Search This Blog

Showing posts with label WhatsApp. Show all posts

Experts Look into WhatsApp Data Leak: 500M User Records for Sale

 

On November 16, an actor advertised a 2022 database of 487 million WhatsApp user mobile numbers on a well-known hacking community forum. The dataset is said to contain WhatsApp user data from 84 different countries. 

According to the threat actor, there are over 32 million US user records included. Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey each have a sizable number of phone numbers (20 million). The dataset for sale also allegedly contains the phone numbers of nearly 10 million Russians and over 11 million UK citizens. The threat actor told Cybernews that they were selling the US dataset for $7,000, the UK dataset for $2,500, and the German dataset for $2,000.

Since such data is frequently used by attackers in smishing and vishing attacks, we advise users to be cautious of any calls from unknown numbers, as well as unsolicited calls and messages. According to reports, WhatsApp has more than two billion monthly active users worldwide. The seller of WhatsApp's database provided a sample of data to Cybernews researchers upon request. The shared sample included 1097 UK and 817 US user numbers.

Cybernews probed all of the numbers in the sample and was able to confirm that they are all WhatsApp users. The seller did not say how they obtained the database, only that they "used their strategy" to collect it, and assured Cybernews that all the numbers in the instance belong to active WhatsApp users.

Cybernews contacted WhatsApp's parent company, Meta, but received no immediate response. We will update the article as soon as we learn more. The data on WhatsApp users could be obtained by harvesting information at scale, also known as scraping, which is against WhatsApp's Terms of Service.

This claim is entirely speculative. However, large data dumps posted online are frequently obtained through scraping. Over 533 million user records were leaked on a dark forum by Meta, which has long been chastised for allowing third parties to scrape or collect user data. The actor was practically giving away the dataset for free.

Days after a massive Facebook data leak made headlines, a popular hacker forum listed an archive containing data purportedly scraped from 500 million LinkedIn profiles for sale. Phone numbers that have been leaked could be used for marketing, phishing, impersonation, and fraud.

Head of Cybernews research team Mantas Sasnauskas said, “In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data. We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”

WhatsApp: Instant Messaging App Services Restored After a 2 Hour Outage

The instant messaging app WhatsApp is restored after a two-hour-long outage on Tuesday. WhatsApp, with around a billion active users, was alerted about the global outage when hundreds of thousands of its online users reported the disruption in their messaging app. 

Reportedly, the instant messaging platform went down at 12:30 PM IST, on Tuesday. The users reported they were unable to send messages or make calls through the app, which was earlier thought of as a mere network connectivity issue. The outage was not limited to the smartphone users of the app, since users of WhatsApp web were also facing the same consequences of the disruption. 

As per a report by Downdetector, an online platform providing real-time stats and information regarding online web services, more than 11,000 online users had reported the outage, while in the United Kingdom the count was 68,000. While in Singapore, about 19,000 users reported disruption in the app since 07:50 GMT. 

Downdetector gathers status updates from various sources, including user-submitted errors on its platform, to keep track of outages. There may have been many users who were impacted by the outage. 

Additionally, WaBetaInfo, an online portal tracking WhatsApp services claimed that the issue is indeed from the server’s side and thus cannot be resolved from the online user’s end. 

Soon after acknowledging the issue, WhatsApp’s parent company Meta said that their engineers are working on the outage issue and will solve it as soon as possible. Following this, Meta Spokesperson even apologized to the users for the inconvenience.  

“We are aware that some people are currently having trouble sending messages and we are working to restore WhatsApp for everyone as quickly as possible,” says Meta Company Spokesperson. While the reason behind the outage is still not revealed by the parent company. 

Considering the popularity of the messaging app which has increasingly emerged as an important communication tool between users, businesses, and governments globally, over 100 billion messages are exchanged daily through WhatsApp as of 2020. This recent outage may have affected a large number of users, including government officials and telecom service providers.

This Unofficial WhatsApp Android App Caught Stealing Users’ Accounts

 

Kaspersky researchers discovered 'YoWhatsApp,' an unofficial WhatsApp Android app that steals access keys for users' accounts. Mod apps are promoted as unofficial versions of genuine apps that include features that the official version does not. 

YoWhatsApp is a fully functional messenger that supports extra features such as customising the interface and blocking access to specific chats. The tainted WhatsApp app requests the same permissions as the original messenger app, such as SMS access.

“To use the WhatsApp mod, users need to log in to their account of the legitimate app. However, along with all the new features, users also receive the Triada Trojan. Having infected the victim, attackers download and run malicious payloads on their device, as well as get hold of the keys to their account on the official WhatsApp app.” reported Kaspersky. 

“Along with the permissions needed for WhatsApp to work properly, this gives them the ability to steal accounts and get money from victims by signing them up for paid subscriptions that they are unaware of.”

This mod instals the Triada Trojan, which is capable of delivering other malicious payloads, issuing paid subscriptions, and even stealing WhatsApp accounts. More than 3,600 users have been targeted in the last two months, according to Kaspersky. The official Snaptube app promoted the YoWhatsApp Android app.

The malicious app was also discovered in the popular Vidmate mobile app, which is designed to save and watch YouTube videos. Unlike Snaptube, the malicious build was uploaded to Vidmate's internal store. YoWhatsApp v2.22.11.75 steals WhatsApp keys, enabling threat actors to take over users' accounts, according to Kaspersky researchers.

In 2021, Kaspersky discovered another modified version of WhatsApp for Android that offered additional features but was used to deliver the Triada Trojan. FMWhatsApp 16.80.0 is the modified version.

The experts also discovered the advertisement for a software development kit (SDK), which included a malicious payload downloader. The FMWhatsapp was created to collect unique device identifiers (Device IDs, Subscriber IDs, MAC addresses) as well as the name of the app package in which they are deployed.

To be protected, the researchers advise:
  • Only install applications from official stores and reliable resources
  • Remembering to check which permissions you give installed applications – some of them can be very dangerous
  • Installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android. It will detect and prevent possible threats.
Kaspersky concluded, “Cybercriminals are increasingly using the power of legitimate software to distribute malicious apps. This means that users who choose popular apps and official installation sources may still fall victim to them. In particular, malware like Triada can steal an IM account, and for example, use it to send unsolicited messages, including malicious spam. The user’s money is also at risk, as the malware can easily set up paid subscriptions for the victim.”


Pavel Durov: Users Must Cease Using WhatsApp Since it's a Spying Tool

WhatsApp is among the most popular messaging apps in the world. It was first launched in January 2009 and since then evolved to include audio and video calls, emojis, and WhatsApp Payments. However, criticism has also surrounded the well-known messaging app due to claims about privacy and security issues. 

Recently, WhatsApp disclosed a security flaw affecting its Android app that was deemed critical. Pavel Durov, the creator of Telegram, pokes fun at WhatsApp and advises users to avoid it. 

Hackers could have complete access to all aspects of WhatsApp users' phones, according to Telegram founder Pavel Durov. Additionally, he asserted that WhatsApp has been monitoring user data for the past 13 years while claiming that WhatsApp's security flaws were planned purposely.

Durov outlined Telegram's security and privacy characteristics by saying, "I'm not trying to convince anyone to use Telegram here. There is no need to promote Telegram more." He claimed that Telegram's instant messaging software prioritizes privacy. With more than 700 million active users as of right now, the app is apparently growing steadily, adding over 2 million new users every day.

Regarding security and privacy, WhatsApp states that all texts, chats, and video calls are provided with end-to-end encryption. However, the program has frequently experienced bugs and security problems, which have sparked concerns about its privacy.

In terms of private chats and user data, WhatsApp already has a complicated and distorted past. People have been worried about Facebook's handling of users' personal data ever since it purchased Meta in 2014. For revealing user data not just with governmental organizations but also with private parties, Meta has been criticized for a considerable time.

The rise in popularity of Telegram and Signal and other instant messaging services with a security and privacy focus can be attributed to this.

According to a recent report from Meta, WhatsApp users are susceptible to hacking due to a flaw in the way videos are downloaded and played back. If this flaw is exploited, hackers would have complete access to virtually everything on the phone of the WhatsApp user. Along with users' emails and pictures, this also contains other correspondence, such as SMS messages from various banks and app data from one's banking and payment apps.




WhatsApp Message Fraud Dupes Automobile Firm of Rs.1 Crore

 


A well-known automobile company, JBM Group, has been duped for Rs.1 Crore in yet another fraudulent incident that took place via fake WhatsApp messages. 

As per the police, the fraudster, in a WhatsApp message to the Chief Finance Officer of JBM, Vivek Gupta claimed to be the company’s vice chairman and had the money transferred to the bank accounts. As per the officials, a total of eight transactions had been made with seven different bank accounts, worth Rs 1,11,71,696. 

In the wake of the incident, an FIR has been registered against the unidentified fraudster under section 419 (cheating by impersonation), 420 (cheating) of IPC, and Section 66-D of IT Act at Cybercrime police station.

“The fraudsters claimed to be a JBM Group vice chairman Nishant Arya. The WhatsApp profile picture of the caller displayed Arya’s photograph. On verifying Truecaller, it reflected that the number belonged to Arya. I was also informed by the sender that he is busy in an important meeting, I could not directly call to make any further inquiry.” The CFO stated in his complaint. 

“I carried out the instructions of the sender under the bona fide impression that the instructions were coming from my superior Nishant Arya who needed to effectuate these transactions which were both very important and extremely urgent. The sums were transferred from two entities of the JBM Group, namely JBM Industries and JBM Auto. At the request of the sender, the UTR numbers confirming such transfers were also shared on the same WhatsApp chat,” Gupta further added. 

Serum Institute of India duped of Rs. 1 Crore via WhatsApp

Earlier this month, on September 7, a similar case was seen involving the Serum Institute of India (SII) which was duped for Rs. 1 Crore via a WhatsApp message sent by the threat actor posing as its CEO Adar Poonawalla. The messages were being sent to one of the institute’s directors. The transactions were then made to a few bank accounts, worth Rs. 1,01,01,554. 

The police officials are looking for the identity of the accused, the one who sent the fraudulent messages, and the holder of the bank accounts to which the transactions were made. 

How to Avoid Cyber Fraud?

With ever-increasing cases of cyber fraud via WhatsApp and other popular messaging platforms,  users are recommended to stay vigilant and follow exercise caution to avoid any scam that may result in financial loss. Users must follow the given steps in order to safeguard themselves against cyber fraud: 

1. Ensure to crosscheck the identity of a person or entity, if you receive messages from an unknown contact, claiming to be someone you know. 

2. Crosscheck the authentication of the source from where you are receiving the messages. 
 
3. Do not share your bank details with anyone. Since banks do not ask for such details, be cautious if the messages claim to be delivered from a bank. 

4. Do not click on the links sent by a suspicious number. The link may lead to malicious websites that are capable of duping you into revealing your passwords and sensitive information.

Cyberfraud has become an increasingly troublesome form of cybercrime as more and more people are falling prey to different forms and kinds of cyberfraud. While reporting it to the cybercrime branch of the police is one solution, netizens must stay wary of lures presented on social media to trap them for financial purposes.

Researchers Discovered Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

 

Budget Android device models that are replicas of popular smartphone brands are infected with numerous trojans devised to target the WhatsApp and WhatsApp Business messaging apps. Doctor Web discovered the malware in the system partitions of at least four different smartphones in July 2022: P48pro, redmi note 8, Note30u, and Mate40. 

The cybersecurity firm said in a report published, "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version."

The tampering specifically affects two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so," which have been modified in such a way that when the libcutils.so system library is used by any app, it activates the execution of a trojan embedded in libmtd.so. If the apps that use the libraries are WhatsApp and WhatsApp Business, libmtd.so launches a third backdoor whose primary function is to download and install additional plugins from a remote location.

The researchers stated, "The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps' files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules."

Libmtd.so is configured to start a local server that enables connections from a remote or local client via the "mysh" console if the app using the libraries turns out to be wpa supplicant - a system daemon used to manage network connections.

Potential Risks

Based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates, Doctor Web hypothesised that the system partition implants could be part of the FakeUpdates (aka SocGholish) malware family.

The malicious app, on the other hand, is designed to exfiltrate detailed metadata concerning the infected device as well as download and install other software without the user's knowledge using Lua scripts.

Fraudulent UK Visa Scams Circulate on WhatsApp


According to a Malwarebytes report, individuals working in the UK are being scammed by a recent phishing campaign on WhatsApp. 

Scammers claim in a WhatsApp message that users who are willing to relocate to the UK for work will be eligible for a free visa as well as other perks. 

Bogus scam message 

Scam operators are disseminating information under the pretext of the UK government, promising a free visa and other advantages to anyone who wants to migrate there. The chosen candidates would be given travel and lodging expenses as well as access to medical facilities. 

The WhatsApp chat app is used to transmit to target volumes to start the fraud. Users are informed that the UK is conducting a recruiting drive with more than 186,000 open job positions because the country will require more than 132,000 additional workers by the year 2022. 

The objective of the scam 

When a victim clicks on the scam link, a malicious domain that looks like a website for UK Visas and Immigration is displayed to them. "Apply for thousands of jobs already available in the United Kingdom," is the request made to foreign nationals as per the scam.

The website's goal is to collect victims' names, email addresses, phone numbers, marital statuses, and employment statuses. 

Any information entered into the free application form is instantly 'accepted,' and the user is informed that they "will be provided a work permit, visa, plane tickets, and housing in the UK for free" according to a Malwarebytes report. 


Report fake WhatsApp messages

Users have the option to Report and Block on WhatsApp if they get a message from someone who is not on their contact list. One should disregard these spam communications and use the report button to file a complaint. Additionally, users can block these contacts in order to stop getting future scam messages from them.

Phishing attacks with a Visa theme are a typical occurrence in the world of cybercriminals. A similar hoax circulated several times in the past to entice people looking to work or study abroad.


Brazilian Banks Place a Priority on A.I. and Cybersecurity

 

According to a new survey, artificial intelligence (AI) and cybersecurity are some of the top concerns for banking institutions in Brazil's technology strategy. Analysis of data and the complexity of data analysis strategies relating to evidence gained through the ongoing Open Finance initiative are also a top priority for 78 percent of participants, according to the yearly basis research published by the Brazilian Banking Federation (Febraban) in collaboration with Deloitte.

"It merely came to our attention at the time." For the past 3 decades, it has been Brazilian banks, not fintech or startups, who are at the forefront and remain to be at the stage of international banking technology. Banks have always been digital, innovative, and sophisticated, but most importantly, safe and dependable. "We are not dedicated to it," says FEBRABAN President Isaac Sidney. 

Other innovations have been cited as vital, in addition to AI and cybersecurity, which were cited as key priorities and main areas of concentration in 2021 and remain so this year. 

Public cloud (94 %), Big Data (94 %), process mining (78 %), IoT (75 %), blockchain (67 %), and quantum computing (50 %) were all highlighted by IT decision-makers as current priorities. 

Other goals mentioned by the CEOs in the report were the creation of super apps or superstores (39%) and data-driven financial counseling (35%) as well as store transformation (30%) and WhatsApp-based transactions (30%). Initiatives focused on boosting customer trust in data sharing (22 percent) and expanding chatbot-based transactions are at the bottom of the list (17 percent ).
 
Other objectives highlighted by CEOs in the research included the construction of mega apps or superstores (39%) and data-driven financial advice (35%), as well as shop transformation (30%) and WhatsApp-based trades (30 percent ). At the bottom of the list are initiatives aimed at increasing trust in data sharing (22%), as well as extending chatbot-based transactions (17%).

For the study, Febraban polled 24 firms via a questionnaire, representing 90% of the Brazilian banking industry. The qualitative study enlisted the participation of 34 executives. During November and December 2021, one of three phases of research was completed. 

Banks are widely regarded as pioneers in digital transformation efforts. "If you look at that market, they have complexity in what they have," EY's Errol Gardner said in a recent interview with TechInformed. "But they are putting tremendous investment into digital and the services which wrap around it ." However, many banks continue to be particularly focused on the conventional, local branch network, methods of operating."

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

For Three Years, Leading Messaging Servers were Scammed Using a URL Rendering Method

 

A complex URL rendering method has now been revealed as the source of global phishing attacks on several popular messaging and email systems.  Whatsapp, Instagram, iMessage, Facebook Messenger, and Signal were all popular platforms. Over three years, this allegedly allowed some malicious attackers to create realistic-looking phishing texts. 

Experts feel the unexpected finding has arrived at precisely the right time. Furthermore, researchers claim so by injecting right to left override, these rendering issues generate a vulnerability in the application's interface by displaying wrong URLs (RTLO). 

Unicode Control Characters with these names render all clients more vulnerable to URI spoofing attacks. When an RTLO character is injected into a string, it enables the string to be shown right-to-left instead of left-to-right in a browser or messenger app. The majority of the time, this character is used to display Arabic or Hebrew messages. 

The majority of individuals are prime targets, with the final goal of acquiring access to phishing attempts by spoofing several well-known domains. A handful of these flaws have been awarded a CVE which affects a wide variety of IM program versions. 

  • CVE-2020-20093 — Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android 
  • (CVE-2020-20093) CVE-2020-20094 — Instagram version 106.0 or earlier on iOS, and version 107.0.0.11 or earlier on Android C
  • CVE-2020-20095 — iOS 14.3 or older with iMessage
  • CVE-2020-20096 — WhatsApp 2.19.80 or earlier (iOS) and 2.19.222 or earlier (Android) 

Signal, thankfully, does not have a CVE because the exact attack method was made evident to them. 
The CVE IDs are  ancient as the vulnerabilities were first discovered in August 2019 by a researcher  named 'zadewg.' 

When two independent URLs are concatenated to look like a single entity, for example, if they are judged to be two different URLs. And if a person clicks on the URL on the left, they will be led to one website, whilst clicking on the URL on the right will take them to another. 

According to research, the rendering problem does not work as effectively on email platforms such as Outlook.com, ProtonMail, or Gmail. However, many people might predict a series of attacks on other IM or email apps. 

The one-liner PoC is freely available and simple to use, even for those with no technical knowledge or no hacking expertise. In fact, even when more advanced technical principles are involved, there is ample evidence of RTLO-based misuse in the field. 

Several more IM and email programs are likely vulnerable to the same exploit, but only those listed above have been proven as vulnerable. As a result, users of the listed apps should be vigilant when receiving messages with URLs, always click on the left side, and keep an eye out for app security upgrades which may fix the problem.

Durov Suspected WhatsApp of Intentionally Introducing Vulnerabilities

 

Russian entrepreneur and founder of the Telegram messenger Pavel Durov while criticizing the WhatsApp service said that the messenger, owned by Meta, was hardly ever secure, in his Telegram channel.

Durov also suspects that the service may intentionally introduce vulnerabilities. "Since the creation of WhatsApp, there has hardly been a moment when it was secure: every few months, researchers discover a new security problem in the application," he added. 

Durov noted that every few months researchers find a new security issue in the application. He recalled that he had already spoken out about the danger of the service in 2020. Since then, as the creator of Telegram considered, the situation with WhatsApp has not changed. 

As an illustration of his words, he cited a study by the American information technology company Boldend, which revealed a vulnerability in WhatsApp. The gap in the messenger has existed for several years and allows attackers to gain access to the correspondence of their victims unnoticed. 

In addition, the creator of Telegram commented on a Forbes report, which claims that Facebook investor Peter Thiel secretly funded a startup with the ability to hack WhatsApp. "WhatsApp users' messages have been available for attacks by potential hackers for years," Durov said about the report. 

"It would be hard to believe that WhatsApp technicians are so often incompetent. Telegram, a much more technically sophisticated application, has never had such serious security problems," Durov concluded. 

In December, Durov said that his Telegram remains protected from the influence of third parties. He cited the example of the FBI report, which claimed that the bureau has access to Viber, iMessage, WhatsApp, and Line, but Telegram, Threema, Signal, and Wickr do not transmit correspondence to third parties. At the same time, it was noted that Telegram can, at the request of law enforcement officers, issue the IP address and phone number of the user. 

Earlier, Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies. The Minister said that he actively uses the Telegram messenger for fast communications.

This Android Malware Wipes Your Device After Stealing Data

 

The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the term originates from 'Brazilian RAT Android') was founded in 2019 by Kaspersky security professionals and was used to eavesdrop on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications. 

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. The malware will begin keylogging after it has infected the victim's device, adding real-time streaming features to it. 

To connect with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. Many instructions are supported by BRATA, including unlocking the victims' devices, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces. 

Researchers from security firm Cleafy discovered a new variation affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above. 

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the danger to remain undetected. 

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt. 
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 

Researchers believe that the factory reset option enables threat actors to erase all signs of a hack once it has been completed or when the application detects that it is running in a virtual environment for analysis. 

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.

Swiss Army Bans WhatsApp at Work

 

A spokesman for the Swiss army announced Thursday that the use of WhatsApp while on duty has been prohibited, in favour of a Swiss messaging service regarded more safe in terms of data security. 

Using other messaging applications like Signal and Telegram on soldiers' personal phones during service activities is likewise barred. 

Commanders and chiefs of staff got an email from headquarters at the end of December advising that their troops switch to the Swiss-based Threema. According to army spokesman Daniel Reist, the recommendation applies "to everyone," including conscripts serving in the military and those returning for refresher courses. 

Switzerland is known for its neutrality. However, the landlocked European country's long-standing position is one of armed neutrality and has mandatory conscription for men.

During operations to assist hospitals and the vaccination campaign in Switzerland's efforts to prevent the Covid-19 pandemic, the concern of using messaging apps on duty came up, as per Reist. The Swiss army will bear the cost of downloading Threema, which is already used by other Swiss public agencies, for four Swiss francs ($4.35, 3.85 euros). 

Other messaging services, such as WhatsApp, are governed by the US Cloud Act, which permits US authorities to access data held by US operators, even if it is stored on servers located outside of the nation. Threema, which claims to have ten million users, describes itself as an instant messenger that collects as little data as possible. It is not supported by advertisements. 

The company states on its website, "All communication is end-to-end encrypted, and the app is open source." 

According to an army spokesman mentioned in a Tamedia daily report, data security is one of the reasons for the policy change. As per local surveys, WhatsApp is the most popular messenger app among 16- to 64-year-olds in Switzerland.

Meta Takes Legal Action Against Cyber Criminals

 

Facebook's parent company, Meta Platforms, announced on Monday that it has filed a federal lawsuit in the U.S. state of California against malicious attackers who ran more than 39,000 phishing websites impersonating its digital properties to trick consumers into disclosing their username and password. 

“Today, we filed a federal lawsuit in California court to disrupt phishing attacks designed to deceive people into sharing their login credentials on fake login pages for Facebook, Messenger, Instagram, and WhatsApp. Phishing is a significant threat to millions of Internet users”, states the report. 

The social engineering strategy entailed the construction of rogue websites that tried to portray as Facebook, Messenger, Instagram, and WhatsApp login pages, prompting victims to input their login details, which were subsequently captured by the defendants. The unidentified actors are also being sought for $500,000 by the tech behemoth. 

The assaults were conducted with the help of Ngrok, a relay service that diverted internet traffic to malicious websites while concealing the exact location of the fraudulent equipment. Meta stated that the frequency of these phishing assaults has increased since March 2021 and that it has collaborated with the relay service to restrict thousands of URLs to phishing sites. 

The lawsuit comes just days after Facebook revealed it was making efforts to disrupt the activities of seven surveillance-for-hire firms that generated over 1,500 phony identities on Facebook and Instagram to target 50,000 users in over 100 countries. Meta announced last month that it has barred four harmful cyber groups from attacking journalists, humanitarian organizations, and anti-regime military forces in Afghanistan and Syria. 

“This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology. We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur. We proactively block and report instances of abuse to the hosting and security community, domain name registrars, privacy/proxy services, and others. And Meta blocks and shares phishing URLs so other platforms can also block them”, mentioned the report.

Meta Alerts its 50,000 Users Against Surveillance-For-Hire Firm Operations

 

Surveillance-for-hire companies have utilized Facebook, Instagram, & WhatsApp as a major opportunity to target Individuals in over 100 countries for decades. Recently, Meta eliminated 7 of them from its platforms and notified over 50,000 people that the activities might as well have affected them. Many are journalists, human rights activists, dissidents, political opposition leaders, and clergy, according to Meta, while others are ordinary people, such as those involved in a lawsuit. 

As part of the attack, Meta removed numerous accounts and disassembled other infrastructure on its platforms, blacklisted the groups, and sent cease and desist notices. According to the corporation, it is also publicly disclosing its findings and indications of infiltration so that other platforms and security companies may better spot similar conduct. The findings highlight the magnitude of the targeted surveillance industry as well as the huge scope of tailoring it facilitates globally. 

“Cyber mercenaries often claim that their services and their surveillance-ware are meant to focus on tracking criminals and terrorists, but our investigations and similar investigations by independent researchers, our industry peers, and governments have demonstrated that the targeting is, in fact, indiscriminate,” Nathaniel Gleicher, Meta's head of security policy, said to the reporters. 

“These companies … are building tools to manage fake accounts, to target and surveil people, to enable the delivery of malware, and then they’re providing them to any most interested clients—the clients who are willing to pay. This means that there are far more threat actors able to use these tools than there would be without this industry.” 

Cobwebs Technologies, an Israeli web intelligence company with offices in the United States, Cognyte, an Israeli firm previously recognized as WebintPro, Black Cube, an Israeli company with an existence in the United Kingdom and Spain, Bluehawk CI, which itself is rooted in Israel and has offices in the United States and the United Kingdom, BellTroX, a North Macedonian firm, Cytrox, a North Macedonian firm, and an unidentified organization based in China. 

Meta highlights that the surveillance-for-hire industry as a whole operates in three areas. One can conceive of it as several stages of a monitoring chain, with different firms specializing in different aspects of that superstructure. 

The very first stage is "reconnaissance," in which corporations gather comprehensive data concerning targets, frequently via automated, bulk gathering on the public internet and darknet. The second stage is "engagement," wherein operators seek out targets in an attempt to form a connection and gain their trust. Surveillance firms create bogus profiles and personalities, posing as, for example, graduate students or journalists, to reach out to targets. Hackers may also spread fake content and misinformation to establish rapport. The third stage is "exploitation," sometimes known as "hacking for hire," in which actors might use this trust to persuade targets to disclose information, click a malicious link, download a malicious file, or perform some other action. 

Every stage might take place on a variety of platforms and services. For instance, Meta's WhatsApp is a popular platform for disseminating malicious links to victims. Furthermore, Facebook and Instagram serve as natural breeding places for phony personalities. The eliminated entities, according to the social media giant, breached its Community Standards and Terms of Service. 

“Given the severity of their violations, we have banned them from our services. To help disrupt these activities, we blocked related internet infrastructure and issued cease and desist letters, putting them on notice that their targeting of people has no place on our platform,” the firm added. 

“We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action.”

Facebook, WhatsApp, Instagram Faces Massive Global Outage: What was the Reason?

 

The massive global outage for hours halted three giant social media platforms including Facebook, Instagram, and WhatsApp. Organizations and people all across the globe who heavily rely on services of these platforms including Facebook’s own workforce faced a huge loss. According to the data, Zuckerberg suffered a 7 billion loss. 

Facebook reported on late Monday that the company is working hard to restore access to its services and is “happy to report they are coming back online now." Also, the company apologized and thanked its users for their patience. However, fixing the glitches was not easy. 

As per the users’ reviews for some users, WhatsApp was working for a while, then it was not. For others, Instagram was working but not Facebook, and so on. 

Following the global outage, Facebook Chief Technology Officer Mike Schroepfer tweeted, "To every small and large business, family, and the individual who depends on us, I'm sorry, may take some time to get to 100%." 

According to the Security experts, the disruption could be the result of an internal mistake, though sabotage by an insider would be theoretically possible. However, Facebook says "a faulty configuration change" was the main reason for Monday's hours-long global outage. 

Soon after the global outage began, Facebook started acknowledging that the platform is facing some technical issues because users were not able to access its apps, and then Facebook started examining the same.

Facebook, the social media giant, also known as the second-largest digital advertising platform in the world, has faced a loss of around $545,000 in U.S. ad revenue per hour during the global shutdown, ad measurement firm Standard Media Index reported. 

Bogus Backup Message from WhatsApp Delivers Malware to Spanish Users

 

Authorities in Spain have issued a warning about a phishing campaign that impersonates WhatsApp to deceive consumers into installing a trojan. The recipients are advised to get copies of their chats and call records from a website that only sells the NoPiques virus. 

The NoPiques (“Do not chop”) malware is packaged in an a.zip archive that infects vulnerable devices on execution. The Spanish language subject line for dangerous emails is often ‘Copia de seguridad de mensajes de WhatsApp *913071605 No (xxxxx)', however, this may not be the case always as it can vary. Unlike many malware-peddling phishing messages in English and other languages, the emails are written in grammatically correct Spanish, or at least with few faults. 

The Spanish National Cybersecurity Institute's (INCIBE) Oficina de Seguridad del Internauta (OSI) has issued a warning regarding the malware campaign. “If you haven't run the downloaded file, your device may not have been infected. All you have to do is delete the file that you will find in the download folder. You should also send the mail you have received to the trash,” said INCIBE. 

“If you have downloaded and run the malicious file, your device may have been infected. To protect your device, you must scan it with an updated antivirus or follow the steps that you will find in the device disinfection section. If you need support or assistance to eliminate the Trojan, INCIBE offers you its response and support service for security incidents,” they added. 

INCIBE said that they remind consumers: in case of doubt about the legitimacy of an email, they should not click on any link or download any attached file. To check the veracity, consumers can contact the company or the service that supposedly sent them the email, always through their official customer service channels. 

They also said that in addition, for greater security, it is advisable to periodically back up all the information that consumers consider important so that, if their computer is affected by a security incident, they do not lose it. They further added that it is also advisable to keep their devices updated and always protected with an antivirus.

WhatsApp Hijack Scam, Here's All You Need To Know

 

By posing as a friend and asking for SMS security codes, scammers are continuing to target WhatsApp users and hijack their accounts. The con has been around for years, yet victims have continued to fall for it, with many sharing their stories on social media. Users should never give out their security codes to anyone, even if they appear to be a buddy, according to WhatsApp. 

If users receive six-digit WhatsApp codes that they did not expect, they should be concerned. When setting up a new account or signing in to an existing account on a new device, such codes are frequently seen. However, if the code is obtained unexpectedly (without the user's request), it could be a scammer attempting to gain access to your account. 

The fraudster would then send you a WhatsApp message asking for the code. The most essential thing to remember is not to share the code, as the message appears to be from a legitimate friend or family member in most circumstances, even though the account has already been hacked. 

One victim, Charlie, told the BBC, "I got a WhatsApp message from my good friend Michelle, stating she was locked out of her account. She stated she sent the access code to my phone instead of hers by accident and that I could just screenshot it and send it over." In actuality, Charlie had given the scammer the code to his own account. 

He told the BBC, "I guess I fell for it since we all know how annoying technology can be and I was eager to help. I didn't realise what had happened for a day." Charlie stated that he had deleted WhatsApp and would no longer use it. 

The hijacker can pretend to be you and send messages to your friends and family using a stolen account. They might act as if you're facing a financial emergency and beg your contacts for money. It also provides them with the phone numbers of your contacts, allowing them to try the six-digit code trick on fresh victims. By gaining access to your account, the fraudster will be able to see sensitive information in your group chats. 

WhatsApp advises users to be cautious and not reveal their One Time Password (OTP) or SMS security code to anybody, even friends and relatives. Citizens can also enable two-step verification for added security.

WhatsApp's New Privacy Policy: A Quick Look

 



With the advent of its latest privacy policy, the Facebook-owned messaging app is all set to block certain features if the users won't agree to the new privacy policy.

The update that was initially set to be rolled out by February 8 – making new privacy regulations applicable for all its users, got delayed till May 15 as WhatsApp faced strong contempt from the public, which allowed its competitors namely Telegram and Signal to solidify their repute with the public.

Earlier, as per the ultimatum given by WhatsApp: if the users do not accept the updated privacy policy on May 15, they won't be able to use the app. However, later on, it was said that no accounts will be deleted in case the aforementioned does not happen. 

Giving insights into the new Privacy Policy, a WhatsApp spokesperson said, “Requiring messaging apps to “trace” chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy.”

“We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users. In the meantime, we will also continue to engage with the Government of India on practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us,” the Spokesperson added.

WhatsApp told that it is not imposing its new policy on the users and that they are free to not do so. However, it might involve users deleting their WhatsApp account on their own as the other option than to accept the 2021 update, because they won't be able to access their chat lists or call their contacts via WhatsApp. 

As per WhatsApp's statements, we can deduce that whenever users will access the app, they will be constantly reminded to accept the updated privacy policy to access all its features – eventually making the platform more or less unserviceable to them. 

The users who do accept the updated privacy policy won't witness any key changes in their experience, however, those who continue to have the app installed on their device without accepting the new policy might eventually end up saying goodbye to the app due to its limited serviceability or “inactivity”. 




Toxic Eye Malware is Utilizing Telegram

 

As of 2021, numerous users left WhatsApp for messaging to various other applications that promised improved data protection only after the company announced that it might default share user metadata with Facebook. Many of those users turned to Telegram and Signal, which proves to be the competitive applications against WhatsApp. 

As per Sensor Tower, Telegram was perhaps the most installed application with over 63 million downloads in January 2021. Telegram chatting is still not encoded as in Signal Chat end-to-end encryption is there, but now Telegram does have another issue: malware. 

Software Check Point team recently found that cybercriminals use Telegram for something like a malware program named Toxic Eye as a communications platform. It turns out that certain aspects of Telegram are much more readily accessible by attackers than it is by web-based tools. Today, they have handy Telegram Bots to mess up with compromised machines. 

Toxic Eye is a kind of malware known as a remote access trojan (RAT). RATs can remotely monitor an intruder over an infected machine, which means that the attacker could steal host computer data, destroy, or copy files, hamper the operations of an infected machine, and much more. The Toxic Eye RAT is distributed through an e-mail with an encoded EXE file to a destination. The software installs the malware on the user computer if the target users access the file. 

RATs are comparable to programs of remote access and can be used to control user devices, for instance, by someone in technical support. However, even without authorization, these programs sneak in. They could imitate or hide with legitimate files that sometimes are concealed as a document or are inserted in a broader video game file. 

Attackers used Telegram to remotely manipulate malicious software. Check Point analyst Omer Hofman claims that from February until April 2021 the company found 130 Toxic Eye attacks with this tool, and some items make Telegram valuable to bad players who distribute malware. 

The firewall program doesn't obstruct Telegram. The network control tools are also not blocked. It's a user-friendly app that most people recognize as genuine, then let their guards down. 

The researcher's advice is that one must not access email attachments from unidentified senders, which raises suspicion. Also, take care of appendices containing usernames. Malicious emails also contain the username or an attachment title in the subject line. It is possibly malicious if the sender attempts to sound urgent, dangerous, or compulsive and forces the user to click upon a link or attachment or to provide sensitive data. If possible, then one must use anti-phishing tools.