World Bank site hacked to launch PayPal phishing page

A report published in SecurityWeek confirmed that the official website of the World Bank’s Climate Smart Planning Platform (CSPP) project had been hacked by two hackers and was later used to host a well-designed PayPal phishing page.

According to the news report, the CSPP project, which focuses on helping developing countries create and implement climate-smart policies, was ideal for phishing attacks as it used an Extended Validation (EV) SSL certificate issued by Comodo for the World Bank Group.

Since the website carried an EV SSL certificate issued for the World Bank Group, the phishing page had enough credibility for visitors to fall for it easily.

It is said that the certificate gives the “highest available level of trust” as it is offered after an extensive verification process.

Once the certificate is in place, the browser displays the name of its owner.

The PayPal phishing site tricked the visitor into logging in with their PayPal credentials. Once the data was submitted and stolen, the user was told that the site was unable to load the user’s account and required confirmation of their personal information.

The site then required the user to share their email address, name, postal address, date of birth, and phone number.

Then, it asked the user to verify their PayPal payment information, including credit card number, expiry date, its CVV number, and 3D Secure password if the card required verification. After collecting this personal and payment information, the phishing site then directed the user to the legitimate PayPal website.

The phishing page was hosted on, the fact that the green address bar in the browser displayed “World Bank Group” might have convinced users that the page was legitimate.

According to various news reports, the same CSPP website was also targeted by a different type of hacker. Although the phishing page was removed by the CSPP webmasters, the site’s homepage was defaced by an Iraqi hacker who appears to deface random websites in an effort to boost his reputation among his peers.

Today, the site’s EV certificate has been revoked.

Teenager who hacked US and British government website faces jail

A British teenage hacker has been warned by the Birmingham Crown Court that he faces possible jail time for bringing down the websites of the FBI and the Home Office.

Charlton Floate (19) has pleaded guilty to three counts under the Computer Misuse Act and three charges of possessing prohibited images.

Charlton's lawyers argued that their client was only on the outside of the whole conspiracy and not deeply involved in the matter, but the court has ruled out that possibility, saying that Charlton is a very intelligent man who is an expert in computer marketing.

The judge said in the hearing, "A successful attack on the website is regarded by hackers as the Holy Grail of hacking. It was this which he attempted and, indeed, achieved. He was the person who instituted such attacks and assembled the tools and personnel for doing so."

The FBI site was down for about five hours, whereas the Home Office site crashed for 83 minutes.

PayPal fixes serious vulnerability in its domain

A serious flaw in PayPal Holdings Inc, an American company which operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the domain, which is used for PayPal’s hosted solution that enables buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fulfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users fund to his own account,” the researcher posted in his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered the “Checkout” button with a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.

The researcher, who had found a serious flaw in a Yahoo domain last year, reported the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.

After that, the company awarded Hegazy $750 for his findings, which is said to be the maximum bug bounty payout for XSS vulnerabilities.

FBI catches teen accused of Swatting

A teenager from Texas has pleaded guilty to swatting and making bomb threats against a Minnesota high school after being caught by the FBI.

The 19-year-old Zachary Lee Morgenstern is accused of pulling off various swatting incidents in the Marshall, Minnesota area from October 2014 to May 2015.

Zachary is also accused of threatening a police officer and his family.

The FBI got hold of Zachary by sending a subpoena to Google to get details of one of Zachary's email accounts.

The FBI zeroed in on Zachary by using a Twitter handle and a Google email ID.

Russian APT attackers control the Hacked Machines using Twitter, Github

Russian APT attackers have used an advanced type of backdoor which tries to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users.

The attackers used popular legitimate websites such as Twitter and GitHub, as well as compromised web servers, to send instructions to and steal data from the compromised machines, according to an APT report published by the security firm FireEye.

The group, known as APT29, uses an algorithm that generates daily Twitter handles and embeds commands in pictures.

The attackers post instructions for their backdoors in a tweet, which contains a URL and a hashtag. The malware downloads the contents hosted at the specified URL, including all images on the page.

They hide the data and other instructions within an image file using a technique called steganography.

The hashtag contains a number representing a location within the image file and a few characters that should be appended to the decryption key. The key is used for retrieving the data stored in the image.

The instructions also specify where to upload the stolen data: the malware uploads it to a specific account on a cloud storage service using the login credentials.

APT29 is suspected to be in Russia since it is active during normal working hours in Moscow.

SEBI comes up with cyber security policy for stock exchanges, depositories and clearing corporations

The Securities and Exchange Board of India (SEBI), which was established in 1988 to regulate the securities market in India, has asked stock exchanges, depositories and clearing corporations to put in place a system that would protect systems, networks and databases from cyber attacks and improve their resilience.

According to a report published on LiveMint, the SEBI said these Market Infrastructure Institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions of trading, clearing and settlement in securities market.

“As part of the operational risk management framework to manage risk to systems, networks and databases from cyber attacks and threats, the MII should formulate a comprehensive cyber security and cyber resilience policy document to put in place such a framework,” the SEBI said.

It is said that the SEBI also asked the MIIs to restrict access to what is necessary, so that no one will have any intrinsic right to access confidential data, applications, system resources or facilities.

The SEBI has asked them to deploy additional controls and security measures to supervise staff with elevated system access entitlements.

According to the news report, the SEBI Chairman UK Sinha said that attackers are attacking in a more sophisticated manner.

“We are worried over state-sponsored cyber attacks. There are worries that the vulnerability in markets are increasing. We need to create a framework for future plan of action on securities market resilience,” he added.

The exchanges and other MIIs would also have to submit quarterly reports to the SEBI, containing information on cyber attacks and threats experienced by them and measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs, vulnerabilities and threats that may be useful for other MIIs.

Along with this, the MIIs have to share the useful details among themselves in a masked and anonymous manner, using a mechanism to be specified by the regulator from time to time, and to identify critical assets based on their sensitivity and criticality for business operations, services and data management.

Likewise, each MII should maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.

The SEBI asked market stakeholders to establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment, and also to restrict physical access to the critical systems to a minimum.

Selfies to use as a password for doing online payments

You know what? Selfies, which we mostly take for posting on social networking sites, are now being used as a password for making payments.

MasterCard, an American multinational financial services corporation headquartered in New York, United States, is trying new facial recognition technology that would let customers verify their identity online by taking a selfie.

MasterCard’s customers still use a system called SecureCode to verify their identity while shopping online, which requires them to enter a password at the point of sale.

In an interview with CNN Money, MasterCard executive Ajay Bhalla said that they want to identify people by who they are, not by what they remember.

"We have too many passwords to remember and this creates extra problems for consumers and businesses. The new generation, which is into selfies… I think they'll find it cool. They'll embrace it," he added.

According to a news report published in The Telegraph, many financial organisations and technology companies are testing biometrics as an alternative form of identification, in order to avoid problems such as forgotten, stolen or intercepted passwords.

For example, a British technology firm recently launched the world’s first emoji-only passcode, which allows people to log into their banks using four emoji characters instead of PINs or passwords.

According to the report, during the trial period, some MasterCard customers will be prompted to snap a photograph of their face using the MasterCard app on their smartphone at the online checkout point instead of entering a password.

It is said that the app then converts the photo into 1s and 0s using facial recognition technology, and transmits it over the internet to MasterCard, which compares it with a stored code representing the cardholder's face. If the two codes match up, then the purchase will be approved.

Bhalla said that MasterCard will not be able to reconstruct the user's face from the data, and that the information will be transmitted and stored securely.

The company is currently testing the technology with 500 customers, and is planning a broader trial for later this year.

Along with the selfies, the company is experimenting with other forms of identification such as fingerprint scanning and voice recognition.

US Government is moving to HTTPS everywhere

The US government has mandated HTTPS across its federal websites and web services, as it will make access safer for anyone using government sites.

The White House Office of Management and Budget (OMB) issued the HTTPS-Only Standard directive because unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted federal websites and services.

The acronym HTTPS stands for Hypertext Transfer Protocol Secure, and it is used by many commercial organizations to protect visitors to their websites and services. The data it protects can include browser identity, website content, search terms, and other user-submitted information.

OMB received many comments and suggestions from web browsers, Internet-related organizations and concerned people related to its proposal for the implementation of HTTPS-Only Standard. For the conversion to HTTPS, assistance at is available. And a dashboard has been created to keep a track of the process.

“Per the issuance of this memorandum, all publicly accessible federal websites must meet the HTTPS-Only Standard by 31 December 2016,” said Tony Scott, US Chief Information Officer, in a White House blog post.

He also added that HTTPS only assures the reliability of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked, or to keep it from revealing user information during the normal operation of a web service.

“An HTTPS-Only standard, however, will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide,” Scott summed up in the White House blog post.

Kaspersky Lab discovers Grabit, small and mid-sized businesses targeted

Kaspersky Lab has discovered a cyber-spying campaign, “Grabit”, that can steal about 10,000 files from small and medium-sized businesses in areas like chemicals, nanotechnology, education, agriculture, media and construction in Thailand, India and the United States.

Ido Noar, Kaspersky Lab's Senior Security Researcher from the Global Research and Analysis team, mentioned that on May 15 a simple Grabit keylogger was found to be maintaining thousands of victim account credentials from hundreds of infected systems.

The infection starts when a user receives an email with an attachment that is a Microsoft Office Word (.doc) file. The user clicks to download it, and Grabit is delivered to the machine from a remote server.

Because Grabit is still active, it is important for users to check their network to make sure their systems are safe.

HawkEye keylogger, a commercial spying tool from Hawk Eye Products and a configuration module containing a number of Remote Administration Tools (RATs) are used by the attackers to control their victims.

Kaspersky Lab revealed that 2,887 passwords, 1,053 emails and 3,023 usernames from 4,928 different hosts, including Facebook, Twitter, Skype and LinkedIn, were stolen by a keylogger on just one of the command-and-control servers.

To protect against Grabit, Kaspersky Lab recommends that businesses follow these rules:
· Check the location C:\Users\<PC-NAME>\AppData\Roaming\Microsoft. If it contains executable files, you might be infected with the malware.
· The Windows System Configuration should not contain grabit1.exe in the startup table. Run "msconfig" and ensure that it is clean of grabit1.exe records.
· Do not open attachments and links from people you don't know. If you can't open it, don't forward it to others - call for the support of an IT administrator.
· Use an advanced, up-to-date anti-malware solution, and always follow the AV task list for suspicious processes.
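
An added example (not Kaspersky Lab's code and not part of the original report) that automates the first two checks above: it lists executable-looking files in the Roaming\Microsoft folder, recognising them by PE header as well as by extension so that a renamed binary is still found, and looks for grabit1.exe among startup entries. The extension list, the choice to read only the registry Run keys, and all sample data are assumptions of this example.

```python
import os
import sys
import tempfile
from pathlib import Path

# Assumption: extensions treated as executable; the advice only says "executable files".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
STARTUP_INDICATOR = "grabit1.exe"  # file name given in the advice above
# Assumption: only the Run keys are read; msconfig also lists Startup-folder items.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def find_executables(folder, recursive=False):
    """Return sorted (relative path, reason) pairs for executable-looking files.

    A file is reported if it starts with the PE/DOS magic "MZ" (catches
    renamed binaries) or has an executable extension. Top level only by
    default; pass recursive=True to include subfolders.
    """
    folder = Path(folder)
    if not folder.is_dir():
        return []
    hits = []
    for path in (folder.rglob("*") if recursive else folder.iterdir()):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                magic = fh.read(2)
        except OSError:
            magic = b""  # unreadable or locked: fall back to the extension
        name = path.relative_to(folder).as_posix()
        if magic == b"MZ":
            hits.append((name, "PE header"))
        elif path.suffix.lower() in EXECUTABLE_EXTENSIONS:
            hits.append((name, "executable extension"))
    return sorted(hits)


def startup_hits(entries, indicator=STARTUP_INDICATOR):
    """Return names of startup entries whose name or command mentions the indicator."""
    needle = indicator.lower()
    return sorted(name for name, command in entries.items()
                  if needle in name.lower() or needle in str(command).lower())


def read_run_keys():
    """Collect HKCU/HKLM Run-key entries on Windows; empty dict on other systems."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _type = winreg.EnumValue(key, i)
                    entries[f"{label}\\{name}"] = data
        except OSError:
            continue  # key missing or not readable
    return entries


def triage(folder, startup_entries):
    """Run both checks and return the findings as a dict."""
    return {"executables": find_executables(folder),
            "startup": startup_hits(startup_entries)}


# Constructed sample data so the example also runs off Windows.
SAMPLE_STARTUP = {
    "HKCU\\Updater": r"C:\Users\alice\AppData\Roaming\Microsoft\grabit1.exe",
    "HKLM\\SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}


def build_sample_dir(root):
    """Populate `root` with constructed files that mimic the folder being checked."""
    root = Path(root)
    stub = b"MZ\x90\x00" + b"\x00" * 60               # minimal DOS-header stub
    (root / "Credentials").mkdir()
    (root / "Credentials" / "svc.exe").write_bytes(stub)
    (root / "notes.txt").write_text("plain text\n")
    (root / "grabit1.exe").write_bytes(stub)
    (root / "invoice.dat").write_bytes(stub)           # executable renamed to .dat
    (root / "empty.scr").write_bytes(b"")              # extension only, no header
    return root


if __name__ == "__main__":
    if sys.platform == "win32":
        # %APPDATA% resolves to C:\Users\<user>\AppData\Roaming
        print(triage(Path(os.environ["APPDATA"]) / "Microsoft", read_run_keys()))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            print(triage(build_sample_dir(tmp), SAMPLE_STARTUP))
```

A hit from either check is a reason to investigate the file, not proof of infection.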

North Korean hackers, now have power to kill

Prof Kim Heung-Kwang, a defector from North Korea who escaped from the country in 2004, has revealed that North Korean hackers have enough control over infrastructure that they could theoretically even kill people.

The Professor revealed this piece of information to the BBC and said that North Korea had around 6,000 trained military-grade hackers. He has urged international organizations to step in and defuse the threat North Korea's hackers are becoming.

Before defecting from North Korea, Prof Kim taught at the Hamheung Computer Technology University for 20 years in the field of computer science.

Bureau 121, North Korea's hacking unit, has been widely accused of being responsible for recent hacks like the Sony Pictures one that occurred last year.

Many of the attacks of North Korea seem to be focused on their immediate neighbor, South Korea.

Megaupload domains serve malware and scam ads to website visitors

Three years ago, the US government had seized several Megaupload domains that are now directing visitors to malware scams and ads. The domains, namely Megaupload[dot]com and Megavideo[dot]com, are being exploited by cybercriminals to supply malware and carry out scams.

The domains were seized back in January 2012, and the trial and hearing have been delayed since the New Zealand police raided the mansion of Kim Dotcom in Auckland and closed the online file locker storage website. US officials still hope that New Zealand will hand him and his colleagues over.

The domains redirect people to a Zero-Click advertising feed which feeds malicious links to malware installers and other malicious ads.

Many of these redirects try to trap the visitors with the chance of winning iPhones for cheap. One of the malicious ads serves as the link to a false BBC article, offering the iPhone 6 for only £1.

It is said that the reason behind the exploitation of the domains is the failure of the FBI cybercrime unit in controlling the main nameserver, which was previously registered to the Cyber Initiative and Resource Fusion Unit (CIRFU)., the domain name for, points to a server in The Netherlands hosted by LeaseWeb; and the domain lists Syndk Media Limited as the registrant.

It seems that Megaupload and Megavideo are serving malicious ads run by a third party because the domain used as a nameserver by the Department of Justice has either expired or been taken over via other means, and is no longer controlled by the Government.

“With U.S. Assistant Attorney Jay Prabhu the DOJ in Virginia employs a guy who doesn’t know the difference between civil & criminal law. And after this recent abuse of our seized Mega domains I wonder how this guy was appointed Chief of the Cybercrime Unit when he can’t even do the basics like safeguard the domains he has seized,” Megaupload founder Kim Dotcom commented.

“Jay Prabhu keeps embarrassing the U.S. government. I would send him back to law school and give him a crash course in ‘how the Internet works’,” Dotcom adds.

Apart from these domains, various poker sites seized previously, naming and also are linked to malicious content now.

Will Cyber Security Companies shift their Headquarters out of US?

Until now, nuclear, radiological, chemical and biological weapons have been considered weapons of mass destruction (WMD).

The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology, is proposing to classify cyber security tools as weapons of war in an attempt to control their distribution.

Tools used for the extraction of data or information from a computer or network-capable device, or for the modification of system or user data, will come under this law and are being classified as intrusion software. Tools designed to avoid detection by 'monitoring tools' (antivirus, IDS/IPS, endpoint security products) will also be considered weapons.

Any penetration testing products designed to identify security vulnerabilities of computers and network-capable devices fall under this category.

"The proposal is not beneficial. Most vulnerability scanners and penetration testing products come under it. The proposal means tools from US companies which have been used to do assessments and audits in corporate will need to go through the clearance. It could also lead to corporate getting tracked," says J. Prasanna, founder of Cyber Security and Privacy Foundation (CSPF).

Most of these cyber security firms would either have to convince their worldwide clients to go through the process or shift their headquarters out of the USA.

Prasanna pointed out that the US government tried to stop the export of cryptography in the past, but Russian, European and Israeli companies gained an advantage from the cryptography restriction.

He said that the new proposal is bad news for cyber security researchers. If it becomes law, it will force them to find a new way to beat cyber criminals.

"Hackers are already many steps ahead of us. Some tools like Canvas and Metasploit Pro are important tools for penetration testing," said Prasanna.

Thomas Dullien, Google Researcher, said "addition of exploits to the Wassenaar arrangement is an egregious mistake for anyone that cares about a more secure and less surveilled Internet" in his personal blog.

Rapid7, a Boston-based cybersecurity firm, well known for its Metasploit Pentesting framework, said that they are investigating implications of Wassenaar for Metasploit and security research, and working on comments for the consultation.

According to the proposal, the governments of Australia, Canada, New Zealand or the UK will get favorable treatment for license applications, as they have partnered with the US on Cyber Security Policy and issues.

The BIS is seeking comments before 20th July 2015 on the proposed rule.

‘India should learn from Russia and China agreement’ says security expert

India should learn from the recent cyber-security agreement between Russia and China, in which both countries agreed not to launch cyber attacks against each other, an Indian cyber-security expert said on Thursday.

J. Prasanna, cyber-security expert and one of the founders of Cyber Security and Privacy Foundation (CSPF), an organization which solves cyber security problems, said that India should join such initiatives as they provide a chance to share information among the law enforcement agencies of different countries.

“The agreement is good for China and Russia,” he said.

“However, such agreements are only possible when both of the sides (countries) have equal capabilities,” said Prasanna. “Similarly, they should have advanced cyber capabilities.”

According to the agreement, which was signed on May 8 and provided by The Wall Street Journal, Russia and China agreed to share information between law enforcement agencies, share technologies and ensure security of information infrastructure.

Similarly, these countries have agreed not to “destabilize the internal political and socio-economic atmosphere," or "interfere with the internal affairs of the state".

The agreement is said to be the result of the revelations about US and Western nation hacking and surveillance operations by former US National Security Agency contractor Edward Snowden. After the revelations, Russian lawmakers had demanded tighter control over the Internet.

It is also believed that the agreement shows that Beijing and Moscow support changes to global Internet governance that would reduce the traditional role of the U.S.

Last year, Russian Communication Minister Nikolai Nikiforov said Russia was preparing an action plan as a backup plan in case the segment of the Internet was shut down from outside.

“For Russia the agreement with China to cooperate on cyber security is an important step in terms of pivoting to the East,” Oleg Demidov, a cyber-security consultant at the PIR Center, an independent think tank focusing on international security, told The Wall Street Journal. “The level of cooperation between Russia and China will set a precedent for two global cyber security powers,” Mr. Demidov said.

Couple has important message for other parents

Recently, a couple in Washington gave out an important message to other parents, after they had discovered their baby monitor had been hacked.

A couple in Minnesota, whose baby monitor had also been hacked earlier, had been in the news before.

“We don’t know if they could hear but we know that they were watching, for sure,” said a parent.

The couple had been using the monitor to keep an eye on their three-year-old, who complained that somebody had been talking to him over the monitor at night.

Upon investigation they found out that their baby monitor had been hacked and was being controlled by hackers.

“It got me worried that they’ve seen things maybe they shouldn’t see that are private, our privacy’s been hacked,” said the parent.

GTA V users accounts have not been hacked but change passwords to ensure safety

In a response to a number of reports from Grand Theft Auto V (GTA V) users who said their Social Club accounts have been hacked and even modified, Rockstar Games Social Club (RGSC), a hub for GTA V and other games, has confirmed that the accounts have not been hacked.

However, users can change their passwords in order to prevent their accounts from being hacked in the future.

After receiving a number of complaints via Twitter from users who could not log in to their accounts or play games, the company sent a statement to Kotaku Australia.

According to the statement, the accounts have not been hacked. It seems that some unknown users or website tried to access other users' accounts using email and password combinations. However, the company is in the process of restoring the affected accounts to their original state. It also advised users not to reuse their Social Club account username and password on other websites. They should keep different passwords and usernames for their different accounts.

“We are responding to customers, whose accounts got affected, to reinstate full user access within 24 hours of contacting Customer Support. Please keep looking at the Rockstar Support website for more information and updates,” the statement said.

Earlier, it was said that more than 2500 GTA V user accounts had been hacked. People were also facing problems with drivers, download speeds from Steam, and FPS hiccups while playing games.

Similarly, many users complained as the RGSC took a lot of time to take any initiative.

A GTA V user wrote on the Rockstar Support page, “I purchased the game before it got released and got my pre-order bonus. Everything was great until Wednesday night, when I received an email saying that my email address and password on social account has been changed.”

He added that he immediately emailed Rockstar Support. When he did not get any reply, he called the support team. They gave him a ticket number 3579087 and said it was escalated. Since then, he hasn’t received any information on how long it will take to get his account back.

Flaw in Sync photos feature on Facebook mobile app

A new flaw has been detected by a hacker in Facebook, which allows any malicious application to view your synced mobile photos.

The Sync photos feature allows users to sync their mobile photos with their Facebook account, and the photos remain private until you publish them. But by default this feature is turned on in many mobile phones.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API handles these synced photos, and that this endpoint is vulnerable.

The Facebook app would retrieve the synced photos by making an HTTP GET request to a specific URL with a top-level access token, which enabled a malicious app to read all your private photos in seconds.

Laxman Muthiyah reported this flaw to the Facebook Security Team. They pushed a fix in less than 30 minutes and rewarded him $10,000 USD as a part of their bug bounty program.

PHP has fixed several vulnerabilities allowing remote code execution

The PHP development team has released new versions in order to fix three security vulnerabilities, one of which is said to be critical and leads to remote code execution.

The vulnerability identified as "CVE-2014-3669" can cause an integer overflow when parsing specially crafted serialized data with unserialize(). The vulnerability affects only 32-bit systems, but it is dangerous because serialized data often comes from user-controlled channels.

In addition, the updates correct errors associated with the introduction of a null byte in the cURL library, dynamic memory corruption when the exif_thumbnail() function processes modified data during image processing (CVE-2014-3670), and a buffer overflow in the mkgmtime() function of the XMLRPC module (CVE-2014-3668).

These vulnerabilities were discovered by the research lab of IT security company High-Tech Bridge.

The new versions 5.6.2, 5.5.18 and 5.4.34 address these three vulnerabilities.

Pakistan targets Indian Officials with FinFisher malware

WikiLeaks last month released a set of documents and copies of 'weaponized malware' developed by FinFisher company which is said to be used by Governments around the world to spy on journalists, political dissidents and others.

Cyber Security & Privacy Foundation (CSPF) has recently published a report providing a few details that might shed an “Indian perspective” on the leaked information.

CSPF noted that a screenshot containing the target list of a Pakistani customer has 16 Indian IP addresses and only 2 Pakistani IP addresses, suggesting limited “domestic” use.

"One of the Exe’s leaked by Wikileaks '' MD5:074919f13d07cd6ce92bb0738971afc7 when opened shows the image of 'khushab nuclear reactor ' in Pakistan." The report reads.

"This might have been used to target Indian Officers as they might be tempted to click on it and view the image".

Antivirus Test conducted by Cyber Security & Privacy Foundation

Cyber Security & Privacy Foundation (CSPF) has members with more than 30 man-years of experience in the antivirus industry. Recently, due to popular demand from its members, CSPF decided to test good antivirus products.

CSPF chose Avast antivirus and ESET NOD32 for testing from the various antivirus products available.

Among all the products, CSPF chose ESET NOD32 as best suited for the Indian environment. ESET NOD32 has also shown consistency in various international tests over the last few years.

New Android malware 'Samsapo' spreads via Text Messages

If you get an SMS from your friend asking "is this your photo?" with a link, will you open the link or not? We want an honest answer. Most people will click the link.

If you do so, your device might get infected by a new type of Android worm!

Malware analysts from security firm ESET have discovered an interesting piece of malware, called "Android/Samsapo.A", that spreads via text messages.

So far, the malware appears to be targeting Russian users. Once your device is infected with this worm, it will attempt to send an SMS with a malware link to your contact list in an attempt to infect your friends.

Cyber criminals use an old social engineering trick to lure users into installing the malware. It sends a message that says "is this your photo" in Russian (Это твои фото?) with a link to an Android application package (APK).

The malware is capable of downloading additional malicious files. It is also capable of stealing phone numbers, text messages, personal data and device info from the infected device. It doesn't stop at spying: it also registers the victim's number to premium-rate services, so the victims will lose money.