
BEC Scammer Infects own Device, Exposes their Activity


In some media depictions, criminal and state-backed hackers are portrayed as cunning and sophisticated, gliding inexorably toward their latest information heist. These digital operatives are, of course, human and prone to mistakes that expose their activity. A North Korean man accused of hacking Sony Pictures Entertainment in 2014, for instance, mixed his real identity with his alias when registering online accounts, making it easier for U.S. investigators to track him.

The latest example of blundering digital behavior occurred when a scammer infected their own device, giving researchers a front-row seat to the attacker’s scheme and lessons in how to defend against it. “This is a big failure in their operational security as it gives us direct insight into some of the attacker’s tactics and operation,” said Luke Leal, a researcher at Web security firm Sucuri, which made the discovery.

The attacker was attempting to carry out a business email compromise (BEC), a scheme that uses spoofed emails to trick people into sending criminals money. BEC scams are so common that they accounted for $1.7 billion in losses reported to the FBI in 2019, half of all cybercrime losses reported to the bureau. To pull off the scam, the scammer needed more details about the equipment used at an unnamed oil company, so that malicious emails to the company's employees would look more believable, Leal wrote in a blog post. That meant planting malicious code on devices used at the company to monitor communications.

At the same time, however, the attacker apparently failed to remove the malicious code they had put on their own device, perhaps for testing purposes, giving Leal's team a window into the attacker’s machinations and frustrations. Because it was infected by the malware, the device was sending screenshots back to the control panel the hacker was using in the scam. The researchers saw the emails the attacker sent to targeted employees and how they spread payment demands over multiple invoices to make the scam more believable. A similar incident took place in 2016, when a pair of security researchers uncovered a Nigerian scam group that they said ran a new kind of attack called “wire-wire”, after some of its members accidentally infected themselves with their own malware.

Hundreds of sites left their SFTP/FTP password open to hackers

Hundreds of website owners have left their SFTP/FTP passwords open to hackers, according to a recent report from Sucuri.

A file called "sftp-config.json" is used by some SFTP/FTP clients to pre-configure connections to remote sites. It contains sensitive information, including the connection type, host name, user name and password, all stored in plain text.

The file lets the client connect to and manage remote servers. The problem arises when an admin mistakenly uploads sftp-config.json to the remote server itself, where it can be fetched like any other file on the site.

You may wonder who would upload this file to a remote server. Some people do: according to the researchers, hundreds of sites host this file on their web servers.

After discovering the problem, the researchers emailed the site owners to warn them. Admins: make sure you never upload your FTP settings to the remote server.
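The practical defence is to check your own document root for this file before an outsider does. The following is an added example, not code from Sucuri or from the post; it assumes the key names (`type`, `host`, `user`, `password`) described above, tolerates the `//` comment lines that some clients write into the file (an assumption about the format), and reports what a stray copy would expose while redacting the secret itself. The sample file and directory layout are constructed for the demo.

```python
import json
import os
import re
import tempfile
from typing import Dict, List

# Constructed sample: the shape of an sftp-config.json as some SFTP clients
# write it (keys assumed: type, host, user, password). The comment line is
# included because some clients emit them, which breaks a plain json.loads.
SAMPLE_CONFIG = """{
    // sftp, ftp or ftps
    "type": "sftp",
    "host": "sftp.example.test",
    "user": "deploy",
    "password": "hunter2",
    "port": "22",
    "remote_path": "/var/www/html"
}
"""

# File names to look for; ftp-config.json is an assumed variant name.
SENSITIVE_NAMES = {"sftp-config.json", "ftp-config.json"}
# Keys whose presence means a secret is sitting in plain text.
SENSITIVE_KEYS = ("password", "private_key_passphrase")

_COMMENT_RE = re.compile(r"^\s*//.*$", re.MULTILINE)


def parse_config(text: str) -> Dict[str, object]:
    """Parse the config, stripping whole-line // comments first."""
    return json.loads(_COMMENT_RE.sub("", text))


def redact(value: str) -> str:
    """Report only the length so the scan output never re-leaks the secret."""
    return "<redacted, %d chars>" % len(value)


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk a document root and report every client config file found.
    Each finding records the file's location, the host and user it exposes
    and which secret keys are present in plain text (values redacted)."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                try:
                    cfg = parse_config(fh.read())
                except json.JSONDecodeError:
                    # Still a finding: the file is served even if we can't parse it.
                    findings.append({"path": path, "relative": os.path.relpath(path, root),
                                     "parse_error": True})
                    continue
            findings.append({
                "path": path,
                "relative": os.path.relpath(path, root),
                "parse_error": False,
                "type": cfg.get("type"),
                "host": cfg.get("host"),
                "user": cfg.get("user"),
                "plaintext_secrets": [k for k in SENSITIVE_KEYS if cfg.get(k)],
                "password": redact(str(cfg["password"])) if cfg.get("password") else None,
            })
    return findings


def demo() -> List[Dict[str, object]]:
    """Build a throwaway web root containing the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "public_html", "wp-content")
        os.makedirs(site)
        with open(os.path.join(site, "sftp-config.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        with open(os.path.join(root, "public_html", "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<html></html>")
        return scan_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_webroot("/var/www/html")` (or whatever your document root is) from a cron job or a deploy hook; any finding means the credentials in that file should be rotated, not just the file deleted, because there is no way to know how long it was reachable. Blocking the file name in the web server configuration is a useful belt-and-braces measure, but the durable fix is keeping client settings out of the upload set in the first place.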