IM Platforms Increasingly Used by Threat Actors in Place of Dark Web Marketplaces


Researchers at IntSights have discovered that IM platforms such as WhatsApp, Telegram, Discord, IRC, and Jabber are being used by cybercriminals to advertise and sell their goods and services. One of the major reasons cybercriminals are switching to these IM platforms from the conventional ones is law enforcement activity: operations have been targeting online darknet markets one after another. Earlier, in 2017, the world's largest dark web market, AlphaBay, was taken offline, sending darknet users into chaos. Immediately after, cyberspace witnessed the shutdown of Hansa, another major darknet market. As more and more major dark web markets went offline due to law enforcement penetration, cybercriminals have been migrating to new platforms.

Although threat actors are loving IM platforms, the regular cybercrime sources such as dark web markets, credit card shops, and forums are still seeing their usual web traffic. These platforms have more advantages such as chatbots, fewer rules, and automated replies due to their core nature, unlike IM platforms that are mainly meant for communication.

While giving insights, Etay Maor, IntSights CSO, said, "Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums."

"Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also a trade of physical items stolen or counterfeited from organizations in the retail industry," he added.

"While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States," Maor further explained.

Business Email Compromise: Most Common Online Scam?


More and more small and medium enterprises are being affected by business e-mail compromise, according to a webinar conducted by the PHD Chamber of Commerce and Industry.

Business Email Compromise, also known as BEC, is a security exploit in which the threat actor obtains access to a corporate email account linked to company funds and then attempts to defraud the company or its employees by spoofing the targeted employee's identity. The attackers manipulate the target into transferring money to a bank account that belongs to them.

In 2019, BEC scams accounted for losses of more than $1.77 billion, as per the FBI's Internet Crime Report. Businesses are being warned as BEC exploits surge due to the ongoing pandemic; companies that rely primarily on wire transfers to send money to international customers are the most common target of BEC.

An infected email network can cause a significant amount of damage to a company's interests, so safeguarding an enterprise is crucial: along with empowering employees, it also shields business interests and longevity.

While giving insights on the subject matter, deputy commissioner of police (cyber) Anyesh Roy said, “The fraudsters do compromise with the email account of the person who is dealing with the company accounts and financial transactions. They create an email account that is similar to either company’s or client’s account. They come in the middle and start interacting with both the parties. They change the destination of financial transactions on some pretext, following which the money goes to the fraudsters’ account.”

“Whatever an instruction has been received from the client about changing the destination of banking account, it needs to be confirmed through alternate means, including phone call, e-mail, and other.”

“Cyber-crime is like any other crime and one can report it anywhere at any police station or DCP office. The complaint can be registered through e-mail also. Cyber-crimes are happening through digital medium and the evidences can easily be destroyed so the victim needs to capture it as a screenshot and give it to police with their complaint,” the officer added.

Windows 10 New Feature Hunts and Thwarts PUAs/PUPs


Per reports, Microsoft has hinted that the next main version of Windows 10 will come with a fresh security feature that lets users enable a hidden Windows Defender feature that helps hunt and bar the installation of known PUAs (Potentially Unwanted Applications).

PUAs are also widely known as PUPs, which stands for Potentially Unwanted Programs. They aren't as well known to users as the other major threats in the cyber-crime world, but are a valid threat nevertheless.

Per sources, this is software that gets installed on devices by fooling the targets. The term is self-explanatory: it covers applications or programs that your device may not really need.

PUPs/PUAs rely on tactics such as “silent installs” to dodge user permissions, or “bundling” an unrequired application with the installer of an authentic program.

Sources mention that PUAs most commonly include applications that alter browser history, hinder security controls, install root certificates, track users and sell their data, and display invasive ads.

As per reports, the May 2020 update is to be rolled out to users in the last week of this month. Microsoft mentioned that it has added a new feature to its settings panel that allows users to bar the installation of unwanted applications or programs in the form of known PUAs/PUPs.

As it turns out, researchers mention that the feature has been available in Windows Defender for quite some time, but enabling it required group policies rather than the usual Windows user interface.

As per sources, to enable the feature a user must go to ‘Start’, ‘Settings’, ‘Update & Security’, ‘Windows Security’, ‘App & Browser Control’, and finally ‘Reputation-based Protection Settings’. Once updated, the feature shows two settings. The feature is disabled by default and needs to be enabled manually. Microsoft suggests enabling both settings.

Reports mention that the “Block Apps” feature will scan for PUAs that have already been downloaded or installed, so if the user is using a different browser, Windows Security would intercept the PUA after it’s downloaded. The “Block Downloads” feature, however, hunts PUAs while they are being downloaded.

Researchers Monitor Rise Of An Infostealer Dubbed As ‘Poulight’ That Most Likely Has A Russian Origin


With info-stealers progressively becoming one of the most common threats, the infostealer market has risen as one of the most lucrative for cyber crooks, since the data gathered from infected systems can be resold in the cybercrime underground or used for credential stuffing attacks.

This class of malware is said to include many well-known families like Azorult, Tesla, and Hawkeye.

Over the last two months, researchers from Cybaze-Yoroi ZLab observed the evolution and spread of an info-stealer dubbed Poulight, which most probably has a Russian origin. It was first spotted by MalwareBytes specialists in mid-March, and indicators of compromise have already been shared among the security community.

The malicious code has advanced stealing capabilities and continues to evolve.

Hash: 8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
Threat: Poulight Stealer
Brief Description: Poulight Stealer
Ssdeep: 1536:GJv5McKmdnrc4TXNGx1vZD8qlCGrUZ5Bx5M9D7wOHUN4ZKNJH:GJeunoMXNQC+E5B/MuO0Ogt

Above is the sample information / Technical Analysis

Like a large portion of the malware in this family, it is created with a builder made available to cyber-criminal groups, whose authors offer a 'subscription plan' for their "product". The outcome is a .NET executable:

Static information about the binary file

A quirk of this sample is that it shows not even minimal obfuscation, so its capabilities are very simple to analyze. When the malware is launched, it performs a classic evasion technique (as shown in Fig. 3):

Figure 3: Evasion Technique

This evasion technique is one of the most classic ones: it uses Windows Management Instrumentation (WMI) to execute the query "Select * from Win32_ComputerSystem". In particular, it checks for some of the most relevant traces of virtualization and sandboxing, such as:
• “vmware”
• “VIRTUAL”
• “VirtualBox”
• “sbiedll.dll” (Sandboxie)
• “snxhk.dll” (Avast sandbox)
• “SxIn.dll” (Avast sandbox)
• “Sf2.dll” (Avast sandbox)

These checks are also catalogued in the Al-Khaser and Pafish tools, which are test suites designed to detect malware analysis environments and intended to test the strength of sandboxes. At that point, the malware can continue with the infection by launching "Starter".

Figure 4: Loader module of the malware
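The strings in the evasion check listed above double as a static triage signal for defenders. The following added example (not code from the original analysis) extracts ASCII and UTF-16LE strings from a file and reports which of those indicators it contains; the scoring rule and the two sample byte blobs are constructed assumptions.

```python
import re

# Indicator strings from the list above, grouped by what a match reveals.
INDICATORS = {
    "wmi_query": ["Select * from Win32_ComputerSystem"],
    "vm_marker": ["vmware", "VIRTUAL", "VirtualBox"],
    "sandbox_dll": ["sbiedll.dll", "snxhk.dll", "SxIn.dll", "Sf2.dll"],
}


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so spacing/case variants still match."""
    return " ".join(text.lower().split())


# normalised indicator -> (category, spelling used in the article)
LOOKUP = {
    normalise(text): (category, text)
    for category, texts in INDICATORS.items()
    for text in texts
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    .NET keeps string literals as UTF-16LE in the #US heap, so an ASCII-only
    strings pass would miss every indicator in a .NET sample.
    """
    for match in ASCII_RUN.finditer(data):
        yield match.start(), "ascii", match.group().decode("ascii")
    for match in UTF16_RUN.finditer(data):
        yield match.start(), "utf-16le", match.group().decode("utf-16-le")


def triage(data: bytes) -> dict:
    """Report indicator hits and a coarse verdict for one file's bytes."""
    hits = {category: [] for category in INDICATORS}
    for offset, encoding, text in extract_strings(data):
        # Whole-string match only: "VirtualAlloc" must not count as "VIRTUAL".
        entry = LOOKUP.get(normalise(text))
        if entry:
            category, name = entry
            hits[category].append(
                {"indicator": name, "offset": offset, "encoding": encoding}
            )
    vm_markers = {h["indicator"] for h in hits["vm_marker"]}
    sandbox_dlls = {h["indicator"] for h in hits["sandbox_dll"]}
    # Assumed rule: the WMI query alone is normal for inventory tools; it only
    # counts together with a VM marker, or when several sandbox DLLs are named.
    suspicious = (bool(hits["wmi_query"]) and bool(vm_markers)) or len(sandbox_dlls) >= 2
    return {"hits": hits, "suspicious": suspicious}


def us_entry(text: str) -> bytes:
    """Encode a literal roughly as the #US heap stores it (sample builder)."""
    body = text.encode("utf-16-le")
    return bytes([len(body) + 1]) + body + b"\x00"


# Constructed sample: bytes laid out like a .NET binary carrying the checks.
SAMPLE_STEALER = b"MZ\x90\x00mscoree.dll\x00_CorExeMain\x00" + b"".join(
    us_entry(s) for texts in INDICATORS.values() for s in texts
)
# Constructed sample: an inventory tool that runs the same WMI query.
SAMPLE_BENIGN = (
    b"MZ\x90\x00KERNEL32.dll\x00VirtualAlloc\x00"
    + us_entry("Select * from Win32_ComputerSystem")
    + us_entry("VIRTUAL memory exhausted")
)

if __name__ == "__main__":
    for label, blob in (("stealer-like", SAMPLE_STEALER), ("benign", SAMPLE_BENIGN)):
        result = triage(blob)
        found = sorted(h["indicator"] for hs in result["hits"].values() for h in hs)
        print(label, "suspicious =", result["suspicious"], found)
```

Since Al-Khaser and Pafish carry the same strings, a hit means "contains environment checks" and still needs an analyst's look before a file is called malicious.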

The "Starter" class contains the routine that loads the components of the malware. Before that, certain directories and files used to store the data gathered from the victim machine are initialized. This is performed by the first instruction, "global::Buffer.Start()". The method is very simple: a series of folders is created within the Windows special folders (AppData, Local AppData, Personal, Desktop) along these lines:

Figure 5: Creation of folders in the Windows Special Folders

After that, the malware extracts the configuration file and its parameters from the resource named "String0", a Base64-encoded string, which is decoded by the following routine:

Figure 6: Routine to extract the configuration file

The first data tag, "prog.params", is retrieved immediately in the instruction "HandlerParams.Start()", which can be seen in Figure 4. Next, a check for a previous infection is performed before starting a new one. This is the job of the instruction "AntiReplaySender.CheckReplayStart()" (in Figure 4).

Figure 7: Check of a previous infection

The malware attempts to find the ID of the mutex. If the file is present, the malware does not execute itself again; otherwise it writes this empty file to signal that the infection has started. After that, control passes to the real malicious main routine contained inside the "XS" class, as seen in Figure 4. The first part of the code is the following:


Figure 8: Initialization of the mail module

The first instruction is "Information.Start()", where all the data about the hardware and software of the host is collected along these lines:

Figure 9: Routine for retrieving the configuration of the victim machine

It is evident that the malware uses both English and Russian to log the data it gathers. After that, the stealer enumerates and logs all the active processes in the operating system.

Figure 10: Routine to extract the process list

Now, as seen in Figure 8, a check on the third parameter is performed. If it is equal to one, the "clippers" module is executed.

Figure 11: Routine to decode and execute an embedded component

As shown in the above figure, this code can decode a component contained inside the "clbase" tag with the AES key stored within the "update" tag. However, in this particular configuration there is no "clbase" field, so there is no other component to install. The last instruction seen in Figure 8 is "CBoard.Start", which works in the following way:

Figure 12: Routine to steal clipboard data

The subsequent stage is to accumulate all the sensitive data on the victim machine:

Figure 14: Detail of the stealing modules

The malware steals an immense amount of data:
  • Desktop Snapshot 
  • Sensitive Documents 
  • Webcam snapshot 
  • Filezilla credentials 
  • Pidgin credentials 
  • Discord Credentials 
  • Telegram 
  • Skype 
  • Steam 
  • Crypto Currencies 
  • Chrome chronology  

The most fascinating part is the module "DFiles", which is instructed to steal sensitive documents. It begins by looking for files with one of the following extensions:

Figure 15: Routine to search the documents with specific extensions

Within the gathered files, the malware searches for classic keywords indicating that the content of the files holds valuable credentials. The keywords are the following:

Figure 16: List of keywords searched within the documents

Then the malware proceeds to gather all the data inside a unique data structure and sends it to the C2 retrieved in another resource named "connect":

Figure 17: Routine to upload to the C2 the stolen information

Finally, it downloads and executes various components from the Internet. The parameters are retrieved in the same way as in the previous section: a tag named "file" contains the component to download.

Figure 18: Routine to download other components from the Internet

Thus there is no doubt that Poulight stealer has a mind-boggling potential to steal sensitive data, and it should not be overlooked that, later on, it may supplant other info stealers like Agent Tesla, remcos, etc.

In any case, the limitation of the implant is the absence of code obfuscation and data protection; however, this could be explained by the fact that, possibly, the malware is in its early stages of development.

Since the attackers will likely enhance these features, being aware of them is the best step forward for users now.

Fake Email Campaign Demanding Ransom in Cryptocurrency


Internet users have been alerted by the national federal cybersecurity agency to a fake email campaign that is going on in the country; the authors behind the campaign threaten to post a personal video of the victim that they claim to have recorded if the demanded ransom, in the form of cryptocurrency, is not paid to them.

While assuring users that there's nothing major to worry about these emails as the claims made in it are fake, the Computer Emergency Response Team of India (CERT-In) in a related advisory, suggested users assign new passwords to all their online platforms including their social media handles.

CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology security organization. It has been designated as the national agency to respond to computer security incidents. The purpose of CERT-In is to issue guidelines, advisories, and promote effective IT security practices throughout the country.

A number of emails have been sent as a part of the campaign, claiming that the receiver's computer was compromised, that a video was recorded via their webcam and that the sender has access to their passwords, as per CERT-In's latest advisory on the matter. The attacker attempts to lure the user into the trap by mentioning one of the user's previous passwords in the email; then, by strategic use of computer jargon, the attacker comes up with a story to appear highly skilled to the recipient. The story tells the victim that while he was surfing a porn website, his display screen and webcam were compromised by malware placed by the hacker onto the website. It states that all of the user's contacts from Facebook, email, and messenger have been hacked as well.

As these emails are scams and make false claims, users are advised not to get tricked into paying the demanded ransom in haste. Even if the password mentioned by the attackers in the email seems familiar, that is because they obtained it from leaked data posted online and not by hacking the account. All you have to do is change or update your password on all the online platforms where it is being used.

Google Is All Set To Fight The Coronavirus Themed Phishing Attacks and Scams


These days of lock-down have left cyber-criminals feeling pretty antsy about “working from home”. Not that it has mattered, because apparently that is why the number of cyber-crime cases has only risen, especially phishing attacks.

This has gotten Google working on its machine-learning models to bolster the security of Gmail to create a stronger security front against cyber-criminals.

Given the current conditions, the attackers seem to have a morbid sense when it comes to the theme of their phishing attacks, i.e. COVID-19. Reportedly, 18 Million such attacks were blocked in a single week, which amounts to 2.5% of the 100 Million phishing attacks it allegedly dodges every day.

Google, per sources, is also occupied with blocking around 240 Million spam messages on a daily basis. These phishing attacks and spam at such a worrisome time have impelled Google and Microsoft to modify their products’ mechanisms to create a better security structure.

Reportedly, the number of phishing attacks in general hasn’t risen, but among the already existing attacks, COVID-19 or Coronavirus is being used as a theme a lot.

Malware and phishing attacks, especially the ones related to COVID-19, are being pre-emptively monitored, because, resourceful as the cyber-criminals are, existing campaigns are now being reused with small changes to fit the current situation.

A few of the annoying phishing emails include ones pretending to be from the World Health Organization (WHO) to fool recipients into making donations for victims to a falsified account.

Per the intelligence teams of Microsoft, the Coronavirus themed phishing attacks and scams are just the remodeled versions of the previous attacks.

The attackers are extremely adaptive to the things and issues that their victims might easily get attracted to. Hence a wide variety of baits could be noticed from time to time.

During the lock-down period of the pandemic, health-related and humanitarian organizations have been extensively mentioned in the scams and phishing emails.

Per sources, the Advanced Protection Program (APP) lately acquired new malware protections by enabling Google Play Protect on Android devices for some specifically enrolled accounts.

Allegedly, users trying to join the program with default security keys were suspended, while the ones with physical security keys were still allowed to be enrolled.

All the bettered security provisions of Google shall be turned on by default so that the users can continue to live a safe and secure life amidst the pandemic.

Double Extortion- A Ransomware Tactic That Leaves The Victims With No Choice!


In addition to all the reasons ransomware was already dangerous and compulsive, there’s another one that recent operators are employing to scare the wits out of their targets.

Cyber-criminals now threaten their victims with publishing their stolen data if the ransom doesn’t get paid or any other conditions aren’t followed through with.

The tactic in question is referred to as “Double Extortion”, and quite aptly so. Per sources, it emerged in the latter half of 2019, apparently in use by the Sodinokibi, DopplePaymer and Clop ransomware families.

Double extortion is all about doubling the malicious impact a normal ransomware attack could create. So the cyber-criminals try and stack up all sorts of pressure on the victims in the form of leaked information on the dark web, etc.

They just want to make sure that the victims are left with no other option but to pay the ransom and meet all the conditions of the attack, no matter how outrageous they are.

The pattern of Double Extortion was tracked after a well-known security staffing company from America experienced the “Maze ransomware” attack and didn’t pay up the 300 Bitcoin, which totaled up to $2.3 Million, even after they were threatened that their stolen email data and domain name certificates would be used for impersonating the company!

Per sources, all of the threatening wasn’t without proof. The attackers released 700 MB of data which allegedly was only 10% of what they had wrested from the company! And what’s more, they HIKED the ransom demand by 50%!

According to sources, the Maze ransomware group has a website especially fabricated to release data of the disobliging organizations and parties that don’t accept their highly interesting “deals” in exchange for the data.

Reportedly, data ranging from extra sensitive to averagely confidential, belonging to dozens of companies and firms from all industries, has found its way to the Maze ransomware website.

Clearly impressed by it many other operators of similar intentions opened up their own versions of the above-mentioned website to carry forward their “business” of threatening companies for digital currency and whatnot! They sure seem to have a good sense of humor because per sources the blog names are the likes of “Happy Blog”.

Per reports, the Sodinokibi ransomware operators threatened to leak a complete database from the global currency exchange, Travelex. The company had to pay $2.3 Million worth of Bitcoin to get the attackers to bring their company back online.


Per reports of the researchers, the attackers would always release some kind of proof that they have the extremely valuable data of the company, before publishing it, to give the company a fair chance at paying up the ransom demanded.

Usually, these attacks are a win-win for the attackers and a “lose-lose” for the victims. If the victims decide not to pay up, they put their company in a very dangerous situation, with all the valuable data exposed online for anyone to exploit; they would have to report the breach, and they would have to pay a considerably high fine to the data privacy regulator. And if they pay up, they lose a giant pile of money! Sadly, the latter feels like the better option.

Hospitals happen to be the organizations most vulnerable to these attacks, because of all the sensitive health-related data their databases are jam-packed with on any ordinary day, and additionally due to the Coronavirus outbreak.

Organizations could always follow the most widely adopted multi-layered security measures for keeping their data safe, including updating systems, keeping backups and keeping data protected in any way they possibly can.

The most conscientious gangs of the many ransomware families, per sources, have promised to not attack hospitals amidst this pandemic. But that doesn’t stop the other mal-actors from employing cyber-attacks.

The cyber-crime forecasters have mentioned that the year 2020 would be quite a difficult year for these organizations what with the lock-down and no easier (malicious) way to earn money, apparently? Food for thought!


Meghan Markle and Prince Harry's Names Used for Fake Celebrity Endorsement of Bitcoins?


While the Coronavirus pandemic has practically driven people to stay locked up in their homes and spend a lot more (in some cases almost all) of their time online, the possibilities for cyber-criminals have only flourished.

Cyber-security experts have realized this and made a point of ensuring that everyone knows the kind of danger lurking in their cyber-world.

From elaborate scams to phishing attacks that target the victim’s personal information, there is a lot that people need to be cautious about.

The Cryptocurrency industry is going through a lot due to the current crisis the world is in. The "crypto-partakers" are particularly on the hit list, with something as attention-grabbing as a purported “celebrity endorsement”. The latest bait names for this attempt happen to be those of the charming Meghan Markle and Prince Harry.

Well-known personalities’ names like Bill Gates, Lord Sugar and even Richard Branson have been misused to lure people in as a part of similar scams. It is not necessary for the people mentioned to belong to a particular industry. They could be anyone famous for that matter.

The scams are so elaborate that, once fooled, the victims can’t even trace the mal-agent. The latest scam, per sources, employs a fake report from the “BBC” mentioning how Prince Harry and Meghan Markle found themselves a “wealth loophole”.

Per sources, they also assure their targets that in a matter of three to four months they could convert them into millionaires. Further on, allegedly, it is also mentioned that the royals think of the Cryptocurrency auto-trading as the “Bitcoin Evolution”. It reportedly also includes a fake statement purportedly made by Prince Harry.

The overconfident scammers also declare that there is no other application that performs the trading with the accuracy like theirs. Reportedly, on their website, there are banners with “countdowns” forcing people to think that there are limited period offers.

According to researchers this is one of the many schemes desperate cyber-criminals resort to. People not as used to the Cryptocurrency industry and the trading area, in particular, are more vulnerable to such highly bogus scams and tricks that the cyber-criminals usually have up their sleeves.

BEC Scams Cost American Companies Billions!


Business Email Compromise (BEC) scams have surfaced among several US companies and have caused them damage along the lines of Billions, according to a warning from the Federal Bureau of Investigation.

Per sources, BECs are “sophisticated scams” aiming at businesses involving electronic payments encompassing “wire transfers or automated clearing house transfers”. Usually, these scams include a cyber-con penetrating a legitimate business email account via device intrusion procedures.

Once the access has been acquired, the cyber-con is free to deceitfully dive into the email account to obtain funds by sending emails to suppliers, loaded with invoices of modified bank account details.

The hit list mostly consists of organizations that employ cloud-based email services, which makes it easier to go for Business Email Compromise (BEC) scams.

Per the FBI, specially engineered “phish kits” with the ability to impersonate the cloud-based email services are used in these scams to exploit the business accounts and request or misallocate funds.

Sources mention that the Internet Crime Complaint Center (IC3) received numerous complaints over the past years about companies having experienced damages amounting to a couple of Billions in “actual losses” as a result of the BEC scams.

The IC3 focused their attention on the BEC scams right after their number began to multiply rapidly across all the states of America.

The issue allegedly stands in the configuration of the cloud-based services which makes it almost effortless for cyber-criminals to exploit the company’s email accounts.

Obviously, most cloud-based services are laden with security measures intended to block BEC attempts. But that depends on the ability of the users to make good use of them. Most of these features need to be enabled and manually configured.

Per sources, what makes these scams dangerous is that any organization, big or small, with limited IT resources is vulnerable.

The cyber-cons in addition to having control over the email accounts, usually also retrieve the address books of the exploited accounts to have a list of potential targets. Hence, a single bad apple could affect the entire basket, meaning a single affected organization could have ramifications for the entire business industry.

Facebook official Twitter and Instagram accounts hacked!


"Well, even Facebook is hackable but at least their security is better than Twitter.", this opening statement was posted on Facebook's official Twitter account by the hacking group OurMine.



Though the accounts have now been restored, the hacking group OurMine posted the same on Facebook's Twitter, messenger and Instagram accounts.

OurMine says its hacks are meant to show the sheer vulnerability of cyberspace. In January, they attacked and hijacked the accounts of dozens of US National Football League teams.

They posted the following on Facebook's Twitter page:

Hi, we are O u r M i n e,
Well, even Facebook is hackable but at least their security is better than twitter. 

 to improve your account security
 Contact us: contact@o u r m In e.org 

 For security services visit: o u r m In e.org 

On Instagram, they posted OurMine logo whereas Facebook's own website was left alone. Twitter has confirmed that the accounts were hacked albeit via a third-party and the accounts were then locked.

"As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners at Facebook to restore them," Twitter said in a statement.

These attacks followed the same trend as they did in the attack on the teams of the National Football League.

The accounts were accessed via Khoros, a third-party platform. Khoros is a marketing platform, software that allows people to manage their social media accounts all in one space. It can be used by businesses to manage their social media communications. Platforms like Khoros hold the login details of their customers. OurMine seems to have gained access to these accounts through this platform.

OurMine is a Dubai-based hacking group known for attacking accounts of corporations and high-profile people. It has hacked the social media accounts of quite a few influential individuals like Twitter's founder Jack Dorsey and Google's chief executive Sundar Pichai, and the corporate accounts of Netflix and ESPN. According to OurMine, its attacks are intended to show people cybersecurity vulnerabilities, and it advises its victims to use its services to improve security.

Hacked! SCPI Protocol Vulnerability; Measurement Instruments Could be Hacked!


A leading cyber-security firm recently alerted all the netizens about a vulnerability discovered in the measurement tools that support the Standard Commands for Programmable Instruments (SCPI) protocol, mentioned reports.

According to sources, SCPI is an ASCII-based standard that came into existence in 1990 and was crafted especially for testing and measurement machines.

SCPI is still used quite a lot, given its easy and user-friendly interface and its inclusion of commands that can alter any setting on the devices.

In recent times, most measurement devices are connected to networks and in some cases even to the internet. Hence, the fact that SCPI has no authentication mechanism is a matter of risk and insecurity for all its users.

Per sources, when one of the major cyber-security research firms ran analytic research on SCPI, they uncovered all the devices that use it and are therefore vulnerable to cyber-crime.

Per reports, the aforementioned measurement devices include multimeters, signal analyzers, oscilloscopes, data acquisition systems, and waveform generators.

The researchers carried forward their analysis on different brands and different products of the same type and came across the fact that all the vendors’ products could be equally susceptible to cyber-attacks of similar nature if they used SCPI.

A multimeter was analyzed by the researcher wherein they found that its web and other interfaces were quite easily available and were very easy to get to as they were neither password-protected nor had any security functions by default.

Therefore, any cyber-attack that even a basic attacker plans could have a high possibility of success as the “configuration panel” could be very easily accessed and the password could be changed to anything in accordance with the attacker’s whims.

And as if all this wasn’t enough, the attacker could actually configure the measurement instruments to cause physical harm to people. The devices could be set to show illogical and unsystematic text any number of times, as well.

Per sources, the memory of the measurement instruments could be written for a definite number of times but incessant writing could lead to the devices’ physical distortion which couldn’t be reversed without changing the parts.

The power supply units of the devices could also be easy targets for attackers, according to sources, and could trigger DoS leading to physical corruption of the device.

Understand how SIM Swapping can easily be used to hack your accounts!

We've all heard about SIM swapping, SIM splitting, simjacking or SIM hijacking, the recent trend among cybercriminals. Now a study by Princeton University proves the vulnerability of wireless carriers and shows how SIM swapping has helped hackers commit fraud and other crimes.



SIM swapping gained considerable attention when Twitter CEO Jack Dorsey's account was hacked on his own platform. A study by Princeton University has revealed that five major US wireless carriers - AT&T, T-Mobile, Verizon, Tracfone, and US Mobile - are susceptible to SIM swap scams. SIM hijacking is also on the rise in developing regions such as Africa and Latin America.

What is SIM swapping? 

SIM swapping is when someone fraudulently takes over your account through phone-based authentication, usually two-factor authentication or two-step verification. This could give the hacker access to your email, bank accounts, online wallets and more.

How does the swap occur?

In a SIM swap, scammers exploit the second step in two-factor verification, where either a text message is sent or a call is placed to your number for verification.

Citywire further explains the process, "Usually, a basic SIM-card swapping works when scammers call a mobile carrier, impersonating the actual owner and claiming to have lost or damaged their SIM card. They then try to convince the customer service representative to activate a new SIM card in the fraudster’s possession. This enables the fraudsters to port the victim’s telephone number to the fraudster’s device containing a different SIM."

After accessing the account, the scammers can control your email, bank accounts, online wallets and more.

Detecting a SIM swapping attack

• The first sign is your text messages and cell phone no longer functioning; if that happens, it's probable that your account has been hijacked.

• If the login credentials you set stop working, it's probably a sign that your account has been taken over. Contact your telecom provider and bank immediately.

• If you get a message from your telecom provider that your SIM card has been activated on another device, be warned: it's a red flag.

British American Tobacco’s Romanian Platform Faces Data Breach; Ransomware Demands Bitcoins

British American Tobacco (BAT)'s Romanian web platform was compromised in a ransomware attack and data breach.
BAT, a United Kingdom-based company, is one of the largest manufacturers of nicotine and tobacco products.
Reportedly, the data breach was first discovered on an Irish “unsecured Elasticsearch server” holding around 352 GB of data. Allegedly, the hackers had breached the data's location.
The ransom request was waiting on the server in the form of a "readme" file, in which the attackers demanded a “Bitcoin payment” in exchange for “not deleting their data”.
Per sources, the cyber-researchers discovered the data breach on a “server connected to the web platform YOUniverse.ro”, which is part of BAT's Romanian promotional campaign targeting adult smokers.
The compromised data includes users' “Personally Identifiable Information” (PII), such as name, gender, email address, phone number, date of birth, source IP, and cigarette and tobacco product preferences.

Allegedly, tobacco advertising is mostly prohibited by Romanian law, which exempts certain kinds of promotional campaigns and event sponsorship aimed at existing smokers over 18 years of age.
The platform in question let Romanians win tickets to events and parties featuring local and international performers.
Despite the team's numerous attempts to get the breach contained, the database had been unprotected for the past two months and was finally secured on November 27, 2019.
According to sources, the research team has approached the company's local branch, the global company, the server's host, Romania's National Authority for Consumer Protection (ANPC) and the Certification Authority (CA) for clarification.
The CA was the only organization to respond to the team. The Romanian journalists who were contacted, along with the authorities, are yet to answer.

As Venezuela's economy plunges, citizens turn to hacking and cybercrime for easy money


Cybercrime is rising rapidly in Venezuela as an effect of the country's economic and political turmoil, according to a report released Thursday by IntSights, a global threat intelligence company. More and more people are being driven into the criminal underground, as it provides a lucrative alternative way to make money.



IntSights analysts found sophisticated and systematic operations working to steal the personal information of individuals from Latin America, such as bankers and retailers. The operators either sell the information online to the highest bidder or use it to dig up more data. These hacks and data-gathering operations are quite profitable for Venezuelans, as they sell the data for cryptocurrency like Bitcoin, a better alternative to the sinking national currency, the Venezuelan bolivar.

Venezuela, once among the richest countries in Latin America, with large oil reserves and gold mines, has now become a mere shell of its former self, as decades of corruption and socialist rule have sunk the economy. The political situation in the country is also severe, with ongoing protests and rebellion against President Nicolás Maduro since last year. Hyperinflation in Venezuela has eroded the national currency, and citizens have turned to cryptocurrency.

The International Monetary Fund says inflation of the Venezuelan bolivar, the country’s currency, is expected to hit a startling 200,000 percent this year. A cup of coffee that cost 150 bolivars in November 2018 now costs 18,000 bolivars, according to Bloomberg (Quoting nbcnews).

These hackers are based in Venezuela and neighbouring countries like Colombia, and, unlike experienced hackers from Russia and China, they don't seem to be hiding. Information about the operations, their phone numbers and where to find them is easily available.
“They don’t seem too concerned about hiding,” Charity Wright, an analyst at IntSights said. “I think it’s because they don’t sense law enforcement will do anything.”

The law enforcers have also turned a blind eye to the victims, as they are more concerned about handling the political turmoil, the reports said.

There has been heavy censorship in the country, with bans on CNN, major newspapers and VPNs. Social networks like Instagram, Snapchat, Facebook and Twitter, and messaging apps like WhatsApp, are the major means of communication for the people. Cybercriminals can also be found easily on these platforms, collaborating and looking for work.

"The Venezuelan underground has risen to the surface with the anarchy and chaos of the Maduro regime,” said Tom Kellermann, head of cybersecurity strategy for cloud computer company VMware and a global fellow for cyber policy at the Wilson Center. These crimes comprise large-scale email phishing and malware campaigns, and sensitive data being sold on public websites and over the dark web.

Cyber-Crime On Rise; One of A Kind Ransomware Hits Cloud Computing Giant iNSYNQ!







iNSYNQ, the cloud hosting giant, was recently targeted by a ransomware attack that led the company to shut down its servers to contain the damage.

The company, a host for Microsoft, Sage, and Intuit, provides customers with cloud-based virtual desktops for hosting business applications.

The attack was carried out by an unknown party and affected iNSYNQ clients by making their data inaccessible, according to sources.

The affected organization's servers were immediately shut down, and the next step was to safeguard the clients' data and backups.

Cyber-security experts have been hired by the organization to help restore the infected data and eradicate any further possibility of such attacks.

The backups aren't yet available to customers despite repeated requests for them. The company is doing everything in its control to mitigate the situation.


The clients’ data backups were on the unaffected servers but on the same network nevertheless.

The problem is not stolen data; rather, the data has been encrypted and is therefore inaccessible.

On a mysterious note, the Twitter account of iNSYNQ seems to have disappeared and is no longer accessible.

The data will take a good amount of time to reach the clients because, after it is retrieved, it will need to be checked for any residual traces of the malware.

The company did mention, though, that the malware that hit it was of a new kind and had never been detected before.

For security reasons, the organization can't reveal much about the complexities of the attack and the overall situation, because doing so might put customers' data in danger.

With the help of leading experts, the process of backing the data up is proceeding at full speed, and the organization is trying its hardest to get its clients' data back to them.

Russian Intelligence Attempts to Crack Tor Anonymous Web Browser



After being breached by cybercriminals, a Russian intelligence contractor was found to have been attempting to crack the anonymous web browser Tor, which is used by people who wish to bypass government surveillance and access the dark web. However, it is unclear how effective the attempt was, because the method relied largely on luck to match Tor users to their activity.

According to the BBC's findings, the intelligence contractor, which is widely known in Russia, is also working on various secret projects.

SyTech, a contractor for Russia's Federal Security Service (FSB), fell prey to a massive data breach in which hackers gained illicit access to around 7.5 terabytes of data, including details of its projects.

The company's homepage was replaced with a smug smiley face by hackers from a group named 0v1ru$, who gained illegal access to the company on 13th July.

In order to crack Tor, SyTech resorted to Nautilus-S, which required it to become an active member of the browser's network.

Whenever a user connects to Tor, the use of the browser is visible to internet service providers, who can later provide this data to the FSB or any other state authority on request.

Commenting on the viability of SyTech's attempt to crack Tor, a spokesperson for the Tor project said, "Although malicious exit nodes would see a fraction of the traffic exiting the network, by design, this would not be enough to deanonymize Tor users,"

"Large-scale effective traffic correlation would take a much larger view of the network, and we don't see that happening here," he added.


Chinese Hackers Attacked Eight Major Technology Service Providers




Eight of the largest technology service providers were attacked by hackers from China's Ministry of State Security, who attempted to access sensitive commercial information and secrets belonging to the providers' clients across the world.

In December last year, a vicious operation was outlined in formal charges filed in the U.S.; it was designed to illegally access Western intellectual property in order to further China's economic interests.

According to the findings made by Reuters, the list of compromised technology service providers includes Tata Consultancy Services, Dimension Data, Hewlett Packard Enterprise, Computer Sciences Corporation, HPE’s spun-off services arm, IBM, DXC Technology, Fujitsu and NTT Data.

Furthermore, various clients of the service providers, such as Ericsson, also fell prey to the attack.
However, IBM previously stated that it lacks evidence of any secret commercial information being compromised by any of these attacks.

According to statements from HPE, the company worked diligently for its “customers to mitigate this attack and protect their information.” Meanwhile, DXC said that it had “robust security measures in place” to keep its clients secure.

Denying the accusations and any involvement in the attacks, the Chinese government said, “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets.”

“While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” an Ericsson spokesperson said, adding that the company doesn’t comment on specific cybersecurity matters.



Cybercrime goes out of control in India



Phishing, data theft, identity theft, online lottery, cyber attacks, job frauds, banking frauds, cyberbullying, online blackmailing, morphing, revenge porn, cyber hacking, child pornography, cyber grooming, cyberstalking, data diddling, software piracy, online radicalisation — the dark web of cybercrimes is spreading across the world and India is one of the hotspots of this digital crime.

With increasing mobile coverage and cheaper data, more and more Indians now access the internet even while on the move. This has exposed unsuspecting users to online fraudsters. Many become victims of sexual exploitation after being made to share personal details, while others use new media like WhatsApp to spread fake news and create trouble for political and other gains. There have been several lynching incidents in the country in the past couple of years after fake messages about child lifting and cow slaughter were spread through social media.

In spite of an alarming rise in cybercrime in the country, the most recent government statistics available are from 2016. Cybercrimes touched 12,317 cases in 2016, an increase from 9,622 reported in 2014. The National Crime Records Bureau is yet to release the statistics for 2017 and 2018.

The data available is just the tip of the iceberg and the numbers might be much higher, says a senior government official. “Many even do not report loss of money or honour out of shame. Many cannot even tell their families that they have lost money in online frauds,” the official said.

Officials say the problem is that common people are not aware of the risks involved while dealing with the internet. Many are unaware, they say, and exercise no caution while using the net. They click unwanted links, unknowingly give the cyber fraudster their personal details and get cheated.

MySQL Servers on Windows Attacked by Hackers to Distribute GandCrab Ransomware



GandCrab, one of the most widespread ransomware families and a regular in the headlines, is being circulated via multiple kinds of attacks, such as exploit kits, compromised websites, social media campaigns, and weaponized Office documents.

Researchers have detected a new variant of GandCrab ransomware that is configured to attack Internet-facing MySQL servers on Windows; the ransomware is also reported to hold around 40% of the ransomware market.

How does it attack?

The malicious operation begins with the injection of a malicious DLL file into the database server using SQL database commands.
As the attack proceeds, the DLL is invoked to fetch the ransomware payload, which is hosted on a malicious server.
The attacker establishes a connection with the database server and then uploads the helper DLL using the set command, sending it in the form of hexadecimal characters.
“Later they issued a command to concatenate binaries to a single file and them into the server’s plug-in directory. Also, they used several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features,” researchers observed. 

In their study, the Sophos researchers described "an intriguing attack this week from a machine based in the United States. We monitored both the behavior and network traffic generated by this honeypot and were surprised to see the honeypot (which runs under Linux) download a Windows executable.”

“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

Assessing the threat, they said, “it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world.”
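The stages described above (a hex-encoded DLL uploaded with SET, a write into the plug-in directory, then the DLL being invoked) each leave a recognisable statement in a MySQL query log. The following detector is an added example, not code from the original post or from Sophos; the log layout, the sample lines, the 512-character threshold and the use of `CREATE FUNCTION ... SONAME` as the statement that loads the DLL are assumptions.

```python
import re
from collections import defaultdict

MIN_HEX_CHARS = 512  # assumption: shorter hex literals are ordinary data

# Assumed layout: "<timestamp>\t<connection id> <command>\t<statement>"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
HEX_SET_RE = re.compile(
    r"\bset\s+@\w+\s*:?=\s*(?:0x|x')([0-9a-f]{%d,})" % MIN_HEX_CHARS, re.I)
FILE_WRITE_RE = re.compile(r"\binto\s+(?:dumpfile|outfile)\s+'([^']+)'", re.I)
SONAME_RE = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+\S+\s+returns\s+\w+\s+soname\s+'[^']+'",
    re.I)


def classify(statement):
    """Return (stage, has_pe_header) for one SQL statement; stage may be None."""
    m = HEX_SET_RE.search(statement)
    if m:
        # 4D5A is "MZ", the first two bytes of a Windows PE file such as a DLL.
        return "hex_upload", m.group(1).lower().startswith("4d5a")
    m = FILE_WRITE_RE.search(statement)
    if m:
        # Collapse mixed and doubled slashes so swapped separators
        # do not hide a write into the plug-in directory.
        path = re.sub(r"[\\/]+", "/", m.group(1)).lower()
        return ("plugin_dir_write" if "/plugin/" in path else None), False
    if SONAME_RE.search(statement):
        return "library_load", False
    return None, False


def suspicious_connections(log_text, min_stages=2):
    """Map connection id -> stages seen, for connections combining several stages."""
    seen = defaultdict(lambda: {"stages": [], "pe_header": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3).lower() != "query":
            continue
        stage, pe = classify(m.group(4))
        if stage is None:
            continue
        entry = seen[int(m.group(2))]
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
        entry["pe_header"] = entry["pe_header"] or pe
    return {c: e for c, e in seen.items() if len(e["stages"]) >= min_stages}


# Constructed sample log (not from a real incident); hex blobs are filler bytes.
BLOB_A = "0x4D5A" + "00" * 600
BLOB_B = "0x" + "00" * 600
SAMPLE_LOG = "\n".join([
    "2019-05-20T09:58:00Z\t   12 Query\tSET @x = 0x1F",
    "2019-05-20T09:58:02Z\t   12 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/report.csv'",
    "2019-05-20T10:00:00Z\t   31 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2019-05-20T10:00:01Z\t   31 Query\tSET @a = " + BLOB_A,
    "2019-05-20T10:00:02Z\t   31 Query\tSET @b = " + BLOB_B,
    "2019-05-20T10:00:03Z\t   31 Query\tSELECT CONCAT(@a,@b) INTO DUMPFILE "
    "'C:/mysql\\lib//plugin\\helper.dll'",
    "2019-05-20T10:00:04Z\t   31 Query\tCREATE FUNCTION helper_fn RETURNS STRING "
    "SONAME 'helper.dll'",
    "2019-05-20T11:30:00Z\t   44 Query\tCREATE FUNCTION metaphon RETURNS STRING "
    "SONAME 'udf_example.dll'",
])

if __name__ == "__main__":
    for conn, info in suspicious_connections(SAMPLE_LOG).items():
        print(conn, info)
```

A single stage on its own, such as an administrator installing a UDF on connection 44, is not reported at the default `min_stages=2`; it is the combination on one connection that is flagged.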


Cybercriminals Preferring Audio Skimmers Over Flash Skimmers






With advances in technology, there has been a rapid increase in the number of web skimming attacks, along with heightened activity in the black market for physical card skimming tools.
Web skimming attacks are designed to capture critical financial data and card details, such as the name of the holder and sensitive numbers. Attackers connect their spying tool to a point-of-sale (PoS) system or an ATM in order to get access to the data that these machines process from credit and debit cards.
The ever-evolving methods of web skimming are one of the reasons it is thriving and remains undetected. Professional skimmers have formed closed communities, organized to coordinate skimming operations and to assist the cashers, decoders, engineers, extractors, and vendors with whatever they need.
Advanced Intelligence, a New York-based fraud prevention company, reported that the usual targets are gas stations, ATMs and PoS terminals. Skimming involves unauthorized access to sensitive financial information, for which the cybercriminals mainly rely on upgrades and advancements in technology to produce and circulate products that are unassailable and undetectable.
Another variant is the audio skimmer, which has been known to exist since 2010; the technique employed in audio skimming is said to have existed since 1992. The devices involved capture the data in MP3 format, storing and encrypting it. The threat from audio skimmers multiplies when a camera is attached to capture the PIN, acting as a video skimmer.
Commenting on the matter, Yelisey Boguslavskiy, director of security research at AdvIntel, said, "They use timing-calculating algorithms to “reed” the audio when the card is being scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format,"
"Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools,” he further added.