unauthorized third parties.

NJCCIC meanwhile is advising T-Mobile users targeted by smishing campaigns to contact directly to official websites and avoid clicking links delivered in SMS text messages from anonymous contacts and refrain from providing critical details to unauthorized websites.

Additionally, the firm recommended users to mute the text thread to stop getting alerts if anyone replies. They can delete the message thread, too, although that won't stop new texts from arriving.

Beware of Latest Eavesdropping Scam Targeting Victims with Vague Voicemails

 

Researchers at Hiya, a Seattle-based firm specializing in robocall-blocking algorithms and apps have uncovered the newest scam call campaign dubbed “Eavesdropping Scam”. The latest fraud campaign begins with vague voicemail messages left on a victim’s smartphone in which an unknown voice is heard talking about them to another person. 

According to researchers, since 79% of unknown calls go unanswered, the scammers leave a voicemail. If a potential victim’s curiosity picks up in a voicemail claiming “I’m trying to get ahold of them right now” and decides to call back, the fraudsters on the other end of the line attempt to steal their private details or money by offering fraudulent tax relief services.

The eavesdropping scam operates in a sophisticated manner by deploying both a new strategy (leaving non-descriptive voicemails to get a call back) and a new script (pretending to discuss the recipient). The scam evades most call protection services because it does not contain any traditional scam call markers. 

Unlike other campaigns, the scammers use authentic numbers and lure people to call back. The call seems very discreet despite being a mass volume robocall, and the content of the voicemail is so vague that it does not include any typical fraud-related keywords. 

The eavesdropping scam first emerged in early 2022, and to curb the spread of the fraud campaign researchers used the company’s Adaptive AI. It allowed the researchers to flag over 90 percent of these calls from the beginning. 

The firm’s Real-Time Intelligence Service allows its Adaptive AI to identify the latest frauds based on their strategies, even on the very first call. In this campaign, phone numbers making the Eavesdropping Scam call were flagged in less than 12 call attempts on average and after successfully spotting and flagging these calls, researchers collaborated with a third-party service provider to shut down the initial operation in 24 hours.

“Catching this new and emerging scam tactic shows the power of Hiya’s Adaptive AI capabilities. Because our models are self-learning and focus on tactics, we can detect new scam risks in real-time and, in this case, shut down the operation before it reaches most users,” Hiya CEO Alex Algard stated. “At Hiya, our mission is to fully eradicate spam and fraud calls from the voice network, and the Eavesdropping Scam is the latest example of how we’re outsmarting scammers and protecting users.”

Australian Consumer Watchdog Reports Massive Surge of Crypto Use in Investment Scams

 

Australians’ losses from investment frauds surged 90% to AU$103 million from the start of the year to March 20, with the Australian Competition and Consumer Commission (ACCC) confirming payments to fraudsters are most often carried out in cryptocurrency. 

Consumer and Fair Trade Executive Managing Director Rami Greiss said that while the increase in the use of crypto follows its growing popularity, it has facets that lend themselves to being exploited by fraudsters. “It’s also the fact that it’s an unregulated product, so there are no controls. There are no institutions that can be roped in to assist. So really, it’s the fact that it’s the wild west,” Greiss explained.

"In relation to scamwatch, we see a number of scams relating to investment schemes, and we are now seeing that the payments in relation to those are now more often by way of cryptocurrency than by way of bank transfer," Gina Cass-Gottlieb, the new president of the ACCC stated. 

According to ACCC, it has received 66 reports of money recovery frauds this year on its website Scamwatch which is a 725 percent increase compared to the same period in 2021. The commission also disclosed that fraudsters target previous scam victims by contacting them and then posing as someone representing a trusted firm such as a law firm, fraud task force, or government agency. 

Subsequently, the fraudsters ask victims to fill out fake paperwork or provide identity documents and seek upfront payments. They may request remote access to computers or smartphones, enabling them to scam their unsuspecting victims. Earlier this year, the Australian government announced it would design a crypto badge of approval to licence intermediaries such as exchanges.

Last week, Australia’s Financial Services Minister Jane Hume stated that the license will include a "fit and proper person" test, and could include anti-hawking measures to prevent cold calling. Hume also explicitly ruled out a ban. 

“Crypto values will go up and down sure as eggs, and the government will not be protecting consumers from market volatility—and nor should they,” she said. But Australian investors will be sure that if they use a licensed Australian exchange, they can trust the exchange will deliver on its commitments to customers and have appropriate protections.”

SharkBot Android Trojan Resurfaces On Google Play Store

 

Check Point researchers have unearthed multiple malicious Android apps on the Google Play Store posing as an antivirus applications to deploy the SharkBot Android trojan. 

The malicious banking trojan was initially spotted in November last year when it was only being deployed via third-party application stores. The primary motive was on initiating illegal money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in authentic applications. 

Last month, NCC Group reported that multiple SharkBot droppers had infiltrated Google Play, all of which showed similar code and behavior. The first SharkBot dropper discovered in Google Play masqueraded as antivirus solutions. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date. 

Apparently, on March 9th, Google removed four apps in question, and a few days after that, another SharkBot dropper was identified. The app was reported right away, so no installations for this one. The same happened on March 22 and 27. Those new droppers got removed from Google Play due to quick discovery. 

According to Check Point researchers, they identified a total of seven droppers in Google Play, published from developer accounts that were active in late 2021, and which had some of their applications removed from the store. However, these malicious apps have been already installed more than 15,000 times before the takedown from the store. 

Once installed on an Android device, SharkBot exploits Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. Thus, when victims enter their usernames and passwords in the windows that mimic benign credential input forms, the stolen data is sent to a malicious server. 

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group stated. 

The malicious Android trojan also employs geofencing features and bypassing techniques, which makes it unique from other mobile banking viruses. The particular features include ignoring the users from China. Romania, Russia, Ukraine, Belarus, India. The majority of victims reside in Italy and the United Kingdom.

Cybercriminals Employ Malicious Shopping Apps to Exfiltrate Banking Data of Malaysian Users

 

Cyber criminals have been distributing malicious applications disguised as legitimate shopping apps to steal customers’ financial data belonging to eight Malaysian banks. Earlier this week on Wednesday, researchers at Slovak security firm ESET shared new research reporting three separate apps targeting Malaysian customers. 

First discovered in November 2021, the malicious campaign began by distributing a fraudulent app pretending to be Maid4u, a legitimate-looking cleaning service brand. The cybercriminals responsible designed a website with an identical name -- a methodology known as typosquatting -- and attempted to trick users into downloading the malicious Maid4u app. To make the website appear legitimate, the attackers even used paid Facebook ads. 

Earlier this year in January, MalwareHunterTeam found three other malicious websites employing the same technique, and the campaign is still ongoing. ESET has since spotted another four malicious websites that mimic legitimate cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia. 

The malicious websites do not provide an option to shop directly through them. Instead, they include buttons that claim to download apps from Google Play. However, clicking these buttons redirect users to rogue servers under the attackers’ control. To succeed, this malicious campaign requires the intended victims to enable the non-default “Install unknown apps” option on their devices. 

Subsequently, the victims are presented with payment options, such as credit cards or transferring the required amount from their bank accounts. After choosing the direct transfer option, victims are presented with a fake FPX payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. 

When users submit their bank credentials, they are sent to the attacker's command-and-control (C2) server. The victim is then shown an error message. "To make sure the threat actors can get into their victims' bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank," the ESET researcher Lukáš Štefanko explained. 

"While the campaign targets Malaysia exclusively for now, it might expand to other countries and banks later on," Štefanko added. "At this time, the attackers are after banking credentials, but they may also enable the theft of credit card information in the future."