Security vulnerabilities fixed in latest Drupal versions

After addressing several vulnerabilities, Drupal has asked its users to upgrade their existing Drupal 7 and 6 sites.

An XSS vulnerability was found in the auto-complete functionality of forms, where the requested URL is not sanitized properly; it affected both Drupal 6 and 7. The flaw could allow an attacker to upload files to vulnerable websites under another user’s account.

“For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs,” Drupal explained.

Drupal, which is used by more than 1.1 million websites, published a security advisory on August 19 confirming that it had patched several vulnerabilities in versions 7.39 and 6.37.

It revealed that version 7 was affected by a cross-site scripting (XSS) vulnerability that could allow an attacker to launch attacks by invoking Drupal.ajax() on a whitelisted HTML element.

Drupal developers warn that version 7 of the CMS is plagued by a SQL injection vulnerability that allows an attacker with elevated privileges to inject malicious code in SQL comments. The flaw, found in the SQL comment filtering system, can only be exploited on one contributed module.

“When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor,” Drupal said in the advisory.

The last vulnerability patched in Drupal 6 and 7 is an information disclosure issue related to menu links.

“Users without the ‘access content’ permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to,” reads Drupal’s advisory.

The vulnerabilities affect Drupal core 6.x versions prior to 6.37 and Drupal core 7.x versions prior to 7.39. CVE identifiers have yet to be assigned to these vulnerabilities.

Fourth Android vulnerability detected; Is it safe to use?

One vulnerability after another in Android has raised questions about its safety. Android users are now wondering whether it is safe to use at all.

Researchers from Trend Micro, a security firm, have uncovered yet another Android mediaserver vulnerability, affecting versions 2.3 to 5.1.1, which they say could allow attackers to run their code with the same permissions the mediaserver program already has as part of its normal routines.
However, Google has patched the vulnerability via the Android Open Source Project (AOSP).

According to the researchers, the vulnerability lies in AudioEffect, a component of the mediaserver program, which uses an unchecked variable that comes from the client, usually an app. To attack, the attacker must convince the victim to install an app that requests no permissions at all, giving the victim a false sense of security.

“Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected,” they said.

The researchers have suggested that, to block the threat, Android users can download Trend Micro Mobile Security (TMMS), which can detect threats that try to use this vulnerability and run any of the scenarios presented. They can also reboot their device in safe mode to uninstall the malicious app.

“We also recommend that device manufacturers patch their devices regularly to prevent their users from suffering from attacks that use this vulnerability,” they explained.

The new flaw is said to be quite similar to three other major vulnerabilities detected recently in Android’s mediaserver component. CVE-2015-3823 could allow attackers to trap phones in endless reboots, and ANDROID-21296336 may render devices silent. Lastly, CVE-2015-3824, dubbed Stagefright, can be used to install malware through a multimedia message.

Facebook rewards Researchers for Vulnerability Discovery Tool

Facebook has awarded a prize of $100,000 to a team of security researchers in Georgia for finding a new class of vulnerabilities in browser-based C++ programs.

The award, the “Internet Defense Prize”, was given at the 24th USENIX Security Symposium in Washington D.C. for projects that encourage internet safety. The payout of $100,000 was double what was awarded last year to German researchers Johannes Dahse and Thorsten Holz, who won the prize for their paper “Static Detection of Second-Order Vulnerabilities in Web Applications.”

This year’s prize winners, PhD students Byoungyoung Lee and Chengyu Song, along with Professors Taesoo Kim and Wenke Lee, revealed a new class of C++ vulnerabilities and introduced CaVer, a runtime bad-casting detection tool.

CaVer performs instrumentation at compile time and uses a new runtime type tracing mechanism, the type hierarchy table, to overcome the limitations of existing approaches and efficiently verify type casting dynamically. The researchers claim to have applied CaVer to the code of the Chromium and Firefox browsers and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox.

Facebook Security Engineering Manager Ioannis Papagiannis explains, “C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead.
People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process.”

Papagiannis said that CaVer makes it possible to have the best of both worlds: using static casts to improve performance while still identifying the type casting vulnerabilities that can then be addressed.

He added, “We all benefit from this kind of work. A large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale.”
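The static-versus-dynamic cast distinction Papagiannis describes, as an added example written for this article (not code from CaVer or the paper): the Shape/Circle/Rectangle hierarchy is constructed, and `overreach` is simply the number of bytes a mis-cast pointer would claim beyond the real allocation.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed hierarchy for illustration; not from the CaVer paper or its code.
struct Shape {
    virtual ~Shape() = default;   // polymorphic, so dynamic_cast has RTTI to consult
    int id = 0;
};

struct Circle : Shape {
    double radius = 1.0;
};

struct Rectangle : Shape {
    double width = 2.0;
    double height = 3.0;
    double area_cache[8] = {};    // state that a Circle simply does not have
};

// Unchecked downcast: static_cast trusts the programmer and never fails.
// If s really points to a Circle, the Rectangle* it returns covers
// sizeof(Rectangle) bytes although only sizeof(Circle) were allocated, so
// any access to width/height/area_cache through it reaches past the object.
// This is exactly the bad-casting bug class CaVer looks for (the standard
// already calls such a cast undefined behaviour).
Rectangle* unchecked_downcast(Shape* s) {
    return static_cast<Rectangle*>(s);
}

// Checked downcast: dynamic_cast inspects the object's real type at run time
// and yields nullptr when the object is not (derived from) a Rectangle.
Rectangle* checked_downcast(Shape* s) {
    return dynamic_cast<Rectangle*>(s);
}

struct CastReport {
    bool static_ok;          // static_cast handed back a usable-looking pointer
    bool dynamic_ok;         // dynamic_cast confirmed the object really is a Rectangle
    std::size_t overreach;   // bytes a Rectangle* would claim beyond the real object
};

// Compare both casts on the same object. actual_size is the size of the
// object's true type, which the caller knows because it allocated it.
CastReport probe_cast(Shape* s, std::size_t actual_size) {
    CastReport r{};
    r.static_ok = unchecked_downcast(s) != nullptr;
    r.dynamic_ok = checked_downcast(s) != nullptr;
    if (!r.dynamic_ok && sizeof(Rectangle) > actual_size)
        r.overreach = sizeof(Rectangle) - actual_size;
    return r;
}

// The safe usage pattern: validate with dynamic_cast, then touch fields only
// through the checked pointer. A wrong-typed object yields 0.0 instead of an
// out-of-bounds read.
double rectangle_area_or_zero(Shape* s) {
    if (Rectangle* r = checked_downcast(s))
        return r->width * r->height;
    return 0.0;
}

// Wrappers that build the objects themselves, so results can be checked
// without the caller managing object lifetimes.
CastReport probe_circle_as_rectangle() {
    Circle c;
    return probe_cast(&c, sizeof(Circle));
}

CastReport probe_rectangle_as_rectangle() {
    Rectangle r;
    return probe_cast(&r, sizeof(Rectangle));
}

double area_through_bad_cast() {
    Circle c;
    return rectangle_area_or_zero(&c);   // 0.0: the cast is refused
}

double area_through_good_cast() {
    Rectangle r;
    return rectangle_area_or_zero(&r);   // 6.0
}

int main() {
    CastReport bad = probe_circle_as_rectangle();
    std::printf("Circle as Rectangle:    static_cast=%d dynamic_cast=%d overreach=%zu bytes\n",
                bad.static_ok, bad.dynamic_ok, bad.overreach);
    CastReport good = probe_rectangle_as_rectangle();
    std::printf("Rectangle as Rectangle: static_cast=%d dynamic_cast=%d overreach=%zu bytes\n",
                good.static_ok, good.dynamic_ok, good.overreach);
    return 0;
}
```

The mis-cast is reported as "successful" by static_cast and refused by dynamic_cast; CaVer's contribution is catching the former case at run time without paying dynamic_cast's cost at every site.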

34-year-old woman receives vulgar images on phone via Apple's Airdrop sharing function

It was a normal day. As always, Lorraine Crighton-Smith took a train to work. However, something unusual happened that left her feeling shocked and violated.

The 34-year-old was holding her phone on the train, thinking of sending a message, when two messages arrived back to back. They contained pictures of an unknown man's penis, sent to her phone via Apple's Airdrop sharing function.

Crighton-Smith told BBC, "I had Airdrop switched on because I had been using it previously to send photos to another iPhone user, and a picture appeared on the screen of a man's penis, which I was quite shocked by.”

Soon after that, she reported it to the British Transport Police (BTP).

According to the BBC report, the police are now investigating a "new" crime of cyber-flashing after the incident.

Since Crighton-Smith declined the message, the BTP said there was no technological evidence for them to work with, and recorded it as intelligence.

"I declined the image, instinctively, and another image appeared, at which [point] I realised someone nearby must be sending them, and that concerned me. I felt violated, it was a very unpleasant thing to have forced upon my screen. I was also worried about who else might have been a recipient, it might have been a child, someone more vulnerable than me,” she told BBC.

According to the report, Supt Gill Murray said this particular crime was new to her force and urged people to report any other incidents.

Murray said the force had dealt with cases involving Bluetooth but an incident via Airdrop was "new to us".


"We have a dedicated Cyber Crime Unit who can analyze mobile phones and track data transfers back to suspects' devices. By linking this to physical evidence, such as CCTV footage or witness statements, we can catch offenders and bring them to justice through the courts,” Murray added.

Air-gapped PCs not safe anymore

Researchers have proven that even air-gapped computers are not safe any more, as they can be attacked with devices as simple as a cell phone.

The researchers, who are based in Israel, achieved this extraordinary feat using the GSM network, electromagnetic waves and a simple mobile phone.

The researchers wrote in a paper, “Unlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone."

They have called for companies that work with sensitive information to improve their security standards so that they don't fall prey to such cyber attacks.

Creepy Voice that you heard from Your Baby Monitor is not of a Ghost


Beware of Internet-connected cameras, security cameras and monitoring systems, as these can easily be hacked. Camera hacking has become a serious issue because of the potential for unauthorized people to make video recordings.

Ontario Provincial Police (OPP) issued a warning on Wednesday reminding people that these systems can be susceptible to hackers because many have a remote-access option enabled by default. The warning follows an incident on July 7 in which a family from southwestern Ontario, whose baby monitor was watching their young child, saw it suddenly begin playing music while a voice said they were being watched.

According to OPP Const. Liz Melvin, the child was about to sleep in the nursery when the camera was remotely activated.


“The camera played some eerie music and a voice could be heard indicating the parent and child were being watched,” Melvin told National Post. “Obviously it’s going to be disturbing.”

She said the family’s Internet service provider confirmed the router had been hacked and the source of the hack could be from anywhere in the world.

Although such baby monitor hacking cases have been reported every month, Melvin said no other incidents had been reported and she wasn’t aware of any past investigations into this type of camera hacking in the area.

She said there are no suspects in the case and the investigation is ongoing.

To protect themselves, people should use passwords to protect access to their Internet connection and to their monitoring systems. They should also buy cameras from trusted sources and cover the cameras when not in use.

Google protests against US government's new legislation "Wassenaar Arrangement"

 
Google has protested against the proposed changes to the “Wassenaar Arrangement” rules that would let the US government control the export of security research and technologies.

In a blog post, Neil Martin of Google’s legal team and Tim Willis, Hacker Philanthropist on the Chrome Security Team, opposed the proposed legislation, saying “it will hurt general web users”.

The blog post emphasized how the proposed changes would directly affect security research: “The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world - our current Hall of Fame includes researchers from Germany, the U.S., Japan, Brazil, and more than 30 other countries.”

According to the blog post, the proposed changes would apply Wassenaar Arrangement controls to software and tools, which would hamper companies that hire hackers to find vulnerabilities in their networks and products.

If the proposed changes are approved, companies operating in the US will need a license to export their security technologies, or information on newly discovered vulnerabilities, anywhere other than Canada.

Google submitted their comments on the proposed rules to the United States Commerce Department’s Bureau of Industry and Security (BIS).

GarrettCom launches new versions to tackle Magnum vulnerabilities

US-based company GarrettCom has produced new firmware versions to mitigate vulnerabilities in its Magnum 6K and Magnum 10K product lines. Authentication, denial of service and cross-site scripting vulnerabilities were found in these products. All versions prior to 4.5.6 of both product lines are affected.

The vulnerabilities can be exploited remotely to execute arbitrary code on the target device.

However, the impact on an individual organization depends on its operational environment, architecture and product implementation.

Researchers have found multiple XSS (cross-site scripting) vulnerabilities in the web server present on the device, which can be exploited by an unauthenticated attacker.

CVE-2015-3960 has been assigned to the vulnerabilities related to the use of hard-coded credentials. The firmware contains hard-coded RSA private keys and certificate files, which are used by the server for SSH and HTTPS connections. There is also a hard-coded password for a high-privileged user account on the serial console.

Memory can be corrupted by issuing a certain form of URL against the device’s web server.

These vulnerabilities can be remotely exploited and no known public exploits specifically target them.

According to ICS-CERT, the latest versions of the GarrettCom Magnum 6K and Magnum 10K software fix these vulnerabilities. Version 4.5.5 was released in December 2014, and Version 4.5.6 was released in January 2015. Users may download the latest software version and release notes from the following web site:
http://www.garrettcom.com/techsupport/sw_downloads.htm

ICS-CERT recommends that users perform access control checks to limit users’ reach to the feature, use an application firewall to detect XSS attacks, minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.


Airtel injecting Scripts into browsers? Will it Affect Your Privacy and Security?


After receiving heavy criticism for its Airtel Zero plan, Bharti Airtel, an Indian multinational telecommunications company, is now being accused of secretly injecting JavaScript and iframes into users’ web browsers in order to alter the browsing experience.

Thejesh GN, an info-activist and programmer, published his findings on GitHub, according to which Airtel is inserting JavaScript into users’ browsing sessions.

He said that the iframe tries to insert a toolbar into the browsing experience and that the parent URL of both the iframe and the JavaScript belongs to Bharti Airtel Bangalore.

He shared the injected script on GitHub. The script tries to inject an iframe pointing to the URL "hxxp://223.224.131.144:80/l8/Layer8Servlet".

However, Airtel has released a statement clarifying that it is building a tool to allow broadband users to get information about the amount of data they have used.

The company said it developed the new tool because non-mobile customers wanted an easy way to track their data usage while surfing the web.

“Our customers have frequently asked us for ways of easily keeping a track of their data consumption specifically dongle and broadband users, who unlike mobile users, cannot receive real-time alerts on their usage,” Airtel said in a statement to NextBigWhat.

It is said that it is highly unethical for an ISP to carry out such programs. However, no one has come up with any solution.

In a Reddit post, one user accused Vodafone of doing the same.

Just a month ago, a user posted the same issue on Reddit.

Astoria - Researchers develop a new Tor client which aims to beat NSA


Aiming to beat powerful intelligence agencies like the NSA, researchers have developed Astoria, a new Tor client said to be capable of protecting users’ privacy even from such agencies.

A team of cyber security researchers from America and Israel came up with a new Tor client designed to make spying more difficult for the world's most capable intelligence agencies.

According to the research paper, as Internet anonymity has become difficult to establish, people have used Tor, a popular anonymity system for users who wish to access the Internet anonymously or circumvent censorship, to prevent their activity from being tracked.

However, Tor is not as safe from powerful intelligence agencies as it was supposed to be.

As a result, the researchers developed Astoria, which focuses particularly on defeating autonomous systems (ASes) set up to intrude on Tor’s anonymity.

“In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. We find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks,” the researchers said in the paper.

It added, “To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path prediction and intelligent relay selection. It not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. It performs load balancing across the Tor network, so as to not overload low capacity relays. Moreover, it provides reasonable performance even in its most secure configuration.”

Astoria aims to do the following:
• Deal with asymmetric attackers.
• Deal with the possibility of colluding attackers.
• Consider the worst case possibility.
• Minimize performance impact.

An American admits hijacking plane mid-air: FBI

A security researcher told the Federal Bureau of Investigation (FBI) he had hacked an airplane’s engine with his laptop.

Chris Roberts admitted to hijacking a plane mid-flight in February, taking control of its entertainment system and causing the aircraft to fly sideways.

According to a search warrant application written in April by FBI agent Mark Hurley and posted on Wired on Friday, Roberts said that during one of these flights he commanded one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane.

He was questioned last month after being escorted off a United Airlines flight on which he had posted a humorous tweet hinting that he could control the aircraft's crew alert system and cause the passenger oxygen masks to drop.

After that, his computers were also seized by the FBI.

According to the application, Roberts said in interviews in February and March that he had hacked in-flight entertainment systems on 15 to 20 flights between 2011 and 2014. Each time, he pried open the cover of the electronics box located under the passenger seats and connected his computer to the system with an Ethernet cable. He checked the system for security flaws and monitored communications from the cockpit.

“We found that the electronics box under the seat in front of Roberts' showed signs of tampering,” Hurley wrote in the document.

On the same day, Roberts was removed from the flight.

Separately, the U.S. Government Accountability Office (GAO) released a report warning that hackers could bring down a plane by using onboard Wi-Fi systems.

In a report published by the Sydney Morning Herald, Ken Westin, a security analyst at Tripwire, said:

“Connecting your laptop to an in-flight media system or anything on an actual plane with people on it is not the way to conduct security research."


"To also tweet a 'joke' about hacking a plane using specific technical details is also incredibly irresponsible I think," he added.

Certificate problems in NetNanny expose users to attack

NetNanny, the popular content control software, has been found to use a shared private key and root certificate authority, which leaves it open to HTTPS spoofing and interception.

“The certificate used by NetNanny is shared among all installations of NetNanny,” said Garret Wassermann, a vulnerability analyst at CERT. He added that “the private key used to generate the certificate is also shared and may be obtained in plain text directly from the software.”

An attacker can easily exploit this to generate new certificates just by accessing the software. A spoofed certificate signed with the NetNanny key would appear trustworthy and could lead the user to a malicious site posing as a secure HTTPS site. Moreover, the attacker could intercept HTTPS traffic to carry out man-in-the-middle attacks against the affected system without triggering any browser certificate warnings.

The software, launched in 1995, is widely used by parents to filter Internet services for their children. CERT has warned that version 7.2.4.2 is vulnerable, but other builds might be affected as well. Questions about a fix remain unanswered by ContentWatch, the developing company.

Users are strongly advised to remove NetNanny, or at least to remove the bogus certificates created by the software, or to disable SSL filtering and manually remove the certificates.

CSPF donates one lakh rupees to IronWASP project


Cyber Security & Privacy Foundation (CSPF), a non-profit organisation that provides solutions to cyber security and privacy issues, has donated Rs. 1,00,000 (one lakh) to the Iron Web Application Advanced Security testing Platform (IronWASP) project, Asia's largest open source security project.

"We will use the donation to support the further development of the project," said Lavakumar Kuppan, the founder of IronWASP.

"It is really encouraging. We are not only getting funds but also feedbacks and comments which mean a lot to us."

According to Lavakumar, IronWASP’s main objective is to make web security easy and accessible to everyone. It is a scanner which automatically discovers security problems in web applications.

Though it is designed for security testers, others such as admins, developers and QA testers can also use the software by following the video tutorials available on the project website. Almost anyone can download IronWASP and use it for free.

"We are regularly adding new features to IronWASP" said Lavakumar. "We recently added Dynamic JavaScript vulnerability analysis capability, a feature that is unique to IronWASP. More additions are planned for future versions to make it more effective and help create a safer internet."

Hotel Management Company White Lodging appears to be latest victim of Data breach

There have been three massive data breaches reported in the last two months, and the breaches just keep coming. Now it looks like people who used their cards at a number of hotels might be at financial risk.

The latest report from cybersecurity blogger Brian Krebs reveals that White Lodging, a hotel management company that manages hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin, suffered a data breach involving customers’ card information.

Krebs started the investigation after receiving reports from multiple sources in the banking industry saying they had noticed a "pattern of fraud" on a number of cards previously used at Marriott hotels.

White Lodging told Krebs that an investigation is in progress and it will provide additional information as soon as it is available.

Krebs said the breach only affected Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

Krebs is the one who uncovered the massive data breaches reported in the last two months at Target, Neiman Marcus and, most recently, Michaels Stores.

Google acquires a cybersecurity startup Impermium

Google has added one more startup to its acquisitions list; this time it is the cyber security startup Impermium.

Impermium, founded three years ago, had raised $9 million in funding. The company offers an advanced risk-evaluation platform for detecting fraudulent registrations and risky transactions.

"By joining Google, our team will merge with some of the best abuse fighters in the world. With our combined talents we’ll be able to further our mission and help make the Internet a safer place." Mark Risher, CEO and Co-founder of Impermium said in the official statement.

In its statement the company thanked its investors, including Accel Partners, AOL Ventures, Charles River Ventures and Data Collective.

According to TechCrunch, the company is notifying its customers that it will stop providing services to third-party sites, but the team will be working on the same core problems and technology at Google. Google has not disclosed the value of the acquisition.

CyberTech 2014, International exhibition & conference for Cyber solutions


CyberTech 2014 (cybertechisrael.com) is one of the leading international cyber security conferences, taking place in Israel and inaugurated by Israeli Prime Minister Mr. Benjamin Netanyahu.

Leading multinational companies, over a hundred start-ups, private and corporate investors, experts and many more will participate in the event.

The keynote speakers are leading cyber security experts, including Kaspersky Lab Chairman and CEO Eugene Kaspersky, Head of the Israeli National Cyber Bureau Dr. Eviatar Matania, and Cisco Systems Senior Vice President Bryan Palma.

The Cyber Security & Privacy Foundation (CSPF) is interested in taking a delegation of corporates/companies to Israel.

Indian companies that would like to tie up with Israeli hi-tech cyber start-ups can contact CSPF. If you need assistance getting a visa to Israel for the conference, you can also contact CSPF.

Contact Details of CSPF: Founder@CySecurity.org


Vevo website hacked by TeslaTeam via SQL Injection vulnerability

Tesla Team, a hacker group from Serbia, has claimed to have breached the Vevo website (Vevo.com).

Vevo is a joint venture music video website owned and operated by Universal Music Group, Google, Sony Music Entertainment, and Abu Dhabi Media.

The team discovered a SQL injection vulnerability in one of the sub-domains of the Vevo website that allowed them to compromise its database.

In a Pastebin leak (pastebin.com/TAjce91x), the group posted the vulnerable link as well as a proof of concept that exploits the vulnerability. The database dump is claimed to contain the emails and passwords of admins and other users.

It appears someone with the username "JoinSeventh" on HackForums had already published the vulnerability details in 2012.

90+ Russian Malicious domains used by Kelihos group taken down by Malware Must Die

Exclusive: Malware Must Die (MMD), a team dedicated to malware analysis research, has taken down more than 90 Russian domains that have been confirmed as malicious.

It is part of their ongoing "Operation Tango Down", which deactivates malicious domains with the help of the authorities; several malware domains have already been suspended.

Today, MMD announced that they are shutting down 97 .ru domains that serve the notorious Kelihos Trojan for the Red Kit exploit kit.

Suspended Malicious .Ru domains - Image Credits: E Hacking News

According to the blog post, "the Kelihos Trojan was distributed on (mainly) East European (Ukraine, Latvia, Belarus, Russia) and Asian servers (Japan, Korea, Taiwan and Hong Kong) as the secondary layers, also using scattered worldwide hacked machines".

You can find further details and full list of suspended domains at their blog: http://malwaremustdie.blogspot.jp

Facebook Spam abuses McAfee URL Shortener and Google Translator


Yesterday we got a notification about a new Facebook spam from one of EHN's readers. What's interesting about this new spam is that it abuses the McAfee URL shortener to hide the malicious URLs.

The spam post contains an adult picture with the text "Emma Watson Star of Harry Potter made a sex Tape" and "Link in the description".


Clicking the link takes the victim to a Google Translator page. Within a few seconds, the victim is redirected from the translator to another page, hosted on the free hosting service altervista.org.

As usual, victims are asked to copy and paste a URL that contains their Facebook access token in order to "verify their age".

Facebook Access token stealing - Image Credits: E Hacking News


Once the "Activate" button is clicked, a pop-up saying "8 New comments" is displayed. Clicking the "continue" or next button leads to a Facebook app that asks the user for permission to access their public profile, friend list, email address and birthday.

The spammers aren't asking for your birthday in order to send birthday wishes :P. The collected information will be used in future spam or for other malicious purposes.

Permission to Access personal Information - Image Credits: E Hacking News

In the background, the spam post is posted on your wall and in your groups on your behalf using the stolen access token. From what I observed, the spam also abuses the alturl, tinyurl, linkee and other URL shortening services.

We have already warned you that Facebook is not the right place to watch porn. Please share this article and create awareness about Facebook spam.

Update:
We got a notification from one of our users that the same group is posting spam post with Twilight star Kristen Stewart name.

Update 2:
Redirection flow:
URL shortener link --> Google Translator --> fiddle.jshell.net --> plgngl.info --> ngltoken.altervista.org

The whois details of plgngl.info:
  • Registrant Name: Ngl Power
  • Street : Nonteladico 23
  • City : Roma
  • Email address: ngl@live.it

Other Domains registered by the same person:
buzzingcl.info
buzzingam.info
worldwarez.info
2fun4u.info

2fun4u.info has a text saying "If you're here maybe you're trying to steal my scripts. If so good luck" with the page title "NGL's viral scripts".

plgngl.info was also used in the Rihanna sex tape Facebook spam attack at the start of this year.

Update 3 - Tracking the Spammer:
My friend Janne Ahlberg and I investigated the spam and found some interesting things. Here I am sharing what we found.

We started our investigation with the domain registrant name "Ngl Power". With a few hints, we managed to find the cyber criminal's profile on one of the top underground hacking forums.

He distributes malicious Facebook spam scripts to other cyber criminals. From our investigation, we found that he has been distributing malicious scripts since 2010. It appears he is the criminal behind several Facebook spam campaigns.



He has provided malicious scripts for the following spam campaigns:
  • "RIHANNA'S BIGGEST SCANDAL"
  • "98 Percent Of People Cant Watch This Video For More Than 15 Seconds"
  • "Busty Heart - The woman that can smash things with her br****ts!"
  • "Man accused of trying to hide stolen TV in his pants"
  • "Find Your Facebook Stalkers"
  • "Dad walks in on daughter... EMBARRASING!!!"
  • "This is what Happend to his Ex GirlFriend"
  • "John Cena died of a head injury"
  • "Justin Bieber Sex Tape"

Janne found a thread posted in the forum by another cyber criminal, "kira2503", saying "NGL's money is refunded", with a screenshot that displays NGL's possible real name.



However, what I observed from the thread is that the spammer (NGL) appears to have been scammed by a scammer (kira2503), so we can't be sure whether the name in the screenshot is the true one.

Our investigation led to the "Facecrooks" Facebook fan page, which has warned about the Facebook spam.

One of the comments posted by a user on the page reads "Really Angelo Tropeano?? You think with a pic of Facecrooks x'd out .. on a thread > Warning us NOT to click links Anyone is going to fall for your malware attempt?? Shameful. Reported".

Another user posted a comment: "the troll known as angelo's link resolves to a html file on tumblr hxxx://static.tumblr.com/c5apoln/7Prmiktpx/cena.html? 93561071". Following the Tumblr link led us to "hxxx://plgngl.info/tkn". Yes, it is the same domain used in the recent attack.


The following profiles might be associated with the spammer:

  • YouTube: hxxx://www.youtube.com/user/nglyt2
  • Blogger: hxxx://www.blogger.com/profile/11389969837864256446
  • Twitter: hxxxx://twitter.com/ngltw

We are still investigating the campaign.  If we find anything interesting, we will update.

Hackers convince bank to send $15,000 wire transfer with the help of hacked Gmail account


It is time to enable Google's two-step authentication feature. If a website provides you with an additional security feature, it is always good to use it. This news will help you understand the risk of ignoring such a feature.

Cybercriminals hacked the Gmail account of Anil Abraham, a Dubai-based Indian expatriate, and used the account to convince his bank to transfer $15,000 from his bank account in India.

When Anil contacted the bank, he was told by the branch manager that the money had been transferred at his own request, made via email. The cybercriminals reportedly sent a signed document with the email to trick the bank into transferring the money.

According to an Emirates247 report, the money was transferred to a Westpac bank account in New Zealand belonging to someone named Garry Albert Frazer.

Anil said whoever hacked into his email account had managed to steal financial information and used it to write an email to the bank with a forged signature.

I'm still wondering how the bank allowed the cyber criminal to steal the money; banks usually don't allow us to transfer money via email without any personal verification. As far as I know, banks are always careful when it comes to large transfers - $15,000 (nearly 9,00,000 rupees).

Though it is the bank's mistake, it is always good to enable security features on your side. Don't wait until your account gets hacked; enable two-step authentication: http://www.google.com/landing/2step/