Sunday, 15 January 2017

On 22:59 by Vismit Rakhecha
Eight security flaws and 62 bugs have been addressed with the release of WordPress 4.7.1 on Wednesday. The latest update for the content management system (CMS) has been classified as a security release.

The list of vulnerabilities fixed this week includes the recently disclosed remote code execution flaw affecting PHPMailer. While WordPress Core and the plugins analyzed by the WordPress security team don’t appear to be affected by the weakness, PHPMailer has been updated to patched version 5.2.22 as a precaution.

Chris Jean and Brian Krogsgard reported an information disclosure vulnerability. The experts discovered that the REST API exposed data on all users who had authored a post of a public post type.
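The users route this fix concerns did not go away in 4.7.1; only the set of post types it considers changed, so accounts that have authored ordinary posts are still listed to anonymous callers. A site owner will therefore want to see what their own install hands out. The following script is an added example for this article, not WordPress code or code from the reporters. It assumes the public REST route /wp-json/wp/v2/users and the X-WP-TotalPages pagination header, both standard WordPress REST API features that the article does not name, and it should only be run against sites you operate:

```python
"""
List the user accounts a WordPress site exposes through its public REST API.

Added example for this article, not code from WordPress or the reporters.
Assumption: the site serves the standard route /wp-json/wp/v2/users and
paginates it with the X-WP-TotalPages header (both real WordPress REST API
features, neither named in the article). Run only against sites you operate.
"""
import json
import sys
import urllib.request
from urllib.parse import urljoin

# Fields worth flagging when handed to an unauthenticated caller. 'slug' is
# derived from the login name, which is exactly what password-guessing
# tooling wants to collect.
SENSITIVE_FIELDS = ("id", "slug", "name", "link")


def summarize_users(payload):
    """Reduce a /wp/v2/users JSON array to the exposed, attacker-useful fields.

    Accepts the raw response body (str or bytes) or an already-decoded list.
    Returns one dict per account holding only the SENSITIVE_FIELDS present,
    so a field missing from a response never raises. Anything that is not a
    JSON array (e.g. a rest_user_cannot_view error object) is rejected.
    """
    users = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    if not isinstance(users, list):
        raise ValueError("expected a JSON array of user objects")
    return [{k: u[k] for k in SENSITIVE_FIELDS if k in u} for u in users]


def fetch_exposed_users(base_url, per_page=100, timeout=10):
    """Walk the paginated users route without credentials.

    WordPress reports the page count in X-WP-TotalPages; following it makes
    sure a site with many authors is enumerated completely, not just page 1.
    """
    found, page, total_pages = [], 1, 1
    while page <= total_pages:
        url = urljoin(base_url.rstrip("/") + "/",
                      f"wp-json/wp/v2/users?per_page={per_page}&page={page}")
        req = urllib.request.Request(url, headers={"User-Agent": "wp-users-check/1.0"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            total_pages = int(resp.headers.get("X-WP-TotalPages", "1"))
            found.extend(summarize_users(resp.read()))
        page += 1
    return found


# Constructed sample response, shaped like the live route's output, so the
# summary logic can be exercised offline.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.org/author/admin/",
     "avatar_urls": {"96": "https://secure.gravatar.com/avatar/0"}},
    {"id": 7, "name": "Jane Editor", "slug": "jeditor",
     "link": "https://example.org/author/jeditor/"},
])

if __name__ == "__main__":
    # With a base URL argument the script queries the live site; without one
    # it summarizes the constructed sample above.
    rows = fetch_exposed_users(sys.argv[1]) if len(sys.argv) > 1 else summarize_users(SAMPLE_RESPONSE)
    for row in rows:
        print(row)
    if rows:
        print(f"{len(rows)} account(s) enumerable without authentication")
```

If the route returns a 401 or an error object instead of an array, the site has restricted the endpoint (a plugin or filter doing so is a common hardening step); an array with slugs in it means those login names are public regardless of the WordPress version.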
The latest update also patches two cross-site request forgery (CSRF) flaws. One of them, discovered by Ronnie Skansing, affects the accessibility mode of widget editing, while the other, reported by Abdullah Hussam, can be exploited via a specially crafted Flash file.

A couple of cross-site scripting (XSS) vulnerabilities have also been fixed. These affect the plugin name or version header in the update-core.php file, and “theme name fallback.”

The latest WordPress update also addresses a weak crypto issue related to multisite activation keys and a flaw described in the release notes as “post via email checks mail.example.com if default settings aren’t changed.”

These vulnerabilities affect WordPress 4.7 and earlier. Since version 4.7 has been downloaded more than 10 million times since its release in December, malicious actors have plenty of potential targets if they find a way to exploit one of these flaws.

WordPress continues to be the most hacked CMS. According to data from web security firm Sucuri, nearly three-quarters of the hacked websites the company monitored ran WordPress, a share that partly reflects the platform's dominant market share rather than weakness in the core alone.

A recent study by RIPS Technologies showed that more than 8,800 of the roughly 48,000 plugins in the official WordPress plugin directory are affected by at least one vulnerability.
On 22:47 by Vismit Rakhecha
If you have a Netflix account, watch out for a new email phishing scam targeting Netflix users. The emails lead to a fake Netflix login page that asks for the account credentials; once the victim enters them, the scammers go on to ask for credit card details.
Fake Netflix login page
The campaign was discovered by FireEye Labs, which says it is aimed at harvesting Netflix customers' personal and financial information. What sets it apart from run-of-the-mill phishing is the tradecraft: the kit uses encryption and evasion techniques that help it slip past spam filters and phishing blocklists while still convincingly deceiving users. FireEye also notes that the domains it identified are no longer active, suggesting the operators rotate infrastructure frequently to avoid being traced.

According to FireEye Labs' Mohammed Mohsin Dalla, “the phishing websites we observed were no longer active.” Separately, the Aroostook County Sheriff's Office in Maine issued a warning asking Netflix users in the US to be cautious with emails that ask for Netflix credentials.
The scam emails ask Netflix users to update their membership information, starting with their login details. To that end the scammers built a genuine-looking but fake Netflix login page, complete with the option to log in via Facebook. Once credentials are entered, the requests continue: the victim is asked for a home address and then presented with a form demanding credit card information. After everything has been submitted, the victim is sent on to their real Netflix profile page, so nothing looks amiss.
Screenshot of a form that asks users to put their credit card data
The campaign stands out in several respects. The phishing pages are hosted on legitimate web servers that were compromised for the purpose, and they look genuine. Information captured from victims is AES-encrypted, so filters that look for plaintext credentials or card numbers do not trigger, which made the scam hard to detect. The compromised pages are also IP-filtered: requests from known security scanners such as Google's are answered with a 404 error, so the phishing content never reaches the services that would flag it, while ordinary visitors see the fake login page. Captured credentials and card details are sent to the attackers through a PHP-based mailer script.

If you receive an email asking you to download a file or click on a link, the safest course is to ignore and delete it. Never download or open a file, or follow a link, that comes from an unknown sender. Happy browsing.
On 22:43 by Vismit Rakhecha
A malware developer from Great Falls, Virginia created a keylogger capable of recording every keystroke on a computer and sold it to more than 3,000 people. Around 16,000 systems were infected as a result.

The US Department of Justice announced in a press release that 21-year-old Zachary Shames was arrested and has pleaded guilty to developing and selling customized spyware that records keystrokes on a targeted computer.

Shames is currently a student at James Madison University. According to the press release, he developed the first version of the spyware in 2013, while still in high school, then kept improving it and distributed it from his “college dorm room.” His LinkedIn profile states that he was also an intern at the defense contractor Northrop Grumman from May 2015 until August 2016.


So far the federal authorities have released only basic information on the case; neither the criminal complaint nor the indictment has been posted online. The only publicly available document is the one in which Shames is charged with aiding and abetting computer intrusions by marketing and selling his “malicious keylogger software,” knowing how it would be used to damage computer systems.
Screenshot from HackForums thread
The court papers call it only “malicious keylogger software,” but according to a security researcher's findings the product was “Limitless Keylogger Pro.” It was marketed on Hack Forums from 14 March 2013 by a user named Mephobia, who charged $35 for a lifetime license and accepted payment via PayPal and Bitcoin.


Shames is due to be sentenced on June 16 and faces a maximum of 10 years in prison.

This is not the first time Hack Forums has been in the news for the wrong reasons. About three months ago the forum shut down its Server Stress Testing (SST) section, a marketplace for paid distributed denial-of-service (DDoS) services, after those services were suspected of involvement in the attacks on Dyn.
On 22:40 by Vismit Rakhecha
WhatsApp has lately become a prime target of scammers and other malicious actors, most likely because of the platform's huge global user base. ESET researchers keep unearthing one WhatsApp-based scam after another, and the scammers keep coming up with new ways to lure victims into their schemes.

The latest campaign again uses WhatsApp. This time the scammers promise the victim free internet access without WiFi. That offer should raise alarm by default: a web page cannot grant connectivity, which comes only from the carrier or from a WiFi network. Unsuspecting users who are unaware of that, however, fall for it.


Victims are told they can browse on their phone without using WiFi or their carrier's mobile data. The offer arrives as a WhatsApp message spread through groups, often forwarded by one of the victim's own contacts, who appears to recommend the service. The message contains a link that supposedly leads to the page giving away the free internet.

Image 1 / Source: We Live Security (Eset)
As usual with scams of this kind, the link leads to a page that first detects the language of the device and then shows images designed to make the scheme look legitimate. To claim the offer, the victim is required to share the message with 13 of their WhatsApp contacts, which is of course how the scam keeps spreading.

Having shared the link with 13 others, victims expect their free internet but are instead redirected to other sites that push paid subscriptions, premium-rate SMS services or third-party apps. Whichever the victim picks, the scammer earns a commission, and the promised free internet never materializes.
The page also displays what look like Facebook comments from previous users, most claiming the scheme works. These are part of the trap: the comments come from fake profiles, none of which can be found on Facebook.
Image 2 / Source: We Live Security (Eset)
To maximize revenue the scam is distributed in several languages; clicking the link redirects you to a page in your own language, chosen from the language preference your browser sends with the request.

You can avoid such scams by not clicking suspicious links and not being tempted by offers that are too good to be true, however genuine they look. If you have already fallen for this one, notify the contacts you forwarded it to so they do not follow suit. You can also report the fraud by flagging the page in your browser.

Thursday, 12 January 2017

On 09:07 by Vismit Rakhecha
Ransomware remains an easy way for cybercriminals to make money, and Los Angeles Valley College (LAVC) is the latest victim: its computer systems were infected and the college ended up paying $28,000 (£22,500, €25,936) in Bitcoin.
It started on 30 December 2016, when the college discovered that ransomware on its servers had encrypted files and locked staff out of their work, disrupting computers, email and voicemail systems.
For the next six days the administration tried to resolve the situation, but the criminals were not there to negotiate, and thousands of students were about to arrive on campus for the new semester.
After consulting law enforcement and cyber security experts, the college decided to pay the ransom, and did. The criminals then handed over a decryption key.
In a statement, Dr. Erika A. Endrijonas of LAVC revealed:
“After payment was made, a ‘key’ was delivered to open access to our computer systems. The process to ‘unlock’ hundreds of thousands of files will be a lengthy one, but so far, the key has worked in every attempt that has been made,” said Dr. Endrijonas.
The statement added that investigators have so far found no evidence of a data breach, although the investigation is ongoing. With the payment made in Bitcoin, catching the perpetrators will be difficult. Every ransom paid encourages more of these attacks, which makes it odd that authorities would advise paying when the No More Ransom portal offers free decryption tools; those tools only cover ransomware families whose keys have been recovered or whose cryptography is flawed, but checking the portal should come before any payment.
This is also not the first time authorities have let a victim pay. An FBI agent was even quoted in 2015 as saying the bureau often advises victims simply to pay, although the FBI's official guidance discourages it. LAVC can consider itself lucky that the key it received worked; not every victim is. In 2015 the encrypted email provider ProtonMail suffered a series of sustained DDoS attacks in which the attackers demanded 15 bitcoins (about $6,000); ProtonMail paid, but the attacks continued anyway.

Tuesday, 10 January 2017

On 23:46 by Vismit Rakhecha
Earlier today the official Twitter account of the Brazilian government portal, @PortalBrasil, told its 502,000 followers that the “National Force will remain in the State of Rio Grande do Norte for 60 days.” The tweet also carried a Google Drive link, which opened an Excel file listing the links, emails and passwords for the social media accounts of Planalto Palace, the government portal that publishes news and updates on the activities of the Presidency of Brazil.

For each account the list gave the profile or page link, the email address or username and the plain-text password. It covered Planalto Palace's verified Twitter account (@Planalto), its Gmail, Google Plus and YouTube accounts, its verified Instagram and Facebook accounts, and its SlideShare, Tumblr, Flickr, SoundCloud, ThingLink and Snapchat accounts.

The tweet appears to have been a copy-and-paste mistake: the social media “specialist” behind it probably copied the Google Drive link for some other purpose and pasted it into the tweet thinking it was the news link.

The tweet was deleted within minutes, but those keeping an eye on the Brazilian government's social media activity were quick enough to grab the file and post it all over the Internet. Here is a preview of the credentials file tweeted by @PortalBrasil.

This is not the first time Brazilian officials have slipped up this badly. In 2014, during the FIFA World Cup in the country, the event's security team gave away its Wi-Fi password when a team member was photographed next to a screen displaying it.
Come on Brazil, you can do better; you have one of the largest Internet user bases in the world.
On 23:42 by Vismit Rakhecha
The hacktivist collective Anonymous has carried out yet another cyber attack on Thailand's government over the recently passed cyber-scrutiny law, this time targeting the government job portal and leaking personal and sensitive details of officials and job seekers.

The data, leaked on the dark web and split across several links, was examined by HackRead, which found it to be genuine and not previously leaked online. It includes the websites' databases with names, surnames, the companies job seekers applied to, payment details, phone numbers, bank account numbers, email addresses and encrypted passwords.

The targeted domains follow the pattern job.*.go.th, with a sub-domain assigned to each government department. The stolen data comes from the Revenue Department, the Administrative Court, the Fine Arts Department, the Department of Cooperative Auditing, the Provincial Waterworks Authority, the Public Debt Management Office, the Department of National Parks, Wildlife and Plant Conservation, the Ministry of Information and Communication Technology, the Ministry of Foreign Affairs and several other departments of the Thai government.
Screen from the dark web domain where Anonymous has dumped the data.
Screenshot from the leaked data.
The number of leaked accounts runs into the thousands, though HackRead cannot yet verify exactly how many; the group says what it published is only 1% of the files stolen from the portal. Anonymous also refrained from leaking job seekers' contact and family details: HackRead was told the group withheld ID numbers, addresses and parents' names.

The reason given by Anonymous for not leaking the aforementioned details was that the group wants to fight the “Thai Regime” not the citizens.

“We have fought for human, animal and green rights. We have tried to increase public awareness. People have to fight for their rights. We haven’t hacked and fought for ourselves to be famous or to get attention on ourselves. We have done that to get attention on all kinds of issues. We invite people to fight for their rights. They can be late if they don’t start fighting for their rights “now,” said Anonymous.

Anonymous has been attacking the Thai government since 2015 under the banner of OpSingleGateway, in opposition to the country's Internet surveillance law. Since then the group has hacked the Thai Police, the government telecom firm, the Thai consulate in LA, the Royal Navy and the Ministry of Foreign Affairs.

Ref : https://www.flickr.com