Phishing Attacks: Via Scraping Branded Microsoft Login Pages!

The latest phishing campaign uses the target company's own branded Microsoft 365 tenant sign-in page to make the lure look believable.

The attackers also use Microsoft's own cloud, Azure Blob Storage and Azure Web Sites, to host the phishing landing pages.

A page that carries the victim's company branding and is served from Microsoft infrastructure leads users to believe they are looking at a legitimate Microsoft page, which is what lets the criminals harvest Microsoft service credentials.

The campaign's distinguishing feature is that it scrapes each target organisation's branded Microsoft 365 tenant login page rather than using a generic template.

These observations come from research by Rapid7's Managed Detection and Response (MDR) service team, say sources.

The criminals first work through a list of validated email addresses, and only then redirect the victims to the fake login pages.

The kit reproduces the genuine logos and background of the brand being impersonated; that is what makes the scraped tenant login page convincing.

If the target organisation has no custom tenant branding, the kit falls back to the default Office 365 background.

The same campaign has been aimed at companies in several sectors, including finance, insurance, telecommunications, energy and healthcare.

Several indicators suggest the campaign is still active and that someone is updating it from time to time.

The phisher behind the campaign may well be using Lithuanian infrastructure.

Besides the fake Microsoft page and the credential theft, the campaign abuses cloud storage services to host its landing pages; the phishing kits were discovered in April this year.

In a similar pattern, IPFS gateways were abused for phishing in October last year, with the pages served under TLS certificates issued by Cloudflare.
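
The common thread in the campaign above is a sign-in page that looks like Microsoft's but is served from hosting anyone can rent (Azure Blob Storage, Azure Web Sites, a public IPFS gateway) rather than from Microsoft's own sign-in hosts. The script below is an added example of how a defender can triage web-proxy logs for exactly that pattern; it is not Rapid7's tooling or part of the original report. The allow-list of legitimate sign-in hosts, the keyword lists, the log format and the log lines themselves are constructed for illustration, and the check for Microsoft branding in a non-Microsoft hostname goes slightly beyond what the article describes.

```python
"""
Triage constructed web-proxy log lines for visits to Microsoft 365 sign-in
look-alikes hosted on third-party infrastructure (Azure Blob Storage, Azure
Web Sites, IPFS gateways). Added example; not code from the original report.
"""
import re
from urllib.parse import urlparse

# Hosts that serve genuine Microsoft work/school and consumer sign-in pages.
# Assumption: this short allow-list covers the environment being monitored.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Anyone can create a storage account or web app under these suffixes, so a
# sign-in page living there is not Microsoft's even though its TLS cert is valid.
THIRD_PARTY_SUFFIXES = (
    ".blob.core.windows.net",   # Azure Blob Storage static-site hosting
    ".azurewebsites.net",       # Azure Web Sites / App Service
)
IPFS_PATH_PREFIXES = ("/ipfs/", "/ipns/")   # content pulled through a gateway

BRAND_WORDS = ("microsoft", "office", "o365", "outlook", "sharepoint", "owa")
LOGIN_WORDS = ("login", "signin", "sign-in", "auth")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify(url: str) -> dict:
    """Score one URL. Returns {'suspicious': bool, 'reasons': [str, ...]}."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    locator = (p.path + "?" + p.query + "#" + p.fragment).lower()
    reasons = []

    if host in LEGIT_LOGIN_HOSTS:
        return {"suspicious": False, "reasons": reasons}

    third_party = any(host.endswith(s) for s in THIRD_PARTY_SUFFIXES)
    if third_party:
        reasons.append("served from a user-creatable Azure storage/web-app hostname")
    if any(p.path.lower().startswith(pre) for pre in IPFS_PATH_PREFIXES):
        third_party = True
        reasons.append("served through an IPFS gateway path")
    if any(w in host for w in BRAND_WORDS):
        # e.g. microsoft-login.azurewebsites.net: branding in a host Microsoft does not own
        third_party = True
        reasons.append("Microsoft branding in a hostname outside the sign-in allow-list")

    lure = any(w in host + locator for w in BRAND_WORDS + LOGIN_WORDS)
    if lure:
        reasons.append("sign-in/brand keywords in the URL")
    # The kit works from validated victim addresses; a pre-filled address often
    # rides in the query string or fragment of the landing URL.
    email_found = EMAIL_RE.search(p.query + " " + p.fragment) is not None
    if email_found:
        reasons.append("pre-filled victim email address in the URL")

    # Only a login-looking page (or one carrying a victim address) on hosting
    # Microsoft does not control is flagged; a plain blob download is not.
    return {"suspicious": third_party and (lure or email_found), "reasons": reasons}


def scan_log(lines):
    """Constructed log format: '<timestamp> <client-ip> <method> <url> <status>'.
    Returns [(url, reasons)] for suspicious requests, in log order."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue   # skip blank or malformed lines instead of aborting the triage
        verdict = classify(fields[3])
        if verdict["suspicious"]:
            hits.append((fields[3], verdict["reasons"]))
    return hits


# Constructed sample log: one genuine sign-in, one branded lure on Azure Blob
# Storage with the victim address in the fragment, a benign blob download,
# a lure served via an IPFS gateway path, and an ordinary intranet login.
SAMPLE_LOG = """\
2019-08-20T10:15:03Z 10.0.4.17 GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc 200
2019-08-20T10:16:41Z 10.0.4.17 GET https://contosobrand.blob.core.windows.net/office365/login.html#jane.doe@contoso.example 200
2019-08-20T10:17:02Z 10.0.4.22 GET https://reports.blob.core.windows.net/exports/q2.csv 200
2019-08-20T10:18:55Z 10.0.4.31 GET https://gateway.example/ipfs/bafyexamplecid/office365/signin.html 200
2019-08-20T10:19:10Z 10.0.4.31 GET https://intranet.contoso.example/login 200
"""

if __name__ == "__main__":
    for url, why in scan_log(SAMPLE_LOG.splitlines()):
        print(url)
        for reason in why:
            print("   -", reason)
```

The hostname alone is deliberately not enough to raise an alert: legitimate business data lives on Azure Blob Storage too, so the rule fires only when third-party hosting coincides with sign-in keywords or a pre-filled address. Tenant branding cannot be used as a signal, since the whole point of the kit is that the branding is genuine.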

Per sources, organisations using Microsoft Office 365 should take the following measures at once:
·       Multi-factor authentication, via Office 365 or a third-party solution, for all employees.
·       Enrolling staff in phishing awareness training programmes.
·       Training employees to spot and report phishing attacks.


State of Texas Hit By a Ransomware Attack; 23 Agencies Shut Down!

The state of Texas was recently hit by a cyber-attack that took 23 government entities offline.

According to the Texas Department of Information Resources (DIR), most of the affected parties were small local government entities, which have not been named so far.

State networks themselves were not affected. The State Operations Center has been working intensively on the response.

State and federal agencies handling the case indicate that the attack was coordinated by a single threat actor.

The incident has been confirmed as a ransomware attack. Per sources, the strain involved was identified as "Nemucod".

That ransomware, a researcher noted, "encrypts files and then at the end adds the .JSE extension".

The US has lately been the target of a large share of cyber-attacks; by one count it accounts for 53% of the global total, making it the most-victimised country.

A state of emergency was declared in Louisiana in July this year in response to a ransomware attack on school district computer systems.

From a security standpoint the situation is critical: municipalities falling prey to such attacks, and to ransomware in particular, is a worrying trend.

The rise in the number and scale of such attacks is disconcerting on many levels, not least because, as researchers point out, threat actors willing to put in this much effort are numerous.


Hackers Can Intercept What’s Being Typed Just By The Sound Of It?
Hack alert: attackers could capture the sound of typing on a keyboard with a nearby smartphone and recover what was typed.

The acoustic signals produced when a message is typed on a computer keyboard can be picked up by a smartphone's microphone.

The recording can later be processed to work out which keys were pressed and ultimately what was typed.

The researchers tested the technique in a busy room full of people chatting and typing, and it still worked.

The researchers recovered typed text with a "41% word accuracy rate", and processing takes only a couple of seconds.

The results are disconcerting, and the privacy and security controls around smartphone sensors need to be raised.

Sensors have come a long way, from detecting whether a phone is lying still or in a pocket to detecting whether it is moving.



Some sensors require a permission, but most are available to any app by default; the researchers used the latter.

All they did was develop an application that captures the sound of typing and determines which key was hit.

According to the researchers, the material of the table on which the keyboard sits plays a crucial role, because keys sound different on different surfaces.


Fraudsters claiming to be from a bank offer to "assist" you via TeamViewer


In Russia a new form of telephone fraud is gaining momentum. The attacker, posing as a bank employee, calls the bank's client about suspending a financial transaction but does not ask for confidential card details. The caller claims the bank has detected an attempt at an unauthorised withdrawal from the account in another region.

The scammer then reports that the attempt was blocked and offers to verify the devices that have access to the client's online banking account. The attacker finds out whether the client uses Android or iOS, and then offers to help "disable" the system the client does not use, with the help of the TeamViewer remote-access program.

TeamViewer allows an outsider to connect to the device and perform any operation on the user's behalf. The fraudster only needs the client's TeamViewer ID to connect and take possession of the confidential information on the smartphone. In that case it is extremely difficult, if not impossible, to prove unauthorised access, since the client voluntarily granted it.

Previously, a number of large credit institutions recorded a sharp rise in fraudulent calls to customers using caller-ID spoofing (number substitution); in some banks fraud activity increased tenfold.

Banks say telecom operators are not effectively detecting and blocking such schemes, and the problem has been escalated to the Central Bank.

On August 10 the Central Bank of Russia recommended that banks report the recipient's card number, account number or mobile phone number to the payment systems, which should help identify fraudsters and block transactions. The requirement covers P2P transfers, transfers in which a third bank is involved, and payment systems.

If banks and payment systems follow the Central Bank's recommendation, data on recipients of funds will be sent to FinCERT (the Bank of Russia's centre for monitoring and responding to computer attacks in the financial sector, part of its General Directorate for Protection and Information Security).

According to Sergey Golovanov, leading anti-virus expert at Kaspersky Lab, recording the phone number will make it possible to track cases where one person has opened many accounts on a single number and uses them to move funds obtained through social engineering.

Apps Generating Untraceable International Phone Numbers ?
Applications that generate international phone numbers that are very hard to trace are being used by cyber-criminals to defraud people.

One recent victim who contacted the cyber-crime branch reported receiving calls from two separate numbers, one with the country code 001 and the other with 0063.

Per sources, the app stores carry 40 to 60 such apps through which criminals can easily obtain these numbers.

Sources mentioned "Dingtone" as an app through which a user can pick from a variety of country codes, producing numbers that are effectively untraceable.

According to the cyber-crime branch such cases are not categorised separately, but they are being registered and looked into.



According to security researchers, at least 500 such cases arise per day in India alone, about 40 of them in the major cities.

The police lack both the technical capability and the resources to track the users of such applications, and there is also the matter of jurisdiction.

Most of these apps are not developed in India; ironically, they originate from countries with strict laws on the removal of apps.

Caller information could in principle be obtained from the telecom service providers, since such services are always linked to a provider.

However, requesting caller details from a telecom provider abroad is extremely time-consuming, and the CBI would need a Mutual Legal Assistance Treaty with that country.

Such treaties currently exist with only 39 countries; some countries also demand a court order, and the procedure itself takes six to eighteen months.


A Bunch of Loopholes in Apple’s iMessage App?


Apple devices could be vulnerable to attack owing to several flaws researchers have uncovered in the iMessage app.

In one case the attack is so severe that the only way to recover the device is to wipe all the data on it.

Another flaw allowed files to be copied off the device without any action by the user. Apple released fixes last week.

But one problem reported by the researchers remains unfixed in the updates.

Google's Project Zero team was established in July 2014 to dig up "previously undocumented" vulnerabilities.

The team has previously warned Samsung, Microsoft, Facebook and others about problems in their code.

The unpatched flaw, according to Apple's own advisory, could let attackers crash an app or execute arbitrary code on iPhones, iPads and iPod Touches.

Apple strongly advises installing the new iOS version (iOS 12.4); keeping the software up to date deals with these attacks.


Hike in Banking Malware Attacks; Mobile Malware A Part of Cyber-Crime Too!



Banking malware is on the rise, with attacks up by 50%.

Banking malware typically goes after payment data, credentials and, of course, cash.

Development kits for mobile banking malware are readily available on underground forums, which is why the problem persists.

These kits let the authors of mobile bankers churn out new variants that can be distributed at enormous scale.

Ramnit (28%), Trickbot (21%) and Ursnif (10%) are the most prevalent banking malware families.

Mobile malware is difficult to identify and equally difficult to deal with, because it uses the same evasion techniques applied on desktop computers.

The variants most frequently detected by anti-virus solutions were the Android families Triada (30%), Lotoor (11%) and Hiddad (7%).

Evasion techniques in use include disabling anti-malware, using transparent icons with empty application labels, delayed execution to bypass sandboxes, and encrypting the malicious payload, per sources.


Equifax Paying Settlement around $700 Million after Massive Data Breach


Almost two years ago Equifax suffered a massive data breach that exposed sensitive data of over 143 million Americans, including driver's licence numbers, Social Security numbers and addresses.

The Wall Street Journal and The New York Times report that the consumer credit reporting agency is closing in on a settlement with the FTC, state attorneys general, the Consumer Financial Protection Bureau and other state and federal agencies. Equifax could settle for $650 to $700 million and has set aside $690 million for the purpose.

The final amount is expected to depend on the number of people who file claims; details are to be released on Monday.

The settlement is expected to establish a separate fund for compensating victims, though how much individual victims can expect is still an open question.

Richard Smith, Equifax's CEO at the time of the breach, said on announcing his retirement in its wake: "At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward."

Cyber Extortionist Pretends To Be From US Police; Demands $2000 in Bitcoin To Delete Evidence!
A cyber-extortionist posing as a US state police detective promises to delete child pornography "evidence" for $2,000 in Bitcoin, and even includes a phone number for contacting the scammer.

"Sextortion" emails have become common: the sender claims the recipient's computer was hacked and that they were recorded while visiting adult sites.

Other extortionists pretend to be hitmen demanding money to call off the hit, make bomb threats, or threaten to tarnish a website's reputation.


This extortionist accuses the victim of child pornography and claims the evidence will be deleted if the sender is paid $2,000 in Bitcoin.

Victims reported emails purporting to come from police in Florida, Minnesota, Georgia, Tennessee, California and New York, among other states.

Per sources, the email pretending to come from the Tennessee State Police included the following phrases:
·       “Do not ignore the important warning”
·       “I work in the Bureau of Criminal Investigation, detective branch Crime Prevention with child abuse.”
·       “You uploaded video child-porno to websites”
·       “not possible to prove you didnt this”
·       “I retire in next month and want to earns some money for self”
·       “Pay me to Bitcoin wallet”
·       “This is anonymous money I want 2000$”
·       “Send transfer to my wallet”
·       “My temporary phone to contact”
·       “After receiving payments, I delete All materials”
·       “If you don’t pay me, I sending materials to The Tennessee Crime Laboratory.”

All the emails are identical, down to the same Bitcoin address 17isAHrP2cZSY8vpJrTs8g4MHc1FDXvAMu; only the state name changes.

The attacker is apparently using a data breach dump that contains both email and home addresses, so that the state named in the email can be matched to the target's state of residence.

Extortion scams do not usually include a contact number for the scammer, and matching the state to the victim's residence is a notable touch.

Any email in which the sender demands money should simply be discarded.


Ransomware and their Proliferation; Major Cyber-Crime Hazards In View
Per the latest reports, losses from cyber-crime rose worldwide last year.

Earlier this year the city of Baltimore, Maryland was hit by ransomware that locked up its computer networks and made transactions impossible.

City administrators refused the ransom demand of $76,000 to unlock the systems and now face an estimated $18 million bill to rebuild and restore the city's networks.

Organisations hit by ransomware or any other malware face some hard choices.

Two Florida cities paid a combined total of about $1 million in ransom this year, after which the same group attacked the Georgia state court system.

The figure that losses from ransomware attacks rose by 60% comes from the Internet Society's Online Trust Alliance.

Since 2013 around 170 county, city and state government networks have been hit, 22 of them this year alone.

A Stanford researcher notes that cities are unprepared for cyber-crime and are therefore attacked repeatedly.

To pay or not to pay? The FBI warns against paying, but researchers say there is no clear answer for victims whose critical data is locked.

What has to be done, then, is whatever is best for the organisation, which in some cases means considering paying the ransom.

But whether to pay is secondary; the primary issues remain missing software updates, lack of backups and the weak security measures users take.



Forensic services firm pays ransom after cyber-attack

The UK's biggest provider of forensic services has paid a ransom to criminals after its IT systems were disrupted in a cyber-attack, BBC News has learned.

Eurofins Scientific was infected with ransomware a month ago, which led British police to suspend work with the global testing company.

At the time, the firm described the attack as "highly sophisticated".

BBC News has not been told how much money was involved in the ransom payment or when it was paid.

The National Crime Agency (NCA) said it was a "matter for the victim" as to whether a ransom had been paid.

The agency, which is investigating the attack, said: "As there is an ongoing criminal investigation, it would be inappropriate to comment."

Eurofins previously said the attack was "well-resourced" but three weeks later said its operations were "returning to normal".

It said it would also not comment on whether a ransom had been paid or not.

It added it was "collaborating with law enforcement" in the UK and elsewhere.

The ransomware attack hit the company, which accounts for over half of forensic science provision in the UK, on the first weekend in June.

Ransomware is malware that prevents users from accessing their system or personal files. Messages sent by the perpetrators demand a payment in order to unlock the frozen systems.

Eurofins deals with over 70,000 criminal cases in the UK each year.

It carries out DNA testing, toxicology analysis, firearms testing and computer forensics for police forces across the UK.

Forensic science work has been carried out by private firms and police laboratories in England and Wales since the closure of the government's Forensic Science Service in 2012.

'Court hearings postponed'

An emergency police response to the cyber-attack was led by the National Police Chiefs' Council (NPCC) to manage the flow of forensic submissions so DNA and blood samples which needed urgent testing were sent to other suppliers.

Fake “Samsung UPDATES” App Deceives Millions!
Millions of Samsung users were misled by an "updates" app that has nothing to do with Samsung and tried to charge money for security updates.


The app was spotted on the Google Play Store by researchers; it targeted Android users, Samsung phone owners in particular.

The app, which has since been taken down, took users to ad-filled pages and asked them for money in return for security updates and firmware.

According to the report by the malware analyst who discovered it, the app was called "Updates for Samsung" and had been installed by more than 10 million users.


The app lured users in by claiming to offer free and paid Samsung updates, whereas Samsung never charges for its legitimate firmware updates.

The report also notes that the free download option was throttled to 56 KB/s, so a 500 MB download took around 4 hours, only to time out and fail at the end.

The alternative was a premium annual subscription for fast downloads at around $34.99 (Rs. 2,400.76). The app also displayed a lot of ads and asked for payment to remove them.

Among the app's other "amazing offerings" was SIM unlocking for any network operator, starting at $19.99 (Rs. 1,371.73).

The name of the app, chosen to target Samsung users, worked as its creators intended and brought in millions of installs.

The report adds that the app contains no malicious code as such; it is simply a deception used to part people from their money.


CDSCO Warns Users and Providers against Potentially Hack-able Insulin Pumps!
The wireless communication between Medtronic's MiniMed insulin pumps and related devices such as blood glucose meters and remote controllers is at high risk of being hacked.

The Central Drugs Standard Control Organisation (CDSCO), India's apex drug regulator, issued an alert that some of Medtronic PLC's insulin pumps can be hacked, following the US FDA's flagging of the issue.

No complaints of this kind have yet been received from the market, but the issue is serious enough that CDSCO alerted medical professionals.

Because of these potential cyber-security issues, some of the Medtronic MiniMed insulin pumps have been recalled.

The US regulator recommends that patients swap these pumps for different models because of the risks in the communication between the pumps and other devices such as glucose meters and the CareLink USB device used with them.

An insulin pump is a medical device that helps diabetics control their glucose levels by delivering insulin into the body in continuous doses.

Every Medtronic MiniMed pump has a serial number which, according to CDSCO, should never be shared.

Per the CDSCO alert, the pumps susceptible to hacking are the MiniMed Paradigm 715, 712, 722 and 754 with software versions 2.6A or lower.

According to sources, Medtronic is proactively informing users, regulators and medical professionals about the potential cyber-hazards of the pumps.

It is also working with researchers to help patients, users, doctors and other stakeholders find answers to any questions they may have.

Medtronic said that as technology evolves it will "continue to collaborate with industry researchers and regulators and develop high quality therapies that will positively impact lives".

The company also remarked that many models of these pumps have been launched over the years, with quality treated with the utmost seriousness and concern.


Lone cyber police station in Bengaluru gets overburdened

The delay in setting up new police stations to handle cyber crime has overburdened the lone station in Bengaluru. Eight new stations for cyber crime, economic offences and narcotics (CEN stations) were announced in December 2018, one for each of the eight law-and-order divisions, to handle the growing number of cyber crime cases. Six months after the announcement, the proposal is yet to be implemented.

The existing station, often crowded, has received over 4,700 complaints so far this year. It got 5,036 cases in the whole of 2018.

More cyber crime cases are registered in Bengaluru than in other Indian cities. And yet, some other cities have multiple dedicated stations. For instance, there are three cyber crime stations in Hyderabad.

Policemen say the sheer number of cases hampers investigations: the station has filed just one charge sheet so far this year, against 52 in 2018 and 229 in 2017. A charge sheet marks the end of the investigation on the police side and paves the way for the case to be heard in court. There has been only one conviction for a cyber crime so far, in October 2018, in a case investigated by the CID.

The existing station has a large number of visitors on most days. A policeman said, “Most of our time is spent in handling incoming cases, leaving us with hardly any time to investigate them.” Another official said that although about 20 additional City Armed Reserve (CAR) personnel have been deployed at the station, more stations are a must for faster resolution of cases.

Deputy Commissioner of Police (Crime) Girish S said setting up more stations will help complainants, who will then have shorter distances to travel to file complaints. Asked whether the volume of cases was affecting investigations, Girish said, “I can’t say it’s affecting investigations, but what is happening is we are focusing on the more pressing, immediate cases, due to which the resolution time for other cases gets prolonged.” Cases of a very serious nature are taken up by the CID wing.

Bulgarian security expert arrested for demonstrating a vulnerability in software for kindergartens


Bulgarian police recently detained information security specialist Petko Petkov, who published a video about a vulnerability in the municipal IT system used by local kindergartens.

Petkov discovered the vulnerability in the software used for kindergarten admissions. He recorded a video demonstrating it and posted it on Facebook about a week ago, on June 25. The video shows an automated attack on the portal of the local municipality through which parents apply for a kindergarten place for their child. Using the vulnerability, the researcher was able to download the data of almost 236,000 residents of the Bulgarian city of Stara Zagora, which has a population of over 330,000.

In a comment on the video he wrote that he had tried to contact the software developer, Information Services AD, and the municipal authorities, but that his reports about the vulnerability were ignored, which is why he published the video to draw attention to the problem. In the same comment he posted a link to a GitHub repository with proof-of-concept code, open to everyone.

Worse, the researcher explains that the same system is used in other Bulgarian cities, which means attackers can freely obtain residents' personal data, including passport details, marital status, nationality, information about relatives, etc.

Shortly after the public disclosure of the vulnerability, Bulgarian law enforcement arrested Petkov. He was held for 24 hours and then released.

According to Bulgarian media, the prosecutor's office intends to charge him under the article on "illegal access to computer information protected by law". Petkov faces one to three years in prison and a fine of about $2,900.

Although he is now in trouble with the law, he achieved his goal: the problem was noticed, and after the incident the municipality stopped using the vulnerable software, having likewise failed to reach its developers for official comment. The mayor of Stara Zagora, Zhivko Todorov, told the media that the developer will fix the vulnerability at its own expense.


OceanLotus’ Ratsnif (A Remote Access Trojan) - Things You Need To Know


OceanLotus' Ratsnif, a remote access Trojan that long went undetected and is used mainly for cyber-espionage, has been upgraded and is now capable of SSL hijacking and modifying web pages.

The threat actor OceanLotus is well known for its espionage campaigns in Vietnam; APT32, CobaltKitty, SeaLotus and APT-C-00 are some of its aliases in the infosec community.

The group typically combines "commercially available tools" such as Cobalt Strike with its own unique malware.

Researchers analysed four separate variants of the Ratsnif RAT family and found that it evolved from a debug build into a release version.

The latest version comes with features such as DNS and MAC spoofing, SSL hijacking, packet sniffing, HTTP redirection and injection, remote shell access and ARP poisoning.

Per sources, the three early versions have compilation dates from 2016, while the most recent one dates from August 2018.

The oldest Ratsnif variant, per the researchers, was a debug build compiled in August 2016; the domain for its command and control (C2) server was activated the same day.

A newer version with only minor changes was compiled the very next day. Both samples were submitted to the VirusTotal service at the same time to be tested against its anti-virus engines for detection.

A third version, compiled in September 2016, has almost the same functionality and is believed by the researchers to be one of the earlier builds.

It did not have the full feature set but could set up a remote shell and perform ARP poisoning, DNS spoofing and HTTP redirection.

In its early stage it collects information such as usernames, computer names, the Windows system directory, network adapter information and workstation configuration, and sends it to the C2.



The fourth Ratsnif sample no longer carries a list of C2 servers; it delegates communication to a different piece of malware on the victim host.

It is also the first to introduce a configuration file, and it extends the feature set to make the tool more effective.

To decrypt intercepted SSL traffic it uses version 3.11 of the wolfSSL library, formerly known as CyaSSL.

The configuration file is not protected in any way; it is simply a "text file encoded in Base64 with a parameter on its own line".

Ratsnif can also trigger a memory read violation because of a bug when parsing one particular parameter ("dwn_ip"): the value is passed as a string when it should be a pointer to a string.
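
Because the configuration file described above is just Base64-encoded text with one parameter per line and no encryption, a defender who has a memory dump or a disk image of an infected host can carve it out with nothing more than a Base64 scan. The script below is an added example of that recovery and is not code from the original analysis. The `name=value` line layout, the parameter names other than `dwn_ip`, and the sample blob are assumptions constructed for illustration; the `dwn_ip` check is there because the article says the malware's own parser mishandles that parameter, so it is worth validating on the analyst's side as well.

```python
"""
Carve a Ratsnif-style configuration (Base64 text, one parameter per line,
unencrypted) out of an arbitrary binary blob. Added example, not code from
the original analysis; the line layout and sample blob are assumptions.
"""
import base64
import binascii
import ipaddress
import re

# A Base64 run long enough to be a config rather than an incidental match.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
PARAM_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_config_text(text: str) -> dict:
    """One parameter per line; assumed layout 'name=value'. Blank lines are
    skipped; a line without '=' is kept with an empty value, not dropped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def carve_configs(blob: bytes, min_params: int = 2) -> list:
    """Return [(offset, params)] for every Base64 run in `blob` that decodes
    to printable, line-oriented text with at least `min_params` parameters."""
    found = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        # Pad a run that lost its trailing '=' so it still decodes; a run
        # needing three pad chars is not valid Base64 and is rejected below.
        run += b"=" * (-len(run) % 4)
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue   # random alphanumeric bytes that merely look like Base64
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            continue   # decoded to binary junk, e.g. a run of 'A' -> NUL bytes
        params = parse_config_text(text)
        if len(params) >= min_params and all(PARAM_NAME.fullmatch(n) for n in params):
            found.append((m.start(), params))
    return found


def is_valid_dwn_ip(params: dict) -> bool:
    """The malware's parser mishandles 'dwn_ip'; on the analyst side, at least
    confirm the recovered value is an IP address before pivoting on it."""
    try:
        ipaddress.ip_address(params.get("dwn_ip", ""))
        return True
    except ValueError:
        return False


# Constructed sample: a fake header, the encoded config, then a decoy run of
# 'A' characters that is valid Base64 but decodes to NUL bytes.
SAMPLE_CONFIG = "dwn_ip=10.0.0.5\ndwn_port=8080\nsleep=30\n"   # names other than dwn_ip are invented
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + base64.b64encode(SAMPLE_CONFIG.encode())
    + b"\x00\xff" + b"A" * 40 + b"\x00"
)

if __name__ == "__main__":
    for offset, params in carve_configs(SAMPLE_BLOB):
        print(f"config at offset {offset}: {params}  dwn_ip valid: {is_valid_dwn_ip(params)}")
```

The printable-text and identifier checks are what keep the carve useful on a real image, where long Base64-looking runs (certificates, embedded resources, random strings) are common; only runs that decode to a plausible parameter list are reported, along with the offset so the analyst can go back to the surrounding bytes.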

According to the analysts, the 2016 versions of Ratsnif wrote all captured packets to a PCAP file, whereas the 2018 version uses multiple sniffer classes to pull sensitive information out of packets.

This reduces the amount of data the attacker has to collect, exfiltrate and process, and also reveals what information the attacker is after.

Ratsnif has done a remarkable job of staying out of the limelight. Nonetheless, it does not match the standard of OceanLotus' other malware.


Gamers’ Google and Facebook Credentials Unsafe; Android’s “Scary Granny ZOMBYE Mod: The Horror Game” To Blame!
A horror game for Android with more than 50,000 downloads, Scary Granny ZOMBYE Mod: The Horror Game, showed malicious behaviour and was allegedly stealing users' credentials after they logged into their accounts.

The game was designed to ride on the success of another Android game, "Granny", which has 100 million installs to date.

After researchers informed Google of the game's phishing and data-siphoning behaviour, the fully functional game was removed from the Google Play Store.

The research team found that the game would not exhibit any malicious activity for up to two days, to steer clear of security checks.

It only switched on its data-stealing modules on older Android versions; on new, up-to-date devices it behaved as an ordinary game.

Quite naturally, it asks for the permissions it needs to launch itself on the phone or tablet and tries to gain the user's trust.

Even after the user reboots the device, the game still shows full-screen phishing overlays.

First it shows "a notification telling the user to update Google Security Services"; the moment they hit "update", a fake Google login page appears that looks almost legitimate except for the misspelled "Sign in".


After stealing the credentials, Scary Granny goes on to try to harvest account information such as recovery emails, phone numbers, verification codes, dates of birth and cookies.

Obfuscated package names are another way of mimicking official Android components: for example, the com.googles.android.gms package attempts to pass itself off as the genuine com.google.android.gms.
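
The package-name trick above is ordinary typosquatting applied to Android components: one label of a trusted name is altered by a character or two and the rest is left intact. The script below is an added example, not code from the researchers' report, of how an inventory of installed package names can be checked for such look-alikes; it compares names label by label with an edit distance so that it generalises beyond the single `googles` case in the text. The allow-list of trusted packages and the sample inventory are constructed for illustration.

```python
"""
Flag installed Android package names that impersonate trusted platform
components by a near-identical name (e.g. com.googles.android.gms posing as
com.google.android.gms). Added example; not code from the original report.
"""

# Assumption: a short allow-list of genuine platform packages suffices here.
TRUSTED_PACKAGES = {
    "com.google.android.gms",   # Google Play services
    "com.google.android.gsf",   # Google Services Framework
    "com.android.vending",      # Google Play Store
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(pkg: str, trusted=TRUSTED_PACKAGES, max_edits: int = 2):
    """Return (trusted_package, distance) for the trusted name `pkg` most
    resembles, or None.

    Names are compared label by label (the dot-separated parts), because a
    lure usually tweaks one label ("google" -> "googles") and keeps the rest.
    A total distance of 1..max_edits over the same number of labels counts as
    a look-alike; an exact match is trusted and never flagged.
    """
    if pkg in trusted:
        return None
    labels = pkg.lower().split(".")
    best = None
    for t in trusted:
        t_labels = t.split(".")
        if len(t_labels) != len(labels):
            continue
        dist = sum(levenshtein(x, y) for x, y in zip(labels, t_labels))
        if 0 < dist <= max_edits and (best is None or dist < best[1]):
            best = (t, dist)
    return best


def find_lookalikes(installed):
    """Return [(package, impersonated_trusted_package, distance)] for an
    inventory of installed package names, preserving inventory order."""
    hits = []
    for pkg in installed:
        hit = lookalike_of(pkg)
        if hit:
            hits.append((pkg,) + hit)
    return hits


# Constructed inventory: the lure from the report, the genuine component, an
# unrelated game, the ad SDK package named in the report, and a second
# look-alike with one substituted character.
SAMPLE_INVENTORY = [
    "com.googles.android.gms",
    "com.google.android.gms",
    "com.example.game",
    "com.coread.adsdkandroid2019",
    "com.android.vendlng",
]

if __name__ == "__main__":
    for pkg, target, dist in find_lookalikes(SAMPLE_INVENTORY):
        print(f"{pkg} looks like {target} (edit distance {dist})")
```

Keeping the comparison per label, rather than over the whole dotted string, means `com.google.android.gms.update` (an extra label) is not reported as a variant of Play services; whether such prefix-squats should also be flagged depends on how the allow-list is maintained, and is a policy choice for the reviewer rather than for the code.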

Scary Granny also displays legitimate-looking ads for other well-known applications such as Messenger, Pinterest, Snapchat, Zalo and TikTok.

The malicious game makes it appear that apps such as Facebook and Amazon are open when they are only ads posing as those applications.

In one case the researchers tried, the ad led to a page that Google blocked as deceptive, which indicates it hosts malware or a phishing attack.

The ads are delivered to the compromised devices by connecting to an ad network through the com.coread.adsdkandroid2019 package.

Finally, to maximise its creators' profit, Scary Granny tries to extract money from users by asking them to pay for their playing privileges via a "pre-populated PayPal payment page".


Indian Govt. Takes Steps For Preventing Incidents of Cyber Crimes; Improving Cyber Safety in the Country



With phishing attacks at an all-time high, Union Minister Ravi Shankar Prasad has stressed the government's efforts to prevent further cyber-security incidents and improve cyber safety in the country.

The minister, who holds the Law and Justice and the Electronics and Information Technology portfolios in the Government of India, raised the issue in the Lok Sabha and addressed it in detail.

He wrote, “With the innovation of technology and rise in usage of cyber space, cyber-attacks such as phishing and identity theft are observed. Such phishing attacks are global phenomena which target users to trick them to divulge information such as online credentials."


According to data held by the Indian Computer Emergency Response Team (CERT-In), more than 260 phishing incidents were observed in the first five months of 2019.

Parliament was informed on Wednesday, 26 June, that around 552 phishing incidents were observed in 2017, 454 in 2018, and 268 in 2019 up to May.

"CERT-In is working in coordination with Reserve Bank of India (RBI) and banks to track and disable phishing websites," Prasad said, adding that CERT-In regularly issues alerts and advisories on the latest cyber threats and counter-measures to ensure the safe use of digital technologies.