Search This Blog

Showing posts with label WhatsApp. Show all posts

Fraudulent UK Visa Scams Circulate on WhatsApp

According to a Malwarebytes report, individuals working in the UK are being scammed by a recent phishing campaign on WhatsApp. 

Scammers claim in a WhatsApp message that users who are willing to relocate to the UK for work will be eligible for a free visa as well as other perks. 

Bogus scam message 

Scam operators are disseminating information under the pretext of the UK government, promising a free visa and other advantages to anyone who wants to migrate there. The chosen candidates would be given travel and lodging expenses as well as access to medical facilities. 

The WhatsApp chat app is used to transmit to target volumes to start the fraud. Users are informed that the UK is conducting a recruiting drive with more than 186,000 open job positions because the country will require more than 132,000 additional workers by the year 2022. 

The objective of the scam 

When a victim clicks on the scam link, a malicious domain that looks like a website for UK Visas and Immigration is displayed to them. "Apply for thousands of jobs already available in the United Kingdom," is the request made to foreign nationals as per the scam.

The website's goal is to collect victims' names, email addresses, phone numbers, marital statuses, and employment statuses. 

Any information entered into the free application form is instantly 'accepted,' and the user is informed that they "will be provided a work permit, visa, plane tickets, and housing in the UK for free" according to a Malwarebytes report. 

Report fake WhatsApp messages

Users have the option to Report and Block on WhatsApp if they get a message from someone who is not on their contact list. One should disregard these spam communications and use the report button to file a complaint. Additionally, users can block these contacts in order to stop getting future scam messages from them.

Phishing attacks with a Visa theme are a typical occurrence in the world of cybercriminals. A similar hoax circulated several times in the past to entice people looking to work or study abroad.

Brazilian Banks Place a Priority on A.I. and Cybersecurity


According to a new survey, artificial intelligence (AI) and cybersecurity are some of the top concerns for banking institutions in Brazil's technology strategy. Analysis of data and the complexity of data analysis strategies relating to evidence gained through the ongoing Open Finance initiative are also a top priority for 78 percent of participants, according to the yearly basis research published by the Brazilian Banking Federation (Febraban) in collaboration with Deloitte.

"It merely came to our attention at the time." For the past 3 decades, it has been Brazilian banks, not fintech or startups, who are at the forefront and remain to be at the stage of international banking technology. Banks have always been digital, innovative, and sophisticated, but most importantly, safe and dependable. "We are not dedicated to it," says FEBRABAN President Isaac Sidney. 

Other innovations have been cited as vital, in addition to AI and cybersecurity, which were cited as key priorities and main areas of concentration in 2021 and remain so this year. 

Public cloud (94 %), Big Data (94 %), process mining (78 %), IoT (75 %), blockchain (67 %), and quantum computing (50 %) were all highlighted by IT decision-makers as current priorities. 

Other goals mentioned by the CEOs in the report were the creation of super apps or superstores (39%) and data-driven financial counseling (35%) as well as store transformation (30%) and WhatsApp-based transactions (30%). Initiatives focused on boosting customer trust in data sharing (22 percent) and expanding chatbot-based transactions are at the bottom of the list (17 percent ).
Other objectives highlighted by CEOs in the research included the construction of mega apps or superstores (39%) and data-driven financial advice (35%), as well as shop transformation (30%) and WhatsApp-based trades (30 percent ). At the bottom of the list are initiatives aimed at increasing trust in data sharing (22%), as well as extending chatbot-based transactions (17%).

For the study, Febraban polled 24 firms via a questionnaire, representing 90% of the Brazilian banking industry. The qualitative study enlisted the participation of 34 executives. During November and December 2021, one of three phases of research was completed. 

Banks are widely regarded as pioneers in digital transformation efforts. "If you look at that market, they have complexity in what they have," EY's Errol Gardner said in a recent interview with TechInformed. "But they are putting tremendous investment into digital and the services which wrap around it ." However, many banks continue to be particularly focused on the conventional, local branch network, methods of operating."

Top Israeli Officials Duped by Bearded Barbie Hackers


Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

For Three Years, Leading Messaging Servers were Scammed Using a URL Rendering Method


A complex URL rendering method has now been revealed as the source of global phishing attacks on several popular messaging and email systems.  Whatsapp, Instagram, iMessage, Facebook Messenger, and Signal were all popular platforms. Over three years, this allegedly allowed some malicious attackers to create realistic-looking phishing texts. 

Experts feel the unexpected finding has arrived at precisely the right time. Furthermore, researchers claim so by injecting right to left override, these rendering issues generate a vulnerability in the application's interface by displaying wrong URLs (RTLO). 

Unicode Control Characters with these names render all clients more vulnerable to URI spoofing attacks. When an RTLO character is injected into a string, it enables the string to be shown right-to-left instead of left-to-right in a browser or messenger app. The majority of the time, this character is used to display Arabic or Hebrew messages. 

The majority of individuals are prime targets, with the final goal of acquiring access to phishing attempts by spoofing several well-known domains. A handful of these flaws have been awarded a CVE which affects a wide variety of IM program versions. 

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and or earlier on Android 
  • (CVE-2020-20093) CVE-2020-20094 — Instagram version 106.0 or earlier on iOS, and version or earlier on Android C
  • CVE-2020-20095 — iOS 14.3 or older with iMessage
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier (iOS) and 2.19.222 or earlier (Android) 

Signal, thankfully, does not have a CVE because the exact attack method was made evident to them. 
The CVE IDs are  ancient as the vulnerabilities were first discovered in August 2019 by a researcher  named 'zadewg.' 

When two independent URLs are concatenated to look like a single entity, for example, if they are judged to be two different URLs. And if a person clicks on the URL on the left, they will be led to one website, whilst clicking on the URL on the right will take them to another. 

According to research, the rendering problem does not work as effectively on email platforms such as, ProtonMail, or Gmail. However, many people might predict a series of attacks on other IM or email apps. 

The one-liner PoC is freely available and simple to use, even for those with no technical knowledge or no hacking expertise. In fact, even when more advanced technical principles are involved, there is ample evidence of RTLO-based misuse in the field. 

Several more IM and email programs are likely vulnerable to the same exploit, but only those listed above have been proven as vulnerable. As a result, users of the listed apps should be vigilant when receiving messages with URLs, always click on the left side, and keep an eye out for app security upgrades which may fix the problem.

Durov Suspected WhatsApp of Intentionally Introducing Vulnerabilities


Russian entrepreneur and founder of the Telegram messenger Pavel Durov while criticizing the WhatsApp service said that the messenger, owned by Meta, was hardly ever secure, in his Telegram channel.

Durov also suspects that the service may intentionally introduce vulnerabilities. "Since the creation of WhatsApp, there has hardly been a moment when it was secure: every few months, researchers discover a new security problem in the application," he added. 

Durov noted that every few months researchers find a new security issue in the application. He recalled that he had already spoken out about the danger of the service in 2020. Since then, as the creator of Telegram considered, the situation with WhatsApp has not changed. 

As an illustration of his words, he cited a study by the American information technology company Boldend, which revealed a vulnerability in WhatsApp. The gap in the messenger has existed for several years and allows attackers to gain access to the correspondence of their victims unnoticed. 

In addition, the creator of Telegram commented on a Forbes report, which claims that Facebook investor Peter Thiel secretly funded a startup with the ability to hack WhatsApp. "WhatsApp users' messages have been available for attacks by potential hackers for years," Durov said about the report. 

"It would be hard to believe that WhatsApp technicians are so often incompetent. Telegram, a much more technically sophisticated application, has never had such serious security problems," Durov concluded. 

In December, Durov said that his Telegram remains protected from the influence of third parties. He cited the example of the FBI report, which claimed that the bureau has access to Viber, iMessage, WhatsApp, and Line, but Telegram, Threema, Signal, and Wickr do not transmit correspondence to third parties. At the same time, it was noted that Telegram can, at the request of law enforcement officers, issue the IP address and phone number of the user. 

Earlier, Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies. The Minister said that he actively uses the Telegram messenger for fast communications.

This Android Malware Wipes Your Device After Stealing Data


The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the term originates from 'Brazilian RAT Android') was founded in 2019 by Kaspersky security professionals and was used to eavesdrop on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications. 

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. The malware will begin keylogging after it has infected the victim's device, adding real-time streaming features to it. 

To connect with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. Many instructions are supported by BRATA, including unlocking the victims' devices, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces. 

Researchers from security firm Cleafy discovered a new variation affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above. 

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the danger to remain undetected. 

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt. 
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 

Researchers believe that the factory reset option enables threat actors to erase all signs of a hack once it has been completed or when the application detects that it is running in a virtual environment for analysis. 

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.

Swiss Army Bans WhatsApp at Work


A spokesman for the Swiss army announced Thursday that the use of WhatsApp while on duty has been prohibited, in favour of a Swiss messaging service regarded more safe in terms of data security. 

Using other messaging applications like Signal and Telegram on soldiers' personal phones during service activities is likewise barred. 

Commanders and chiefs of staff got an email from headquarters at the end of December advising that their troops switch to the Swiss-based Threema. According to army spokesman Daniel Reist, the recommendation applies "to everyone," including conscripts serving in the military and those returning for refresher courses. 

Switzerland is known for its neutrality. However, the landlocked European country's long-standing position is one of armed neutrality and has mandatory conscription for men.

During operations to assist hospitals and the vaccination campaign in Switzerland's efforts to prevent the Covid-19 pandemic, the concern of using messaging apps on duty came up, as per Reist. The Swiss army will bear the cost of downloading Threema, which is already used by other Swiss public agencies, for four Swiss francs ($4.35, 3.85 euros). 

Other messaging services, such as WhatsApp, are governed by the US Cloud Act, which permits US authorities to access data held by US operators, even if it is stored on servers located outside of the nation. Threema, which claims to have ten million users, describes itself as an instant messenger that collects as little data as possible. It is not supported by advertisements. 

The company states on its website, "All communication is end-to-end encrypted, and the app is open source." 

According to an army spokesman mentioned in a Tamedia daily report, data security is one of the reasons for the policy change. As per local surveys, WhatsApp is the most popular messenger app among 16- to 64-year-olds in Switzerland.

Meta Takes Legal Action Against Cyber Criminals


Facebook's parent company, Meta Platforms, announced on Monday that it has filed a federal lawsuit in the U.S. state of California against malicious attackers who ran more than 39,000 phishing websites impersonating its digital properties to trick consumers into disclosing their username and password. 

“Today, we filed a federal lawsuit in California court to disrupt phishing attacks designed to deceive people into sharing their login credentials on fake login pages for Facebook, Messenger, Instagram, and WhatsApp. Phishing is a significant threat to millions of Internet users”, states the report. 

The social engineering strategy entailed the construction of rogue websites that tried to portray as Facebook, Messenger, Instagram, and WhatsApp login pages, prompting victims to input their login details, which were subsequently captured by the defendants. The unidentified actors are also being sought for $500,000 by the tech behemoth. 

The assaults were conducted with the help of Ngrok, a relay service that diverted internet traffic to malicious websites while concealing the exact location of the fraudulent equipment. Meta stated that the frequency of these phishing assaults has increased since March 2021 and that it has collaborated with the relay service to restrict thousands of URLs to phishing sites. 

The lawsuit comes just days after Facebook revealed it was making efforts to disrupt the activities of seven surveillance-for-hire firms that generated over 1,500 phony identities on Facebook and Instagram to target 50,000 users in over 100 countries. Meta announced last month that it has barred four harmful cyber groups from attacking journalists, humanitarian organizations, and anti-regime military forces in Afghanistan and Syria. 

“This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology. We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur. We proactively block and report instances of abuse to the hosting and security community, domain name registrars, privacy/proxy services, and others. And Meta blocks and shares phishing URLs so other platforms can also block them”, mentioned the report.

Meta Alerts its 50,000 Users Against Surveillance-For-Hire Firm Operations


Surveillance-for-hire companies have utilized Facebook, Instagram, & WhatsApp as a major opportunity to target Individuals in over 100 countries for decades. Recently, Meta eliminated 7 of them from its platforms and notified over 50,000 people that the activities might as well have affected them. Many are journalists, human rights activists, dissidents, political opposition leaders, and clergy, according to Meta, while others are ordinary people, such as those involved in a lawsuit. 

As part of the attack, Meta removed numerous accounts and disassembled other infrastructure on its platforms, blacklisted the groups, and sent cease and desist notices. According to the corporation, it is also publicly disclosing its findings and indications of infiltration so that other platforms and security companies may better spot similar conduct. The findings highlight the magnitude of the targeted surveillance industry as well as the huge scope of tailoring it facilitates globally. 

“Cyber mercenaries often claim that their services and their surveillance-ware are meant to focus on tracking criminals and terrorists, but our investigations and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is, in fact, indiscriminate,” Nathaniel Gleicher, Meta's head of security policy, said to the reporters. 

“These companies … are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware, and then they’re providing them to any most interested clients—the clients who are willing to pay. This means that there are far more threat actors able to use these tools than there would be without this industry.” 

Cobwebs Technologies, an Israeli web intelligence company with offices in the United States, Cognyte, an Israeli firm previously recognized as WebintPro, Black Cube, an Israeli company with an existence in the United Kingdom and Spain, Bluehawk CI, which itself is rooted in Israel and has offices in the United States and the United Kingdom, BellTroX, a North Macedonian firm, Cytrox, a North Macedonian firm, and an unidentified organization based in China. 

Meta highlights that the surveillance-for-hire industry as a whole operates in three areas. One can conceive of it as several stages of a monitoring chain, with different firms specializing in different aspects of that superstructure. 

The very first stage is "reconnaissance," in which corporations gather comprehensive data concerning targets, frequently via automated, bulk gathering on the public internet and darknet. The second stage is "engagement," wherein operators seek out targets in an attempt to form a connection and gain their trust. Surveillance firms create bogus profiles and personalities, posing as, for example, graduate students or journalists, to reach out to targets. Hackers may also spread fake content and misinformation to establish rapport. The third stage is "exploitation," sometimes known as "hacking for hire," in which actors might use this trust to persuade targets to disclose information, click a malicious link, download a malicious file, or perform some other action. 

Every stage might take place on a variety of platforms and services. For instance, Meta's WhatsApp is a popular platform for disseminating malicious links to victims. Furthermore, Facebook and Instagram serve as natural breeding places for phony personalities. The eliminated entities, according to the social media giant, breached its Community Standards and Terms of Service. 

“Given the severity of their violations, we have banned them from our services. To help disrupt these activities, we blocked related internet infrastructure and issued cease and desist letters, putting them on notice that their targeting of people has no place on our platform,” the firm added. 

“We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action.”

Facebook, WhatsApp, Instagram Faces Massive Global Outage: What was the Reason?


The massive global outage for hours halted three giant social media platforms including Facebook, Instagram, and WhatsApp. Organizations and people all across the globe who heavily rely on services of these platforms including Facebook’s own workforce faced a huge loss. According to the data, Zuckerberg suffered a 7 billion loss. 

Facebook reported on late Monday that the company is working hard to restore access to its services and is “happy to report they are coming back online now." Also, the company apologized and thanked its users for their patience. However, fixing the glitches was not easy. 

As per the users’ reviews for some users, WhatsApp was working for a while, then it was not. For others, Instagram was working but not Facebook, and so on. 

Following the global outage, Facebook Chief Technology Officer Mike Schroepfer tweeted, "To every small and large business, family, and the individual who depends on us, I'm sorry, may take some time to get to 100%." 

According to the Security experts, the disruption could be the result of an internal mistake, though sabotage by an insider would be theoretically possible. However, Facebook says "a faulty configuration change" was the main reason for Monday's hours-long global outage. 

Soon after the global outage began, Facebook started acknowledging that the platform is facing some technical issues because users were not able to access its apps, and then Facebook started examining the same.

Facebook, the social media giant, also known as the second-largest digital advertising platform in the world, has faced a loss of around $545,000 in U.S. ad revenue per hour during the global shutdown, ad measurement firm Standard Media Index reported. 

Bogus Backup Message from WhatsApp Delivers Malware to Spanish Users


Authorities in Spain have issued a warning about a phishing campaign that impersonates WhatsApp to deceive consumers into installing a trojan. The recipients are advised to get copies of their chats and call records from a website that only sells the NoPiques virus. 

The NoPiques (“Do not chop”) malware is packaged in an archive that infects vulnerable devices on execution. The Spanish language subject line for dangerous emails is often ‘Copia de seguridad de mensajes de WhatsApp *913071605 No (xxxxx)', however, this may not be the case always as it can vary. Unlike many malware-peddling phishing messages in English and other languages, the emails are written in grammatically correct Spanish, or at least with few faults. 

The Spanish National Cybersecurity Institute's (INCIBE) Oficina de Seguridad del Internauta (OSI) has issued a warning regarding the malware campaign. “If you haven't run the downloaded file, your device may not have been infected. All you have to do is delete the file that you will find in the download folder. You should also send the mail you have received to the trash,” said INCIBE. 

“If you have downloaded and run the malicious file, your device may have been infected. To protect your device, you must scan it with an updated antivirus or follow the steps that you will find in the device disinfection section. If you need support or assistance to eliminate the Trojan, INCIBE offers you its response and support service for security incidents,” they added. 

INCIBE said that they remind consumers: in case of doubt about the legitimacy of an email, they should not click on any link or download any attached file. To check the veracity, consumers can contact the company or the service that supposedly sent them the email, always through their official customer service channels. 

They also said that in addition, for greater security, it is advisable to periodically back up all the information that consumers consider important so that, if their computer is affected by a security incident, they do not lose it. They further added that it is also advisable to keep their devices updated and always protected with an antivirus.

WhatsApp Hijack Scam, Here's All You Need To Know


By posing as a friend and asking for SMS security codes, scammers are continuing to target WhatsApp users and hijack their accounts. The con has been around for years, yet victims have continued to fall for it, with many sharing their stories on social media. Users should never give out their security codes to anyone, even if they appear to be a buddy, according to WhatsApp. 

If users receive six-digit WhatsApp codes that they did not expect, they should be concerned. When setting up a new account or signing in to an existing account on a new device, such codes are frequently seen. However, if the code is obtained unexpectedly (without the user's request), it could be a scammer attempting to gain access to your account. 

The fraudster would then send you a WhatsApp message asking for the code. The most essential thing to remember is not to share the code, as the message appears to be from a legitimate friend or family member in most circumstances, even though the account has already been hacked. 

One victim, Charlie, told the BBC, "I got a WhatsApp message from my good friend Michelle, stating she was locked out of her account. She stated she sent the access code to my phone instead of hers by accident and that I could just screenshot it and send it over." In actuality, Charlie had given the scammer the code to his own account. 

He told the BBC, "I guess I fell for it since we all know how annoying technology can be and I was eager to help. I didn't realise what had happened for a day." Charlie stated that he had deleted WhatsApp and would no longer use it. 

The hijacker can pretend to be you and send messages to your friends and family using a stolen account. They might act as if you're facing a financial emergency and beg your contacts for money. It also provides them with the phone numbers of your contacts, allowing them to try the six-digit code trick on fresh victims. By gaining access to your account, the fraudster will be able to see sensitive information in your group chats. 

WhatsApp advises users to be cautious and not reveal their One Time Password (OTP) or SMS security code to anybody, even friends and relatives. Citizens can also enable two-step verification for added security.

WhatsApp's New Privacy Policy: A Quick Look


With the advent of its latest privacy policy, the Facebook-owned messaging app is all set to block certain features if the users won't agree to the new privacy policy.

The update that was initially set to be rolled out by February 8 – making new privacy regulations applicable for all its users, got delayed till May 15 as WhatsApp faced strong contempt from the public, which allowed its competitors namely Telegram and Signal to solidify their repute with the public.

Earlier, as per the ultimatum given by WhatsApp: if the users do not accept the updated privacy policy on May 15, they won't be able to use the app. However, later on, it was said that no accounts will be deleted in case the aforementioned does not happen. 

Giving insights into the new Privacy Policy, a WhatsApp spokesperson said, “Requiring messaging apps to “trace” chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy.”

“We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users. In the meantime, we will also continue to engage with the Government of India on practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us,” the Spokesperson added.

WhatsApp told that it is not imposing its new policy on the users and that they are free to not do so. However, it might involve users deleting their WhatsApp account on their own as the other option than to accept the 2021 update, because they won't be able to access their chat lists or call their contacts via WhatsApp. 

As per WhatsApp's statements, we can deduce that whenever users will access the app, they will be constantly reminded to accept the updated privacy policy to access all its features – eventually making the platform more or less unserviceable to them. 

The users who do accept the updated privacy policy won't witness any key changes in their experience, however, those who continue to have the app installed on their device without accepting the new policy might eventually end up saying goodbye to the app due to its limited serviceability or “inactivity”. 

Toxic Eye Malware is Utilizing Telegram


As of 2021, numerous users left WhatsApp for messaging to various other applications that promised improved data protection only after the company announced that it might default share user metadata with Facebook. Many of those users turned to Telegram and Signal, which proves to be the competitive applications against WhatsApp. 

As per Sensor Tower, Telegram was perhaps the most installed application with over 63 million downloads in January 2021. Telegram chatting is still not encoded as in Signal Chat end-to-end encryption is there, but now Telegram does have another issue: malware. 

Software Check Point team recently found that cybercriminals use Telegram for something like a malware program named Toxic Eye as a communications platform. It turns out that certain aspects of Telegram are much more readily accessible by attackers than it is by web-based tools. Today, they have handy Telegram Bots to mess up with compromised machines. 

Toxic Eye is a kind of malware known as a remote access trojan (RAT). RATs can remotely monitor an intruder over an infected machine, which means that the attacker could steal host computer data, destroy, or copy files, hamper the operations of an infected machine, and much more. The Toxic Eye RAT is distributed through an e-mail with an encoded EXE file to a destination. The software installs the malware on the user computer if the target users access the file. 

RATs are comparable to programs of remote access and can be used to control user devices, for instance, by someone in technical support. However, even without authorization, these programs sneak in. They could imitate or hide with legitimate files that sometimes are concealed as a document or are inserted in a broader video game file. 

Attackers used Telegram to remotely manipulate malicious software. Check Point analyst Omer Hofman claims that from February until April 2021 the company found 130 Toxic Eye attacks with this tool, and some items make Telegram valuable to bad players who distribute malware. 

The firewall program doesn't obstruct Telegram. The network control tools are also not blocked. It's a user-friendly app that most people recognize as genuine, then let their guards down. 

The researcher's advice is that one must not access email attachments from unidentified senders, which raises suspicion. Also, take care of appendices containing usernames. Malicious emails also contain the username or an attachment title in the subject line. It is possibly malicious if the sender attempts to sound urgent, dangerous, or compulsive and forces the user to click upon a link or attachment or to provide sensitive data. If possible, then one must use anti-phishing tools.

Two Outdated Software Bug Patched, Says WhatsApp


WhatsApp on Monday stated that it has addressed two bugs that existed on its outdated software program and that it had no cause to imagine that “these vulnerabilities were ever abused”. The official assertion got here within the wake of the latest advisory issued by the CERT-In, which cautioned WhatsApp customers about sure vulnerabilities within the app that might result in the breach of delicate info. CERT-In is the federal expertise arm for combating cyberattacks and guarding the online world.

According to this latest advisory, the vulnerability exists due to certain features on WhatsApp and thus allows hackers to access personal data like chats, images, videos, etc. by running malicious codes remotely. This vulnerability is linked “to a cache configuration issue and missing bounds check within the audio decoding pipeline.” 

“We regularly work with security researchers to improve the numerous ways WhatsApp protects people’s messages. As is typical of software products, we have addressed two bugs that existed on outdated software, and we have no reason to believe that they were ever abused,” a WhatsApp spokesperson informed PTI in a press release. 

The spokesperson added that WhatsApp “remains safe and secure, and end-to-end encryption continues to work as intended to protect people’s messages”.

An “excessive” severity rating advisory issued by the CERT-In, or the Indian Computer Emergency Response Team, on Saturday, had said that the vulnerability has been detected in the software that has “WhatsApp and WhatsApp Business for Android previous to v2.21.4.18 and WhatsApp and WhatsApp Business for iOS previous to v2.21.32”. 

“Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system,” the advisory had stated. The advisory had really useful customers replace their units with the newest model of WhatsApp from the Google Play retailer or iOS App Store to counter the vulnerability menace.

After facing intense scrutiny in India over its upcoming privacy update, consumer protection agencies in Brazil have now asked the government to act on the May 15 privacy update that will allow Facebook to aggregate users' data across all of its platforms.

CERT-In Issues "High" Severity Rating Advisory for WhatsApp Threats


The Indian Computer Emergency Response Team (CERT-In) has cautioned WhatsApp clients in India of various vulnerabilities it identified in the instant messaging platform, which could lead to a breach of sensitive client information and personal information. In a "high" severity rating advisory, the CERT-In said that the vulnerabilities had been recognized in specific versions of WhatsApp and WhatsApp Business for both Android and iOS platforms. 

The Indian Computer Emergency Response Team (CERT-In) is an office inside the Ministry of Electronics and Information Technology of the Government of India. It is the nodal agency to deal with cybersecurity threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain. A memorandum of understanding (MoU) was endorsed in May 2016 between the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Cabinet Office, UK.

With the MoUs, participating nations can trade technical data on Cyber assaults, respond to cybersecurity incidents, and discover solutions to counter the cyber assaults. They can likewise trade data on predominant cybersecurity policies and best practices. The MoUs help to strengthen the cyberspace of signing countries, capacity building and improving relationships between them. 

"Multiple vulnerabilities have been reported in WhatsApp applications which could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system," the advisory said. Describing the risk in detail, it said that these vulnerabilities "exist in WhatsApp applications due to a cache configuration issue and missing bounds check within the audio decoding pipeline." 

"Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code or access sensitive information on a targeted system," it said. 

To forestall the danger, the government’s cybersecurity agency has requested that clients update their WhatsApp on Android and iOS to the most recent versions. This isn't the first occasion when that CERT-In has given a "high" severity rating advisory, cautioning clients of the presence of various vulnerabilities in the instant messaging platform.

In November 2019, CERT-In had cautioned WhatsApp clients about a buffer overflow vulnerability with the platform, which permitted an assailant to remotely target a system by sending a specially crafted MP4 audio or video file. The CERT-In had then cautioned that successful exploitation of this vulnerability would permit an attacker to cause remote code execution or denial of service condition for the clients.

Warning: Your WhatsApp May Be Hacked and There’s Nothing You Can Do


If one is not careful, things might get really unpleasant for WhatsApp users. A new vulnerability has been discovered that could enable a remote attacker to deactivate WhatsApp on one’s phone using nothing more than their phone number. 

Alarmingly, two-factor authentication would be ineffective in preventing this from happening. The way these attack works is that it requires some amount of error by the user themselves but at the next step that should be designed to protect this, the two-factor authentication also doesn’t do anything to prevent the attack. 

According to Forbes, security researchers Luis Márquez Carpintero and Ernesto Canales Perea demonstrated vulnerability and were able to disable WhatsApp on a user's phone. 

According to the report, there are two parts to this vulnerability. The first is the method for installing WhatsApp on any system. When one installs WhatsApp on their phone, they will get an SMS code to verify the SIM card and phone number. A hacker can do the same thing by installing WhatsApp on their phone using the phone number. The user will begin to receive six-digit codes via SMS at this stage, indicating that someone has requested the code for installing WhatsApp on their phone. There is nothing one can do at this moment as WhatsApp will continue to work normally. 

Since this is a part of the hacking process, these codes will appear frequently. For a duration of 12 hours, WhatsApp's verification process will limit the number of codes that can be submitted and disable the ability to create more codes. During this time, WhatsApp will continue to function normally. However, one should not deactivate WhatsApp on their phone and then try to reinstall it at this time. This vulnerability is expected to impact both WhatsApp for Android and WhatsApp for iPhone. 

In the next step, the hacker generates an email ID and then sends an email to claiming that the phone in which WhatsApp is enabled has been stolen or misplaced and that they need to deactivate WhatsApp for that number—which is the user’s phone number. WhatsApp may send an email to confirm the user’s phone number, but they have no way of knowing whether the email is being sent by a hacker or the legitimate owner. The user phone number's WhatsApp will be deactivated after a while. When they open the app again, they will see a message that says "Your phone number is no longer registered with WhatsApp on this phone." 

The reasonable next step would be to try to reinstall WhatsApp on one’s account. According to the report, no code will be sent via SMS, and the app will tell the user to "Wait before requesting an SMS or a call.", which is because now the user’s phone is also subjected to the same limitation as that of the hacker. 

After the 12-hour mark has elapsed, if the attacker waits for the 12-hour period and sends a mail to WhatsApp again, the user will not be able to set up WhatsApp on his phone even if they receive the text messages with codes. 

The researchers indicate that WhatsApp breaks down and gets confused after the third 12-hour cycle and instead of a countdown, simply says “try again after -1 seconds”. The user’s phone and the attacker's phone are both treated the same way. And this is where the issue arises. If the attacker waits until now to email WhatsApp again to deactivate the number, the user won't be able to reregister for the app on their phone once they have been kicked out. The researchers told Forbes, "It's too late." 

“There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy-focused would help protect users from this, as well as forcing people to implement a two-step verification PIN,” ESET’s Jake Moore told Forbes. 

WhatsApp's response to Forbes' Zak Doffman, unfortunately, does not evoke much trust. All they state is, “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”

German Company Hit By Supply Chain Attack, Only Few Device Affected

Gigaset, a German device maker, was recently hit with a supply chain attack, the hackers breached a minimum of one company server to attach the malware. Earlier known as Siemens Home and Office Communication Devices, Gigaset is Germany based MNC. The company holds expertise in communication technology area, it also manufactures DECT telephones. Gigaset had around 800 employees, had operations across 70 countries and a revenue of 280 Million euros in the year 2018. 

The attack happened earlier this month, the malware was deployed in the android devices of the German company. According to experts, various users reported cases of malware infections, complaining the devices were attacked with adwares that showed unwanted and intrusive ads. Most of the users reported their complaints on Google support forums. A German website published a list of these package names (unwanted popups) which were installed on the android devices. 

Earlier complaints from the users are suggesting that data might've also been stolen from these devices. The foremost issue that these users faced was SMS texting and sending Whatsapp messages, the latter suspended few accounts on suspicion of malicious activity. The company has confirmed about the breach and said that the only the users who installed latest firmware updates from the infected devices were affected. The company is already set on providing immediate solutions to the affected customers. "It is also important to mention at this point that, according to current knowledge, the incident only affects older devices," said the company. 

The company during its routine investigation found that few of the old devices had malware problems. It was further confirmed by the customer complaints. Gigaset says it has taken the issue very seriously and is working continuously to provide short term solution to its customers. "In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem. We expect to be able to provide further information and a solution within 48 hours," said Gigaset.

Fake Netflix App Spreads Malware via WhatsApp Messages


Researchers have discovered malware camouflaged as a Netflix application, prowling on the Google Play store, spread through WhatsApp messages. As per a Check Point Research analysis released on Wednesday, the malware took on the appearance of an application called "FlixOnline," which publicized by the means of WhatsApp messages promising "2 Months of Netflix Premium Free Anywhere in the World for 60 days." But once installed, the malware begins stealing information and credentials.

The malware was intended to monitor incoming WhatsApp messages and automatically react to any that the victims get, with the content of the response crafted by the adversaries. The reactions attempted to bait others with the proposal of a free Netflix service, and contained links to a phony Netflix site that phished for credentials and credit card information, analysts said. 

“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.” Once you install the FlixOnline application from the Play Store, it asks for three sorts of authorizations: screen overlay, battery optimization ignore, and notification. Researchers from Check Point noticed that overlay is utilized by malware to make counterfeit logins and steal client credentials by making counterfeit windows on top of existing applications. 

The malware was additionally able to self-propagate, sending messages to client's WhatsApp contacts and groups with links to the phony application. With that in mind, the computerized messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”

“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”

Russian expert predicts end of WhatsApp - Users switching to Telegram

Over the past weeks, WhatsApp messenger has started losing millions of users. They migrate to Telegram. In mid-January, almost 25 million people came running to Telegram in just three days. Some WhatsApp fans went to another social network - Signal. It gained 7.5 million users in two days.

The reasons for the outflow from WhatsApp are related to the privacy policy, which allows the developer to share user data with Facebook, explained the coordinator of the Center for Secure Internet, Urvan Parfentiev. In particular, according to him, the location and phone numbers will become transparent.

Information and computer security specialist, programmer, blogger Sergey Vakulin said that in addition to the privacy policy, there are other reasons.

"First reason is the privacy policy. The second is functionality. The third reason is anonymization. People who care about their security and privacy of correspondence are less likely to trust WhatsApp," said he.

According to Mr. Vakulin, the advantage of Telegram relative to many social networks is the lack of censorship.

There are those who like to watch something cruel, a murder. But on the social network VKontakte and Odnoklassniki, it is forbidden to do this. And on Telegram, you can create a channel that will not be censored", explained the blogger.

After the outflow of users, WhatsApp launched a powerful awareness-raising campaign and abandoned the previously announced measures. Therefore, "we cannot talk about the death of WhatsApp", stressed Parfentiev.

However, Vakulin believes otherwise.

"Most likely, we will see the death of WhatsApp. The old social networks and apps don't have enough functionality. A person needs to learn something new in the social network. Therefore, we are replacing it with a new one," commented he.

At the moment, dozens of messengers are known. The most popular in Russia are the following: in the first place is WhatsApp, which in 2020 increased by five percent compared to 2019; in second place is Viber, followed by Skype. The fourth place is taken by Telegram, which grew by 10 percent. Facebook closes the top five (plus 6 percent).

Earlier, E Hacking News conducted an interview with a veteran Cyber Law specialist in India Vijayashankar Na (Mr. Naavi) and he shared with us his opinion on the new privacy policy of WhatsApp messenger and how it impacts the users.