Categories
Apps

Phishers have targeted your Instagram accounts

To hijack popular Instagram accounts, scammers are sending phishing e-mails with fake copyright infringement notifications.

Have you reached a few thousand followers on Instagram? More? Congratulations, you are insta-famous. Among other things, though, being an Instagram influencer means that it’s quite possible that account thieves are after you. A new phishing scheme targeting popular accounts on Instagram is gaining momentum. Here is how it works.

You’ve got copyright violation notification

“Your account will be permanently deleted for copyright infringement,” claims an e-mail notification that looks very official. It has the usual Instagram header and logo, and the e-mail address in the From field is extremely close to a legitimate one: In most cases it’s either mail@theinstagram.team or info@theinstagram.team.

The e-mail claims that you have just 24 hours (in some versions it’s 48 hours) to appeal and provides a “Review complaint” button. If you click it, you end up on a convincing phishing page, where fraudsters put an image saying they care very much about copyright protection and offer you a link to “Appeal.” To make the scam look even more legitimate, they offer a long list of language choices, although it doesn’t work — whatever you click, the phishing page always remains in English.

As soon as you click the “Appeal” link, you are invited to input your Instagram credentials. And that’s not the end. Immediately, another message appears: “We need to verify your feedback and check if your e-mail account matches the Instagram account,” it says. Click “Verify My E-mail Address,” and you’ll see a list of e-mail providers. If you choose yours, you’ll be invited to submit both your e-mail address and (surprise!) the password for your e-mail account.

Then a “We will review your feedback” message appears, but only for a few seconds. After that you are redirected to the real Instagram website, another simple trick that lends the scam additional credibility.
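The lookalike sender domain is the one detail of this campaign that a mail gateway can test mechanically. The Go program below is an added example, not code from Kaspersky or from the page: it flags a From address whose domain is not on the brand's own allowlist but either contains the brand name, as theinstagram.team does, or sits within two character edits of a real domain (the "rn" for "m" trick). The allowlist entries and the sample headers are assumptions constructed for the example; a real gateway would load the verified sending domains for each brand it protects.

```go
package main

import (
	"fmt"
	"strings"
)

// Domains the brand really sends mail from. This allowlist is an assumption
// made for the example, not a verified list of Instagram's sending domains.
var legitDomains = []string{"instagram.com", "mail.instagram.com"}

const brand = "instagram"

// senderDomain extracts the lower-cased domain from a From header value such
// as `"Instagram" <mail@theinstagram.team>` or a bare `info@theinstagram.team`.
func senderDomain(from string) string {
	addr := strings.TrimSpace(from)
	if i := strings.LastIndex(addr, "<"); i >= 0 {
		addr = strings.TrimSuffix(strings.TrimSpace(addr[i+1:]), ">")
	}
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(addr[at+1:]))
}

func minInt(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein is the edit distance (insert, delete, substitute) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// CheckSender returns "" for mail from an allowlisted domain and otherwise a
// reason when the domain looks like an impersonation: it contains the brand
// name (theinstagram.team) or is within two edits of a real domain
// (instagrarn.com, where "rn" mimics "m").
func CheckSender(from string) string {
	d := senderDomain(from)
	if d == "" {
		return "no parseable address in From header"
	}
	for _, l := range legitDomains {
		if d == l {
			return ""
		}
	}
	if strings.Contains(d, brand) {
		return "brand name inside unapproved domain " + d
	}
	for _, l := range legitDomains {
		if levenshtein(d, l) <= 2 {
			return fmt.Sprintf("domain %s is within 2 edits of %s", d, l)
		}
	}
	return ""
}

func main() {
	// Constructed From headers; the first two mimic the campaign described above.
	samples := []string{
		`"Instagram" <mail@theinstagram.team>`,
		`info@theinstagram.team`,
		`no-reply@instagrarn.com`,
		`"Instagram" <security@mail.instagram.com>`,
		`friend@example.org`,
	}
	for _, s := range samples {
		if reason := CheckSender(s); reason != "" {
			fmt.Printf("FLAG  %-45s %s\n", s, reason)
		} else {
			fmt.Printf("ok    %s\n", s)
		}
	}
}
```

This is a display-level heuristic, not a replacement for SPF, DKIM and DMARC: a domain the attacker owns outright, like theinstagram.team, can pass all three for itself, which is exactly why a lookalike check is needed on top of them.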

This is not the first time Instagram influencers have been targeted by scammers: an earlier wave of phishing tempted users to apply for a blue “Verified” account badge.

Categories
International

Is the Chinese government responsible for mass surveillance on Uighurs?

In less than two weeks, two major reports have been published that contain leaked Chinese government documents about the persecution of Uighurs and other Muslim minorities in China. They detail the extent to which technology enables mass surveillance, making it possible to track people's daily lives on an unprecedented scale.

The first was a New York Times article that examined more than 400 pages of leaked documents detailing how government leaders, including President Xi Jinping, developed and enforced policies against Uighurs.

The latest comes from the International Consortium of Investigative Journalists (ICIJ), an independent non-profit, and reports on more than 24 pages of documents showing how the government uses technology for mass surveillance and to identify groups for arrest and detention in camps in the Xinjiang region that may now hold as many as a million Uighurs, Kazakhs and other minorities, including people who hold foreign citizenship.

These reports are significant because leaks of this magnitude from within the Communist Party of China are rare and they validate reports from former prisoners and work by researchers and journalists who have been monitoring the persecution of the Uighurs, an ethnic group with more than 10 million people in China.

As ICIJ reporter Bethany Allen-Ebrahimian writes, the leak of classified documents, verified by independent experts and linguists, “demonstrates the power of technology to help drive industrial-scale human rights abuses.” The systems they describe also force members of targeted groups in the Xinjiang region to live in “a perpetual state of terror.”

The ICIJ reports that the Integrated Joint Operations Platform (IJOP), a policing platform, collates personal data entered by police and other authorities with data from facial-recognition cameras and other surveillance tools, and then uses artificial intelligence to identify categories of Xinjiang residents for detention.

Human Rights Watch began reporting on the IJOP’s police app in early 2018. The organization reverse-engineered the app and found that it prompts officers to enter a wide range of personal information about the people they interrogate, including height, blood type, license plate numbers, education level, profession, recent travel and even household electric-meter readings, data that feeds an algorithm (the ICIJ describes it as “as-yet-unknown”) that determines which groups of people should be viewed as “suspicious.”

The documents also say that the Chinese government ordered security officials in Xinjiang to monitor users of Zapya, which has about 1.8 million users, for ties to terrorist organizations. Launched in 2012, the app was created by DewMobile, a Beijing-based startup that has received funding from InnoSpring Silicon Valley, Silicon Valley Bank and Tsinghua University and is meant to give people a way to download the Quran and send messages and files to other users without being connected to the Web.

According to the ICIJ, the documents show that since at least July 2016, Chinese authorities have been monitoring the app on some Uighurs’ phones in order to flag users for investigation. DewMobile did not respond to ICIJ’s repeated requests for comment. Uighurs who hold foreign citizenship or live abroad are not free from surveillance either: directives in the leaked documents order them to be monitored as well.

Source: TechCrunch

Categories
Apps

How the Cascade Virus Made Kaspersky Famous

Cascade was the first virus that Eugene Kaspersky ever encountered. It was 30 years ago, in 1989, and it changed his life completely. He disassembled the virus and wrote a tool that helped remove it. The tool became popular among his friends and acquaintances, and that was when he decided to devote all of his time to developing an antivirus solution. That antivirus became commercially available in 1992, and in 1997, the company we now know as Kaspersky was founded.

A lot has happened since 1989, from the founding of the EU and the breakup of the USSR to the cloning of a living being and the creation of the modern Internet. Here, in the graphic below, we take a look back at those 30 years: how things have changed, how the cyberthreat landscape has become more and more complicated, how tech has evolved, and how the world has reacted to such changes.

Source: Kaspersky Blog

Categories
Privacy

Understanding the new TLS Delegated Credentials extension

Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF).

The TLS Delegated Credentials extension was developed specifically for large website deployments such as Facebook’s, and for websites served through content delivery networks (CDNs) such as Cloudflare.

How TLS Delegated Credentials works

For example, a big website like Facebook has thousands of servers spread all over the world. To terminate HTTPS on all of them, Facebook has to place a copy of the private key for its TLS certificate on each one.

This is a dangerous setup. If an attacker compromises one server and steals that private key, the attacker can impersonate Facebook’s servers and intercept user traffic for as long as the certificate remains valid, which can be months; revocation exists, but browser revocation checking is not something a site can rely on.

The same problem applies to CDN services like Cloudflare. Anyone serving an HTTPS website through Cloudflare’s infrastructure must let Cloudflare hold a private key for the site (uploaded by the customer or issued on the customer’s behalf), which Cloudflare then distributes to thousands of servers across the world.

The TLS Delegated Credentials extension lets the holder of the certificate key generate a short-lived key pair and sign its public key, together with an expiry time, with the certificate’s private key. That signed structure is the delegated credential. The edge servers hold only the short-lived private key; a client that supports the extension validates the certificate chain as usual, checks the delegated credential’s signature against the certificate’s public key, and only then accepts a handshake signed with the delegated key. The certificate’s own private key never has to leave the system that issues credentials.

A delegated credential may be valid for at most seven days, and the intent is that credentials are reissued automatically before they expire. A key stolen from an edge server is therefore useful to an attacker for days at most, instead of for the lifetime of the certificate. The extension has to be supported by both sides: a client that does not advertise it is served a handshake signed with the certificate key, exactly as before.
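The mechanism is easier to see as code. The Go program below is an added example, not code from the page or from the specification’s authors. It models the structure that was later published as RFC 9345 using Ed25519, with a constructed byte string standing in for the certificate’s DER encoding, and it leaves out the signature-scheme identifier fields of the real structure. Issue runs wherever the certificate key lives; Verify is what a client does before it trusts a handshake signed with the delegated key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	maxValidity = 7 * 24 * time.Hour                  // hard cap in the specification
	contextStr  = "TLS, server delegated credentials" // context label covered by the signature
)

// DelegatedCredential is a simplified model of the RFC 9345 structure. The
// real one also carries signature-scheme identifiers and the public key as a
// DER SubjectPublicKeyInfo; those fields are omitted here.
type DelegatedCredential struct {
	ValidTime uint32            // seconds after the certificate's notBefore at which it expires
	PublicKey ed25519.PublicKey // the short-lived key the edge server proves possession of
	Signature []byte            // made by the certificate's private key, never by the edge
}

// signedMessage mirrors the layout the specification signs: 64 bytes of 0x20,
// the context string, a zero byte, the end-entity certificate, then the
// credential fields. certDER is a stand-in for the real certificate bytes.
func signedMessage(certDER []byte, validTime uint32, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x20}, 64))
	b.WriteString(contextStr)
	b.WriteByte(0)
	b.Write(certDER)
	var vt [4]byte
	binary.BigEndian.PutUint32(vt[:], validTime)
	b.Write(vt[:])
	b.Write(pub)
	return b.Bytes()
}

// Issue runs where the certificate key lives (not on the edge): it makes a
// fresh key pair and signs its public half plus expiry with the certificate key.
func Issue(certPriv ed25519.PrivateKey, certDER []byte, notBefore, now time.Time, lifetime time.Duration) (DelegatedCredential, ed25519.PrivateKey, error) {
	if lifetime <= 0 || lifetime > maxValidity {
		return DelegatedCredential{}, nil, fmt.Errorf("lifetime %v outside (0, 7 days]", lifetime)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DelegatedCredential{}, nil, err
	}
	validTime := uint32(now.Add(lifetime).Sub(notBefore) / time.Second)
	dc := DelegatedCredential{ValidTime: validTime, PublicKey: pub}
	dc.Signature = ed25519.Sign(certPriv, signedMessage(certDER, validTime, pub))
	return dc, priv, nil
}

// Verify is the client's check before trusting a handshake signed with the
// delegated key: not expired, not valid beyond the 7-day cap, and signed by
// the key in the certificate the client has already validated.
func Verify(certPub ed25519.PublicKey, certDER []byte, dc DelegatedCredential, notBefore, now time.Time) error {
	expiry := notBefore.Add(time.Duration(dc.ValidTime) * time.Second)
	if now.After(expiry) {
		return errors.New("delegated credential has expired")
	}
	if expiry.Sub(now) > maxValidity {
		return errors.New("delegated credential valid for more than 7 days")
	}
	if !ed25519.Verify(certPub, signedMessage(certDER, dc.ValidTime, dc.PublicKey), dc.Signature) {
		return errors.New("signature does not verify under the certificate key")
	}
	return nil
}

func main() {
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	certDER := []byte("constructed stand-in for the certificate DER")
	notBefore := time.Date(2019, 11, 1, 0, 0, 0, 0, time.UTC)
	now := notBefore.Add(24 * time.Hour)

	dc, edgeKey, err := Issue(certPriv, certDER, notBefore, now, 48*time.Hour)
	if err != nil {
		panic(err)
	}
	// The edge signs the handshake transcript with the short-lived key only.
	transcript := []byte("constructed CertificateVerify transcript hash")
	sig := ed25519.Sign(edgeKey, transcript)

	fmt.Println("client accepts fresh credential:", Verify(certPub, certDER, dc, notBefore, now) == nil &&
		ed25519.Verify(dc.PublicKey, transcript, sig))
	fmt.Println("same credential three days later:", Verify(certPub, certDER, dc, notBefore, now.Add(72*time.Hour)))
	_, _, err = Issue(certPriv, certDER, notBefore, now, 8*24*time.Hour)
	fmt.Println("eight-day credential refused at issue time:", err)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _, _ := Issue(attackerPriv, certDER, notBefore, now, time.Hour)
	fmt.Println("credential signed by some other key:", Verify(certPub, certDER, forged, notBefore, now))
}
```

The point of the layout is that an attacker who steals edgeKey gets a key that stops working at expiry and cannot be used to mint a new credential, because minting requires certPriv, which never left the issuing system.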

Source: ZDNet

Categories
Apps

Chrome zero-day exploited in the wild

On Halloween, Google released Chrome 78.0.3904.87 to patch a zero-day, discovered by Kaspersky, that was being exploited in the wild.

Late on Halloween night, Google engineers delivered the best scare of the evening: an urgent update for the Chrome browser to patch an actively exploited zero-day.

The actively exploited zero-day (CVE-2019-13720) was described as a use-after-free bug in Chrome’s audio component.

Use-after-free vulnerabilities are memory corruption bugs in which a program keeps using a pointer to memory it has already freed. If the allocator has since handed that memory to a different object, the stale pointer now reads or writes that other object instead. Often the result is just a crash, but an attacker who can control what gets allocated in the freed slot (in a browser, typically from JavaScript) can turn the stale access into control of the program, which is why such bugs end up in exploit chains rather than in crash reports.

Chrome 78.0.3904.87 is available for Windows, Mac, and Linux. The release will roll out to all Chrome users over the coming weeks, but users can trigger a manual update now by visiting Help > About Google Chrome, which forces an update check; the fix takes effect only after the browser is relaunched.

Source: ZDNet

Categories
Internet Security

iOS 13.2 tips: Check these security and privacy settings today

If you are the type that is security conscious, here are some steps you should take to lock down an iPhone running iOS 13.2 and iPad running iPadOS 13.2.

iPhones and iPads are, out of the box, quite robust and secure platforms. But with a few tweaks you can harden that security dramatically without adding too much burden to your day-to-day usage of the device.

#1: Block apps from having Bluetooth access

After you install iOS 13 you might find a whole swathe of apps such as Facebook asking you for permission to transmit data over Bluetooth. You can either allow or deny access when the prompts are displayed, or you can head over to Settings > Privacy > Bluetooth and make the changes there.

Note that this doesn’t affect audio streaming to headphones and speakers.

#2: Set brute-force protection

iOS has built-in brute-force protection to prevent an unauthorized user from trying to guess your passcodes.

Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones), enter your existing passcode, scroll down to Erase Data and switch it on.

After 10 failed passcode attempts (iOS already imposes growing time delays after the first few failures, so the count is not reached quickly), the device discards the key that encrypts its storage, which makes the data unrecoverable. Keep a current backup before enabling this: a child playing with the phone can trigger it just as well as a thief.

#3: Make sure iOS automatic updates are enabled

iOS 13 has the ability to keep itself updated automatically, which is a great way to make sure that your iPhone is fully patched.

This should be on by default, but you can check by going to Settings > General > Software Update and making sure Automatic Updates is enabled.

#4: Find your devices

iOS 13 has a cool new app called Find My which you can use to locate your friends and family, share your location, or find a missing device.

Two of its settings (under Settings > your name > Find My > Find My iPhone) matter for a lost device. Enable Offline Finding lets a device that is not connected to Wi-Fi or cellular still be located, because nearby Apple devices relay its Bluetooth beacon to Apple. Send Last Location sends the device’s location to Apple when the battery is about to run out.

#5: Control what Touch ID/Face ID is used to authenticate

Do you want the convenience of Face ID or Touch ID, or would you rather have the additional protection of having to enter your passcode? iOS 13 lets you switch Face ID/Touch ID on and off separately for:

iPhone Unlock
iTunes and App Store
Apple Pay
Password AutoFill

Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones), and enter your existing passcode to take control of this.

Source: ZDNet

Categories
Apps

6 accounts you should never abandon

Can you recall every online service account you have? Maybe you signed up to access some content or because a friend asked you to, then lost interest. Many users simply stop logging in and don’t bother to delete their accounts. The accounts sit there, dormant, waiting to be hacked — but if they are, you won’t know about it anytime soon, if ever.

Abandoned account: What could go wrong

Does it really matter what happens to an unwanted profile, though? If it gets hacked, so what? You didn’t need it anyway. However, in some cases an abandoned account can be exploited to gain access to resources and important information that you do need. Here’s what you need to know.

1. Social network accounts

Few people regularly check their accounts in all of their social networks. Say, for example, a person creates a Facebook profile, uses it to log in to Instagram and other services (handy, right?), and then realizes he doesn’t actually need Facebook — not an uncommon scenario. Sure, the social network continues to send e-mail notifications if the user didn’t bother to disable them, but they get filtered into a separate folder that he quit checking long ago.

Again, a more-than-plausible scenario. When the user receives an e-mail warning that someone logged into his account from an unknown device, he doesn’t see it. The cybercriminals who logged in have a free shot at the accounts linked to Facebook, and will probably also have time to scam some of the victim’s friends or followers on Facebook.

What to do

Set up two-factor authentication. Lots of services offer it; here are our posts on setting up security, including 2FA, in Facebook and Twitter.
Enable notifications about account logins from unknown devices, and pay attention to them.

2. Backup e-mail address

Many people set up a separate e-mail account for mailings and notifications so as not to clutter up their main mailbox, and use it for registering everything and anything, including profiles with important data. And no incoming e-mails there are from real-life people, so they don’t check it very often. Therefore, they may not notice for a long time that their backup e-mail has been hacked — at least not until they lose access to a very important account.

What to do

Enable two-factor authentication for this account.
Set up forwarding of messages from this mailbox to a separate folder in your primary e-mail account.

3. Password manager

What if you saved your account credentials in a password manager, and then decided to replace it with a different app? The profile in the old manager doesn’t go anywhere, and neither do the passwords in it (half of which you probably didn’t change). If someone gains access to this profile, they will be able to get into your accounts. And even if you do discover the theft of an account, it won’t be immediately obvious how the cybercriminal got hold of the password for it.

What to do

Delete accounts in password managers you no longer use.

How to avoid problems with abandoned accounts

As you can see, even an unneeded account can cause a lot of problems if hijacked. Preventing a problem is much easier than dealing with its consequences. Therefore, we recommend that you keep track of your accounts. Here are some general handy tips:

Recall which online services you have registered for. Check which phone numbers and e-mails your accounts in social networks, online stores, banks, and other important services are linked to, and unlink all current profiles from inactive phone numbers and mailboxes.
If you log in somewhere through Facebook, Twitter, or Google, or keep an additional e-mail or phone number for newsletters, public Wi-Fi, etc., check those accounts from time to time.
If you decide to stop using a password manager, online store, or social media account, delete your accounts in these services.
Turn on account login notifications in services that have this option — and review those notifications promptly.
Use a security solution such as Kaspersky Security Cloud, which will notify you of leaks in services you use.

Categories
Internet Security

Major Airport Malware Attack Shines a Light on OT Security

A cryptomining infection managed to spread to half of all workstations at a major international airport in Europe – shining a spotlight on security for operational tech and IT convergence.

Researchers at Cyberbit found the XMRig Monero mining malware, which was a known strain called “Playerz,” but which skated by antivirus solutions on the endpoints by adding a new tweak.

The malware “was modified just enough to evade the vast majority of existing signatures for it” according to Meir Brown, head of research at Cyberbit, adding that it was detected by only 16 out of 73 detection products on VirusTotal.

“The modification was really simple: the MD5 was modified, however, the attacker kept the use of the original tools and even the original file names…which is an indication of simple modification, nevertheless this was sufficient to evade most AV products,” he told Threatpost.

The malicious mining activity also raised no red flags with airport personnel, according to an analysis posted this week by the firm.

“Its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport,” the analysis noted. “The malware may have been used for months.”

This is the advantage of cryptomining for financially motivated threat actors, according to Brown: Persistence.

“We see growing usage of cryptominers in recent attacks and we see a trend to switch from ransomware to mining,” he told Threatpost. “Since ransomware attacks are more visible by nature they tend to ‘burn down’ faster. In this specific attack the malware was active for months without any indication.”

Cyberbit was tipped off to the presence of the malware while installing a security solution at the location. It observed PAExec being used. PAExec is a legitimate remote-execution tool (an open-source counterpart of Sysinternals PsExec) that runs a program on a remote Windows host by pushing a temporary service to it, so nothing has to be installed there in advance. The suspicious part was that it was used several times within a short period to launch an application named player.exe.

Further, once up and running, player.exe was seen using reflective DLL loading, a technique in which a DLL is mapped into a process directly from a memory buffer rather than from a file on disk, bypassing the Windows loader and therefore never touching the hard drive. In short, it was clear that a remote user was attempting to stealthily access the network, multiple times.

Further digging uncovered that PAExec was being used to escalate privileges and run the coin miner under the SYSTEM account (PAExec, like PsExec, can launch a program as SYSTEM), which according to Cyberbit let the miner’s demands on workstation resources take precedence over those of ordinary applications. The reflective DLL technique was then used to load the miner’s additional DLLs from memory, meaning that “the file is not fetched from the hard drive and would not go through file-based detection systems like AV and most NGAV systems,” according to Cyberbit.

While in this case the attackers were looking to mine Monero cryptocurrency, the fact they were able to infiltrate the network remotely and spread laterally to 50 percent of all workstations – while remaining hidden – is alarming, Brown said – especially given the unique security issues and threat surfaces present at airports.

“With the increased convergence of IT and OT networks, we strongly urge airports to also ramp up the protection of their OT network, which is used to control physical airport systems,” the firm concluded.

Source: Threatpost

Categories
Internet Security

Five sources to find malware samples for testing

In this article, we list five sources where you can find malware samples for testing.

Malware researchers typically collect samples, analyze them statically or dynamically, and then write detections, for example YARA rules driven from the yara-python bindings, that catch similar malware.

Whatever the source, handle samples only inside an isolated analysis VM with no route to your production network, and download them at your own risk.

ANY.RUN

ANY.RUN is an interactive online sandbox that gives researchers tools to detonate and analyze samples and to generate reports. You can also retrieve samples submitted by other researchers.

Das Malwerk

You can also download samples from Das Malwerk. Unlike ANY.RUN, Das Malwerk offers no analysis tooling on its platform, so you need a pre-built malware lab to work with what you download.

Objective-See

If you are looking for macOS malware samples to test, Objective-See maintains a collection of them.

theZoo

theZoo is a repository of malware samples for researchers, hosted on GitHub; the samples are distributed as password-protected archives so that they cannot be run by accident.

Hybrid Analysis

Hybrid Analysis is a free malware analysis service for the community that detects and analyzes unknown threats using its Hybrid Analysis technology. You can collect malware samples from it as well.

Source: Michael

Categories
Internet Security

Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

There’s a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? First, it is fileless: its stages run as scripts in memory rather than as a conventional executable written to disk. Second, it brings along legitimate built-in system utilities and third-party tools to do its work, so there is little custom malicious binary code for a signature to match.

The technique of bringing its own legitimate tools is effective and has rarely been spotted in the wild, helping attackers to blend in their malicious activities with regular network activity or system administration tasks while leaving fewer footprints.

Independently discovered by cybersecurity researchers at Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is primarily being distributed via malicious online advertisements and infecting users using a drive-by download attack.

First spotted in mid-July this year, the malware has been designed to turn infected Windows computers into proxies, which according to Microsoft, can then be used by attackers as a relay to hide malicious traffic; while Cisco Talos believes the proxies are used for click-fraud to generate revenue for attackers.

The infection begins when a malicious ad delivers an HTML Application (HTA) file to the user’s computer. When the user opens it, Windows runs it with mshta.exe, which executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok components.

“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” Microsoft explains.

Finally, the malware runs its last-stage JavaScript payload under a copy of the Node.js runtime that it brings along (together with the WinDivert packet-capture driver), turning the compromised system into a proxy.

Nodersok Infected Thousands of Windows Users

According to Microsoft, the Nodersok malware has already infected thousands of machines in the past several weeks, with most targets located in the United States and Europe.

While the malware primarily targets Windows home users, researchers have seen roughly 3% of attacks hitting organizations in sectors including education, healthcare, finance, retail, and business and professional services.

Because the campaign uses fileless techniques, relies on elusive network infrastructure and does its work with legitimate tools, it flew under the radar of traditional signature-based antivirus programs.

However, the company says that the malware’s “behavior produced a visible footprint that stands out clearly for anyone who knows where to look.”
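Both this campaign and the airport miner above were invisible to hash-based signatures (a changed MD5 in one case, no executable at all in the other) yet left a process-creation footprint. The Go program below is an added example, not code from Microsoft, Cisco Talos or Cyberbit: it runs four behavioural rules over a constructed sample of process-creation events (the fields Sysmon Event ID 1 or Windows Security event 4688 provide) and flags the PAExec-driven launches of player.exe from the airport case and the mshta.exe to PowerShell to Node.js chain from this one. The log lines, host names and rule names are invented for the example, and the sample assumes PAExec’s usual PAExec-<pid>-<host>.exe service binary name.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one process-creation record, flattened for this example.
type Event struct {
	Time        time.Time
	Host        string
	Image       string // path of the new process
	ParentImage string // path of the process that started it
	CommandLine string
}

// Alert names the rule that fired, on which host, with a short detail.
type Alert struct{ Rule, Host, Detail string }

// Constructed sample log (time|host|image|parent_image|cmdline). The lines are
// invented to resemble the two campaigns; they are not taken from either report.
const sampleLog = `2019-10-14T02:10:05Z|ws-17|C:\Windows\Temp\player.exe|C:\Windows\PAExec-3321-MGMT01.exe|player.exe
2019-10-14T02:11:40Z|ws-17|C:\Windows\Temp\player.exe|C:\Windows\PAExec-3322-MGMT01.exe|player.exe
2019-10-14T02:13:02Z|ws-17|C:\Windows\Temp\player.exe|C:\Windows\PAExec-3323-MGMT01.exe|player.exe
2019-10-14T02:15:00Z|ws-17|C:\Windows\System32\conhost.exe|C:\Windows\System32\cmd.exe|conhost.exe
2019-10-14T09:01:12Z|lt-04|C:\Windows\System32\mshta.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|mshta.exe C:\Users\bob\Downloads\update.hta
2019-10-14T09:01:13Z|lt-04|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\mshta.exe|powershell -nop -w hidden -enc SQBFAFgA
2019-10-14T09:01:40Z|lt-04|C:\Users\bob\AppData\Local\Temp\node.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|node.exe proxy.js
2019-10-14T09:05:00Z|lt-04|C:\Program Files\nodejs\node.exe|C:\Program Files\Microsoft VS Code\Code.exe|node server.js
2019-10-14T11:30:00Z|ws-02|C:\Windows\Temp\player.exe|C:\Windows\PAExec-4001-MGMT01.exe|player.exe`

// baseLower returns the lower-cased file name of a Windows path; path/filepath
// is avoided because the analysis host may not be Windows.
func baseLower(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// trustedPath is true for the locations where legitimately installed tools live.
func trustedPath(p string) bool {
	l := strings.ToLower(p)
	return strings.HasPrefix(l, `c:\windows\system32\`) || strings.HasPrefix(l, `c:\program files`)
}

// ParseLog turns the pipe-separated lines into events.
func ParseLog(raw string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		evs = append(evs, Event{t, f[1], f[2], f[3], f[4]})
	}
	return evs, nil
}

// Detect applies behavioural rules that never look at a file hash.
func Detect(evs []Event) []Alert {
	sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
	var alerts []Alert
	paexec := map[string][]time.Time{} // host -> times PAExec started an untrusted binary
	for _, e := range evs {
		parent, image := baseLower(e.ParentImage), baseLower(e.Image)
		// Rule 1: the PAExec service binary starting something outside trusted paths.
		if strings.HasPrefix(parent, "paexec") && !trustedPath(e.Image) {
			paexec[e.Host] = append(paexec[e.Host], e.Time)
			alerts = append(alerts, Alert{"remote-exec-untrusted-binary", e.Host, e.Image})
		}
		// Rule 2: the HTA host spawning PowerShell (the HTA -> PowerShell stage).
		if parent == "mshta.exe" && image == "powershell.exe" {
			alerts = append(alerts, Alert{"mshta-spawns-powershell", e.Host, e.CommandLine})
		}
		// Rule 3: a Node.js runtime outside an install directory, i.e. a copy the attacker brought.
		if image == "node.exe" && !trustedPath(e.Image) {
			alerts = append(alerts, Alert{"node-from-user-path", e.Host, e.Image})
		}
	}
	// Rule 4: three remote launches on one host within ten minutes, the
	// "several times in a short period" pattern that gave the miner away.
	hosts := make([]string, 0, len(paexec))
	for h := range paexec {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	for _, h := range hosts {
		ts := paexec[h]
		for i := 2; i < len(ts); i++ {
			if ts[i].Sub(ts[i-2]) <= 10*time.Minute {
				alerts = append(alerts, Alert{"repeated-remote-exec", h, fmt.Sprintf("3 launches within %v", ts[i].Sub(ts[i-2]))})
				break
			}
		}
	}
	return alerts
}

// CountByRule summarises alerts per rule name.
func CountByRule(alerts []Alert) map[string]int {
	c := map[string]int{}
	for _, a := range alerts {
		c[a.Rule]++
	}
	return c
}

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(evs) {
		fmt.Printf("%-30s %-6s %s\n", a.Rule, a.Host, a.Detail)
	}
}
```

Two caveats when adapting this. Process-creation events say nothing about what happens inside a process, so reflective DLL loading and the in-memory script stages need PowerShell script-block logging (event 4104), AMSI or memory scanning to be seen. And rule 3 will also fire for a developer who runs Node from a home directory, so it needs a per-host allowlist rather than a global exception.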

In July this year, Microsoft also discovered and reported another fileless malware campaign, dubbed Astaroth, that was designed to steal users’ sensitive information without dropping any executable file on the disk or installing any software on the victim’s machine.

Microsoft said its Windows Defender ATP next-generation protection detects these fileless attacks at each infection stage by spotting anomalous and malicious behaviors, such as the execution of scripts and tools.