
E-Commerce Attacks Didn't Increase During Coronavirus Quarantine


Due to the COVID-19 pandemic, people across the globe have been told to stay at home, and the quarantine has pushed online shopping figures up. Even though most people are now shopping online for everything from food and groceries to daily essentials, web skimming attacks did not increase and, according to cybersecurity experts, are not expected to in the near term. Web skimming, also called Magecart or e-skimming, is a kind of cyberattack in which the attacker inserts malicious code into an online store's website; when users enter their payment data during checkout, the attackers steal their credit card details.


Web skimming attacks became popular among hackers during 2017-18 and had been rising since then. When asked about the impact of large-scale online shopping on web skimming incidents, various cybersecurity experts and agencies all agreed that web skimming attacks will not rise just because more people are shopping now and spending most of their time online while staying at home. The reason is that hackers have tried for a very long time to breach prominent e-commerce websites and have failed, while the number of web skimming incidents has remained constant through the years.

According to these cybersecurity experts, there is only one condition under which web skimming attacks can increase: when the number of online stores grows, giving hackers new sites to attack. Unless that happens, the rate of web skimming attacks will remain the same. Statistical analysis by Sanguine Security shows that web skimming attacks actually fell slightly during the COVID-19 pandemic. However, not every cybersecurity agency agrees with this data.

According to Jerome Segura, a web analyst at Malwarebytes, web skimming attacks on online stores have not increased, which agrees with Sanguine Security's data. One explanation may be that the number of online stores grew two to three months earlier, but nobody observed these attacks during that time. Another reason might be that buyers prefer shopping from popular e-commerce websites, which are hard for hackers to breach.

Coronavirus Themed Phishing Attacks Continue to Rise


New data from researchers has shown that cybercriminals are preying on people's concerns about the COVID-19 pandemic and carrying out sophisticated phishing, malware and email attacks. The sudden upsurge in such attacks implies that attackers were quick to adapt to the new global health crisis and exploit it in their favor.

According to Barracuda Networks, an American IT security company, the number of email attacks associated with the new Coronavirus has risen steadily since January, recording a 667% spike by the end of February. Per the data, January saw a total of only 137 such attacks, while in February the number spiked to 1,188, and between March 1st and 23rd there were as many as 9,116 email attacks of this kind.

Another notable kind of attack, researchers warned, is one in which victims receive malicious emails promising financial relief during the COVID-19 pandemic. Users are tricked into believing that they will receive payments from global institutions, businesses and governments working together to provide economic aid to ordinary people during the pandemic. As soon as the user clicks on the links or proceeds to download the files, the attacker gets illicit access to their credentials, card data and other sensitive information.

One such campaign has been found specifically targeting U.S. healthcare, IT sector and higher-education organizations; the emails sent in this campaign carry a message titled "General Payroll!"

"The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic," it says.

"All staff/faculty & employee include students are expected to verify their email account for new payroll directory and adjustment for the month of March benefit payment," the message further reads.

Users receiving the email are asked to open a malicious link that directs them to a phishing page in order to "verify" their email account, where they are required to enter the usernames, email addresses and passwords linked to their employee benefits. By doing so, the user hands their personal data to a page controlled by the attackers.

"The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale, and these recent payment-related lures underscore that threat actors are paying attention to new developments," the researchers said.

Microsoft Issues Its First Ever 'Targeted' Warning, Saving VPN Servers of Hospitals


Following a recent disclosure about Iranian hackers targeting vulnerabilities in VPN servers such as Pulse Secure, Palo Alto Systems, Fortinet and Citrix, Microsoft gave its first-ever 'targeted' warning to a few dozen hospitals, informing them of vulnerabilities in their own virtual private network (VPN) appliances.

Organizations are depending all the more heavily on VPN servers now that lockdowns are in full swing because of the unfortunate outbreak of the Coronavirus. They had no option but to fall back on this means of supporting telecommuters, but that has made this part of their systems a weakness, a soft spot for ransomware attackers to target, specifically at hospitals whose assets are already stressed.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) cautioned all organizations a month ago to patch their VPN services; Microsoft, however, is especially worried about hospitals' exposure to human-operated ransomware through unpatched VPN servers.

One group the Microsoft team has been following is the REvil, otherwise known as Sodinokibi, ransomware gang, which is known for setting monstrous ransom demands for businesses and government agencies.

The ransomware gang has not developed new attack techniques; instead it has repurposed strategies from state-sponsored attacks for new campaigns that exploit the heightened demand for information during the current coronavirus crisis.

The Microsoft Threat Protection Intelligence Team revealed in a new post, "Through Microsoft's vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

"To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities," it added later.

When mentioning these new ransomware gangs the Microsoft team noted, “We haven't seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people's fears and the urgent need for information."

Microsoft's recommendation to hospitals and other organizations is therefore to follow three key steps to shield their VPN services from attacks:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity.

Apart from these, Microsoft has published a few more recommendations to help mitigate these attacks.

Armenian Minister of Justice explains how new software will find COVID-19 infected people


Armenian President Armen Sarkisian signed the bill on amendments to the law "on the legal regime of emergency" and "on electronic communication" adopted in the Parliament.
Earlier, the Opposition had disrupted the bill on coronavirus controls; opposition deputies called it an unacceptable interference in the personal lives of citizens.

The government, however, has again submitted to the National Assembly a new bill that would control the telephone contacts and location of citizens in order to combat the coronavirus.
Justice Minister Rustam Badasyan said at a government press conference on Wednesday that the program for monitoring citizens in Armenia will identify potentially infected persons using an automatic algorithm, with no subjective human factor involved.

The approved draft amendments to the law "on electronic communication" allow monitoring the movement of citizens using data from mobile operators.

If a user (Person X) is found to be infected with coronavirus, the program will automatically single out everyone whom Person X called at least once in the last 14 days and whom he also met in person (the state can collect this data from the operators as well).

At the same time, as the Minister noted, it is necessary that these two factors coincide. In other words, if Person X called Person Y 20 times but never saw him, Person Y will not be at risk.

Only those whom Person X both called at least once and met in person are considered at risk. But this does not mean that all of them will be sent into quarantine: emergency workers will call them and find out the circumstances of their contacts.
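The two-factor rule described above (a call within 14 days AND an in-person encounter), as an added example that is not the Armenian program's own code. The record layouts, names and dates are constructed for illustration; they do not reflect the real operator data format.

```python
from datetime import date, timedelta

# Constructed sample records standing in for the mobile-operator data the
# article describes. Field layout is an assumption, not the real format.
CALLS = [
    # (party a, party b, day of call); direction does not matter
    ("X", "Y", "2020-03-20"),
    ("X", "Y", "2020-03-21"),   # Y is called repeatedly but never met
    ("X", "Z", "2020-03-25"),
    ("W", "X", "2020-03-26"),   # W called X
    ("X", "V", "2020-03-01"),   # older than 14 days: outside the window
]
PROXIMITY = [
    # (party a, party b, day both handsets were seen at the same place)
    ("X", "Z", "2020-03-25"),
    ("W", "X", "2020-03-27"),
    ("X", "Q", "2020-03-28"),   # met Q but never called: not at risk
]
WINDOW_DAYS = 14


def _contacts(records, person, start, end):
    """People who appear together with `person` in `records` on a day
    within [start, end], regardless of which side placed the call."""
    found = set()
    for a, b, day in records:
        if person in (a, b) and start <= date.fromisoformat(day) <= end:
            found.add(b if a == person else a)
    return found


def people_at_risk(person, detected_on, calls=CALLS, proximity=PROXIMITY):
    """Both factors must coincide: at least one call AND at least one
    physical encounter with the infected person in the last 14 days.
    `detected_on` is an ISO date string such as "2020-03-30"."""
    end = date.fromisoformat(detected_on)
    start = end - timedelta(days=WINDOW_DAYS)
    called = _contacts(calls, person, start, end)
    met = _contacts(proximity, person, start, end)
    return sorted(called & met)   # intersection, not union


if __name__ == "__main__":
    # X confirmed on 30 March: W and Z both called and met X in the window;
    # Y only called, Q only met, V's call is too old.
    print(people_at_risk("X", "2020-03-30"))
```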

The Minister stressed that the program for the new system was developed in Armenia. Data on the movement of citizens will not be available to foreign companies and governments, and inside the country will be deleted immediately after the end of the state of emergency.
It should be noted that in Armenia from March 16 to April 14 a state of emergency is in place to combat the spread of coronavirus.

Winja (VirusTotal Uploader)- The Malware Detector!


Cyber-security is an important concern for everyone working from home these days, amid the lockdown caused by the current Coronavirus pandemic. There are several security measures one can employ to stay on top of all the cyber-hazards that hackers could be brewing.

Winja is one such free application: a passive analysis tool for Microsoft Windows that helps the user find potential malware on their system. By using the scanning engines of many anti-virus products, the application reports very specific details about which file is hazardous and in what way.

Whenever we download something from the internet, our first step is to make sure it is safe for our device. With Winja, all you have to do is drag the file in question onto the main window, and the results appear on the desktop.

In case you have a sneaking suspicion about your device being infected, you could scan all services and processes for malware and the application will help you.

Reportedly, Winja first uses the VirusTotal public API to look up the fingerprint (hash) of the file. If the fingerprint is already known, Winja shows the current analysis report; if it is not, Winja sends the unknown file to the VirusTotal servers for scanning. You can also re-analyze files at any time to improve the chances of detection.
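The hash-first lookup with upload fallback described above, as an added example that is not Winja's own code. It assumes the VirusTotal API v3 endpoints `GET /api/v3/files/{sha256}` (404 when the file is unknown) and `POST /api/v3/files`; the API key and the sample bytes in `offline_demo` are constructed placeholders.

```python
import hashlib
import json
import urllib.request
import uuid
from urllib.error import HTTPError

VT_API = "https://www.virustotal.com/api/v3"   # VirusTotal API v3 base URL


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: the 'fingerprint' looked up before any upload."""
    return hashlib.sha256(data).hexdigest()


def make_vt_client(api_key: str):
    """Return (lookup, upload) callables bound to a real VirusTotal API key."""
    def lookup(file_hash: str):
        req = urllib.request.Request(f"{VT_API}/files/{file_hash}",
                                     headers={"x-apikey": api_key})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except HTTPError as err:
            if err.code == 404:      # VirusTotal has never seen this hash
                return None
            raise

    def upload(data: bytes, name: str = "sample.bin"):
        # Minimal multipart/form-data body with a single "file" part
        boundary = uuid.uuid4().hex
        head = (f'--{boundary}\r\nContent-Disposition: form-data; '
                f'name="file"; filename="{name}"\r\n'
                'Content-Type: application/octet-stream\r\n\r\n').encode()
        body = head + data + f"\r\n--{boundary}--\r\n".encode()
        req = urllib.request.Request(
            f"{VT_API}/files", data=body, method="POST",
            headers={"x-apikey": api_key,
                     "Content-Type": f"multipart/form-data; boundary={boundary}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    return lookup, upload


def analyze(data: bytes, lookup, upload) -> dict:
    """Winja-style flow: query by hash first; upload only if VT has no report."""
    digest = fingerprint(data)
    report = lookup(digest)
    if report is not None:
        stats = report["data"]["attributes"]["last_analysis_stats"]
        return {"sha256": digest, "status": "known",
                "malicious": stats.get("malicious", 0),
                "engines": sum(stats.values())}
    submission = upload(data)
    return {"sha256": digest, "status": "submitted",
            "analysis_id": submission["data"]["id"]}


def offline_demo():
    """Exercise the flow with constructed stand-ins for both VT responses,
    so it runs without a key or network access. Returns
    (result for a known file, result for an unknown file, hashes uploaded)."""
    known = b"constructed sample already seen by VirusTotal"
    unknown = b"constructed sample never uploaded before"
    canned = {fingerprint(known): {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 12, "suspicious": 1,
                                "undetected": 57, "harmless": 0}}}}}
    uploads = []

    def fake_lookup(h):
        return canned.get(h)

    def fake_upload(data):
        uploads.append(fingerprint(data))
        return {"data": {"type": "analysis", "id": "stub-analysis-id"}}

    return (analyze(known, fake_lookup, fake_upload),
            analyze(unknown, fake_lookup, fake_upload), uploads)


if __name__ == "__main__":
    print(offline_demo())
```

With a real key, `lookup, upload = make_vt_client("YOUR-API-KEY")` plugs straight into `analyze`.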

As researchers have recognized over the years, hackers have favorite places on a victim's device where they first sneak in and then hide their malware. With Winja it becomes extremely easy to locate suspicious files in those places. Per sources, these include Services, the Task Scheduler, active processes, applications that start with Windows and actions that require network resources or the internet, to name a few.

All you need to do to scan a file you are suspicious of is drag it and drop it onto the main window of the Winja application.

Plus, you can use an extension for Windows Explorer that lets you request a scan by right-clicking any file of your choice in the file browser.

Per sources, all versions after the sixth are also available in French, making it a huge hit among French-speaking users. VirusTotal, which is an arm of Google, strongly suggests Winja as a substitute for its own Windows desktop application.

This application goes hand in hand with the anti-virus software you already use on your devices. It is not a substitute for anti-virus software; it fits alongside it like a puzzle piece and is not intended to compete with it in any way.

Hackers use fake Zoom domains to spread malware


The coronavirus pandemic is forcing many people around the world to work remotely. This has significantly increased the popularity of video conferencing services such as Zoom. Attackers took advantage of this and began to use fake Zoom domains to spread malware and gain access to other people's video conferencing. This was reported by the security company Check Point.

Researchers note that since the beginning of the virus pandemic, 1,700 domains with the word Zoom have been registered. At the same time, 25% of new domains were registered in the last seven days, and 70 of them are considered suspicious by the company.

Check Point specialists found malicious files like "zoom-us-zoom_##########.exe", where # is a set of digits. After running such a file, the InstallCore batch application is installed on the user's computer, which is used for further downloading malware.

Fraudulent sites that imitate Google Classroom or Google Hangouts have also appeared on the Internet. These disguised sites are created for phishing: stealing passwords, credit card data and other personal information from users. Check Point Cyber Research Manager Omer Dembinsky advised all users to make sure that links to video conferences are genuine before using them.

In January of this year, Check Point published a report indicating that Zoom has security flaws. According to the company, hackers could connect to video conferences by generating random numbers that became conference URLs. Zoom then fixed the security breach and made some changes to the service, for example, introducing mandatory password protection for conferences.

Zeus Sphinx Malware Reappears amid Coronavirus Phishing Scams


In this particular scam, the recipients receive phishing emails asking them to donate money by filling in forms for a coronavirus or COVID-19 relief fund. The scam works because people are confined to their homes and cannot work from the office during the quarantine. The Zeus Sphinx banking trojan is persistent: it replicates its files and folders to spread and keeps generating its registry keys.


Amid the COVID-19 pandemic, the panic it has caused among the general public has proven to be an advantage for the hackers, as they see it as an opportunity to lure innocent victims in the name of relief funds for COVID-19. Cybercriminals are exploiting the COVID-19 theme by launching spams and phishing email campaigns on their targets. Joining this new stream of attacks, another malware has reappeared after a long time named Zeus Sphinx malware.

About Zeus Sphinx 

According to recent research by a group of cybersecurity experts, the malware Zeus Sphinx, also known as Terdot or Zloader, has been used by hackers to launch cyberattacks that use COVID-19 government relief funds as bait to lure victims.

  • Zeus Sphinx was first discovered in August last year, and it became famous as a banking trojan for commercial use, with Zeus v2 being the basis of its core elements.
  • Zeus Sphinx was infamous for attacking banks across the US, UK, Brazil and Australia.
  • Zeus Sphinx has reappeared, but this time it is using COVID-19 relief funds as a ploy while attacking the users of the corresponding banking institutions in the respective countries.


How does it work?

The malware is spreading through files posing as COVID-19 relief fund forms. Here is how it is delivered:

  • The recipients receive phishing emails asking them to donate money by filling in forms for a coronavirus or COVID-19 relief fund.
  • The forms, in .DOC or .DOCX file format, are used to gain entry.
  • When downloaded, the file asks the user to enable content.
  • This activates Zeus Sphinx, which hijacks the window and establishes a connection to a C2 (command-and-control) server for the malware.

Note: Zeus Sphinx has a built-in flaw: the trojan cannot attack an updated version of a browser that it had already attacked before the update.

Hackers use Bill Gates themed video to sell off Ponzi Crypto Scheme


Recently, tens of YouTube accounts were hacked to broadcast a Ponzi cryptocurrency scheme: the hacked accounts were renamed as Microsoft accounts and carried a message, supposedly from the company's former CEO Bill Gates, urging viewers to invest in crypto.


This is not the only attack of its kind; similar attacks have become frequent on YouTube, where the hacker hijacks a popular account and broadcasts a "crypto giveaway" from it, offering that if viewers send some cryptocurrency they will get it back doubled. Of course, this is a scam and the victim never gets any return.

These frauds first made their appearance on Twitter but moved on to YouTube as Twitter started weeding these posers out.

These hackers very efficiently gave their scheme an air of legitimacy by live-streaming (on 30+ accounts) one of Bill Gates's talks, given to an audience at Village Global in June 2019, and adding pop-up messages promoting the Ponzi scheme. The scheme was live-streamed on YouTube accounts named Microsoft US, Microsoft Europe, Microsoft News and others.

Though both YouTube and Microsoft denied that any official accounts were hacked, some users did report finding the stream on Microsoft's non-verified accounts.

Most of the scam videos were streamed from hacked accounts with high subscriber numbers that had been renamed Microsoft US, Microsoft Europe and the like to seem more official. The videos' view counts ran into the tens of thousands, and the Bitcoin address in the scheme received thousands of US dollars, so some users were successfully scammed.

Other organizations have been used by such hackers too: Chaos Computer Club, a famous Germany-based hacking community, had its accounts hacked and used to broadcast a similar cryptocurrency scheme.
The most recent and widely reported case was when the YouTube account of YouTube's founder was hacked back in January. These sorts of fraudulent schemes have now become a common affair, and it is up to users not to pay heed to them. Always check the legitimacy of such accounts, and remember to think twice before giving in to an offer that is too good to be true.

Hackers switched from direct theft of money to gaining control over the infrastructure of companies


According to the report by Rostelecom Solar JSOC, hackers changed the focus of attacks, switching from direct theft of money to gaining control over the infrastructure of companies. Experts explain this trend by the fact that the average level of security of banks has increased significantly, which forces hackers to look for more vulnerable targets. Moreover, the demand for industrial espionage has increased on the black market. However, experts said that the activity of such hacker groups began to decrease against the background of the pandemic.

According to the report, by the end of 2019, the number of attacks aimed at gaining control over the infrastructure of companies and organizations has increased by 40%, while attacks for the purpose of stealing money have become 15% less frequent.

A long and unnoticeable presence in the organization's infrastructure allows attackers to investigate its internal processes in detail, gain deeper access to IT systems and control over them, says Vladimir Drukov, Director of Solar JSOC. He notes that hackers monetize this information by selling it on the black market, blackmailing the victim organization, or engaging in competitive intelligence.

In addition, in recent years, attacks are increasingly targeted at industrial and energy facilities, as well as government agencies whose control over infrastructure is critical for the country.

Kaspersky Lab confirmed that the number of attacks on corporate infrastructure is increasing. According to antivirus expert Denis Legezo, about 200 groups engaged in cyber espionage are currently being observed. However, the expert notes that during the coronavirus pandemic, a decline in their activity is noticeable.

Head of Analytics and Special Projects at InfoWatch Group of Companies Andrei Arsentyev noted that hackers are usually engaged in industrial espionage by order, including “hunting for various know-how, business development plans, pricing schedules”.

Attackers can monetize attacks not only through theft of funds but also by selling already configured connections to the victim’s local network to other criminals, says Evgeny Gnedin, head of Positive Technologies information security analytics department. Such a model of “access as a service” is gaining momentum today, which explains the increase in the number of such attacks.

A Rise in New Cyberspying by a Suspected Chinese Group Detected By a U.S Cybersecurity Firm


A surge in new cyberspying by a suspected Chinese group, dating back to late January, was recently observed by a U.S. cybersecurity firm.

Around the time the worldwide COVID-19 pandemic began to spread outside China's borders, the publicly traded cybersecurity company FireEye Inc. (FEYE.O) said in a report that it had detected a spike in activity from a hacking group it calls "APT41", beginning on Jan. 20 and focused on more than 75 of its customers, from manufacturers and media companies to medical and healthcare organizations and non-profits.

The report called it "one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years."

In its report, FireEye said that APT41 abused recently disclosed flaws in software made by Cisco (CSCO.O), Citrix (CTXS.O) and others to attempt to break into the networks of scores of companies in the US, Canada, Britain, Mexico, Saudi Arabia, Singapore and more than a dozen other nations.

FireEye declined to identify the affected customers. The Chinese Foreign Ministry did not directly address FireEye's charges but said in a statement that China was "a victim of cybercrime and cyberattack."

Matt Webster, an analyst with Secureworks, Dell Technologies' (DELL.N) cybersecurity arm, said in an email that his group had likewise seen evidence of increased activity from Chinese hacking groups over the last few weeks.

Specifically, he said his group had recently spotted new digital infrastructure related to APT41, which Secureworks calls "Bronze Atlas."

Attributing hacking campaigns to a particular nation or entity is usually fraught with uncertainty; even so, FireEye said it had assessed "with moderate confidence" that APT41 was made up of Chinese government contractors.

John Hultquist, FireEye's head of analysis, said the surge was surprising because hacking activity attributed to China has generally become increasingly focused, adding that "This broad action is a departure from that norm."

This COVID-19 Website By Google Tells You All You Need To Know About Coronavirus!


The first step anyone took after hearing the first of the Coronavirus was 'Googling' it. Google has been a solution, for as long as we can remember, to most of our queries. Yet again it upholds its reputation.

Amid all the mass confusion and chaos this virus has caused for the human race, every single one of us has wanted a ‘go-to’ for a little clarity between all of this bewilderment related to COVID-19.

Be it asking about the first symptoms, vaccine information or prevention strategies, in the middle of this bewilderment people have continued to look up to search engines for answers.

Google stepped in at the right moment and launched a website that encompasses next to every single bit of information about the Coronavirus.

Per sources, in collaboration with the US government, Google has developed a website fully committed to educating people about COVID-19, including the probable symptoms, ways of prevention, treatment and all other related information.

Reportedly, in the last week of January, Google had launched an SOS “alert” packed with resources and safety details from the WHO, plus the latest news. The alert, as of now, has spread across many countries in 25 languages. Per sources, people in over 50 countries have access to localized public health guidance from authorities.

The website mostly centers on providing health-related information along with safety and preventive practices, helpful resources, updated data and insights, relief assistance, the most recent of news, the early symptoms of the disease and how it spreads.

The website strongly endorses the "Do the Five" campaign to raise awareness of basic things people can do to control the spread of COVID-19, per the WHO. According to sources, the website also has a map of the affected areas from the WHO and links to national health authority websites.

The website is loaded with informative videos from the Ministry of Health & Family Welfare, depicting the importance of washing hands regularly, responsible behavior and fighting together.

It is a hugely valuable initiative towards putting people's misunderstandings and confusion about COVID-19 to rest. The website will be regularly updated and improved with more details and resources.

The link to the website:
https://www.google.com/covid19/

WhatsApp's Latest Feature will Let Users Verify Forwarded Messages on Google


Owing to the lockdown caused by the global Covid-19 pandemic, people are once again resorting to their go-to messaging app, WhatsApp, to spread misinformation in the name of information. Notably, WhatsApp has remained the favorite platform for the circulation of fake news, which has caused a number of untoward incidents in India.

This is mainly because of the rampant forwarding of messages created to promote the vested interests of individuals or organizations. While public fear, unawareness and lack of knowledge play a huge role in the spread of fake news and its consequences for society, WhatsApp has consistently faced up to the issue and worked to eliminate the flaws in its software.

The app has a massive reach across the globe with more than 2 billion active users and in an attempt to curb this circulation of misinformation, WhatsApp is reportedly working on a new feature that would allow users to verify the forwarded messages, helping them separate authenticated news from the fake ones.

As per sources, the tool will appear as a magnifying glass icon placed beside forwarded messages in a user's WhatsApp. When the user taps the icon, a pop-up will ask whether they would like to search for the message on the web; this lets the user send the forwarded message directly to Google and verify the authenticity of the news.

"We are working on new features to help empower users to find out more information about the messages they receive that have been forwarded many times. This feature is currently in testing, and we look forward to rolling it out in the near future," WhatsApp said.

In a previous update, WhatsApp introduced a 'forwarded' label at the top of forwarded texts to make identification easier for the users.

The new WhatsApp feature has already been sent out for testing and will shortly be made available to all Android users and subsequently to iOS users.

Security Experts say number of network nodes in the Russian Federation accessible via RDP


Positive Technologies experts said that the number of network nodes in the Russian Federation accessible via the Remote Desktop Protocol (RDP) increased by 9% over three weeks (since the end of February 2020) and reached over 112,000.

To attack, hackers need only send a specially crafted RDP request to vulnerable Remote Desktop Services (RDS); no authentication is required. If successful, an attacker can install and delete programs on the compromised system, create accounts with the highest level of access, and read and edit confidential information. The vulnerabilities affect Windows 7, Windows Server 2008 and Windows Server 2008 R2.

According to Alexey Novikov, director of the Positive Technologies security expert center, attacks on the network perimeter of domestic companies have begun to grow. Hackers are trying to gain access to servers and get into the local network. This boom is caused by the transfer of employees to remote work.

For a secure remote connection, employees need to use a dedicated gateway: RDP connections need a Remote Desktop Gateway (RDG), and VPN connections need a VPN gateway. Experts do not recommend connecting directly to the workplace machine.

Experts warn that opening access to individual subnets to all VPN users at once significantly reduces the security of the organization and not only gives broad opportunities to an external attacker but also increases the risk of an insider attack. Therefore, IT professionals need to maintain network segmentation and allocate the required number of VPN pools.

Positive Technologies experts emphasize the threat of remote access channels to business-critical networks and systems, for example, production and energy technology networks, ATM management networks or card processing in banks.

In addition, Positive Technologies recommends paying attention to a critical vulnerability (CVE-2019-19781) in Citrix software that is used in corporate networks. The vulnerability in PHP 7 (CVE-2019-11043), which, according to Positive Technologies, was included in the list of the most dangerous by the end of 2019, should be eliminated.

6 Simple Tricks to Prevent your Smartphone from Hackers


If hackers break into your smartphone, they can send fake emails, send fake alerts, use your camera and even control your activity. According to Denise DeRosa, founder of Cyber Sensible, if even a minor thing on your smartphone is not secured, it makes the device vulnerable to cyber attackers.

The basic problem is that your smartphone is connected to the central hub where all your data is managed and regulated. If this is ever exposed, all of your digital information is at risk. Regrettably, your smartphone is not safe from all these potential threats, and that is frightening.


But there is no need to worry; follow these six simple steps to keep your smartphone safe.


1. Create a secure password using a random arrangement of words from different dictionaries. Hackers have always used algorithms to predict the patterns of your password. Experts recommend a password of at least 12 characters with capital letters and special characters. In this way, hackers can never predict your password.

2. Avoid using the same password on different platforms.
If you reuse passwords, a hacker who gets one of them has access to all your accounts. For instance, if you visit a malicious website and enter your login credentials, the hacker can steal them.

3. Update every smart device connected to your smartphone.
That could be an Android TV, Alexa or other smart devices. Use a password manager to keep track of all your passwords. Password managers keep all your passwords in one place, which is especially helpful when you have many accounts that are hard to remember.

4. Avoid giving privacy permissions to apps that do not need them.
Every app asks for permission to access user data, the gallery, microphone, location and camera, but most do not need all of them.

5. Always use 2 step verification, wherever possible. 
It gives an additional layer of security as the user would then require both the passwords and verification through text, mail or smartphone. 

6. Inform people having access to your account to follow these security measures too. 
Google recommends to set up a family account where the user doesn't need to share his password with other members.

Hackers Spy on Corporate Networks via Email and FTP


Chinese security firm Qihoo 360 reported that since December 2019, a group of miscreants has been hacking into DrayTek enterprise routers to record and spy on FTP (File Transfer Protocol) and email traffic inside corporate networks.


Netlab, the network security division of Qihoo, published a report saying that it detected two different groups, each exploiting a zero-day vulnerability in DrayTek Vigor devices:
  • Attack Group A - targeting load-balancing routers
  • Attack Group B - targeting VPN gateways

Qihoo did warn DrayTek about the zero-day, but the message was sent to the wrong recipient and never reached DrayTek.

The company learned about the zero-days only after Group B's attacks in January, and released patches on February 10. The affected models are discontinued routers, but DrayTek still released the patches as soon as it could.

Qihoo reported the affected models as the DrayTek Vigor 2960, 3900, and 300B, and said that only about 10,000 active devices are running the vulnerable firmware version.

The Attack Groups

  • Attack Group A -
Of the two groups, Attack Group A is the more advanced.

It exploited a vulnerability in the RSA-encrypted login mechanism of DrayTek routers to inject malicious code through the username login field, which gave the hackers control of the router.

The hackers could have used this access to launch DDoS attacks or worse, but instead they used the routers as spy devices to record traffic passing over FTP and email.

The recorded traffic was then uploaded to a remote server every Monday, Wednesday, and Friday at 00:00. ZDNet reports that they recorded the data to obtain the login credentials of FTP and corporate email accounts.

  • Attack Group B -
Qihoo named the second group "Attack Group B". It used a different zero-day vulnerability, first disclosed by the Skull Army blog in a post on 26 January. The attackers read about it on the blog and began exploiting it within a mere two days.

ZDNet reports: "Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown."

Check Point: 56 apps from the Google Play Store hide new dangerous malware


Check Point experts have identified a new family of malware in the Google Play Store. It was embedded in 56 Google Play Store apps that have been downloaded almost a million times by users worldwide. Of the 56 affected apps, 24 are children's games, and the rest are utilities such as calculators, translators, cooking apps and others. As noted, the applications emulate the behavior of a real user.

The Tekya malware uses the MotionEvent mechanism in Android (first discovered in 2019) to simulate user actions, such as a click on an ad banner, and so generate ad clicks.

Imitating the actions of a real person prevents the program or a third-party observer from detecting the fraud. This helps hackers attack online stores, run fraudulent ads, promote advertising, push sites up in search engine results, and also carry out banking operations and other illegal actions.

During the research, Tekya went unnoticed by VirusTotal and Google Play Protect.
Hackers created copies of popular official apps to attract an audience, mostly children, since most apps carrying Tekya are children's games.

However, the good news is that all infected apps have already been removed from Google Play.
This case shows that malicious app features can still be found in Google Play. Users have access to almost 3 million apps in the Google Play Store, and hundreds of new ones are added daily, making it difficult to check the security of each individual app.

Although Google is taking steps to ensure security and prevent malicious activity on the Google Play Store, hackers keep finding ways onto users' devices through the app store. In February, for example, the Haken family of malware was installed on more than 50 thousand Android devices through various applications that initially seemed safe.

Home Routers Hijacked to Deliver Info-Stealing Malware 'Oski'


The spread of malware through apps downloaded by users in the name of 'the latest information and instructions about COVID-19' is among the most prevalent threats observed since the outbreak of the novel Coronavirus. Users were led to download apps such as COVID19Tracker or Covid Lock from a website; the app then locked victims out of their smartphones and demanded a ransom of $100 in Bitcoin for the release of their data. Attackers also threatened to leak all their contacts, media, and social media accounts online if they failed to pay the ransom in time.

Users are being heavily targeted by COVID-19-themed malware and data-theft attacks; another example is the discovery of a new type of attack targeting home routers. It alters the router's DNS settings to redirect victims to an infected website, which then drops the file-encrypting malware 'Oski', which encrypts the important files on a victim's system. It employs a sophisticated algorithm to encrypt the files and appends the .Osk extension to each file. After completing the encryption, the malware leaves a ransom note titled "HOW TO RECOVER ENCRYPTED FILES.TXT" in every folder containing encrypted files.

"To make the file seem legitimate (as if the filename is any indication of legitimacy), attackers named it “runset.EXE”, “covid19informer.exe”, or “setup_who.exe”," states Bitdefender's report on the subject.

Attackers intent on compromising routers scan the internet for exposed home routers, subject them to password brute-forcing attacks, and then alter their DNS IP settings.

DNS is an internet service that translates domain names to IP addresses and so helps browsers load internet resources. If cybercriminals alter the DNS IP address on a vulnerable router they are targeting, they can resolve the victim's requests to any website under their control. The targeted domains in this campaign include aws.amazon.com, tidd.ly, goo.gl, bit.ly, fiddler2.com, washington.edu, winimage.com, imageshack.us, ufl.edu, disney.com, cox.net, xhamster.com, pubads.g.doubleclick.net and redditblog.com. According to sources, most of the routers that made it onto the attackers' target list are based in France, Germany, and the US.
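Because the hijack only rewrites the router's resolver, the simplest check is to compare what that resolver returns for the campaign's target domains with what a trusted resolver returns. The script below is an added example, not code from Bitdefender's report; the answer sets are constructed from documentation address space (203.0.113.5 stands in for the attacker-controlled host), and in practice they would be gathered by querying the router's configured resolver and a trusted one.

```python
"""Detect the kind of DNS hijack used against home routers in the Oski campaign.

Added example (not from Bitdefender's report): the resolver answers below are
constructed, using documentation address space; 203.0.113.5 stands in for the
attacker-controlled host.
"""
from collections import Counter

# A subset of the domains Bitdefender lists as targeted in this campaign.
TARGET_DOMAINS = ["aws.amazon.com", "bit.ly", "goo.gl",
                  "washington.edu", "disney.com", "cox.net"]

# Constructed answers from a trusted resolver (sets, since large sites rotate addresses).
TRUSTED_ANSWERS = {
    "aws.amazon.com": {"198.51.100.10", "198.51.100.11"},
    "bit.ly": {"198.51.100.20"},
    "goo.gl": {"198.51.100.21"},
    "washington.edu": {"198.51.100.30"},
    "disney.com": {"198.51.100.41", "198.51.100.42"},
    "cox.net": {"198.51.100.50"},
}

# Constructed answers from the resolver the hijacked router now hands out.
ROUTER_ANSWERS = {
    "aws.amazon.com": {"203.0.113.5"},
    "bit.ly": {"203.0.113.5"},
    "goo.gl": {"203.0.113.5"},
    "washington.edu": {"198.51.100.30"},
    "disney.com": {"198.51.100.40", "198.51.100.41"},  # rotation, still overlaps
    "cox.net": {"198.51.100.50"},
}

def hijacked_domains(router_answers, trusted_answers, domains):
    """Return {domain: router_answer_set} for domains whose router-resolver
    answer shares no address with the trusted answer. Requiring disjoint sets
    (rather than inequality) avoids flagging ordinary round-robin rotation."""
    flagged = {}
    for domain in domains:
        router_ips = router_answers.get(domain, set())
        trusted_ips = trusted_answers.get(domain, set())
        if router_ips and trusted_ips and router_ips.isdisjoint(trusted_ips):
            flagged[domain] = router_ips
    return flagged

def hijack_verdict(flagged):
    """Summarise flagged domains; one address shared by all of them is the
    signature of a redirect to a single attacker-controlled site."""
    if not flagged:
        return None
    ip, count = Counter(ip for ips in flagged.values() for ip in ips).most_common(1)[0]
    if count == len(flagged):
        return f"{count} target domains all redirected to {ip}"
    return f"{len(flagged)} target domains resolve to unexpected addresses"
```

On the constructed data, aws.amazon.com, bit.ly and goo.gl are flagged as all pointing at 203.0.113.5, while disney.com is left alone because its rotated answer still overlaps the trusted one.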

"It’s recommended that, besides changing the router’s control panel access credentials (which are hopefully not the default ones), users should change their Linksys cloud account credentials, or any remote management account for their routers, to avoid any takeovers via brute-forcing or credential-stuffing attacks," Bitdefender warns.

Russian Security Services Track Down Colossal Credit Card Fraud Ring


Russian Security Services (RSB) have tracked down and charged an international credit card fraud ring, arresting 25 accused. The carding kingpin is suspected of being linked with dozens of carding shops and with some of the most significant data breaches plaguing the Western world. The FSB, the Russian Federal System, issued a statement this week saying it had arrested 25 individuals accused of circulating illegal means of payment tied to around 90 websites that sold stolen credit cards. Though the FSB did not release a list of names, a LiveJournal blog post by cybersecurity blogger Andrey Sporov leaked the details of the raid and revealed that the infamous hacker Alexey Stroganov, who goes by the hacker names "Flint" and "Flint24", was also among those arrested.


According to Intel 471, a cyber intelligence firm, Stroganov has been connected with some of the major cyber threats since 2001. Stroganov and his associate Gerasim Silivanon (a.k.a. "Gaborik") were sentenced to six years of imprisonment in Russia in 2006 but were out in two years. "Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene," reads an analysis by Intel 471. "You can draw your conclusions [about why he was released early]," Sporov wrote, hinting at the use of unfair means to get out of jail early. Flint is one of the big players in the stolen credit card market, working as a wholesaler of credit card data to cyber crooks who bought cards from him in bulk, 100,000 at a time.

Various cyber forums say that Stroganov and his crew were caught because they broke "the golden rule" of hackers from Soviet countries: never target your own country's people or banks.

Flint's "Trust Your Client"

These carding sites had a standard scheme to earn trust and loyalty from those who bought the stolen cards. It allowed customers to get instant refunds on bad cards without having to prove that the cards had been canceled by the bank before they could be used. To support this, the sites offered money-back insurance called "checkers," which customers could use to check the cards (available only for a few minutes after buying them) for an extra fee of a few cents per card. But over time, it was claimed that these checkers gave inaccurate results to benefit the card shops.

So Flint and his gang came up with a "Trust your client" policy: if the customer claimed that a card was fraudulent, they would get a refund, no questions asked, but only within six hours of buying the card. They probably had their own checkers for identifying bad cards too.

Russian-Based Online Platform Taken Down By the FBI


The Federal Bureau of Investigation recently took down the Russian-based online platform DEER.IO, which is said to have hosted shops where various cybercrime products and services were sold, according to announcements by the Department of Justice.

The Russian-based cyber platform known as DEER.IO had for quite some time been hosting many online shops where illicit products and services were sold.

Shortly before, authorities revealed the arrest of Kirill Victorovich Firsov, the alleged main operator behind Deer.io, a Shopify-like platform that hosted many online shops used for the sale of hacked accounts and stolen user data. Criminals paid around $12 a month to open an online store on the platform.

Once the crooks bought shop access on the DEER.IO platform, an automated set-up wizard allowed the owner to upload the products and services offered through the shop and configure the payment process via cryptocurrency wallets.

Arrested at John F. Kennedy Airport in New York on March 7, Firsov is accused of having run the Deer.io platform since October 2013 and of having advertised the platform on other hacking forums.

“A Russian-based cyber platform known as DEER.IO was shut down by the FBI today, and its suspected administrator – alleged Russian hacker Kirill Victorovich Firsov – was arrested and charged with crimes related to the hacking of U.S. companies for customers’ personal information,” reads the official statement published by the DoJ.

The Feds looked into around 250 DEER.IO stores used by hackers to offer for sale thousands of compromised accounts, including gamer accounts and PII documents containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses.

Most of the victims are in Europe and the US. FBI agents successfully bought hacked data from certain stores hosted on the Deer.io platform, and according to the feds the data offered was authentic.

Asked to comment, FBI Special Agent in Charge Omer Meisel stated, “Deer.io was the largest centralized platform, which promoted and facilitated the sale of compromised social media and financial accounts, personally identifiable information (PII) and hacked computers on the Internet. The seizure of this criminal website represents a significant step in reducing stolen data used to victimize individuals and businesses in the United States and abroad.”

Latest Research Reports Prices of Your Documents on the Dark Web


Atlas VPN did a new study based on Flash Intelligence Research findings from 2017-2019. The research reveals the prices of essential goods and services on the dark web. For instance, Social Security Numbers, which are outdated and insecure, especially after the 2018 Equifax hack, are still widely used as primary proof of identity. Hackers tend to attack websites that hold millions of SSNs at once, so that all of that data is exposed.


Therefore, with millions of SSNs in the open, they sell for up to $4 on the dark web. According to Flashpoint, the following services are available on the dark web alongside SSNs.

These services are divided into four types:

  • Hacker Services
  • Forged Documents
  • Personal Identifiable Information (PII)
  • Stolen Financial Information


The PII (personally identifiable information) package, in addition to the SSN for $4, includes the victim's name, passport number, driver's license details, and email ID. Stolen financial information, however, costs much more than an SSN. According to Atlas VPN, a credit card with a balance of up to $5k costs $10, whereas a compromised bank account with savings of more than $10000 costs $25.

Note: the price also depends on the victim's savings; the higher the savings, the higher the cost of the details. This is because victims with high credit score accounts are less risky to attack, since their banks are less likely to notice and cut the account off.

Forged documents top the price list. Physical passports are sold for $3k-$5k on the dark web. According to other reports, a 1-hour DDoS (Distributed Denial of Service, which shuts servers down or stops them working) attack on any bank or government website costs around $165.

How to protect yourself?

It is hard to prevent such attacks entirely, but users can always follow some rules to secure their account information. These are:

  • Secure your devices with a password; a PIN would be better.
  • Avoid using public Wi-Fi while browsing or downloading apps.
  • Use two-step verification