
Latest Hacking News

World Bank site hacked to launch PayPal phishing page

A report published by SecurityWeek confirmed that the official website of the World Bank's Climate Smart Planning Platform (CSPP) project had been compromised by two different attackers; the first used it to host a well-crafted PayPal phishing page.

According to the report, the CSPP project, which helps developing countries design and implement climate-smart policies, made an attractive phishing host because its site served an Extended Validation (EV) SSL certificate issued by Comodo to the World Bank Group.

Because the phishing page was served from a site carrying an EV certificate issued to the World Bank Group, visitors saw the bank's name in the browser's address bar, which lent the fraudulent page considerable credibility.

EV certificates are marketed as offering the "highest available level of trust" because they are issued only after an extensive verification of the applicant organization, and browsers of the time displayed that verified organization name in the address bar.

What EV actually attests, however, is the identity of the organization that controls the domain, not the integrity of the content served from it. Once the web server is compromised, whatever the attacker hosts there inherits the same green bar and the same organization name.

The PayPal phishing page first tricked visitors into logging in with their PayPal credentials. Once those had been submitted (and captured), the user was told that the site was unable to load their account and that their personal information needed to be confirmed.

The site then required the user to share their email address, name, postal address, date of birth, and phone number.

Next, it asked the user to verify their PayPal payment information, including the credit card number, expiry date and CVV, and the 3D Secure password if the card required it. After collecting this personal and payment data, the phishing site redirected the user to the legitimate PayPal website.

Because the phishing page was hosted on the World Bank's own site, the green address bar displaying "World Bank Group" could easily have convinced users that the page was legitimate.

According to various news reports, the same CSPP website was also hit by a second, unrelated attacker. After the phishing page had been removed by the CSPP webmasters, the site's homepage was defaced by an Iraqi hacker who appears to deface random websites to boost his reputation among his peers.

The site's EV certificate has since been revoked.

Nested backdoor puts 600,000 Arris cable modems at risk

By shipping two backdoors in its hardware, cable modem manufacturer Arris has left its modems at risk of being hijacked.

Whatever their intended purpose, the two backdoors amount to a serious flaw affecting around 600,000 cable modems.

The flaw was discovered by Brazilian security researcher Bernardo Rodrigues, who explained in a blog post that the modems' firmware contains one backdoor, and that this backdoor in turn exposes a second, hidden one.

The first backdoor is unlocked with an administrative password, which loads a hidden library on the modem. Anyone who gets through it, legitimate user or attacker, can access the modem and enable its SSH or Telnet ports, which in turn gives them a full interactive session on the device.

Digging deeper into that first backdoor, Rodrigues found a second one: a BusyBox shell protected by a password derived from the last five digits of the device's serial number. He later released a tool that generates this password automatically. A password that depends only on five decimal digits has at most 100,000 possible values, and serial numbers are typically printed on the device label or readable from its management interface, so the "secret" offers little protection.

BusyBox is a software package that bundles many common UNIX utilities into a single executable; it is widely used on embedded devices where memory and storage constraints rule out a full Linux userland.

The company was warned about the first backdoor back in 2009 and promised a fix, but none has shipped. After discovering the second backdoor, the researcher gave the company time to fix it; when it did not, he published his findings 65 days after reporting them.

Anyone who cares about the security of their home network should be wary of ISP-supplied consumer-grade gateways, since the ISP, not the subscriber, controls how the device is configured and can leave it in an insecure state.

Router firmware is, moreover, often developed on tight budgets, and security seldom appears to be a priority for manufacturers.
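The following is an added example illustrating the serial-number point above; it is not Rodrigues' keygen and not Arris code. The page only says the hidden-shell password depends on the last five digits of the serial number, not how it is derived, so the derivation below is a hypothetical stand-in, and the simulated shell, serial number and attacker routines are constructed for illustration. The point it demonstrates holds for any derivation: once an attacker has recovered the algorithm from the firmware, the whole password space is at most 100,000 values, and an attacker who can read the serial number needs a single attempt.

```python
"""Why a password derived from five serial-number digits is not a secret.

Added example; not Rodrigues' tool and not Arris code. derive_password is a
hypothetical stand-in: the real derivation is not reproduced here.
"""
import hashlib

DIGITS = 5  # the password depends only on the last five digits of the serial


def derive_password(serial: str) -> str:
    """Hypothetical derivation: hash the last five digits, keep 8 hex chars.

    However elaborate this function is, its only input has 10**DIGITS
    possible values, so it can produce at most 10**DIGITS distinct passwords.
    """
    tail = serial[-DIGITS:]
    return hashlib.sha256(tail.encode("ascii")).hexdigest()[:8]


class FakeModemShell:
    """Simulated hidden shell (constructed): accepts the derived password."""

    def __init__(self, serial: str):
        self._expected = derive_password(serial)
        self.attempts = 0

    def login(self, password: str) -> bool:
        self.attempts += 1
        return password == self._expected


def candidate_passwords():
    """Every password any device could possibly have, given the derivation."""
    return (derive_password(f"{i:0{DIGITS}d}") for i in range(10 ** DIGITS))


def keyspace_size() -> int:
    """Number of distinct passwords across all possible serial tails."""
    return len(set(candidate_passwords()))


def brute_force(shell: FakeModemShell):
    """Attacker who recovered the algorithm but not the serial: try them all."""
    for pw in candidate_passwords():
        if shell.login(pw):
            return pw
    return None


def targeted(shell: FakeModemShell, serial_from_label: str):
    """Attacker who read the serial off the label or SNMP: one attempt."""
    pw = derive_password(serial_from_label)
    return pw if shell.login(pw) else None


if __name__ == "__main__":
    serial = "ARRS0123456789"  # constructed serial number
    modem = FakeModemShell(serial)
    found = brute_force(modem)
    print(f"brute force: {found} after {modem.attempts} attempts")
    print(f"distinct passwords possible: {keyspace_size()}")
    modem2 = FakeModemShell(serial)
    print(f"targeted: {targeted(modem2, serial)} after {modem2.attempts} attempt")
```

The brute-force loop completes in well under a second on a laptop, which is the practical meaning of "a password derived from the serial number": it is a throttle, not a credential.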

Blackhole exploit kit: back with a bang, a threat once again

The Blackhole exploit kit, a toolkit for running drive-by download attacks, has resurfaced two years after its author's arrest, according to Malwarebytes.

The security firm found that criminals have rebuilt the kit from its leaked source code and are using it in active drive-by download campaigns run from compromised websites.

“We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages. Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole,” the researchers from Malwarebytes wrote in a blog.

According to the researchers, the new drive-by download attacks use the same structure as the original Blackhole, even reusing the old PDF and Java exploits.

“The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal,” they said.

The server hosting the exploit infrastructure was left fully browsable (the researchers credit @MeJz024 for the tip), and its folder structure leaves no doubt that it was taken straight from the leaked Blackhole source code.

The researchers note that, although the exploits are old, there are probably still unpatched machines out there that could be compromised.

They also believe the author of this Blackhole revival was working on new landing pages, so further changes are possible.

“We are not quite sure why this old exploit kit is being used in live attacks considering the infection rate would be quite low due to the aging exploits,” they added.

They suspect the reason is simply that, with the source code public, the kit is a free platform that can be built upon and updated.
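The attack chain described above (a landing page, an old Java or PDF exploit, then a freshly packed payload) leaves a recognisable trace in web-proxy logs even when the payload itself evades antivirus. The following is an added example of that detection logic, not Malwarebytes' code and not taken from the Blackhole kit. The log lines, their field layout (timestamp, client, host, path, status, content type) and the hostnames are all constructed for illustration.

```python
"""Flag drive-by download chains (landing page -> Java/PDF exploit -> payload)
in web-proxy logs.

Added example; not Malwarebytes' code and not part of Blackhole. The log
format and sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp client host path status content-type
SAMPLE_LOG = """\
2015-11-18T10:00:01 10.0.0.5 news.example.org /index.html 200 text/html
2015-11-18T10:00:02 10.0.0.5 cdn.example.net /jquery.js 200 application/javascript
2015-11-18T10:00:03 10.0.0.5 kit.example.test /main.php?page=3c2b 200 text/html
2015-11-18T10:00:04 10.0.0.5 kit.example.test /content/Rs9k.jar 200 application/java-archive
2015-11-18T10:00:05 10.0.0.5 kit.example.test /content/f.pdf 200 application/pdf
2015-11-18T10:00:09 10.0.0.5 kit.example.test /w.php?f=1a&e=0 200 application/x-msdownload
2015-11-18T10:01:00 10.0.0.7 docs.example.org /manual.pdf 200 application/pdf
2015-11-18T10:01:10 10.0.0.7 docs.example.org /index.html 200 text/html
"""

# Content types the old Blackhole exploits arrive as, and what the payload looks like.
EXPLOIT_TYPES = {"application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # landing -> payload must happen within this window


def parse(line: str) -> dict:
    ts, client, host, path, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "path": path, "status": int(status), "ctype": ctype}


def find_driveby_chains(log_text: str):
    """Return (client, host) pairs where one host served a landing page,
    then a Java/PDF exploit, then an executable payload, in that order and
    within WINDOW of the landing page."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_client[rec["client"]].append(rec)

    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(reqs):
            if landing["ctype"] != "text/html":
                continue
            host = landing["host"]
            exploit_seen = False
            for r in reqs[i + 1:]:
                if r["ts"] - landing["ts"] > WINDOW:
                    break
                if r["host"] != host:
                    continue  # ordinary third-party assets are ignored
                if r["ctype"] in EXPLOIT_TYPES:
                    exploit_seen = True
                elif exploit_seen and r["ctype"] in PAYLOAD_TYPES:
                    chains.append((client, host))
                    break
    return chains


if __name__ == "__main__":
    for client, host in find_driveby_chains(SAMPLE_LOG):
        print(f"possible drive-by: {client} <- {host}")
```

The order matters: a PDF download followed by an HTML page (client 10.0.0.7 above) is normal browsing and is not flagged, whereas HTML, then JAR/PDF, then an EXE from the same host within a minute is the kit's signature regardless of which exploit or payload hash it used that day.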

A security bug in MetroPCS could allow hackers to access customer data

A critical security bug in MetroPCS could allow anyone who knew your phone number to pull your personal details from the website, including your home address and your phone's model and serial number.

A Motherboard report revealed that a pair of researchers had discovered a bug that left customers' personal data exposed to cybercriminals.

With those personal details in hand, cybercriminals could easily move on to identity theft or to accessing bank accounts.

Eric Taylor and Blake Welsh found the flaw on MetroPCS's payment page in mid-October. Motherboard independently verified it and reached out to T-Mobile, which owns MetroPCS, on October 22.

Other well-known researchers described it as a pretty nasty bug and a serious privacy exposure. MetroPCS was unaware of the problem until Motherboard contacted it ahead of publication. A T-Mobile spokesperson told Motherboard that the flaw has been fixed and the data is no longer exposed.

What raised eyebrows most was that an attacker would not even need to know a particular victim's phone number: a simple automated script iterating through numbers could harvest the personal data of many MetroPCS customers. This is the classic insecure direct object reference: a lookup keyed on an attacker-chosen identifier, with no check that the requester actually owns the account.
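As an added illustration of that pattern, the following is not MetroPCS or T-Mobile code; the data model, the session handling and the rate limit are assumptions, and the customer records are constructed. It places the exposed lookup (any caller, any phone number, full record) beside a hardened version that binds the lookup to an authenticated session, returns only the fields the page needs, gives the same error whether or not a record exists, and throttles callers so that enumeration is expensive.

```python
"""Customer lookup keyed on a phone number: the exposed pattern and a hardened one.

Added example; not MetroPCS/T-Mobile code. Records, sessions and limits are
constructed assumptions.
"""
import time
from collections import defaultdict

CUSTOMERS = {  # constructed records, keyed by phone number
    "5551230001": {"name": "A. Example", "address": "1 Main St",
                   "model": "Model X", "serial": "SN-0001"},
    "5551230002": {"name": "B. Example", "address": "2 Main St",
                   "model": "Model Y", "serial": "SN-0002"},
}


# --- exposed pattern: unauthenticated lookup keyed on an attacker-chosen id ---
def lookup_vulnerable(phone: str):
    """Return the full record for any phone number; no proof of ownership."""
    return CUSTOMERS.get(phone)


def harvest(numbers):
    """What an automated script does against the exposed endpoint."""
    found = {}
    for n in numbers:
        rec = lookup_vulnerable(n)
        if rec is not None:
            found[n] = rec
    return found


# --- hardened pattern: session-bound lookup, minimal fields, rate limit ---
class AuthError(Exception):
    pass


class RateLimited(Exception):
    pass


class CustomerApi:
    def __init__(self, max_per_minute: int = 5):
        self.sessions = {}              # session token -> phone number it was issued for
        self.calls = defaultdict(list)  # token -> recent call timestamps
        self.max_per_minute = max_per_minute

    def login(self, phone: str, token: str):
        # Assumption: in a real system this happens only after the customer
        # has authenticated (password, OTP); here it just binds token to phone.
        self.sessions[token] = phone

    def _rate_limit(self, key: str, now: float):
        recent = [t for t in self.calls[key] if now - t < 60]
        if len(recent) >= self.max_per_minute:
            raise RateLimited(key)
        recent.append(now)
        self.calls[key] = recent

    def lookup(self, token: str, phone: str, now=None):
        now = time.time() if now is None else now
        self._rate_limit(token, now)
        owner = self.sessions.get(token)
        if owner is None or owner != phone:
            # Same error for "bad session" and "not your number": no oracle
            # that tells an enumerating attacker whether a record exists.
            raise AuthError("phone number not bound to this session")
        rec = CUSTOMERS[phone]
        return {"name": rec["name"], "model": rec["model"]}  # least data needed


if __name__ == "__main__":
    print(harvest(f"555123{i:04d}" for i in range(10)))   # scripted enumeration
    api = CustomerApi(max_per_minute=3)
    api.login("5551230001", "tok")
    print(api.lookup("tok", "5551230001"))
    try:
        api.lookup("tok", "5551230002")
    except AuthError as e:
        print("blocked:", e)
```

The rate limit is keyed on the session token, so an attacker cannot reset it by supplying a different phone number; an unauthenticated caller has no token at all and is refused before any record is touched.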
