Showing posts with label Wagas.

Monday, 5 February 2018

Internet Crime Complaint Center Impersonated for Malware & Phishing Scam

By Wagas, 03/02/2018, on HackRead


Another day, another phishing scam: this time attackers are impersonating the Internet Crime Complaint Center (IC3) to run a combined malware and phishing campaign.
The Federal Bureau of Investigation (FBI) has warned of a new phishing scam in which attackers have set up a fake version of its online crime complaint portal, the Internet Crime Complaint Center (IC3), on social media to trick users into handing over private and confidential data. The FBI issued an alert on 1 February saying it has received complaints from numerous citizens who reported receiving emails purporting to come from IC3.
The FBI noted: “As of December 2017, the IC3 had received over 100 complaints regarding this scam. No monetary losses have yet been reported.”
IC3 is the FBI's portal for filing internet crime complaints. According to the FBI, the scam email comes in four variations, each claiming that the recipient has been the victim of a cybercrime or fraud and that the complaint center needs sensitive personal data in order to compensate for the loss. The emails are dressed up to look legitimate, for instance with hyperlinks to real news articles about the arrest of an online scammer.
One version carries a text document the recipient is asked to download to complete the process; the document is malware-laced, extending the data theft beyond what the form collects. Another version points to a fake IC3 social media page that asks recipients to enter personal data in order to report an online fraud or cybercrime.
In another email, the recipient is told they are eligible for compensation from IC3 as the victim of a recent scam and can claim up to $2m or £1.5m in restitution. One of the emails reads:
“The perpetrator and his group of co-offenders had over 2000 aliases originating from Russia, Nigeria, Ghana, London, and much more masking their original identities. Our records indicate that you have been a victim of fraud because your contact details were found on several devices belonging to the perpetrator.”

In another variant, the recipient is told they are eligible for restitution for having been treated unfairly by courier companies and banks. The fourth contains a form from the “Internet Crime Investigation Center/Cyber Division” with a fake case reference number, and tells the recipient that the IP address they are using is involved in a federal cybercrime, so they must contact the sender by phone.
Screenshots of the fake emails sent by the scammers.
The US Department of Homeland Security has also issued an advisory about the ongoing malware and phishing campaign conducted in IC3's name.
Phishing remains persistent and increasingly sophisticated, and it continues to net attackers millions of dollars from unsuspecting victims. In the past week alone, three phishing attacks took $900,000 from Harris County, Texas, $150,000 in Ethereum from the Experty ICO and $1M worth of Ethereum from BeeToken's ICO.

Tuesday, 30 January 2018

Phishing Scam: Hackers Steal $150,000 in Ethereum from Experty ICO

By Wagas, 29/01/2018, on HackRead



Just a week after the biggest hack in the history of the cryptocurrency business, in which the Japan-based Coincheck exchange lost $534 million, the much-anticipated Initial Coin Offering (ICO) by Experty has been derailed: an attacker sent a fake pre-ICO sale announcement to people who had signed up for notifications, luring them into sending Ethereum to the wrong wallet address. Through this targeted attack the attacker(s) stole around $150,000 in Ethereum before the ICO event was held.
An ICO is broadly similar to a conventional Initial Public Offering (IPO), except that buyers receive a token on an online platform rather than shares in a company. Holders can keep the token until the issuing company is ready to buy it back, or sell it to others who use Ethereum.
Through the ICO, Experty was looking to raise funds for a VoIP calling system offering voice and video conversations, like Skype, together with secure cryptocurrency-based payments via blockchain. Expectations were high: Inc.com had ranked it among the top ten ICOs due to be held this year.

Phishing Scam

Between January 26 and 27, Experty users who had signed up for notifications received an email asking them to send funds to an Ethereum wallet in order to buy EXY tokens and take part in the ICO. The email was fake: the real Experty ICO was scheduled for January 31, the email was sent by the attacker, and the wallet address did not belong to the Experty team.
The fake email sent to Experty users.
The attacker's wallet address received at least $150,000 worth of funds through 71 transactions. Experty had partnered with Bitcoin Suisse to process transactions, and both firms are now asking users not to send money to the fake wallet.
According to the official statement, Experty and Bitcoin Suisse say the attacker compromised the computer of one of the people who conducted the Proof-of-Care review for Experty. Experty initially said it would give 100 EXY tokens (about $120) to every individual in its email database; it has since announced additional compensation for users who sent funds to the fake wallet.
Bitcoin Suisse also issued a statement saying that the data submitted to Experty's website was compromised but that nothing at Bitcoin Suisse was exposed. ICO investors should double-check any wallet address sent by a project team before making a transaction, for instance with a service such as Clearify.io, and confirm it through a second channel: here the project's own notification emails were the channel the attacker abused.

Refunds Due To The Data Breach

In a statement issued on January 28th, the company said it would refund its customers:
“We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier. If someone wishes to receive ETH instead, we ask them to please contact us privately about this.”
“Any ETH sent to the scammer after this announcement [January 28, 2018, at 21:30 UTC] will not be refunded in order to prevent people purposely sending money to the scam address to receive EXY tokens.”

10th Breach Against A Cryptocurrency Platform In Last 6 Months

1: July 4th, 2017: Bithumb hacked and 1.2 billion South Korean Won stolen.
2: July 17th, 2017: CoinDash hacked and $7 million in Ethereum stolen.
3: July 20th, 2017: Parity Technologies hacked and $32 million in Ethereum stolen.
4: July 24th, 2017: Veritaseum hacked and $8.4 million in Ethereum stolen.
5: August 22nd, 2017: Enigma marketplace hacked and $500,000 in Ethereum stolen.
6: November 19th, 2017: Tether hacked and $30 million worth of tokens stolen.
7: December 7th, 2017: NiceHash hacked and $70 million stolen.
8: December 21st, 2017: EtherDelta hacked and $266,789 in Ethereum stolen.
9: January 26th, 2018: Coincheck hacked and $534 million stolen.
10: January 26th–27th, 2018: Experty ICO participants phished and $150,000 in Ethereum stolen.

Monday, 29 January 2018

Phishing Scam: Hackers Steal $900,000 from County Office

By Wagas, 28/01/2018, on HackRead


Another day, another phishing scam: this time Harris County, Texas, wired almost $900,000 after falling for a phishing email.
Cybercriminals usually exploit their victims' lack of awareness, but in this attack they reached a new low by profiting from the devastation caused by Hurricane Harvey.

Transfer $888,000 “She” Said

It all started on September 21st, 2017, after an estimated 30 percent of Harris County, Texas, had been submerged by Hurricane Harvey. The county auditor's office received an email from a woman calling herself Fiona Chambers, who posed as an accountant for D&W Contractors, Inc.
D&W Contractors, Inc. is a legitimate company that was at the time working to repair hurricane damage in the county. In the email, “Chambers” asked the office to send its next contract payment of $888,000 to a new bank account for the contractor.
“If we can get the form and voided check back to you today would it be updated in time for our payment?” reads the email, as quoted by the Houston Chronicle.
The county transferred $888,000 to the account provided, without verifying that it actually belonged to D&W Contractors, Inc. The very next day it emerged that the county had fallen for a phishing scam: there was no Fiona Chambers at the company, and the account was not the contractor's.
The incident is now being investigated by the FBI (Federal Bureau of Investigation), whose prime suspect is a group known for targeting local governments worldwide. The county says it has learned its lesson and vows to strengthen its cybersecurity and overhaul how it handles such requests.
“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you. I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money,” said Harris County Judge Ed Emmett.

Previous Scam Linked Back To China

In June last year, a similar incident involved a state Supreme Court judge, Lori Sattler, who was selling her apartment in order to buy another and received an email she believed came from her real estate lawyer.
In the email, the supposed lawyer asked her to transfer $1 million to a bank account. Following the instruction, she transferred $1,057,500, which ended up at a bank in China, reportedly the Commerce Bank of China, rather than with the lawyer.
It is unclear whether the two cases are related, but in both the attackers knew the victims' exact situation and business dealings. Phishing scams are becoming more sophisticated, so users need to remain vigilant, avoid opening attachments from unknown senders, and verify the authenticity of an email before handing over personal information or wiring funds. For any change of payment details, that means calling the counterparty on a number already on file, never one supplied in the email itself.
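As an added illustration of that last check (it is not part of the HackRead article), the following Python triage flags the signals present in this case and in the IC3 and Experty lures above: a sender domain that only resembles the vendor's, a Reply-To pointing somewhere else, and payment-change wording. The vendor domain, the patterns and the two sample messages are constructed for the example; D&W's real domain is not given on the page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Domains of vendors that accounts payable actually works with. Hypothetical:
# the page does not give D&W's real domain.
KNOWN_VENDOR_DOMAINS = {"dwcontractors.example"}

# Wording that typically accompanies a payment-diversion request.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew bank account\b",
    r"\bupdated? (our )?(bank|account|payment) (details|information)\b",
    r"\bvoided check\b",
    r"\bwire\b.*\btoday\b",
]


def _domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain, known=KNOWN_VENDOR_DOMAINS):
    """Known vendor domain that `domain` resembles without matching, else None."""
    for k in known:
        if domain != k and SequenceMatcher(None, domain, k).ratio() >= 0.8:
            return k
    return None


def triage(raw_message, known=KNOWN_VENDOR_DOMAINS):
    """Return the reasons to hold a payment request for out-of-band verification."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    if from_dom not in known:
        near = lookalike_domain(from_dom, known)
        if near:
            findings.append(f"sender domain {from_dom} looks like known vendor {near}")
        else:
            findings.append(f"sender domain {from_dom} is not a known vendor")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Subject and plain-text body are searched together for payment-change wording.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    for pat in PAYMENT_CHANGE_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            findings.append(f"payment-change wording: /{pat}/")
    return findings


def hold_payment(raw_message, known=KNOWN_VENDOR_DOMAINS):
    """Policy: any finding means no wire until the vendor is called on a number on file."""
    return bool(triage(raw_message, known))


# Constructed sample modelled on the Harris County email; addresses are invented.
SUSPICIOUS_EMAIL = """\
From: Fiona Chambers <accounts@dwcontractor.example>
Reply-To: Fiona Chambers <fiona.chambers@webmail.example.net>
To: auditor@county.example
Subject: Updated payment details
Content-Type: text/plain; charset="us-ascii"

Please find attached the form for our new bank account. If we can get the form
and voided check back to you today would it be updated in time for our payment?
"""

# Constructed benign invoice from the real vendor domain.
BENIGN_EMAIL = """\
From: D&W Accounts <office@dwcontractors.example>
To: auditor@county.example
Subject: Invoice 1042
Content-Type: text/plain; charset="us-ascii"

Attached is invoice 1042 for the September repair work. Thank you.
"""

if __name__ == "__main__":
    for line in triage(SUSPICIOUS_EMAIL):
        print("HOLD:", line)
    print("benign findings:", triage(BENIGN_EMAIL))
```

A non-empty result is a tripwire for the accounts-payable workflow, not a spam filter: the wire waits until someone calls the vendor on a number already on file. An attacker who has taken over the vendor's real mailbox passes every domain test here, which is why the callback is the control and the script is only the prompt.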

Friday, 26 January 2018

Hacker Used Malware To Hike Prices for Gas Station Customers

By Wagas, 24/01/2018, on HackRead


Russian authorities have uncovered a widely distributed malware campaign targeting the software that runs gas station pumps. Dozens of stations have been affected so far, with customers charged for 3 to 7% more fuel than was actually pumped into their tanks.
In connection with the scheme, the Russian Federal Security Service (FSB) arrested Denis Zayev on Saturday in Stavropol, Russia. Zayev is charged with creating the software used to defraud gas station customers through malware installed on the pumps.
The software was found at several gas stations where Zayev had installed the IT systems. Pumps in and around southern Russia have been the main targets so far.
According to investigators, the software ran on the gas pumps as well as on the cash registers, letting Zayev and his affiliates skim between 3% and 7% of the fuel customers paid for. It was allegedly deployed with the approval of the station operators: Zayev sold the malware to them, stayed on as a partner in the scheme and took a share of the fraudulent earnings.
According to local media: “A giant scam covered almost the entire south of Russia in which viruses were found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, several republics of the North Caucasus, etc. A whole network was built to steal fuel from ordinary citizens – they did not bear any financial loss.”
The mechanics were as follows. At the start of each fraud cycle the operators kept a reserve tank empty. When customers filled up, the malware diverted 3 to 7% of the fuel they had paid for into that empty tank without alerting them: the pump displayed the full amount and the cash register printed a receipt for it, so nothing on the customer's side looked wrong. Once the reserve tank was full, the operators sold that fuel as well, which hid the diverted volume in ordinary sales.
The FSB has not disclosed how the scheme was detected, only that it was found in the Russian territories of Stavropol, Adygea, Krasnodar, Kalmykia and the North Caucasus. Zayev is charged with large-scale fraud, developing malicious software and selling it to gas station employees. Investigators say the schemers collected “hundreds of millions of rubles”.
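The scheme as described is a billing-versus-delivery discrepancy, and that is exactly what an inventory reconciliation catches, provided the tank-gauge readings come from a system the attacker does not control. The following Python example, added here and not part of the article or the investigation, reconciles metered sales against site-wide tank inventory over a constructed three-day sample; the figures, the tolerance and the field names are my assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class DayRecord:
    day: str
    opening_litres: float        # site-wide tank gauge reading at start of day
    deliveries_litres: float     # fuel delivered into the tanks during the day
    closing_litres: float        # gauge reading at end of day
    metered_sales_litres: float  # what the pumps and POS reported as sold


def physical_drop(rec):
    """Fuel that actually left the site's tanks, from gauge readings alone."""
    return rec.opening_litres + rec.deliveries_litres - rec.closing_litres


def shortage_ratio(rec):
    """Fraction of reported sales that never left the tanks.

    Honest metering gives a value near zero (gauge noise, temperature). A pump
    that bills for fuel it did not dispense leaves a positive, persistent bias,
    whether the skimmed fuel sits in a reserve tank on site or is sold later.
    """
    return (rec.metered_sales_litres - physical_drop(rec)) / rec.metered_sales_litres


def flag_days(records, tolerance=0.01):
    """Days whose shortage exceeds the tolerance, as (day, ratio) pairs."""
    return [(r.day, round(shortage_ratio(r), 4))
            for r in records if shortage_ratio(r) > tolerance]


def period_bias(records):
    """Mean shortage over the period; catches a small skim hidden under the daily tolerance."""
    return mean(shortage_ratio(r) for r in records)


# Constructed sample: one honest day, then two days on which the pumps bill for
# roughly 5% and 3.4% more fuel than the gauges show leaving the tanks.
SAMPLE_DAYS = [
    DayRecord("2017-12-01", 20000.0, 0.0, 15020.0, 5000.0),
    DayRecord("2017-12-02", 15020.0, 10000.0, 20270.0, 5000.0),
    DayRecord("2017-12-03", 20270.0, 0.0, 15440.0, 5000.0),
]

if __name__ == "__main__":
    for day, ratio in flag_days(SAMPLE_DAYS):
        print(f"{day}: {ratio:.1%} of billed fuel never left the tanks")
    print(f"period bias: {period_bias(SAMPLE_DAYS):.2%}")
```

The check is only as good as the independence of its inputs: if the same compromised controller also reports the tank levels, both sides of the equation lie together. Automatic tank gauges that feed a separate back-office system, or manual dip readings, are what make the reconciliation meaningful.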

Sunday, 14 January 2018

Cisco’s new tool will detect malware in encrypted traffic

By Wagas, 13/01/2018, on HackRead



On January 10 Cisco made its Encrypted Traffic Analytics (ETA) platform generally available. ETA inspects network packet metadata in order to detect malicious traffic. Cisco first announced it in June 2017, but until now it had been in a limited preview available only to select enterprise customers.
The generally available version runs on current and previous generation data center network hardware and on most of Cisco's enterprise routing platforms, including the Cloud Services Router, the Integrated Services Router and its branch office routers.
ETA lets enterprises inspect encrypted traffic for malicious activity without decrypting it. In simple terms, it passively monitors flow metadata and infers what the traffic is doing, rather than opening and inspecting the content.
This matters because attackers now routinely use encryption to hide C&C communications, payloads, data exfiltration and similar activity from detection.
Conventional malware detection cannot inspect encrypted traffic without decrypting it first, which is not only complicated but also weakens the privacy and security of all the non-malicious encrypted traffic passing through the interception point: US-CERT has warned that HTTPS interception products can weaken TLS security, and organizations must also comply with data-protection regulations. Detecting malicious activity in encrypted traffic had therefore become a serious problem for companies.

According to a blog post by Scott Harrell, Senior Vice President and General Manager at Cisco: “ETA uses network visibility and multi-layer machine learning to look for observable differences between benign and malware traffic.”
ETA offers organizations a way to detect and block such threats precisely because it does not need to decrypt traffic in order to inspect it. Instead it looks at three features of an encrypted flow. The first is the initial data packet of the flow, which for TLS carries the unencrypted handshake (offered cipher suites, extensions and server name) and so says a lot about the rest of the encrypted content.
The second is the sequence of packet lengths and times, which provides clues about the traffic beyond what the initial packet reveals. The third is the byte distribution across the packet payloads of the flow. ETA feeds this metadata to Cisco Stealthwatch, which compares it against models of malicious and benign traffic to identify encrypted malicious flows.
The approach rests on Cisco research into the salient differences between the way malicious and benign traffic use DNS, TLS and HTTP. Because the telemetry comes from Cisco's existing network infrastructure rather than a separate inspection appliance, the administrative and operational cost is fairly low.
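To make the three features concrete, here is an added Python sketch (my example, not Cisco's code or ETA's actual feature extraction) that pulls them from a flow and applies a threshold rule in place of Stealthwatch's models: the initial data packet, the sequence of packet lengths and times, and the payload byte distribution, plus a timing/size regularity score that separates a constructed browsing-like flow from a constructed every-60-seconds beacon. Packet sizes, timings, payload bytes and thresholds are all invented for the example.

```python
import math
import random
from collections import Counter
from statistics import mean, pstdev

# A flow is a list of (timestamp_seconds, length_bytes, payload_bytes) tuples,
# as a flow exporter or a pcap parser would hand them over.


def splt(flow, n=20):
    """Sequence of Packet Lengths and Times for the first n packets: (length, gap to previous)."""
    out, prev = [], None
    for t, length, _ in flow[:n]:
        out.append((length, 0.0 if prev is None else round(t - prev, 3)))
        prev = t
    return out


def initial_data_packet(flow):
    """First payload-bearing packet. For TLS this is the ClientHello, whose
    version, cipher suites and SNI are sent in the clear."""
    return next((payload for _, _, payload in flow if payload), b"")


def byte_distribution(flow):
    """Normalised 256-bin histogram over all payload bytes, plus its Shannon entropy."""
    counts = Counter()
    for _, _, payload in flow:
        counts.update(payload)
    total = sum(counts.values())
    hist = [counts[b] / total for b in range(256)] if total else [0.0] * 256
    entropy = -sum(p * math.log2(p) for p in hist if p > 0)
    return hist, entropy


def regularity(flow):
    """(coefficient of variation of inter-packet gaps, share of packets with the modal length)."""
    gaps = [b[0] - a[0] for a, b in zip(flow, flow[1:])]
    lengths = [length for _, length, _ in flow]
    if len(gaps) < 3 or mean(gaps) <= 0:
        return float("inf"), 0.0
    return pstdev(gaps) / mean(gaps), Counter(lengths).most_common(1)[0][1] / len(lengths)


def looks_like_beacon(flow, max_cv=0.1, min_same_size=0.8):
    """Threshold stand-in for the classifier: near-constant timing and size,
    decided without looking at the (encrypted) bytes."""
    cv, same = regularity(flow)
    return cv < max_cv and same >= min_same_size


def browsing_flow(seed=7):
    """Constructed: bursty sizes and jittered gaps, the shape of a page load."""
    rng = random.Random(seed)
    t, flow = 0.0, []
    for _ in range(30):
        t += rng.uniform(0.01, 1.5)
        length = rng.choice([517, 1460, 1460, 140, 93, 1200])
        flow.append((t, length, bytes(rng.randrange(256) for _ in range(64))))
    return flow


def beacon_flow(seed=3):
    """Constructed: one same-sized packet every 60 s, the shape of a C2 check-in."""
    rng = random.Random(seed)
    return [(60.0 * i + 0.2, 317, bytes(rng.randrange(256) for _ in range(64)))
            for i in range(30)]


if __name__ == "__main__":
    for name, flow in (("browsing", browsing_flow()), ("beacon", beacon_flow())):
        cv, same = regularity(flow)
        _, entropy = byte_distribution(flow)
        print(f"{name}: splt={splt(flow, 4)} cv={cv:.2f} same_size={same:.2f} "
              f"entropy={entropy:.2f} beacon={looks_like_beacon(flow)}")
```

Both constructed flows have random-looking payloads, so the byte distribution alone does not separate them; it is the timing and size regularity that does, which is the point of keeping SPLT as a feature. Real traffic needs a trained model rather than two thresholds, and a beacon that jitters its interval defeats this rule on its own.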

Saturday, 13 January 2018

Malware infected fake Telegram Messenger app found in Play Store

By Wagas, 12/01/2018, on HackRead


The Google Play Store hosts more than 3.5 million apps, but a good number of them are malicious, bundling adware or other malware, and they prey on users who assume Google vets apps as strictly as other platforms do.
The reality is different: security researchers at Symantec have identified a fake Telegram Messenger app in the Google Play Store that is in fact a malicious app which infects Android devices with malware and spams them with ads.
The fake app is called “Teligram [New version updated]”: the attackers swapped the letter “e” for “i” and changed the theme color from blue to black, hoping that unsuspecting users would overlook the difference and install it.
The difference is obvious (Credit: Symantec via Play Store).
To make the scam convincing, the fake app does work as an instant messenger, but it also bundles advertisement libraries that spam users with ads to make money. Symantec researchers note that the malware (detected as Trojan.Gen.2) was built from Telegram's open-source code, which is also what makes repackaged versions easy to distribute through third-party app stores.

According to John Hou of Symantec’s Threat Intelligence, “While open source projects can be of huge benefit to developers and consumers, they can also be used by criminals to create convincing imitations of trusted apps.”
Once installed, the app executes the malware, which installs an ad clicker or a backdoor. Hou believes the main motive is revenue rather than stealing personal data, though the operators could add data-stealing or other malicious capabilities in the future.
Spamming devices with ads (Credit: Symantec).
At the time of publishing, the Teligram app had been removed from the Play Store.
Attackers keep refining their techniques: on January 11th Trend Micro researchers discovered the first malicious Play Store app written in Kotlin, a language used to write Android apps and adopted by prominent apps including Pinterest, Netflix and Twitter.
Android users are advised to be vigilant, avoid installing unnecessary apps and, when downloading APK files from a third-party store, scan them with up-to-date security software before installing them.

Monday, 8 January 2018

New adware attack bombard phones & prevent users from disabling ads

By Wagas, 08/01/2018, on HackRead


It is just another day for Android users, who are yet again under adware attack from malicious apps on the Google Play Store.
Researchers at Check Point Software Technologies have identified a new mobile adware program, dubbed LightsOut, in at least 22 illegitimate Android flashlight and utility apps on Google Play. The apps have since been removed, but before that they had been downloaded between 1.5 and 7.5 million times.
Once one of these 22 apps is installed, malicious code overrides the user's choice to disable ads, and the app hides its icon so that it is harder to find and uninstall. The objective is clearly to generate ad revenue at the expense of unsuspecting Android users.
Some users reported that the ads forced them to interact before they could answer calls or perform other tasks, and others said the malicious ad activity continued even after installing the ad-free version of the app. Google was informed about the suspicious apps and subsequently removed them.
“Despite the vast investment Google has recently made in the security of their App Store, ‘LightsOut’ reminds us once again that users need to be wary of downloading from App Stores and are advised to have protection while using them. Many users are still unaware of the dangers lurking for them and continue to install fishy apps such as flashlights,” said Check Point’s technical blog post.
Check Point also released a video showing how the attack works. The infected app presents the user with a checkbox and control panel for enabling or disabling various services, including ads; the ad-display event is then triggered by device events such as ending a call, unlocking the screen, plugging in a charger or enabling Wi-Fi, regardless of that setting.
Because the ads are not visibly tied to the LightsOut app and its icon is hidden, users cannot tell what is causing them. The device is bombarded with ads and the user has no choice but to interact with them, even to perform the most basic functions, such as answering a phone call.
Check Point reported the campaign in a blog post published on January 5. It notes that to keep such campaigns off our phones users should, first, download apps cautiously and carefully and, second, run a dedicated mobile threat protection product in addition to anti-virus software.
The list of malicious apps is included in Check Point's post.
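A static triage in the spirit of that behaviour, added here as my own example rather than Check Point's analysis: parse a decoded AndroidManifest.xml and flag a receiver that wakes on the events listed above together with the overlay permission that lets an app put an ad in front of a call. The mapping from those triggers to broadcast actions, the overlay assumption and the two sample manifests are my assumptions; real manifests inside an APK are binary XML and must be decoded first (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# System broadcasts matching the ad triggers Check Point describes (call ends,
# screen unlocked, charger plugged in, Wi-Fi toggled). Assumption: LightsOut's
# exact receiver set is not given on the page; these are the obvious candidates.
TRIGGER_ACTIONS = {
    "android.intent.action.PHONE_STATE": "call state changed",
    "android.intent.action.USER_PRESENT": "screen unlocked",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger plugged in",
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi toggled",
    "android.intent.action.BOOT_COMPLETED": "device booted",
}
# Lets an app draw over whatever the user is doing, which is how an ad can block a call.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def triage_manifest(manifest_xml):
    """Findings from a decoded AndroidManifest.xml: overlay permission and
    receivers registered for user-activity broadcasts."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID + "name") == OVERLAY_PERMISSION:
            findings.append("overlay permission " + OVERLAY_PERMISSION)
    for receiver in root.iter("receiver"):
        rname = receiver.get(ANDROID + "name", "?")
        for action in receiver.iter("action"):
            aname = action.get(ANDROID + "name", "")
            if aname in TRIGGER_ACTIONS:
                findings.append(f"receiver {rname} wakes on {TRIGGER_ACTIONS[aname]} ({aname})")
    return findings


def is_suspicious(manifest_xml, min_triggers=2):
    """A flashlight has no business waking on two or more of these events while
    also being able to draw over other apps. Icon hiding happens at runtime
    (setComponentEnabledSetting), so it is not visible in the manifest."""
    findings = triage_manifest(manifest_xml)
    triggers = sum(1 for f in findings if f.startswith("receiver "))
    return triggers >= min_triggers and any(f.startswith("overlay") for f in findings)


# Constructed manifest in the shape of a LightsOut-style flashlight app (names invented).
ADWARE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightflashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Bright Flashlight">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".AdTrigger">
            <intent-filter>
                <action android:name="android.intent.action.PHONE_STATE"/>
                <action android:name="android.intent.action.USER_PRESENT"/>
                <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
                <action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a flashlight that only asks for the camera (for the LED).
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainflashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Plain Flashlight">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("adware", ADWARE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(name, is_suspicious(manifest), triage_manifest(manifest))
```

This is a triage heuristic, not a verdict: receivers can also be registered at runtime, in which case the manifest is silent, and a legitimate dialer or battery app will match some of these actions for good reasons. Its value is in ranking which of a store's thousands of flashlight apps deserve a dynamic look first.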

Fake Android apps caught dropping Coinhive miner

By Wagas, 07/01/2018, on HackRead



In October last year, three Android apps on the Play Store were found carrying the Coinhive cryptocurrency miner to mine Monero. Now security researcher Elliot Alderson has found fake Android apps bundling the Coinhive miner, built specifically to use the CPU power of the victim's device.

Fake App Real Miner

According to Elliot, whose real name is Robert Baptiste, these apps are hosted on a third-party website that claims to offer free APKs (Android application packages), but the APKs come with the Coinhive miner built in.
“I don’t think these apps are the original apps. The “hacker” modified it and repacked it and after that, he uses multiple dropper apps to distribute these modified apps. Only the package name and the app name have been changed and I just dug up more and in fact, this is the same app 291 times, which means there are 291 applications with different icons and names,” Baptiste told HackRead.
Scanning some of the APK files from the site on VirusTotal showed that they were infected with the Coinhive miner. Covert use of any cryptocurrency miner is treated as malware: last year Cloudflare booted off one of its customers for secretly running the Coinhive miner without letting site visitors opt out or disable the code.
VirusTotal scan result (screenshot of Elliot Alderson's tweet):
Found hundreds of infected apps with a miner:
http:// …
Coinhive miner code:
http:// 3761e8ea2793f38d26b7e75ce3c …
Dropper app:
http://www. 9094c12f285cb37de8c29075bc1b784ef4c9aa6b4cd399fbf58cd1163/detection …
VT score: 2/61


A look at the site hosting these apps, androidapk.world, shows it is fully indexed by Google without having raised any suspicion. It claims to offer APKs for top apps including Super Mario Run, Netflix, Mobile Strike, Clash of Clans and others.
Screenshot via Elliot Alderson.
The site was registered in March last year, and its download counters claim that some APKs have been downloaded millions of times. It is unclear whether the counters show real figures or whether the operators inflate the numbers to look like an active and trustworthy APK download site.

Android Users Be Vigilant

Until now the main victims of cryptocurrency miners were website owners and their unsuspecting visitors; now Android users are at risk too. Cybercriminals used to prefer conventional malware, but since the price of Bitcoin surged there has been a sharp increase in attacks involving cryptocurrency miners.
Android users should be aware of the situation and:
Avoid downloading unnecessary apps, from the Play Store as well as from third-party sites.
Keep your devices updated.
Scan any APK with reputable anti-malware software before installing it.
Keep an eye on your phone's CPU usage.
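Scanning with security software is the practical advice above; for a first look at an APK pulled from such a site, the following added Python example (mine, not the researcher's tooling) treats the APK as the zip archive it is and searches every entry for the Coinhive library name and its constructor calls, the same strings a VirusTotal engine would key on. The sample APK it builds is constructed in memory; the indicator list covers only Coinhive and is an assumption about what a repackaged app carries in the clear.

```python
import io
import re
import zipfile

# Byte patterns for the Coinhive browser miner: its hosted library names and the
# two documented constructors. Other miners need their own entries.
MINER_INDICATORS = [
    rb"coinhive\.min\.js",
    rb"CoinHive\.Anonymous\(",
    rb"CoinHive\.User\(",
    rb"authedmine\.min\.js",
]
MAX_ENTRY_BYTES = 20 * 1024 * 1024  # skip pathological entries (zip bombs)


def scan_apk(apk_bytes):
    """Return (entry_name, indicator) pairs for every miner indicator found in the APK.

    An APK is a zip archive, so assets, HTML and compiled code can be searched
    without installing anything. This looks only at bytes, so obfuscated or
    dynamically downloaded miner code is missed: treat a clean result as
    'nothing obvious', not as 'safe'.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            data = zf.read(info.filename)
            for pattern in MINER_INDICATORS:
                if re.search(pattern, data):
                    hits.append((info.filename, pattern.decode()))
    return hits


def build_sample_apk(with_miner):
    """Constructed stand-in for a repackaged APK: a zip with a manifest, a dex
    placeholder and, optionally, an HTML asset that loads the Coinhive miner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.game'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if with_miner:
            zf.writestr("assets/index.html", (
                b"<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                b"<script>var m = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3});"
                b"m.start();</script>"))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, indicator in scan_apk(build_sample_apk(with_miner=True)):
        print(f"{entry}: matched {indicator}")
    print("clean sample:", scan_apk(build_sample_apk(with_miner=False)))
```

On a real download, replace the constructed bytes with `open("app.apk", "rb").read()`. A hit in an asset or a WebView-loaded HTML file is the typical pattern for a repackaged game; a hit inside classes.dex means the miner's JavaScript is embedded as a string for a WebView to run.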

Users On PCs

Desktop users should also be aware of the situation and can use Whoismining to check whether a site they are about to visit is secretly mining cryptocurrency. The No Coin and minerBlock Chrome extensions block crypto miners from using your computing power.

About Elliot Alderson

Elliot Alderson is the same security researcher who in November last year found two pre-installed backdoor apps on the OnePlus 5, 3 and 3T that would let attackers spy on users and steal their personal data.