WoW players targeted with fake version of Curse Client containing malware

Blizzard yesterday warned World of Warcraft (WoW) players about a new piece of malware disguised as the Curse client that attempts to hijack victims' accounts.

The fake version of the Curse Client is served from a fake version of the Curse Client website. The fake website appears in the search results when users search for the Curse client in major search engines.

If you believe you are one of the victims, or simply want to make sure, you can download the updated Malwarebytes software. It currently detects and removes the malware in question.

If you are technically inclined, you can also follow a manual removal method posted by one of the users in their support forum.

20 out of 48 antivirus engines detect the malware on VirusTotal. However, some of the major antivirus products fail to detect it.

Users are always advised to download software from the official website or from trustworthy third-party websites such as Softpedia and CNET.

Reserve Bank of India warns public against use of Virtual Currency Bitcoin

The Reserve Bank of India (RBI) has issued a warning against the use of virtual currencies such as the controversial Bitcoin, saying that they pose potential financial, legal and security related risks.

RBI warned in its press release that creating, trading or using any virtual currency, including Bitcoin, Litecoin, BBQCoin and Dogecoin, is not authorized by any central bank or monetary authority.

RBI said that since virtual currencies are stored in digital form (electronic wallets), they are prone to losses arising from hacking, loss of password, compromise of access credentials and malware attacks.

The warning comes a few days after the Chinese government banned the use of Bitcoin by the country's banks, pointing out the risks of using virtual currency.

Earlier this month, the French central bank also issued a warning about Bitcoin transactions.

Hacker sent emails from hacked Police account

The Belington Police have issued a warning about a spam email purportedly from the Belington Police Department.

According to The Exponent Telegram, the account of a police officer was hacked by cyber criminals, who sent around 500 emails from the hacked account.

Sgt. J.L. Hymes told The Exponent Telegram that the email asks recipients to donate money, claiming it is for a child in Ukraine.

Hymes said police will contact the recipients either in person or by phone. They also provided a department contact number, (304) 823-1613, in case residents want to verify any police contact.

Cyber Security Awareness: How a Grandma got phished by a Hacker

Christmas is getting closer, and children are expecting gifts from Santa Claus. I'm not sure whether Santa is going to send gifts to your children, but cyber criminals definitely have a keen interest in sending phishing emails to you.

Now you should be extremely cautious about emails claiming to offer special Christmas deals or free Christmas gifts.

University IT at the University of Rochester has uploaded a funny video to YouTube called "Grandma Got Phished by a Hacker" to create awareness of cyber security.

They have conveyed the warning about phishing mails in a funny way.

The University has also launched a new service called "Proofpoint Targeted Attack Protection", which is designed to improve the protection of University mail systems against phishing attacks.

CyberTech 2014, International exhibition & conference for Cyber solutions

CyberTech 2014 is one of the best international cyber security conferences, to be held in Israel and inaugurated by Israeli Prime Minister Mr. Benjamin Netanyahu.

Leading multinational companies, over a hundred start-ups, private and corporate investors, experts and many more are going to participate in this event.

The keynote speakers of the event are leading cyber security experts, including Chairman and CEO of Kaspersky Lab Eugene Kaspersky, Head of the Israeli National Cyber Bureau Dr. Eviatar Matania, and Senior Vice President of Cisco Systems Bryan Palma.

Cyber Security Privacy Foundation (CSPF) is interested in taking a delegation of corporates/companies to Israel.

Indian companies that would like to tie up with Israeli hi-tech cyber start-ups can contact CSPF. If you need any assistance in getting a visa to Israel for the conference, you can also contact CSPF.

Contact Details of CSPF:

Facebook spam abuses Microsoft Translator

We recently investigated the Facebook spam that abuses the McAfee URL shortener and Google Translator and published our report.

Today, we have come across a new Facebook spam campaign that abuses Microsoft Translator to redirect victims to the spammer's site. I have come across different variants of this spam campaign within the last 24 hours.

The list of variants used in this campaign includes the old profile viewer trick: "Profile Viewer version 4.6 : Check who views your profile at link in Description".

Facebook profile viewer spam

Facebook SPAMs

Unfortunately, I can't share screenshots of the other variants as they contain adult images. So here I am sharing only the descriptions from the spam pictures:

  • Look what she did after drinking, Video link in description
  • Looks like she enjoyed it, Video link in description
  • They gone too far
  • Massive japanise org* sports, Follow the link to watch video
  • Beautiful girl on facebook, click on the link to know about her
  • Got caught making hot video on cam, Video link in description
  • You can't believe she did it in bus, Follow the link to watch video
  • Got caught in library, Video link in description
  • "She was seduced by her own uncle, find video link in description"

All of the spam posts contain a "" link (URL shortener) that redirects the victim to the Microsoft Translator page. Microsoft Translator is abused to hide the original spammer website and to redirect the victim to it.

What's worse about these spam campaigns is that even security researchers fall victim to the spam. Today, one of my friends fell prey to a post promising a "Free Gift Card to spend at Starbucks!". So it is useless to blame normal users. I believe they will realize their mistake once they find themselves victims of the attack.

Please share this article with your friends and spread awareness about Facebook spam.

Stay tuned! I'm starting my investigation on this new campaign ;) This article will be updated if I find anything interesting.

90+ Russian malicious domains used by Kelihos group taken down by Malware Must Die

Exclusive: Malware Must Die (MMD), a team dedicated to malware analysis research, has taken down more than 90 Russian domains which have been confirmed as malicious.

It is part of their ongoing operation named "Operation Tango Down", which deactivates malicious domains with the help of the authorities. Several malware domains have been suspended.

Today, MMD announced that they are shutting down 97 .ru domains that serve the notorious Kelihos Trojan for the Red Kit exploit kit.

Suspended Malicious .Ru domains - Image Credits: E Hacking News

According to the blog post, "the Kelihos Trojan were distributed in (mainly) East European (Ukrainian, Latvia, Belarus, Russia) and Asia servers (Japan, Korea, Taiwan and Hongkong) as the secondary layers, with also using the scattered world wide hacked machines".

You can find further details and the full list of suspended domains on their blog:

Facebook Spam abuses McAfee URL Shortener and Google Translator

Yesterday we got a notification about a new Facebook spam from one of EHN's readers. What's interesting about this new spam is that it abuses the McAfee URL shortener to hide the malicious URLs.

The spam post contains an adult picture saying "Emma Watson Star of Harry Potter made a sex Tape" and "Link in the description".

Clicking the link takes the victim to the Google Translator page. Within a few seconds, you are redirected from the translator to another page, hosted on the free hosting service "".

As usual, the victims are asked to copy and paste a URL that contains their Facebook access token in order to "verify their age".

Facebook Access token stealing - Image Credits: E Hacking News

Once you click the "Activate" button, it displays a pop-up saying "8 New comments". Clicking the "continue" or next button takes you to a Facebook app that asks for permission to access your public profile, friend list, email address and birthday.

The spammers are not asking for your birthday in order to send you birthday wishes :P. The collected information will be used in future spam or for other malicious purposes.

Permission to Access personal Information - Image Credits: E Hacking News

In the background, the spam post is posted to your wall and your groups on your behalf using the stolen access token. From what I observed, the spam also abuses alturl, tinyurl, linkee and other URL shortening services.

We have already warned you that Facebook is not the right place to watch porn. Please spread this article and create awareness about Facebook spam.

We got a notification from one of our users that the same group is posting spam using Twilight star Kristen Stewart's name.

Update 2:
Redirection flow:
Url shortener link-->Google Translator --> --> -->

The whois details of
  • Registrant Name: Ngl Power
  • Street: Nonteladico 23
  • City: Roma
  • Email address:

Other Domains registered by the same person:

The has a text saying "If you're here maybe you're trying to steal my scripts. If so good luck" with a page title "NGL's viral scripts".

The has also been used in the Rihanna sex tape Facebook spam attack at the start of this year.

*Update 3 - Tracking the Spammer:
My friend Janne Ahlberg and I investigated the spam and found some interesting things. Here I am sharing with you what we have found.

We started our investigation with the domain registrant name "Ngl Power". With a few hints, we managed to find the profile of the cyber criminal on one of the top underground hacking forums.

He is distributing malicious Facebook spam scripts to other cyber criminals. From our investigation, we found that he has been distributing malicious scripts since 2010. It appears he is the criminal behind several Facebook spam campaigns.

He has provided malicious scripts for the following spam campaigns:
  • "98 Percent Of People Cant Watch This Video For More Than 15 Seconds"
  • "Busty Heart - The woman that can smash things with her br****ts!"
  • Man accused of trying to hide stolen TV in his pants
  • Find Your Facebook Stalkers
  • Dad walks in on daughter... EMBARRASING!!!
  • This is what Happend to his Ex GirlFriend
  • John Cena died of a head injury
  • Justin Bieber Sex Tape

Janne found a thread posted in the forum by another cyber criminal, "kira2503", saying "NGL's money is refunded", with a screenshot that displays the possible real name of NGL.

However, what I observed from the thread is that the spammer (NGL) appears to have been scammed by a scammer (kira2503). So we can't be sure whether the name shown in the screenshot is the true one or not.

Our investigation led us to a "Facecrooks" Facebook fan page where they have warned about the Facebook spam.

One of the comments posted by a user on the page reads: "Really Angelo Tropeano?? You think with a pic of Facecrooks x'd out .. on a thread > Warning us NOT to click links Anyone is going to fall for your malware attempt?? Shameful. Reported".

One more user posted a comment: "the troll known as angelo's link resolves to a html file on tumblr hxxx:// 93561071". Following the Tumblr link leads us to "hxxx://". Yes, it is the same domain used in the recent attack.

The following profiles might be associated with the spammer:

YouTube profile: hxxx://

Spammer's Blogger

Blogger: hxxx://

Spammer's Twitter account

Twitter: hxxx://

We are still investigating the campaign. If we find anything interesting, we will update this article.

Hackers convince bank to send $15,000 wire transfer with the help of hacked Gmail account

It is time to enable Google's two-step authentication feature. If a website provides you with an additional security feature, it is always good to use it. This news will help you understand the risk of ignoring such features.

Cybercriminals hacked the Gmail account of a Dubai-based Indian expatriate, Anil Abraham, and used the account to convince his bank to transfer $15,000 from his bank account in India.

When Anil contacted the bank, he was told by the branch manager that the money had been transferred at his own request, made via email. The cybercriminals reportedly sent a signed document with the email to trick the bank into transferring the money.

According to the Emirates247 report, the money was transferred to someone named Garry Albert Frazer, into a Westpac bank account in New Zealand.

Anil said whoever hacked into his email account had managed to steal financial information and used it to write to the bank with a forged signature.

I'm still wondering how the bank allowed the cyber criminal to steal the money; they usually don't allow us to transfer money via email without any personal verification. As far as I know, banks are always careful when it comes to large transfers - $15,000 (nearly 90,0000 Rupees).

Though it is the bank's mistake, it is always good to enable security features on your side. Don't wait until your account gets hacked; enable two-step authentication:

Using the Internet?! Then don't expect privacy, #PRISM is here!

Yes, if you are using the Internet, then forget about privacy. A recent report from the Guardian is another example confirming that privacy on the Internet is an illusion. The whistleblower Edward Snowden has leaked a few files that confirm Microsoft's collaboration with the U.S. authorities.

According to the Guardian report, Microsoft helped the NSA and FBI access unencrypted messages sent over Outlook web chat, Hotmail and Skype.

Microsoft also helped the authorities access its cloud storage service SkyDrive. Skype video and audio calls were also reportedly being collected through PRISM.

"Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in that allows users to create email aliases," the report reads.

A malicious WhatsApp contact file changes your contacts' names to Priyanka

An Android user has reportedly received a malicious WhatsApp contact file which is capable of changing your WhatsApp group names and contact names to Priyanka.

A blogger, Shivam, reported on his blog that he received a contact file from a relative. After he added it to his contacts, the file managed to replace the group names with "Priyanka".

It is not clear what exactly the malware does other than changing the names. No one is going to spread malware without any profit, or the malware authors might be fans of "Priyanka Chopra" :P.

Infected whatsapp - Image Credits: TheAndroidSoul

The malware requires the user to accept the contact. So users are advised not to add it to their contacts.

Anyone who has a sample of this malicious contact file, please mail it to us if possible.

Secure Gmail Chrome extension to encrypt Gmail Messages

Are you worried about privacy and PRISM? Would you like to add a little security to your confidential mails? Then here is a small solution for you. SecureGmail is a Google Chrome extension that allows you to encrypt your Gmail messages before sending.

Once you have installed the extension, you will see a lock icon next to the Compose button in Gmail. Just click the icon to send a secure mail. Once you click the icon, you get the normal Gmail "compose" interface with the title "Secured".

In secure mode, Gmail can't track what you are typing and won't be able to save the message as a draft.

Click the "Send Encrypted" button; you will now be asked to enter a password. A long and strong password is good, and don't enter any hints.

The best part is that encryption is done on your local machine, so Google won't be able to read the plain-text message.

The recipients will be able to decrypt the message only if they have the password, which you can pass on to them (but don't send it over the Internet).

It is an open source project, which means you can review the source code of the extension and help/share your ideas to improve it.
Here you can download it:

* Using the same password for all messages is not a good security measure, but unique and strong passwords will be hard to remember.

You can use our comment section to share your thoughts about this extension. Do you think it will provide complete protection against privacy problems?

South Korean Defense Ministry bans smartphone usage to prevent military data leaks

The South Korean Defense Ministry is banning its staff from using Internet connectivity and camera functions inside the Ministry's building, in a move to prevent military information leaks, according to Yonhap News.

According to the newly implemented mobile device management plan, employees will be required to install a smartphone app that deactivates most of the smartphone's features while they are inside the building.

Employees will still be able to make phone calls or send text messages, but those who have an Apple iPhone will only be allowed to do that.

Visitors won't be allowed to carry any mobile phones inside the Ministry's building. The plan goes into effect from July 15.

The Defense Ministry said a trial run will be held first, and it would consider revising the plan if necessary.

Crypted Files in Cyber Espionage

Cryptors are programs used to make files FUD (fully undetectable by antivirus).

A cryptor can make an EXE file undetectable by antivirus. Most cryptors are commonly available, and once you buy a license they can be used to make files undetectable by antivirus.

However, antivirus companies keep tabs on almost all cryptors and keep adding signatures for all the stubs. So cryptor authors come out with private versions and unique private versions of their cryptors.

However, portions of the code used in the public version are reused in the private version, making it detectable very quickly.

There are a few cryptors like darksane, fileprotector, aegiscryptor, xprotect and shiekh cryptor which are available for $50-$200 for a 6-month license. All these cryptors give you a scan once you crypt the file. But these scanners are offline only, so even if you get 37/37 FUD, and even though cryptors make tall claims about bypassing all known antivirus, these claims are often not true. The FUD scan you run uses elementscanner, which can scan against 43 or 37 antiviruses and show that the file is FUD.

But antivirus often detects them when they are executed on the machine.

CSPF was approached by a corporate company which had suffered a series of cyber espionage attacks; we evaluated all the files and found these attacks were carried out by spyware (built using cryptors).

CSPF did an evaluation of these crypted files in run-time execution, and most of these crypted files get detected at run time. We also evaluated the so-called private unique stubs written by cryptors; almost every single file got detected by Kaspersky and NOD32 at run time.

J Prasanna, Tech CORE, Cyber Security & Privacy Foundation

Incapsula Login Protect - Boost your website security with two factor authentication

Exclusive: Do you want to protect your admin panel and feel that just a password is not good enough to secure your website? Incapsula is introducing a new security feature, "Login Protect", to boost website security.

Login Protect is a flexible and easy-to-integrate two factor authentication solution. Incapsula clients can use it to deploy two factor authentication (2FA) on any URL (or URL group).

With Login Protect you can:
  • Protect login to administrative areas (e.g., Wordpress or Joomla admin)
  • Protect remote access to corporate applications (e.g., employee portal, web mail)
  • Restrict access to sites or parts of a site (e.g., staging or invitation-only areas)

Unlike other 2FA services, Login Protect's integration requires absolutely no coding, database modification or use of additional hardware (i.e. security keys).

All Incapsula clients, free or paid, will be able to benefit from this new feature and the extra layer of protection it provides to their websites and web applications.

"By now, the need for Two Factor Authentication should be quite obvious. Still, many website owners and web developers shy away from 2FA, mostly due to the complexity of integration," Igal Zeifman, Incapsula Product Evangelist, told EHN.

"We aim to change that by providing a flexible and easy-to-use 2FA solution – a solution that anyone can use to secure their login pages, internal portals, staging areas and web applications."

Adriana Lima FuckTape! - Another Facebook spam campaign uses a new trick

Here we go: E Hacking News has come across a new Facebook spam campaign titled "Adriana Lima FuckTape!". I became aware of this spam after a few Facebook friends got infected by this campaign.

According to Wikipedia, Adriana Lima is a Brazilian model and actress who is best known as a Victoria's Secret Angel since 2000. (Sorry, I didn't know about her before cybercriminals started to use her name :P)

Unfortunately, I can't post the screenshot of the spam post as it contains adult pictures. The spam post reads: "Adriana Lima FuckTape! Watch: hxxx://".

At first, I thought it was a real porn website (the name made me believe so, and they didn't use any URL shorteners). So I didn't follow the provided link and asked friends how users were getting infected. Suddenly, I realized that it is the spam website ;)

I followed the link and the website greeted me with a GIF image mimicking an embedded YouTube video player. The video player displayed an error message saying "Sorry, you must be 18+ to view this video. Click to verify".

Here comes the interesting part. Cybercriminals have implemented a new method to trick Facebook users.

Once you click the image, it asks you to "Move the favicon out of the box". I hope you know what will happen when you follow the instructions: your account will be compromised.

When you drag the favicon, you are actually dragging the URL opened in the small browser window (the URL contains the Facebook access token). You are unwittingly handing over the Facebook access token to the cybercriminals. Using the stolen token, they can post from your Facebook account.

This new method is quite different from the previous method used by the spammers in the recent spam campaign titled "She went inclusively nuts and lost all control of the razor-sharp axe".

Disclosing security vulnerabilities in India

Security researchers usually disclose vulnerabilities openly on the Internet, as in full disclosure. But most often the researchers don't realise that this is illegal and can be punished by law under the IT Act and other IPC sections, and that it can have fatal consequences.

When a researcher detects a vulnerability, he often reports it to the company, but most often the companies don't reply to his message. If the company is not interested in taking action, the researcher feels that disclosure is in the greater interest of national security/public security.

He can send the vulnerability report again to the company and send a copy to CERT-In (central emergency response team). Most often CERT-In responds to the hacker/researcher, and also contacts the company and advises them to fix it. There is no proper format for reporting; it would be nice if the government could come up with a framework that allows a proper vulnerability disclosure policy.

If the company does not fix it, the researcher can wait a month before disclosing it fully to the community through media (online and offline), and should also offer proof that he communicated enough with the company and with CERT-In before releasing it.

However, does this protect the researcher from prosecution? If the victim company decides to go the legal route, the researcher can be prosecuted for publishing the vulnerability.

Some incidents have been seen where hackers work for a company and, because of various problems they had with the company, get involved in revenge hacking. If any crime involves premeditation or pre-planning, the crime is considered serious under any law. Such actions are totally illegal.

Many companies like FB and Google offer bounties to hackers. Bugs can be reported to these companies. However, if the companies don't accept these vulnerabilities, they can be reported to CERT-In and then publicly.

The law does not protect the reporter of a vulnerability. It becomes the responsibility of the hacker/researcher to prove that he did it for the greater social good (which could mean a lot of headache with the law). If the government does not come up with a proper framework, it is going to drive hackers to report vulnerabilities anonymously, fearing prosecution by the police (with the victim/company complaining).

What happens to hackers who publish vulnerabilities openly without going to CERT-In and the companies? They do it, of course, to get fame, or because they really did not want it fixed. Most companies will view these hackers as unreliable due to their poor full-disclosure practice and won't hire them for anything important. They lose opportunities.

It is recommended that proper reporting is followed: first to the company that is the victim, followed by reporting to CERT-In, giving them enough time to fix the issue. Only if the vulnerability can affect the public at large and no action was taken should the other option of full disclosure be considered.

Author: J Prasanna, Founder, Cyber Security & Privacy Foundation

New 'KeyBoy' malware targets users from India, Vietnam

Security researchers have discovered a new piece of malware that targets users in India and Vietnam. The backdoor is designed to steal information from the victim.

The malware campaign uses well-crafted Microsoft Word documents that exploit a patched vulnerability in Microsoft Office to drop a new piece of malware referred to as 'KeyBoy', according to Rapid7.

The first document found by the researchers, targeting users in Vietnam, is written in Vietnamese and is about reviewing and discussing best practices for teaching scientific topics.

The second document found by the researchers is written in English with the title "All INDIA Bharat Sanchar Nigam Limited Executives' Association". The title suggests the document is designed to target Indians. The report says the document pretends to be authored by someone called Amir Kumar Gupta.

Once the crafted documents are opened, they attempt to exploit known remote code execution vulnerabilities in Microsoft Office. If successful, the documents install a backdoor dubbed 'KeyBoy'.

After analyzing the malware, researchers identified code designed to steal the login credentials stored in the Firefox and Internet Explorer browsers.

Diet Spam now exploits open redirect vulnerability

Yes, one cannot simply ignore open redirect vulnerabilities. For those who think an open-redirect vulnerability is not a critical bug, the recent spam campaign is the best example of how low-severity bugs can be abused by cybercriminals.

"These issues are not a direct threat to the site itself. Users are targets - sites should protect them," security researcher Janne Ahlberg said.

A few days ago we reported that spammers were exploiting CNN's open redirect vulnerability to spread diet spam. CNN fixed the bug after we managed to contact CNN with the help of Mikko Hyppönen.

However, I know fixing the bug at CNN is not going to stop the campaign. There are plenty of top websites vulnerable to the open-redirect security flaw. So cybercriminals always find another open door once we close one.

Today, we got notified by Janne that attackers are now exploiting the open redirect bug in - one of the top web search engines, with an Alexa rank of 29.

The attackers are using the same tweet content but have changed the link.

"I plan to lose atleast 40 pounds with your diet program! hxxx:// …"

Apparently, the vulnerability was reported to the company by a security researcher, sony, in 2010, but they failed to fix it.

I have also discovered that CNN has one more unfixed open redirect security flaw:

There are plenty of websites that fail to take care of their security. They don't even have an email address or a contact form where bug reports can be sent. It is time to create an email address specifically for reporting bugs, e.g. security@your-site.com.
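The open-redirect pattern the diet spam rides on, shown as an added example that is not code from E Hacking News or from any of the sites named above: a naive redirect handler that echoes a caller-supplied target beside a hardened one that only follows targets on the site's own host. The host www.example-news.com, the ?next= parameter name and the sample targets are all constructed placeholders.

```python
"""Open redirect: vulnerable handler beside a hardened one (added example)."""
from urllib.parse import urljoin, urlparse

SITE_HOST = "www.example-news.com"      # assumption: host of the site being protected
SITE_BASE = "https://" + SITE_HOST + "/"
DEFAULT_TARGET = "/"                    # where rejected redirects are sent instead


def redirect_target_vulnerable(next_url: str) -> str:
    """The classic open redirect: whatever ?next=... says is sent back as the
    Location header. A spammer can therefore publish a link on the trusted
    site that lands on their own page (//evil.example, http://evil.example, ...)."""
    return next_url


def redirect_target_safe(next_url: str, default: str = DEFAULT_TARGET) -> str:
    """Resolve next_url against the site and return it only if it still points
    at SITE_HOST over http(s); anything else falls back to `default`."""
    if not next_url:
        return default
    candidate = next_url.strip()
    # Backslashes and control characters are normalised by browsers in ways
    # urllib does not model ("/\\evil.example" becomes "//evil.example"), so
    # refuse them outright rather than trying to reason about them.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in candidate):
        return default
    # Resolve relative targets ("/diet", "news/1") to an absolute URL on our
    # host. Absolute and protocol-relative targets keep their own host.
    resolved = urljoin(SITE_BASE, candidate)
    parsed = urlparse(resolved)
    # Only plain web schemes; this drops javascript:, data:, file: and friends.
    if parsed.scheme not in ("http", "https"):
        return default
    # .hostname strips userinfo and port and lowercases, so
    # "https://www.example-news.com@evil.example/" is seen as evil.example.
    if parsed.hostname != SITE_HOST:
        return default
    # Return the resolved absolute URL, never the raw input, so the browser
    # cannot re-interpret a relative form differently from how we did.
    return resolved


# Constructed samples of the kind of ?next= values a redirect endpoint receives:
SAMPLE_TARGETS = [
    "/health/diet-tips",                           # legitimate, same site
    "https://www.example-news.com/news/1",         # legitimate, absolute
    "//evil.example/diet-pills",                   # protocol-relative hop off-site
    "http://evil.example/diet-pills",              # plain off-site hop
    "https://www.example-news.com@evil.example/",  # userinfo trick
    "javascript:alert(1)",                         # non-web scheme
]


def classify(targets):
    """Return (target, vulnerable_result, safe_result) for each sample."""
    return [(t, redirect_target_vulnerable(t), redirect_target_safe(t)) for t in targets]


if __name__ == "__main__":
    for target, vuln, safe in classify(SAMPLE_TARGETS):
        print(f"{target!r:48} vulnerable -> {vuln!r:48} safe -> {safe!r}")
```

The vulnerable handler hands every sample back unchanged; the hardened one keeps only the two on-site targets and sends the four off-site or non-web ones to the default page.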

EC-Council hacked by Godzilla for creating cyber security awareness

Yes, it is cyberspace; here no one can assure 100% security, but that doesn't mean you can ignore security holes. Godzilla, the hacker who breached Pakistani government websites a few months ago, has claimed to have identified multiple security flaws in the EC-Council website (

EC-Council is best known for its professional certifications in the IT security field, especially 'Certified Ethical Hacker (CEH)'.

The hacker claimed to have gained access to the admin desk and accessed the course materials for CEHV8, CHFIV4, ECSS and ECSA_LPT4.

Talking to EHN, the hacker said: "This could take a very deadly turn if played by the cyber terrorist. They are the same org who train DOD, CIA, NSA, NASA etc."

"If a cyber terrorist infects this material with Trojans and malware the same content will be accessed by the defense people. And this is the easy way to enter into the network of defense. They should concentrate on security and in future should avoid such situation."

"Consider it as a security alarm for USA and Defence network, you will never know in cyber space who is knocking your door."

The hacker didn't mention the type of vulnerability that gave access to these materials. But it appears his motive is to create cyber security awareness.

*Update*

EC-Council responded to the hacking claim by saying the hacker obtained the files due to a "human error" that allowed "directory viewing".

"This configuration allows a visitor to view the contents of a web directory much like visiting a web page, however instead of a webpage, the user is able to see links to files in web directories."

"This was not a breach and no systems were affected. The files contained in the listed directories were encrypted binary .Resource files; primarily DRM (Digital Rights management) protected documents that EC-Council makes available for download to paying students and organizations globally and some other non confidential files that were already in public circulation. No sensitive data or personal information was compromised."