Fake WhatsApp, Netflix, Facebook Android Apps Contain SpyNote RAT


Because Android is open source, its code is freely available to anyone who cares to look, and attackers have increasingly taken advantage of that. The number of third-party apps available to Android users has grown sharply, but they come at a price.
IT security researchers at Zscaler have identified many fake apps uploaded by hackers and cyber criminals and infected with the SpyNote RAT (Remote Access Trojan). HackRead reported on SpyNote in August last year, when Palo Alto’s Unit 42 revealed that the Trojan gives attackers remote administrative control of devices on which users have installed applications in APK format. Installing APK files directly on an Android device is known as “sideloading”, and it is only possible if “Unknown Sources” has been allowed in the security settings. The infected apps pose as:
“Netflix, Whatsapp, YouTube, Video Downloader, Google Update, Instagram, Hack Wifi, AirDroid, WifiHacker, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash and PokemonGo.”
Of all the apps listed above, the Zscaler researchers focused on a fake Netflix app infected with a new variant of the SpyNote RAT. According to Shivang Desai of Zscaler, “The Android and iOS apps for Netflix are very popular, properly turning a mobile device into a television using which users can stream TV programs and movies anytime and anywhere. But these apps, with their popularity and many millions of users, have captured the attention of the bad actors, too, who are now exploiting the popularity of Netflix to spread their malware.”
The new variant is capable of viewing contacts, reading text messages, turning on the microphone of an infected device, recording the screen, listening to conversations, sending user files to a Command & Control (C&C) server set up by cyber criminals, and taking screenshots.

No More Activation Lock Check In iCloud


Apple has closed its iCloud activation lock check in a possible move to neuter a bypass method that allowed stolen devices to be reactivated at the expense of legitimate devices.
Cupertino’s shuttered iCloud activation lock feature allowed users to check whether a second-hand device was registered and locked to a previous owner; activation lock is a security measure that renders a device unusable unless the owner’s username and password are entered.
The closure could be in response to a reckless activation lock workaround method reported by MacRumors that allowed users to modify hardware chips for stolen activation-restricted Apple devices.
The hack pinches a legitimate serial number from Apple users and applies it to the modified chip, allowing the activation process to continue.
It is not clear if the tampering method is behind Apple’s closure of the activation lock feature, but user reports have surfaced recently that legitimate iPhones and iPads have been inexplicably activation locked to other users’ accounts.

Hackers Breach California Lawmaker’s Website

The campaign website of Assemblyman Evan Low has been hit by hackers, whose motive seems linked to Low’s leadership of the Legislature’s Lesbian, Gay, Bisexual and Transgender Caucus.
The Campbell Democrat, re-elected in November to a second term, said Thursday that he learned of the hacking earlier in the day. Authorities have been notified, he said, including the Assembly sergeant-at-arms.
On its Facebook page, “Shadows Team Hackers” claims credit for the attack and lists other websites and social media handles for the lawmaker. The post identifies Low as chairman of the LGBT caucus, and the page also features an image of fire burning the rainbow flag that symbolizes gay pride and diversity.
“Certainly the imagery would indicate animosity to the LGBT community,” Low said in an interview. The hacking, he added, came only days after Democratic lawmakers had a briefing on cybersecurity.
“It’s not a matter of if, it’s a matter of when,” Low said of the threat posed by hackers.
As of midday Friday, Low’s campaign website had been blocked as a security risk.
Source: sacbee

Hackers Attack Washington DC Police Cameras


Over the past year, ransomware has become an increasingly big problem, not just for you and me, but for larger organizations and governments too.
According to Washington DC’s police department and the city’s technology office, police surveillance cameras were hit a little over a week before newly elected President Donald Trump’s inauguration. Around 70% of the storage devices that record data from D.C. police surveillance cameras were affected, leaving the police unable to record any footage from the cameras between January 12 and January 15.
The attack incapacitated 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, officials said late Friday.
Brian Ebert, a Secret Service official, claims that the attack did not compromise public safety, however. Archana Vemulapalli, the city’s Chief Technology Officer, said that the problem was resolved by simply removing the storage devices, wiping them, and then restarting them, and that no ransom was paid to the attackers. An investigation into the source of the hack continues, said Vemulapalli, adding that the only cameras affected were the police CCTV cameras that monitor public areas and that the attack did not extend deeper into D.C. computer networks.
The network video recorders are connected to as many as four cameras at each site, explained Vemulapalli, “There was no access from these devices into our environment.”
The attack was discovered on January 12, when police officers found four cameras that weren’t working. Upon closer inspection, they discovered that the cameras had two types of ransomware embedded. This prompted an investigation of other cameras in a city-wide sweep. The cameras are now back up and running after roughly 48 hours of maintenance.
Source: Washington Post

FSB Arrested Hackers Involved In Publication Of Putin Aide’s Correspondence

The Russian Federal Security Service detained the alleged founder of the Shaltay-Boltay (Humpty-Dumpty) website, Vladimir Anikeev, who gained notoriety after publishing the correspondence of high-level officials. The detention took place in October 2016. On the 28th of January 2017, Rosbalt reported on this event with a reference to its own source. Anikeev was taken into custody in Saint Petersburg after arriving from Ukraine.
According to the publication, he was involved in publishing the correspondence of Russian presidential aide Vladislav Surkov on one of the local websites. Rosbalt’s source said that Anikeev was lured out of Ukraine.
The Federal Security Service charged him under Article 272 of the Russian Criminal Code, illegal access to computer information. Anikeev mentioned the Deputy Head of the FSB’s Information Security Center, Sergei Mikhailov, several times in his testimony.
Mikhailov was detained in December 2016. It is reported that hackers were spotted in the summer of 2016. Searches were conducted in Saint Petersburg although the exact location of the searches wasn’t disclosed.
The agency further claims that after these events Shaltay-Boltay found itself on the Federal Security Service’s hook and was forced to publish materials on instructions from the agency’s employees. On the 25th of October 2016, a gigabyte of data from the prm_surkova@gov.ru mailbox, belonging to Surkov’s reception office and covering the period 2013-2014, was published on the Internet.
The detailed reports on the situation in Ukraine, Abkhazia, documents on funding the DPR and LPR, lists and contacts of employees of the Office of the Russian President on socio-economic cooperation, data on meetings and conferences of the Russian presidential aide, scanned copies of passports of Surkov and his family were found in the released files. After publication, the Kremlin stated that Surkov does not use that email address.
Source: uawire.org

How to Prevent Someone From Using Your Firefox Browser


Privacy is a big concern in this age of information technology. In most cases, you don’t want someone else to know what you are doing (or have done) with your personal devices.
There are many things you can do to prevent someone else from tracking your behaviour on your devices. If it is impossible to lock your device, why not lock a specific app and prevent someone else from using it? Here we do exactly that with Firefox.
By default, Firefox comes with a number of security features, but there is no built-in way to protect it with a password. Thankfully, there are add-ons we can use to do that.
This article shows how to protect Firefox with a password using the Master Password+ add-on. In this article, I use Firefox 50.1.0 running on Ubuntu 16.04.

Step one: Installing the Master Password+ add-on

  • Click on the three-line menu icon on the top right of your Firefox and choose Add-ons. Type “master password” on the search bar and hit enter.
  • Install “Master Password+” and restart your Firefox.

Step two: Configuring the add-on

  • Click on the three-line menu icon on the top right corner and choose Preferences -> Security. Check the “Use a master password” option.
  • You will be asked to enter a password. Once you are done setting the password, click the OK button.
  • Before clicking the OK button, be sure you have checked the “Ask for password on startup” option on the Startup tab.
    

Western Union Admits Facilitating Wire Fraud and Pays $586 Million


Western Union, a global financial services company, has admitted to facilitating wire fraud and agreed to pay $586 million as part of a settlement with the U.S. Federal Trade Commission (FTC) and the Department of Justice.

Western Union’s services are used by many fraudsters and cyber criminals, and the authorities in the United States are very displeased with the company’s failure to maintain a proper anti-fraud program.
Moreover, the company was accused of not taking immediate action against agents that knowingly processed fraudulent payments in return for a share of the illegal profits. Since 2001, the Department of Justice has convicted 29 employees and owners of Western Union agents for the fraud schemes they were involved in.

According to the authorities, Western Union violated many laws, including the Bank Secrecy Act (BSA) and the FTC Act.

The FTC said that Western Union received more than 550,000 complaints between January 2004 and August 2015 regarding fraudulent transfers involving online dating, lottery, advance-fee, and family emergency scams. These transfers add up to more than $632 million, but this is believed to represent only a fraction of the total, as not all complaints are logged and not all victims file a complaint.

As part of its settlement with the FTC and the Justice Department, Western Union agreed to pay $586 million, a sum that will be used to compensate the fraud victims. The process by which the money will be distributed will be established later.

The company will also implement and maintain a comprehensive anti-fraud program, thoroughly vet new and renewing agents, and suspend or terminate agents that don’t comply with its policies.
The FTC has ordered Western Union to stop processing fraud-induced and telemarketing-related money transfers, provide more fraud warnings, create additional channels for fraud complaints, and refund fraudulent transfers.

MoneyGram, Western Union’s main competitor, was also targeted by the FTC. The company agreed to pay $18 million in 2009 to settle charges.

Heartbleed Vulnerability Still Affects 200,000 Devices


Even though the number of services affected by the OpenSSL flaw also known as Heartbleed has decreased considerably over the past decade, the Shodan search engine still finds more than 200,000 vulnerable devices.

Heartbleed, tracked as CVE-2014-0160, is a critical vulnerability that allows attackers to steal information protected by SSL/TLS encryption. Some researchers believe the flaw was used in an attack in which hackers stole 4.5 million healthcare records.

Shodan’s search for vulnerable devices in November 2015 returned 238,000 results; that number had dropped by roughly 1,000 by March 2016. A new search carried out this Sunday showed 199,594 services still vulnerable to Heartbleed attacks.

Most of the affected devices are located in the United States (with 42,000), followed by South Korea (with 15,000), China (with 14,000), Germany (with 14,000), France (with 8,700), Russia (with 6,600), the UK (with 6,500), India (with 5,800), Brazil (with 5,500) and Italy (with 4,800). HTTPS accounts for the major part of the impacted services.

South Korea initially occupied 8th place, but in the recent scans it became the second most affected country, apparently because of devices operated by Boranet, SK Broadband and KT Corporation (formerly Korea Telecom).

The list of top affected organizations also includes Verizon Wireless, Amazon, OVH in France, German ISP Strato, Comcast, German hosting firm 1&1 Internet, and Taiwan-based HiNet.
Apache HTTP Server (httpd) is by far the most affected product, particularly versions 2.2.22 and 2.2.15, while the top operating system is Linux 3.x. Shodan also found that more than 70,000 of the affected services have expired SSL certificates.
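The scan data above is the kind of inventory a defender has to triage: a host, a Server banner naming the OpenSSL build, and a certificate expiry date. The following script is an added example (not code from the page or from Shodan) that flags records whose advertised OpenSSL version falls in the CVE-2014-0160 range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 prerelease, a fact not stated on the page) and records whose certificate is already past its notAfter date. The inventory, hosts and scan date are constructed for illustration. One caveat worth keeping in mind: distributions backport the fix without changing the version letter, so a banner in the affected range means "verify this host", not "confirmed vulnerable".

```python
"""Triage a service inventory for Heartbleed exposure and expired certificates.

Added example, not code from the page or from Shodan. It takes records of the
kind a scanner keeps (host, HTTP Server banner, certificate notAfter date) and
flags OpenSSL builds whose advertised version falls in the CVE-2014-0160 range
(1.0.1 through 1.0.1f, and the 1.0.2-beta1 prerelease) as well as certificates
already past their expiry. The inventory and scan date are constructed.
"""
from datetime import datetime, timezone
import re
from typing import List, Optional, Tuple

# Captures major.minor.patch, an optional patch letter, and an optional -betaN.
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_heartbleed_affected(banner: str) -> Optional[bool]:
    """True if the advertised OpenSSL version is in the vulnerable range,
    False if it is outside it, None if the banner names no OpenSSL version.
    Caveat: distributions backport the fix without changing the version
    letter (a patched Debian build still says 1.0.1e), so True means
    "verify this host", not "confirmed vulnerable"."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if version == (1, 0, 1):
        return letter <= "f"  # "" (plain 1.0.1) through "f"; 1.0.1g fixed it
    if version == (1, 0, 2):
        return beta == "1"  # only the 1.0.2-beta1 prerelease shipped the bug
    return False


def cert_expired(not_after: str, now: datetime) -> bool:
    """not_after in OpenSSL's text form, e.g. 'Mar 10 12:00:00 2016 GMT'."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT")
    return expiry.replace(tzinfo=timezone.utc) < now


# Constructed inventory: (host, Server banner, certificate notAfter).
# Addresses are from the documentation range 203.0.113.0/24, not real hosts.
INVENTORY = [
    ("203.0.113.10", "Apache/2.2.22 (Debian) OpenSSL/1.0.1e", "Mar 10 12:00:00 2016 GMT"),
    ("203.0.113.11", "Apache/2.2.15 (CentOS) OpenSSL/1.0.1e-fips", "Jan 05 00:00:00 2019 GMT"),
    ("203.0.113.12", "nginx/1.10.3 OpenSSL/1.0.2k", "Sep 30 23:59:59 2018 GMT"),
    ("203.0.113.13", "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g", "Jun 01 00:00:00 2015 GMT"),
    ("203.0.113.14", "Apache/2.4.10", "Dec 31 23:59:59 2017 GMT"),
]

# Constructed scan date, fixed so the output is reproducible.
SCAN_DATE = datetime(2017, 1, 22, tzinfo=timezone.utc)


def triage(inventory, now: datetime) -> List[Tuple[str, List[str]]]:
    """Return (host, findings) for every host with at least one finding."""
    report: List[Tuple[str, List[str]]] = []
    for host, banner, not_after in inventory:
        findings: List[str] = []
        affected = openssl_heartbleed_affected(banner)
        if affected:
            findings.append("openssl-heartbleed-range")
        elif affected is None:
            findings.append("openssl-version-unknown")  # needs a direct check
        if cert_expired(not_after, now):
            findings.append("certificate-expired")
        if findings:
            report.append((host, findings))
    return report


if __name__ == "__main__":
    for host, findings in triage(INVENTORY, SCAN_DATE):
        print(f"{host}: {', '.join(findings)}")
```

Hosts that advertise no OpenSSL version at all are reported separately rather than assumed safe, since a Server banner can be stripped or rewritten by a proxy.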

US Makes HTTPS Mandatory for All New .Gov Websites


To improve the security of government websites, which are frequently targeted by hackers, the United States will default to HTTPS for all new .gov websites starting this year.

During the Obama administration, the government set December 31 as the deadline for all government websites to switch to HTTPS, but unofficial statistics suggest that only 60 percent of these websites actually completed the transition.

Now the General Services Administration announced that from 2017, all new .gov websites will have HTTPS automatically.

“As new executive branch domains have been registered, dotgov.gov program will submit all these websites to the web browsers for “preloading”. After the submission, nearly three organisation time is taken to complete the “preloading” in the modern browsers. All these changes will be issued to the dotgov customers when they register a new domain now under the Executive Branch, and will not have any effect on existing or any renewed domains,” reads the announcement.

GSA says that HTTPS will be applied to all subdomains of freshly registered executive-branch .gov websites, including intranet websites, noting that sticking with HTTP even on an intranet is not secure and is “discouraged.”

As for a target date, GSA says it is aiming for the new measure to take effect in the spring of 2017, and domain customers will be notified 30 days before the changes take place.
“GSA provides extensive guidance to agencies on HTTPS deployment at https.cio.gov and encourages .gov domain owners to obtain low cost or free certificates, trusted by the general public. As a general matter, more expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners’ security posture,” the GSA adds.
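The “preloading” the announcement refers to means getting a domain onto the HSTS preload list that browsers ship with, so that a browser never makes a plain-HTTP request to it even on first visit. A domain is only accepted if its Strict-Transport-Security header meets the submission criteria. The script below is an added example (not GSA's or the dotgov program's tooling) that pulls the header out of a raw HTTP response and reports what keeps it from being preload-ready. It assumes the criteria published at hstspreload.org: a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload token; check that site for the current figure. The responses inside are constructed samples.

```python
"""Check a Strict-Transport-Security header against HSTS preload criteria.

Added example; not GSA's or the dotgov program's tooling. Submission to the
browser preload list requires the header to carry a long enough max-age,
includeSubDomains and the preload token; the one-year minimum used here is
the rule published at hstspreload.org. The HTTP responses are constructed.
"""
from typing import Dict, List, Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds (assumed from hstspreload.org)


def hsts_from_response(raw_response: str) -> Optional[str]:
    """Return the Strict-Transport-Security value from a raw HTTP response
    head, or None when the header is absent. Header names are case-insensitive."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse 'max-age=N; includeSubDomains; preload' into {name: value}.
    Directive names are case-insensitive (RFC 6797) and values may be quoted;
    a repeated directive is an error, because the RFC forbids it."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header: Optional[str]) -> List[str]:
    """Reasons the header is not preload-ready; an empty list means it is."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        directives = parse_hsts(header)
    except ValueError as err:
        return [str(err)]
    problems: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload token missing")
    return problems


# Constructed sample responses (no real hosts involved).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
    "<html></html>"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=300\r\n"
    "\r\n"
)
PLAIN_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE), ("plain", PLAIN_RESPONSE)]:
        problems = preload_problems(hsts_from_response(raw))
        print(f"{label}: {'preload-ready' if not problems else '; '.join(problems)}")
```

The header must also be served on the HTTPS side only and the site must redirect HTTP to HTTPS on the same host before a submission is accepted; those two checks need a live connection and are out of scope for an offline parser.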

HummingBad Malware Returns – Uses Your Phone to Make Ad Cash for Hackers


After last year’s clean-up, it looks like the HummingBad malware has returned in a new, more powerful and more annoying version.


Back in February 2016, HummingBad made the headlines. This malicious app affected around 10 million Android smartphones around the world.

The software gained root access on the affected devices, collected personal data and generated fake ad clicks. The folks behind it made around $300,000 per month.

The malware was spread using third-party app stores and has managed to reach so many devices that it has become the fourth most prevalent malware known. However, it did not manage to infiltrate the official Google Play store.

The new version was dubbed HummingWhale by the folks at Check Point Software Technologies, who first spotted it and found improved ad fraud capabilities in its code. If the user notices the app and goes to close its process, HummingWhale retreats into a virtual machine, which is much harder to detect.

HummingWhale first drew attention when apps published under the names of several Chinese developers (possibly fake ones) showed abnormal behaviour at startup. “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context,” wrote Check Point. The apps also carried an encrypted 1.3 MB file posing as an image but acting as an executable app file.

“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine,” the company notes.
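Check Point's observation that the apps registered for early-start events is something an analyst can check statically before installing anything. The scanner below is an added example (not Check Point's code) that reads a decoded AndroidManifest.xml (for instance the output of apktool) and lists every receiver bound to a broadcast that lets code run before the user ever opens the app, together with whether the RECEIVE_BOOT_COMPLETED permission is requested. Note that of the three events named above, only INSTALL_REFERRER can be declared in the manifest; TIME_TICK and SCREEN_OFF are delivered only to receivers registered at runtime, so they never show up in a static scan and need dynamic analysis. The manifest and package name are constructed.

```python
"""Flag manifest-declared receivers that hook app install and device boot.

Added example, not Check Point's code. Scans a decoded AndroidManifest.xml for
receivers bound to early-start broadcasts (BOOT_COMPLETED, INSTALL_REFERRER
and similar) and for the RECEIVE_BOOT_COMPLETED permission. TIME_TICK and
SCREEN_OFF cannot be declared statically, so they are out of scope here.
The manifest below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's form of android:name

# Broadcasts commonly used to start running before the user opens the app.
EARLY_START_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.MY_PACKAGE_REPLACED",
    "com.android.vending.INSTALL_REFERRER",
}


def early_start_receivers(manifest_xml: str) -> Dict[str, List[str]]:
    """Map receiver class name -> sorted early-start actions it filters on."""
    root = ET.fromstring(manifest_xml)
    found: Dict[str, List[str]] = {}
    for receiver in root.iter("receiver"):
        actions = {
            a.get(NAME) for a in receiver.iter("action") if a.get(NAME) in EARLY_START_ACTIONS
        }
        if actions:
            found[receiver.get(NAME)] = sorted(actions)
    return found


def requests_boot_permission(manifest_xml: str) -> bool:
    """True if the app asks for RECEIVE_BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    return any(
        p.get(NAME) == "android.permission.RECEIVE_BOOT_COMPLETED"
        for p in root.iter("uses-permission")
    )


def assess(manifest_xml: str) -> List[str]:
    """Human-readable findings; an empty list means nothing early-start related."""
    findings = []
    for receiver, actions in early_start_receivers(manifest_xml).items():
        findings.append(f"receiver {receiver} listens for {', '.join(actions)}")
    if requests_boot_permission(manifest_xml):
        findings.append("requests android.permission.RECEIVE_BOOT_COMPLETED")
    return findings


# Constructed manifest in the shape apktool produces; package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Camera">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in assess(SAMPLE_MANIFEST) or ["no early-start hooks declared"]:
        print(line)
```

A boot receiver is not malicious in itself (alarm clocks and messaging apps declare one), so treat this as a triage signal to combine with the dropper behaviour described above rather than as a verdict.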

How Your Android’s Pattern Lock Can Be Cracked In Just 5 Attempts


A few days ago, Fossbytes wrote about the list of the most popular (dumbest) passwords of 2016. You might be wise enough to consider a tough password for your devices and online accounts. But if you think that pattern lock is more secure than common passwords, your thinking will change after reading this story.

According to new research published on Phys.org, it is possible to crack a smartphone’s pattern lock in around five attempts, the number after which the device locks itself. The method works by recording a video of people entering the pattern lock on their phone.

The story isn’t as childish as it sounds. You are not expected to decipher the pattern from the video yourself; a computer vision algorithm developed by the researchers – from Lancaster University, Northwest University of China, and the University of Bath – does that job.

The algorithm works with an accuracy of more than 80 percent on complex patterns, cracking them within 5 attempts. In fact, simple patterns were cracked on the first attempt with 60 percent accuracy.

The software doesn’t even need to see the screen to crack the pattern lock. It infers the movements of the user’s fingers relative to the smartphone from the video. After analyzing a video, the algorithm suggests a set of possible patterns.
Overall, a total of 120 unique patterns were checked. The researchers note that patterns involving more lines and complex shapes are easier for the algorithm to crack.

The attack can be carried out against any smartphone. Pattern locks are primarily used on smartphones running the Android operating system; iOS devices mostly use a PIN lock.
How to protect yourself?

It would be hard to protect your Android or any other smartphone from the digital eyes out there in the wild. Recording a video of you entering your pattern lock on your Android smartphone is an easy task for any shoulder surfer on the subway.

If we consider a practical scenario, even if a person records a video, it would be hard to gain physical access to your smartphone.

If your Android smartphone has a fingerprint sensor, prefer it over the pattern lock. Alternatively, cover your fingers while entering the pattern. Keeping a simple pattern also helps, as the algorithm finds simple patterns harder to crack.

Quimitchin Malware Targets Macs and Linux Systems



IT security researchers have recently found new malicious code that affects Mac and Linux systems. Apple Inc. dubbed it Fruitfly, while Malwarebytes named it Quimitchin, after the Aztec spies. The newly identified malware appears to be used to spy on biomedical research centres, and it is speculated that it has been active for many years and is only now being detected.

Malwarebytes discovered the code after one of its IT administrators noticed a strange pattern of incoming network traffic from one of the compromised Macs. Reportedly, the malware was designed to take over the webcam, capture screenshots of the Mac, and simulate mouse clicks and key presses. Beyond these features, it also performs the standard malware function of giving the attacker remote control of the machine.

According to a blog post by Malwarebytes researcher Thomas Reed, neither Apple nor Malwarebytes has yet discovered how the malware is being distributed. What they have found so far is that it was built using old-school coding techniques, some so old that they date back to 2001, when Mac OS X was launched.

The most disturbing aspect is that Fruitfly also contains Linux shell commands, and when Reed tried to run the malware on a Linux machine it worked “just fine”, with only the Mac-specific code failing to run. This means the malware developers didn’t know much about the Mac system and relied on old documentation for its development.

“The presence of Linux shell commands in the original script suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample,” noted Reed.

This Android Malware Attacks Your Wi-Fi Router And Hijacks Web Traffic



Malware targeting the Android operating system isn’t new, but we keep seeing new varieties from time to time. One such new Android malware, dubbed Trojan.AndroidOS.Switcher, has been discovered by researchers at Kaspersky Lab.

The way this malware works makes it fairly unique. Instead of attacking the user, Switcher targets the Wi-Fi network the user is connected to (that is, the network’s Wi-Fi router).

Switcher performs a brute-force attack to guess the password of the router’s web interface. If it succeeds, the trojan changes the DNS server addresses stored in the router’s settings.

This step reroutes all DNS queries from devices on the compromised network to the hackers’ servers, a technique also known as DNS hijacking.

Two versions of Trojan.AndroidOS.Switcher malware

The security researchers have identified two versions of Switcher malware. The first version, with package name com.baidu.com, pretends to be a mobile client for the Chinese search giant Baidu.

The second version, named com.snda.wifi, disguises itself as a version of a popular Chinese app that shares Wi-Fi information between users. The cyber criminals have even created a website that distributes and advertises these fake apps, and the website’s web server and the malware’s C&C server are one and the same.

Rogue DNS settings survive even a reboot of the router

Because of the DNS hijacking, a victim is fooled into communicating with an entirely different network, which can redirect them to a fake Google or Facebook. And because the whole network is targeted, all its users are exposed to a wide range of attacks. It’s also worrying that the changed settings persist even after a reboot.
You can read more details about the malware on Kaspersky’s blog.

Search for these rogue DNS servers

You are advised to check your DNS settings and look for these rogue DNS servers. If you find one of them, alert your ISP or the owner of the Wi-Fi network:
  • 101.200.147.153
  • 112.33.13.11
  • 120.76.249.59
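Because Switcher rewrites the router's DNS settings rather than the phone's, every device on the network inherits the rogue resolvers through DHCP, so the check above is worth running on laptops as well as phones. The script below is an added example (not code from the page or from Kaspersky) that does the check: it pulls every IPv4 address out of a text dump of resolver settings, such as the contents of /etc/resolv.conf or the output of `ipconfig /all`, `nmcli dev show` or `scutil --dns`, and reports any that match the three indicators listed above. When run on a machine that has /etc/resolv.conf it reads the live file; otherwise it falls back to the two constructed sample dumps embedded in it.

```python
"""Look for the rogue Switcher DNS servers in a device's resolver settings.

Added example; not code from the page or from Kaspersky. It extracts every
IPv4 address from a text dump of resolver settings (the contents of
/etc/resolv.conf, or the output of `ipconfig /all`, `nmcli dev show`,
`scutil --dns`) and reports any that match the indicators from the report.
The two sample dumps are constructed for illustration.
"""
import ipaddress
import os
import re
from typing import Iterable, List

# Rogue DNS servers named in Kaspersky's Switcher report (taken from the page).
SWITCHER_DNS = frozenset({"101.200.147.153", "112.33.13.11", "120.76.249.59"})

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text: str) -> List[str]:
    """Distinct, syntactically valid IPv4 addresses in text, in first-seen order."""
    found: List[str] = []
    for candidate in _IPV4.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        if candidate not in found:
            found.append(candidate)
    return found


def find_rogue_dns(text: str, indicators: Iterable[str] = SWITCHER_DNS) -> List[str]:
    """Addresses in text that match the rogue-resolver indicators."""
    bad = set(indicators)
    return [ip for ip in extract_ipv4(text) if ip in bad]


# Constructed sample: resolv.conf as a hijacked router's DHCP would populate it.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager (constructed sample)
search lan
nameserver 101.200.147.153
nameserver 8.8.8.8
"""

# Constructed sample: the relevant part of `ipconfig /all` on Windows.
SAMPLE_IPCONFIG = """Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 112.33.13.11
                                       8.8.4.4
"""


def main() -> None:
    # Use the live resolver file when present, otherwise the constructed samples.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf", encoding="utf-8", errors="replace") as fh:
            dumps = {"/etc/resolv.conf": fh.read()}
    else:
        dumps = {"sample resolv.conf": SAMPLE_RESOLV_CONF, "sample ipconfig": SAMPLE_IPCONFIG}
    for label, text in dumps.items():
        rogue = find_rogue_dns(text)
        status = "ROGUE DNS FOUND: " + ", ".join(rogue) if rogue else "no known rogue resolver"
        print(f"{label}: {status}")


if __name__ == "__main__":
    main()
```

A clean result only means none of the three published addresses is present; since the settings live on the router, the definitive check is to log in to the router's admin page and compare its DNS entries with what your ISP actually assigns.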