Android malware iBanking helps attackers hijack Facebook accounts

An attacker can't hijack a Facebook account that has two-step authentication enabled, even if he knows the username and password. But if you think two-step authentication alone is enough to keep your Facebook account safe from hackers, think again!

Cyber criminals have started to use the Android banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is a malicious Android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and recording the victim's voice using the microphone.

Recently, RSA noted that the source code for the iBanking trojan had been released. This source code leak helped other cyber criminals customize the trojan to their own needs.

ESET reports that a customized iBanking malware targeting Facebook users is being delivered via a new variant of the computer banking Trojan Qadars.

When a system is infected with the Qadars Trojan, it shows a message when the user logs in to Facebook, telling them that "Facebook introduces new extra safety protection system" and instructing them to install an Android app. This app lets the cybercriminals intercept SMS messages so that they can bypass Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud." the researchers said.

Details of over 480,000 people stolen from The Harley Medical Group


Hackers breached the server of a UK plastic and cosmetic surgery company, The Harley Medical Group, and compromised the personal details of over 480,000 people.

The individuals affected by this breach are those who submitted their data via an initial inquiry form on the company's website.

The information accessed by the attackers includes names, email addresses, dates of birth, postal addresses and phone numbers, according to Hot For Security. No clinical or financial information was accessed.

The company said it believed the attack was an attempt to extort money from the company.

"We have informed the police and will continue to provide whatever assistance they may require to track down the perpetrator of this illegal act" Harley chairman Peter Boddy said in the letter.

55,000 Social Security Numbers exposed in VFW.org security breach

The Veterans of Foreign Wars (VFW.org) of the United States recently began notifying affected users that hackers were able to access their personal information.

In February 2014, attackers compromised the VFW's website and planted malicious code that infected the systems of users who visited vfw.org with vulnerable Internet Explorer versions. The attack was believed to have originated from China.

An investigation into the incident shows that the names, addresses and Social Security numbers of approximately 55,000 VFW members were compromised in the breach.

The letter, dated April 4, said VFW became aware of the security breach back in March.

"VFW has been informed that the purpose of the attack wasn't identity theft, but rather to gain access to information regarding military plans or contracts" the letter reads.

VFW said it is offering one free year of identity theft protection services from AllClear ID to the affected members.

Opening a malicious PDF in the Android version of Adobe Reader allows an attacker to access files


The Android version of Adobe Reader contains a security bug that could allow an attacker to compromise documents stored in the reader and other files stored on the device's SD card.

A security researcher says the problem exists because Adobe Reader exposes a few insecure JavaScript interfaces. These JavaScript interfaces allow an attacker to run malicious JavaScript code inside Adobe Reader.

"An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file" security researcher Yorick Koster from Security said.

The researcher successfully verified the existence of the vulnerability in version 11.1.3 of Adobe Reader for Android. The bug has been fixed in the latest version, 11.2.0.

He has also released PoC code that creates a '.txt' file when a user opens the specially crafted .pdf in a vulnerable version of the reader.

How researchers hacked Google using an XXE vulnerability!

What is the most secure website? None. Even Google is vulnerable to all sorts of attacks!

Security researchers and co-founders of Detectify have discovered a critical security vulnerability in Google that allowed them to access internal servers.

The vulnerability existed in the Google Toolbar button gallery. The page allows users to customize their toolbar with buttons. It also allows users to create their own buttons by uploading an XML file containing various metadata.

The researchers identified that this function was vulnerable to XML External Entity (XXE) injection.

By sending a crafted XML file, the researchers were able to gain access to internal files stored on one of Google's product servers. They managed to read the '/etc/passwd' and '/etc/hosts' files of the server.

By exploiting this vulnerability, the researchers could have accessed any file on Google's server, and could also have performed SSRF exploitation to access internal systems.
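The root cause of an XXE bug like this one is an XML parser that accepts a DTD in user-supplied input and resolves the external entities it declares. The following is an added example, not Detectify's or Google's code: it shows how an upload handler for a button definition can refuse any DTD or entity declaration before the document reaches the parser, so the file-reading entity in the constructed sample is never resolved. The `<button>`/`<title>`/`<url>` element names are an assumed schema, not the real gallery format.

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads (not real gallery submissions): a benign button
# definition, and one carrying an external entity that points at a local file,
# which is the pattern the article describes.
BENIGN_BUTTON = b"""<?xml version="1.0"?>
<button><title>Search</title><url>https://example.invalid/search</url></button>"""

XXE_BUTTON = b"""<?xml version="1.0"?>
<!DOCTYPE button [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>
<button><title>&ext;</title></button>"""


class UnsafeXMLUpload(ValueError):
    """Raised when an upload contains constructs the service should never accept."""


def reject_dtd(data: bytes) -> None:
    """Refuse any document that carries a DTD or entity declaration.

    A button definition has no legitimate need for a DTD. Rejecting the DOCTYPE
    up front blocks external entities, parameter entities and entity-expansion
    ("billion laughs") payloads regardless of how the parser behind it is configured.
    """
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise UnsafeXMLUpload("DTD / entity declarations are not allowed in uploads")


def parse_button(data: bytes) -> dict:
    """Validate and parse an uploaded button definition; returns its text fields."""
    reject_dtd(data)
    # Second line of defence: the stdlib ElementTree parser does not resolve
    # external entities on its own, so even an upload that slipped past the
    # check above would fail to parse rather than read a file.
    root = ET.fromstring(data)
    if root.tag != "button":
        raise UnsafeXMLUpload("root element must be <button>")
    return {child.tag: (child.text or "") for child in root}


def classify(data: bytes) -> str:
    """Outcome of handling one upload: 'ok', 'rejected' (policy) or 'malformed'."""
    try:
        parse_button(data)
        return "ok"
    except UnsafeXMLUpload:
        return "rejected"
    except ET.ParseError:
        return "malformed"


if __name__ == "__main__":
    print("benign:", classify(BENIGN_BUTTON))   # ok
    print("xxe:   ", classify(XXE_BUTTON))      # rejected
```

The substring check is deliberately blunt: it will also reject a document that merely mentions "<!DOCTYPE" inside a CDATA section, which is an acceptable trade-off for an upload endpoint that never needs DTDs. Parsers whose defaults do resolve external entities (for example lxml, or the Java SAX/DOM parsers) additionally need their DTD and entity-resolution features switched off explicitly.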

Google has rewarded the researchers with $10,000 for finding and reporting this vulnerability. 

GovWin IQ website hacked, credit card information of 25,000 at risk

The GovWin IQ system, run by enterprise software and information solutions provider Deltek, suffered a security breach that puts the information of around 80,000 employees of federal contractors at risk.

GovWin is designed specifically for government contractors aiming to grow their business.

The breach occurred sometime between July 3, 2013 and November 2, 2013. However, the company only learned of the breach on March 13, 2014.

The hacker exploited a security vulnerability in the GovWin IQ system and managed to access customers' data. The information accessed includes names, billing addresses, phone numbers and business email addresses.

According to a Federal News Radio report, the hackers also had access to the credit card information of about 25,000 of the affected customers. Those whose card information was compromised are being offered free credit monitoring services.

The company says it is cooperating with law enforcement on this case and has hired a cyber security forensics firm. It also claims that the hacker believed to be behind the breach has been arrested.

Ministry of Health Saudi Arabia website defaced by Moroccan hackers


The Moroccan Islamic Union-Mail hacked and defaced the official website of the injury and accident prevention program of the Ministry of Health Saudi Arabia (moh-ncd.gov.sa).

The site showed a picture of Mohamed Morsi, the President of Egypt and a member of the Muslim Brotherhood, and a message in Arabic which said:

"Penetration in response to a statement by the Ministry of Interior inclusion of the Muslim Brotherhood in the list of terrorist groups."

"Our message to the governor of Saudi Arabia: The day will come who are under it is exposed to more than what it is now Syria." the hackers said.

"The most worthy AQIM contain the Two Holy Mosques to be a compromise in everything Do not be biased for a class to another, until he became Al Saud believe in all that is Islamic terrorist And all of the resistance for pursuing terrorism The injustice of kin most Reluctantly --- one of Hussam signed Mohannad. Signature: Moroccan Islamic Union-mail"

A mirror of the defacement is available here: http://www.aljyyosh.org/mirror.php?id=125826

This is not the first time the site has been targeted by hackers: earlier this year, a hacker going by the handle 'Dr.SHA6H' also defaced the website.

Operation Windigo: Thousands of Linux and Unix Servers hacked to deliver malware, spam

Hackers compromised thousands of Linux and Unix servers and used them to steal SSH credentials, send millions of spam messages and infect visitors with malware.

The campaign, uncovered by researchers at security firm ESET, has been dubbed Operation Windigo.

According to the report, the operation has been ongoing since 2011 and more than 25,000 servers have been compromised in the last two years. 

Even some high-profile servers, including those of cPanel and Kernel.org, were affected by this campaign.

Millions of visitors to legitimate websites hosted on the affected servers are being served malware via exploit kits, and 35 million spam messages are being sent each day from the compromised servers.

The three main components used in this operation are:

  • Linux/Ebury – an OpenSSH backdoor used to keep control of the servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect web traffic. We also detail the infrastructure deployed to redirect traffic, including a modified DNS server used to resolve arbitrary IP addresses labeled as Linux/Onimiki
  • Perl/Calfbot – a Perl script used to send spam

ESET's detailed technical paper on "Operation Windigo" is here.

Black Hat hacker Farid Essebar arrested in Thailand


The infamous international computer hacker Farid Essebar was arrested on Tuesday in Thailand at the request of Swiss authorities.

Essebar, also known as Diabl0, is 27 years old and holds dual Moroccan-Russian nationality. He was detained in Bangkok, according to local news reports.

He was arrested on suspicion of taking part in a cyber crime involving cracking banking systems and hacking online banking websites. The breach resulted in $4 billion of damage to customers in Europe in 2011.

Thailand will extradite the suspect to Switzerland within the next 90 days. Police are reportedly searching for two other gang members involved in the breach.

This is not the first time he has been arrested. In 2006, he was sentenced to two years in prison, accused of spreading the Zotob computer worm. CNN, ABC News, United Parcel Service, the NY Times and the US Department of Homeland Security were among those affected by the worm.

Data of 25,000 cards compromised in Sally Beauty data breach


Earlier this month, Krebs on Security first reported that one of the largest retailers of beauty products, Sally Beauty, had been hacked. At the time, Sally Beauty said no card data was involved in the breach.

Today, the company confirmed that its network had been breached and that data from fewer than 25,000 credit cards may have been compromised by the attackers.

"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation." Sally Beauty said.

"As a result, we will not speculate as to the scope or nature of the data security incident." the company added.

The company said it will continue to work with Verizon and the US Secret Service on this investigation, and that it is taking the necessary actions and precautions.

In the meantime, an unknown hacker defaced a website selling the stolen credit card data and left a message for the admin of the site as well as for Brian Krebs.

"Hi subhumans and miscreants, your fraud site is gone now. Go away.
Also, Krebs, please dont call me a punk on Twatter: im trying to be a good person :(" The defacement page reads.

"To all the people who used this service to blackmail and threaten and "dox" people's families: fuck you especially. To the "regular" fraudsters: fuck you too but slightly less.  To Cloudflare: why in a billion 6000-degree hells is your NS TTL 80000?" 

Justin Bieber's Twitter account hacked, malicious URL tweeted


Justin Bieber's official Twitter account, which has more than 50 million followers, was hijacked by attackers to spread spam links.

The attacker posted a tweet saying "Justin Bieber Cemberut? [Malicious link]" (Cemberut is an Indonesian word meaning 'sullen').

The shortened link in the tweet leads to a .tk domain, 'rumahfollowers[.]tk'. At the time of writing we are not able to access the site, so we cannot determine exactly what was delivered to users.

More than 13,000 users favorited the spam tweets and over 7,000 retweeted them, which means thousands of users might have followed the link and been affected by this spam.

It is worth noting that this is not the first time his account has been hijacked by attackers. We are not sure how the account was compromised this time.

His team managed to recover the account and posted: "all good now, we handled it".

BitStamp hacked, users receiving spam mail containing malware


BitStamp, said to be the largest Bitcoin exchange, has been breached, and its users are receiving spam emails containing a link to a malware file.

Yesterday BitStamp warned its users about a new phishing attack and urged them to ignore all emails with the subject "Bitstamp trading will be suspended for 24 hours".

A few days earlier, a BitStamp user reported on reddit that he had received a malicious email pretending to be from MtGox, which asked him to download a document, saying "please sign the papers attached". The malicious link in the email led to a page distributing malware with the extension '.pif'.

The user suggested that BitStamp's mailing list might have been compromised by attackers. The attackers also appear to have sent spam mail pretending to be from BTC Guild and Eobot.

BitStamp confirmed to BTC Guild's owner 'Eleuthira' that its mailing list had been compromised by attackers. The security breach reportedly happened two weeks earlier.

Bitcoin exchange Poloniex website hacked

Here comes more hacking news related to Bitcoin. The multi-cryptocurrency exchange Poloniex announced today that its website suffered a cyber attack in which Bitcoins were stolen from the company.

On the BitcoinTalk forum, the company explained how the hackers stole the Bitcoins: placing multiple withdrawal requests at the same time results in a negative balance, yet the requests are still processed.

"Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawals requests were processed sequentially instead of simultaneously" the forum post reads, explaining a second bug.
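The flaw described above is a classic time-of-check/time-of-use race: each withdrawal request checks the balance and then debits it as two separate steps, so several requests that each pass the check can together overdraw the account. The following is an added example, not Poloniex's code, that reproduces the race deterministically with a barrier (so the reader does not have to rely on scheduler luck) and contrasts it with the fix the forum post names, processing requests one at a time from a queue. The account model and amounts are constructed for illustration.

```python
import threading
from queue import Queue
from typing import List, Tuple


class SharedBalance:
    """Account whose balance is checked and debited as two separate steps."""

    def __init__(self, balance: int) -> None:
        self.balance = balance


def process_simultaneously(start: int, amounts: List[int]) -> int:
    """Handle every withdrawal in its own thread, mirroring the flawed design.

    A barrier holds every request that passed the balance check until all of
    them have passed it, then releases them to debit together. Returns the
    final balance, which goes negative whenever the amounts sum to more than
    the starting balance even though each one individually fits.
    """
    account = SharedBalance(start)
    # Every check runs against the untouched starting balance, so the number
    # of requests that will reach the barrier is known in advance.
    passing = sum(1 for a in amounts if a <= start)
    barrier = threading.Barrier(passing)

    def withdraw(amount: int) -> None:
        if account.balance >= amount:   # step 1: check (each request passes on its own)
            barrier.wait()              # ...all checks done before any debit...
            account.balance -= amount   # step 2: debit (combined, they overdraw)

    threads = [threading.Thread(target=withdraw, args=(a,)) for a in amounts]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance


def process_sequentially(start: int, amounts: List[int]) -> Tuple[int, List[int]]:
    """Queue the requests and let a single worker apply them one at a time.

    Because check and debit now happen back to back with no other request in
    between, a request that would overdraw the account is rejected. Returns the
    final balance and the list of rejected amounts.
    """
    account = SharedBalance(start)
    rejected: List[int] = []
    queue: "Queue[object]" = Queue()
    for a in amounts:
        queue.put(a)
    queue.put(None)  # sentinel: no more requests

    def worker() -> None:
        while True:
            item = queue.get()
            if item is None:
                break
            amount = int(item)
            if account.balance >= amount:
                account.balance -= amount
            else:
                rejected.append(amount)

    t = threading.Thread(target=worker)
    t.start()
    t.join()
    return account.balance, rejected


if __name__ == "__main__":
    # Three simultaneous withdrawals of 60 against a balance of 100.
    print("simultaneous:", process_simultaneously(100, [60, 60, 60]))    # -80
    print("sequential:  ", process_sequentially(100, [60, 60, 60]))      # (40, [60, 60])
```

In a real exchange the single worker corresponds to serializing withdrawals per account, for example by performing the check and the debit inside one database transaction that locks the account row, so that no two requests can observe the same pre-debit balance.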

One of the forum's members linked to the attacker's Bitcoin address "https://blockchain.info/address/1Ktq7TE3J5vZ3c99M5weqKfFcNkHQdqPrq". It appears the loss is around $50,000 (76 BTC).

The owner of Poloniex said he will take full responsibility and repay the BTC debt. However, because of the 12.3% shortage in funds, the company will temporarily deduct 12.3% of the balance from all accounts.

"If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air." he said.

Bitcoin bank Flexcoin website hacked, $600,000 worth of Bitcoins stolen

The website of Bitcoin bank "Flexcoin" has been closed after hackers reportedly attacked the site and stole 896 bitcoins worth $600,320.

The organization says the attack happened on March 2nd, when the attackers transferred the bitcoins to two different addresses.

"As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately." the company said in a statement posted on its main page.

The bitcoins held in cold storage were not affected by this breach, as those coins were kept offline. Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity.

For the others, the company pointed to its TOS, which says: "Flexcoin Inc is not responsible for insuring any bitcoins stored in the Flexcoin system. You are entering into this agreement with Flexcoin Inc. You agree to not hold Flexcoin Inc, or Flexcoin Inc's stakeholders, or Flexcoin Inc's shareholders liable for any lost bitcoins."

The company says it is working with law enforcement and trying to find the cause of the security breach.

Hackers compromise 300,000 SOHO routers and change DNS settings to redirect to attacker sites

Security researchers at Team Cymru have uncovered a pharming campaign targeting small office and home office (SOHO) routers. So far, more than 300,000 SOHO routers have been compromised.

The hackers altered the DNS settings on the compromised devices to use the IP addresses '5.45.75[.]11' and '5.45.75[.]36', in an effort to redirect victims to attacker-controlled websites.

Most of the compromised devices are in Vietnam. India is also among the top countries affected by this campaign. Other affected countries include Italy, Thailand, Indonesia, Ukraine, Turkey and Colombia.

The affected routers come from a number of manufacturers, including Micronet, Tenda, D-Link and TP-Link. Researchers say the affected devices are vulnerable to multiple exploits, including CSRF attacks and a vulnerability in ZyXEL firmware.

The vulnerability in ZyXEL's ZynOS, discovered by a researcher back in January, allows an attacker to directly download the router's configuration file from http://[IP Address]/rom-0.

So far, the attackers do not seem to have abused the compromised devices. But the attack is similar to an earlier attack against a number of Polish banks' customers, in which the attackers changed DNS configurations in order to steal online banking login credentials.

Russia Today (RT) news website hacked

On Sunday, the well-known Russian news website RT.com was hacked and defaced.

The hackers gained access to the admin panel of the RT website and managed to publish several articles containing the word "Nazi" in the headline.

The security breach was also confirmed by Russia Today on its official Twitter account: "Hackers deface RT.com website, crack admin access, place "Nazi" in every headline. Back to normal now."

Some of the published articles were entitled "Russian Senators vote to use stabilizing Nazi forces on Ukrainian territory" and "Nazi nationalist leader calls on 'most wanted' Nazi umarov' to act against Russia".

The website has been restored and is back to normal, but so far no hackers appear to have taken credit for the breach.

KickStarter kicked by hackers, usernames and passwords stolen

Online crowdfunding website KickStarter is the latest high-profile website to report a security breach. KickStarter became aware of the breach after receiving a notification from law enforcement.

Hackers breached the website (kickstarter.com) and gained access to user information including usernames, encrypted passwords, email addresses and phone numbers. The company says no credit card data was compromised in this breach.

Even though the passwords are encrypted, we are aware that attackers with enough computing power can easily crack them.

The company says that two accounts have been accessed by hackers so far. All users are advised to change their KickStarter password immediately.

If you use the same password on any other websites (most of us do), you are also advised to reset the password there.

"We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting." the company apologized in its blog post.

Bitcoin-stealing Mac malware found hosted on Download.com and MacUpdate.com

Image Credits: ThreatPost.

Another variant of the recently discovered Mac Trojan "OSX/CoinThief" has been found hosted on two popular download websites, Download.com and MacUpdate.com.

The CoinThief malware is designed to steal Bitcoin login credentials from the victim as well as the Mac's username and UUID (unique identifier), and it also collects a list of the Bitcoin-related apps installed on the system.

A few days ago, SecureMac spotted this Trojan being hosted under the name "Stealthbit" on GitHub, where it was downloaded by hundreds of users. One reddit user also pointed out the similarity between a year-old fake Bitcoin-related app, "BitVanity", and Stealthbit.

Now, experts at SecureMac have spotted one more variant hosted under the names "Bitcoin Ticker TTM" and "Litecoin Ticker" on popular download sites. These app names appear to have been taken from legitimate apps in the Mac App Store.

This version also installs a fake browser extension called "Pop-up Blocker" in Chrome, Safari and Firefox. The malicious extension attempts to sniff web traffic to steal Bitcoin login credentials. It communicates with a background process, which sends the collected data to a remote server.

SecureMac has explained how to check whether the malware is installed on your system and how to remove it.

The developer of the legitimate Bitcoin Ticker TTM app said he has no connection with Download.com or MacUpdate.com and recommends that users download the app from the Mac App Store.

Las Vegas Sands casino websites hacked and defaced by Anti WMD Team

Las Vegas Sands Corp, said to be the world's largest casino operator, has been targeted by hackers. The websites of Sands casinos and its subsidiaries have been defaced.

The sites' home pages were modified to show a world map marking the locations of Sands casinos with a flickering flame.

"Damn A, Don't let your tongue cut your throat" the defacement message reads. "Encouraging the use of weapons of Mass destruction, Under Any condition, is a Crime"

The defacement also contained personal information of Sands employees, including email addresses, Social Security numbers and other details.

The signature left in the defacement suggests it was done by a hacker group identifying itself as the "Anti WMD team". However, we could not find any history of this group.

The affected websites are: Sands official website (sands.com), Venetian (www.venetian.com), Palazzo (palazzo.com), Sands Bethlehem (pasands.com), Marina Bay Sands (www.marinabaysands.com), Venetian Macao (venetianmacao.com), Sands Macao (sandsmacao.com) and Holiday Inn Macao Cotai Central (sandscotaicentral.com).

All of the affected websites are currently showing an "Undergoing Maintenance" message.

A Sands spokesperson told the Associated Press that the company is working with law enforcement to find the hacker behind this security breach. The company could not say whether customers' card data had been compromised.

PayPal President David Marcus's credit card gets hacked

David Marcus, PayPal's president, is the latest person to fall victim to credit card fraud.

Marcus said on Monday that his credit card data had been compromised and that cybercriminals had made several fraudulent transactions using the obtained information.

Marcus points out that his card uses EMV technology, which is being touted as more secure than a magnetic stripe. But that didn't stop the cybercriminals.

It seems he did not want to waste the opportunity, and used the incident to promote his own company's security benefits. He said this breach would not have happened if the merchant had accepted PayPal.

"Obfuscating card data online, on mobile, and now more and more offline remains one of PayPal's strongest value props." he said on Twitter.

PayPal claims to be more secure because it doesn't share card data or bank account details with the merchant. But, as we reported, a hacker reportedly manipulated a PayPal employee into revealing the last four digits of a card.