How the fake-jobs industry scams Indians

Have you ever wondered if a job is real or a scam? Sometimes, it can be hard to tell the difference. This video will help you to identify fake job offers and avoid job scams.

Here is google drive link https://drive.google.com/drive/folder...

Bottom Line
DO verify before you trust! Taking the time to run through the steps which will not only save you the time and energy it takes to apply for a job, which is time wasted in this case, but it can also save your bank account, identity, credit rating, and much more that you value highly. Yes, it's a tough job market, and being unemployed is very unpleasant. But being scammed at the same time you are struggling with a job search is additional stress no one needs.

Read More

Hackers Exploit 'Telegram Messenger' Zero-Day Flaw to Spread Malware

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has actively been exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or serve as a backdoor for attackers to remotely control the affected machine, according to a blogpost on Securelist.

Here's How Telegram Vulnerability Works

The vulnerability resides in the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for coding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and send it to Telegram users.

For example, when an attacker sends a file named "photo_high_re*U+202E*gnp.js" in a message to a Telegram user, the file's name rendered on the users' screen flipping the last part.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading into downloading malicious files disguised as the image.

"As a result, users downloaded hidden malware which was then installed on their computers," Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: "at the time of publication, the zero-day flaw has not since been observed in messenger's products."

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

  During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim's PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram's local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

"After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools," the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as "all the exploitation cases that [the researchers] detected occurring in Russia," and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

Read More

Meltdown/Specter-based Malware Coming Soon to Devices Near You, Are You Ready?

It has been few weeks since the details of the Spectre, and Meltdown processor vulnerabilities came out in public and researchers have discovered more than 130 malware samples trying to exploit these chip flaws.

Spectre and Meltdown are security vulnerabilities disclosed by security researchers earlier this month in many processors from Intel, ARM and AMD used in modern PCs, servers and smartphones, among other devices.

These CPU vulnerabilities could enable attackers to bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys and other private information.

Researchers from independent antivirus testing firm AV-TEST detected at least 139 malware samples, as of today, which are related to these CPU vulnerabilities, as shown in the growth graph.

You can find SHA256 hashes for all malware samples here.

Meanwhile, cybersecurity firm Fortinet also tracked and analyzed many malware samples 'trying to exploit' recently disclosed CPU vulnerabilities, most of which includes re-compiled or extended version of the JavaScript-based proof-of-concept (PoC) exploit released last month.

"The rate at which the cybercriminal community is targeting known vulnerabilities is clearly accelerating, with the WannaCry and NotPetya exploits serving as perfect examples of the need to patch vulnerable systems as soon as possible," Fortinet said.

"Which is why our concerns were raised when we recently learned about some of the largest vulnerabilities ever reported—ones that affect virtually every processor developed since 1995 by chip manufacturers Intel, AMD, and ARM."

Another news makes this situation, even more, worse—Intel halted all its CPU firmware patches for the Meltdown and Spectre flaws last week after it caused issues like spontaneous reboots and other 'unpredictable' system behaviour on affected PCs.

So, until Intel and other vendors do not come up with stable security patches for the Meltdown and Spectre attacks that don’t cause systems to break, users are recommended to keep their operating system, web browsers, antivirus and other software up-to-date. 
 

Read More

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Every one of us now has at least one internet-connected smart device, which makes this question even more prominent —how much does your smart device know about you?

Over the weekend, the popular fitness tracking app Strava proudly published a "2017 heat map" showing activities from its users around the world, but unfortunately, the map revealed what it shouldn't—locations of the United States military bases worldwide.

Strava which markets itself as a "social-networking app for athletes" publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit.

Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.

With a total of one billion activities logged on the Strava's activity map, it is a whole lot of useful data from all over the world.

Although Strava's publicly available activity map was live as of November 2017, Ruser recently noticed that the map includes the fitness routes of army soldiers and agents in secret base locations, including U.S. military bases in Afghanistan and Syria, a suspected CIA base in Somalia and even Area 51.

Besides American military bases, the map also revealed the UK's RAF Mount Pleasant airbase in the Falkland Islands, Lake Macphee and Gull Island Pond, among others. Russian bases have also been showed up by the Strava data.

What's more? Security experts on Twitter have also discovered potentially sensitive American military bases in Somalia, Afghanistan and Syria; secret Russian military bases in Ukraine; a secret missile base in Taiwan, as well as an NSA base in Hawaii.

Ruser said that the map allowed him to find out regular jogging routes for military personnel, which is bad news for security, as it establishes reliable "pattern of life" information that would otherwise be secret from the rest of the world.

"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away," Ruser tweeted.

Should Strava be blamed entirely for this revelation?

Strava said its heat map is based only on publically available data, and the company does offer a private mode that allows its users to turn off data sharing outside of the app.

However, it appears that many American and foreign military personnel using the app were sharing the confidential information publicly—perhaps without the knowledge or realising the implication, which is terrible.

What's even worse?

A security researcher told the Washington Post that this publically available data could even help enemy forces plan an "attack or ambush U.S. troops in or around the bases."

To make things even worse, some experts have also found ways to deanonymize the Strava heatmap, identifying individuals and their location where they have been exercising.

Strava has reminded its users that they could turn off location services for the app and that the map does not include private activities or areas deemed private.

"Our global heat map represents an aggregated and anonymised view of over a billion activities uploaded to our platform," Strava said in a statement. "It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share."

The incident is a great reminder for people, especially for those working in or around sensitive locations, to turn off location sharing services for everything.

Moreover, militaries should also consider limiting smartphones and wearables use in sensitive areas as well as educate their soldiers on the importance of privacy.  

Read More

OnePlus confirms up to 40,000 customers affected by Credit Card Breach

OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company's official website.
In a statement released today, Chinese smartphone manufacturer admitted that credit card information belonging to up to 40,000 customers was stolen by an unknown hacker between mid-November 2017 and January 11, 2018.
According to the company, the attacker targeted one of its systems and injected a malicious script into the payment page code in an effort to sniff out credit card information while it was being entered by the users on the site for making payments.
The malicious script was able to capture full credit card information, including their card numbers, expiry dates, and security codes, directly from a customer’s browser window.

"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated," OnePlus said on its official forum. "We have quarantined the infected server and reinforced all relevant system structures."

However, the company believes users who shopped on its website using their saved credit card, PayPal account or the "Credit Card via PayPal" method are not affected by the breach.

OnePlus is still investigating the incident and committed to conducting an in-depth security audit to identify how hackers successfully managed to inject the malicious script into its servers.

Meanwhile, credit card payments will remain disabled on the OnePlus.net store until the investigation is complete as a precaution, though users can make purchases through PayPal.

  "We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better," OnePlus says.

OnePlus is notifying all possibly affected OnePlus customers via an email and advises them to keep a close eye on their bank account statements for any fraudulent charges or look into cancelling their payment card.

The company is also looking into offering a one-year subscription of credit monitoring service for free to all affected customers.

Read More

This New Android Malware Can Physically Damage Your Phone

Due to the recent surge in cryptocurrency prices, not only hackers but also legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of your PC to mine Bitcoin or other cryptocurrencies.

Just last week, researchers from AdGuard discovered that some popular video streaming and ripper sites including openload, Streamango, Rapidvideo, and OnlineVideoConverter hijacks CPU cycles from their over hundreds of millions of visitors for mining Monero cryptocurrency.

Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.

Dubbed Loapi, the new Android Trojan can perform so many more malicious activities at a time that can exploit a handset to the extent that within just two days of infection it can cause the phone's battery to bulge out of its cover.

Described as a "jack-of-all-trades" by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.

Loapi Destroyed An Android Phone In Just 2 Days

 

When analyzed a Loapi sample, Kaspersky's researchers discovered that the malware mines the Monero cryptocurrency so intensely that it destroyed an Android phone after two days of testing, causing the battery to bulge and deforming the phone cover.

According to researchers, the cybercriminals behind Loapi are the same responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for "popular antivirus solutions and even a famous porn site."

A screenshot in the Kaspersky blog suggests that Loapi impersonates as at least 20 variations of adult-content apps and legitimate antivirus software from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others.

Upon installation, Loapi forces the user to grant it 'device administrator' permissions by looping a pop-up until a victim clicks yes, which gives the malicious app the same power over your smartphone that you have.

 This highest level privilege on a device would also make the Loapi malware ideal for user espionage, though this capability is not yet present in the malware, the Kaspersky researchers think this can be included in the future.

Loapi Malware Aggressively Fights to Protect Itself

Researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing phone windows by itself.

Loapi communicates with the module-specific command and control (C&C) servers, including advertisement module, SMS module and mining module, web crawler, and proxy module, for different functions to be performed on the infected device.

By connecting with one of the above-mentioned C&C servers, Loapi sends a list of legitimate antivirus apps that pose it danger and claims the real app as malware and urges the user to delete it by showing the pop-up in a loop until the user finally deletes the app.

"Loapi is an interesting representative from the world of malicious Android apps. It’s creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device," the researchers concluded.

Fortunately, Loapi failed to make its ways to Google Play Store, so users who stick to downloads from the official app store are not affected by the malware. But you are advised to remain vigilant even when downloading apps from Play Store as malware often makes its ways to infect Android users.

Read More

Firefox 58 to Block Canvas Browser Fingerprinting By Default to Stop Online Tracking

Do you know? Thousands of websites use HTML5 Canvas—a method supported by all major browsers that allow websites to dynamically draw graphics on web pages—to track and potentially identify users across the websites by secretly fingerprinting their web browsers.

Over three years ago, the concern surrounding browser fingerprinting was highlighted by computer security experts from Princeton University and KU Leuven University in Belgium.

In 2014, the researchers demonstrated how browser's native Canvas element can be used to draw unique images to assign each user's device a number (a fingerprint) that uniquely identifies them.

These fingerprints are then used to detect when that specific user visits affiliated websites and create a profile of the user's web browsing habits, which is then shared among advertising partners for targeted advertisements.

Since then many third-party plugins and add-ons (ex. Canvas Defender) emerged online to help users identify and block Canvas fingerprinting, but no web browser except Tor browser by default blocks Canvas fingerprinting.

Good news—the wait is over.

Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will grant users the ability to block canvas fingerprinting.

The browser will now explicitly ask user permission if any website or service attempts to use HTML5 Canvas Image Data in Firefox, according to a discussion on the Firefox bug tracking forum.

The permission prompt that Firefox displays reads:

"Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer."

Once you get this message, it's up to you whether you want to allow access to canvas fingerprinting or just block it. You can also check the "always remember my decision" box to remember your choice on future visits as well.

Starting with Firefox 58, this feature would be made available for every Firefox user from January 2018, but those who want to try it early can install the latest pre-release version of the browser, i.e. Firefox Nightly.

Besides providing users control over canvas fingerprinting, Firefox 58 will also remove the controversial WoSign and its subsidiary StartCom root certificates from Mozilla's root store.

With the release of Firefox 52, Mozilla already stopped allowing websites to access the Battery Status API and the information about the website visitor’s device, and also implemented protection against system font fingerprinting. 

Read More

Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread

A new widespread ransomware worm, known as "Bad Rabbit," that hit over 200 major organisations, primarily in Russia and Ukraine this week leverages a stolen NSA exploit released by the Shadow Brokers this April to spread across victims' networks.

Earlier it was reported that this week's crypto-ransomware outbreak did not use any National Security Agency-developed exploits, neither EternalRomance nor EternalBlue, but a recent report from Cisco's Talos Security Intelligence revealed that the Bad Rabbit ransomware did use EternalRomance exploit.

NotPetya ransomware (also known as ExPetr and Nyetya) that infected tens of thousands of systems back in June also leveraged the EternalRomance exploit, along with another NSA's leaked Windows hacking exploit EternalBlue, which was used in the WannaCry ransomware outbreak.

Bad Rabbit Uses EternalRomance SMB RCE Exploit

Bad Rabbit does not use EternalBlue but does leverage EternalRomance RCE exploit to spread across victims' networks.

Microsoft and F-Secure have also confirmed the presence of the exploit in the Bad Rabbit ransomware.

EternalRomance is one of many hacking tools allegedly belonged to the NSA's elite hacking team called Equation Group that were leaked by the infamous hacking group calling itself Shadow Brokers in April this year.

EternalRomance is a remote code execution exploit that takes advantage of a flaw (CVE-2017-0145) in Microsoft's Windows Server Message Block (SMB), a protocol for transferring data between connected Windows computers, to bypass security over file-sharing connections, thereby enabling remote code execution on Windows clients and servers.

Along with EternalChampion, EternalBlue, EternalSynergy and other NSA exploits released by the Shadow Brokers, the EternalRomance vulnerability was also patched by Microsoft this March with the release of a security bulletin (MS17-010).

Bad Rabbit was reportedly distributed via drive-by download attacks via compromised Russian media sites, using fake Adobe Flash players installer to lure victims' into install malware unwittingly and demanding 0.05 bitcoin (~ $285) from victims to unlock their systems.

How Bad Rabbit Ransomware Spreads In a Network

According to the researchers, Bad Rabbit first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop malware, and also uses Mimikatz post-exploitation tool to extract credentials from the affected systems.

Bad Rabbit can also exploit the Windows Management Instrumentation Command-line (WMIC) scripting interface in an attempt to execute code on other Windows systems on the network remotely, noted EndGame.

However, according to Cisco's Talos, Bad Rabbit also carries a code that uses EternalRomance, which allows remote hackers to propagate from an infected computer to other targets more efficiently.

"We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor," Talos researchers wrote.

"Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space."

Is Same Hacking Group Behind Bad Rabbit and NotPetya?

Since both Bad Rabbit and NotPetya uses the commercial DiskCryptor code to encrypt the victim's hard drive and "wiper" code that could erase hard drives attached to the infected system, the researchers believe it is "highly likely" the attackers behind both the ransomware outbreaks are same.

 

"It is highly likely that the same group of hackers was behind BadRabbit ransomware attack on October the 25th, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017," Russian security firm Group IB noted.

"Research revealed that the BadRabbit code was compiled from NotPetya sources. BadRabbit has same functions for computing hashes, network distribution logic and logs removal process, etc."

NotPetya has previously been linked to the Russian hacking group known as BlackEnergy and Sandworm Team, but since Bad Rabbit is primarily targeting Russia as well, not everyone seems convinced with the above assumptions.

How to Protect Yourself from Ransomware Attacks?

In order to protect yourself from Bad Rabbit, users are advised to disable WMI service to prevent the malware from spreading over your network.

Also, make sure to update your systems regularly and keep a good and effective anti-virus security suite on your system.

Since most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs, you should always exercise caution before falling for any of these.

Most importantly, to always have a tight grip on your valuable data, keep a good backup routine in place that makes and saves copies of your files to an external storage device that isn't always connected to your PC.

Read More

Kaspersky Opens Antivirus Source Code for Independent Review to Rebuild Trust

Kaspersky Lab — We have nothing to hide!

Russia-based Antivirus firm hits back with what it calls a "comprehensive transparency initiative," to allow independent third-party review of its source code and internal processes to win back the trust of customers and infosec community.

Kaspersky launches this initiative days after it was accused of helping, knowingly or unknowingly, Russian government hackers to steal classified material from a computer belonging to an NSA contractor.

Earlier this month another story published by the New York Times claimed that Israeli government hackers hacked into Kaspersky’s network in 2015 and caught Russian hackers red-handed hacking US government with the help of Kaspersky.

US officials have long been suspicious that Kaspersky antivirus firm may have ties to Russian intelligence agencies.

Back in July, the company offered to turn over the source code for the U.S. government to audit.

However, the offer did not stop U.S. Department of Homeland Security (DHS) from banning and removing Kaspersky software from all of the government computers.

In a blog post today the company published a four-point plan:

• Kaspersky will submit its source code for independent review by internationally recognised authorities, starting in Q1 2018.
• Kaspersky also announced an independent review of its business practices to assure the integrity of its solutions and internal processes.
• Kaspersky will establish three transparency centres in next three years, "enabling clients, government bodies & concerned organisations to review source code, update code and threat detection rules."
• Kaspersky will pay up to $100,000 in bug bounty rewards for finding and reporting vulnerabilities in its products.

"With these actions, we will be able to overcome mistrust and support our commitment to protecting people in any country on our planet." Kaspersky's CEO Eugene said.

However, infosec experts' twitter commentary shows that the damage has already been done.

"Code review is absolutely meaningless. All Russian intelligence need is an access to KSN, Kaspersky's data lake which is a treasure trove of data. Even open sourcing the entire product won't reveal or even help with revealing that." Amit Serper, the security researcher at Cybereason, tweeted.

Now it is important to see whether these actions will be enough to restore the confidence of US government agencies in Kaspersky or the company will be forced to move its base out of Russia.

Read More

Passwords For 540,000 Car Tracking Devices Leaked Online

Another day, another news about a data breach, though this is something disconcerting.

Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.

Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server.

The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period.

Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen.

The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices.

Since the leaked passwords were stored using SHA-1, a 20-years-old weak cryptographic hash function that was designed by the US National Security Agency (NSA), which can be cracked with ease.

The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.

Interestingly, the exposed database also contained information where exactly in the car the physical tracking unit was hidden.

According to Kromtech, the total number of devices exposed "could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking."

Since SVR's car tracking device monitors a vehicle everywhere for the past 120 days, anyone with access to SVR users' login credentials could both track a vehicle in real time and create a detailed log of every location the vehicle has visited using any internet connected device like a desktop, laptop, mobile phone or tablet.

Eventually, the attacker could outright steal the vehicle or even rob a home when they know a car's owner is out.

Kromtech responsible alerted the company of the misconfigured AWS S3 cloud storage bucket, which has since been secured. However, It is unclear whether the publically accessible data was possibly accessed by hackers or not.  

Read More

APT33: Researchers Expose Iranian Hacking Group Linked to Destructive Malware

Security researchers have recently uncovered a cyber espionage group targeting aerospace, defence and energy organisations in the United States, Saudi Arabia and South Korea.
According to the latest research published Wednesday by US security firm FireEye, an Iranian hacking group that it calls Advanced Persistent Threat 33 (or APT33) has been targeting critical infrastructure, energy and military sectors since at least 2013 as part of a massive cyber-espionage operation to gather intelligence and steal trade secrets.
The security firm also says it has evidence that APT33 works on behalf of Iran's government.

FireEye researchers have spotted cyber attacks aimed by APT33 since at least May 2016 and found that the group has successfully targeted aviation sector—both military and commercial—as well as organisations in the energy sector with a link to petrochemical.

The APT33 victims include a U.S. firm in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean company involved in oil refining and petrochemicals.

Most recently, in May 2017, APT33 targeted employees of a Saudi organisation and a South Korean business conglomerate using a malicious file that attempted to entice them with job vacancies for a Saudi Arabian petrochemical company.

"We believe the targeting of the Saudi organisation may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies," the FireEye report reads.

APT33 targets organisations by sending spear phishing emails with malicious HTML links to infect targets' computers with malware. The malware used by the espionage group includes DROPSHOT (dropper), SHAPESHIFT (wiper) and TURNEDUP (custom backdoor, which is the final payload).

 However, in previous research published by Kaspersky, DROPSHOT was tracked by its researchers as StoneDrill, which targeted petroleum company in Europe and believed to be an updated version of Shamoon 2 malware.

"Although we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have identified multiple DROPSHOT samples in the wild that drop SHAPESHIFT," the report reads.

The SHAPESHIFT malware can wipe disks, erase volumes and delete files, depending on its configuration.

According to FireEye, APT 33 sent hundreds of spear phishing emails last year from several domains, which masqueraded as Saudi aviation companies and international organisations, including Boeing, Alsalam Aircraft Company and Northrop Grumman Aviation Arabia.

The security firm also believes APT 33 is linked to Nasr Institute, an Iranian government organisation that conducts cyber warfare operations.

In July, researchers at Trend Micro and Israeli firm ClearSky uncovered another Iranian espionage group, dubbed Rocket Kittens, that was also active since 2013 and targeted organisations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.

However, FireEye report does not show any links between both the hacking group. For more technical details about the APT33 operations, you can head on to FireEye's official blog post.

Read More

Red Alert 2.0: New Android Banking Trojan for Sale on Hacking Forums

The Recent discoveries of dangerous variants of the Android banking Trojan families, including Faketoken, Svpeng, and BankBot, present a significant threat to online users who may have their login credentials and valuable personal data stolen.

Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented on many dark websites for $500 per month, SfyLabs' researcher Han Sahin told The Hacker News.

Dubbed Red Alert 2.0, the Android banking malware has been fully written from scratch, unlike other banking trojans, such as BankBot and ExoBot, which were evolved from the leaked source code of older trojans.

The Red Alert banking malware has been distributed via many online hacking forums since last few months, and its creators have continuously been updating the malware to add new functionalities in an effort to make it a dangerous threat to potential victims.

Malware Blocks Incoming Calls from Banks

Like most other Android banking trojans, Red Alert has a large number of capabilities such as stealing login credentials, hijacking SMS messages, displaying an overlay on the top of legitimate apps, contact list harvesting, among others.

Besides this, Red Alert actors have also added an interesting functionality to its malware, like blocking and logging all incoming calls associated with banks and financial associations.

This would potentially allow the Red Alert malware to prevent warnings of a compromised account to be received by the victims from their associated banks.

Malware Uses Twitter As Backup C&C Infrastructure

 

Another most interesting thing about Red Alert 2.0 is that it uses Twitter to prevent losing bots when its command and control server is knocked offline.

"When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account," SfyLabs researchers said in a blog post. 

"This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan."

The Red Alert 2.0 is currently targeting victims from more than 60 banks and social media apps across the world and works on Android 6.0 (Marshmallow) and previous versions.

Here's How the Red Alert 2.0 Trojan Works:

Once installed on victim's phone via the third-party app store, the malware waits for the victim to open a banking or social media app, whose interface it can simulate, and once detected, the Trojan immediately overlays the original app with a fake user interface.

 

The fake interface then informs the victim that there is an error while logging the user in and requests the user to re-authenticate his/her account.

As soon as the user enters the credentials into the fake user interface, Red Alert records them and sends them to the attacker-controlled command and control (C&C) server to be used by the attackers to hijack the account.

In case of banking apps, the recorded information is being used by attackers to initiate fraudulent transactions and drain the victim's bank account.

Since Red Alert 2.0 can also intercept SMS text messages received by the infected smartphone, the trojan could work around two-factor authentication techniques that otherwise are designed to throttle such attacks.

Ways to Protect Yourself Against Such Android Banking Trojans

The easiest way to prevent yourself from being a victim of one such mobile banking Trojan is to avoid downloading apps via third-party app stores or links provided in SMS messages or emails.

Just to be on the safer side, go to Settings → Security and make sure "Unknown sources" option is turned off on your Android device that blocks installation of apps from unknown sources.

Most importantly, verify app permissions before installing any app, even from official Google Play Store, and if you find any application asking more than what it is meant for, just do not install it.

It is always a good idea to install an anti-virus app from a reputed vendor that can detect and block such Trojan before it can infect your device.

Also, always keep your system and apps up-to-date.

Read More

Windows 10 to Give More Control Over App-level Permissions

Microsoft has been gradually changing its privacy settings in Windows 10 with the Fall Creators Update to give its users more controls over their data.

In April, Microsoft addressed some initial privacy concerns in the Windows 10 Creators Update with simplified data collection levels—Security, Basic, Enhanced, and Full—and eventually revealed its data collection practices.

Now, the software giant is making another privacy-related change with the upcoming Windows 10 Fall Creators Update, which is due for release in October 2017, giving you much more control over what apps can do with your device.

Just like apps on your smartphone's app store, apps on Windows Store also require permission to access your computer's critical functionalities like camera, microphone, calendar, contacts, and music, pictures and video libraries.

While Android and iOS allow you to limit an app's permissions to access these sensitive things, these permissions have currently been provided to all apps implicitly in the Fall Creators Update, except for access to location data that needs an explicit user permit.

But that's going to be changed.

For each new app installed on the Windows 10 Fall Creators Update, the operating system will prompt users for access to their device's camera, microphone, contacts, calendar, and images and other information, requiring an explicit opt-in for each app.

"Starting with the Fall Creators Update, we’re extending this experience to other device capabilities for apps you install through the Windows Store," Microsoft wrote in a post detailing the privacy improvements.

"You will be prompted to provide permission before an app can access key device capabilities or information such as your camera, microphone, contacts, and calendar, among others. This way you can choose which apps can access information from specific features on your device."

However, when users install the Fall Creators Update, existing applications on their device will retain their permissions, but new apps installed from the official Windows Store will require their access to be enabled explicitly.

In order to review and manage your existing app permissions, head on to Start → Settings → Privacy. To learn more about Windows app permissions, head on to this link.

Microsoft is set to test these privacy changes with Windows Insiders shortly. The Windows 10 Fall Creators Update will be released on October 17th. 

Read More

WireX DDoS Botnet: An Army of Thousands of Hacked Android SmartPhones

Do you believe that just because you have downloaded an app from the official app store, you're safe from malware?

Think twice before believing it.

A team of security researchers from several security firms have uncovered a new, widespread botnet that consists of tens of thousands of hacked Android smartphones.

Dubbed WireX, detected as "Android Clicker," the botnet network primarily includes infected Android devices running one of the hundreds of malicious apps installed from Google Play Store and is designed to conduct massive application layer DDoS attacks.

Researchers from different Internet technology and security companies—which includes Akamai, CloudFlare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru—spotted a series of cyber attacks earlier this month, and they collaborated to combat it.

Although Android malware campaigns are quite common these days and this newly discovered campaign is also not that much sophisticated, I am quite impressed with the way multiple security firms—where half of them are competitors—came together and shared information to take down a botnet.

WireX botnet was used to launch minor DDoS attacks earlier this month, but after mid-August, the attacks began to escalate.

The "WireX" botnet had already infected over 120,000 Android smartphones at its peak earlier this month, and on 17th August, researchers noticed a massive DDoS attack (primarily HTTP GET requests) originated from more than 70,000 infected mobile devices from over 100 countries.

If your website has been DDoSed, look for the following pattern of User-Agent strings to check if it was WireX botnet:

  

After further investigation, security researchers identified more than 300 malicious apps on Google’s official Play Store, many of which purported to be media, video players, ringtones, or tools for storage managers and app stores, which include the malicious WireX code.

Just like many malicious apps, WireX apps do not act maliciously immediately after the installation in order to evade detection and make their ways to Google Play Store.

Instead, WireX apps wait patiently for commands from its command and control servers located at multiple subdomains of "axclick.store."

Google has identified and already blocked most of 300 WireX apps, which were mostly downloaded by users in Russia, China, and other Asian countries, although the WireX botnet is still active on a small scale.

   

If your device is running a newer version of the Android operating system that includes Google's Play Protect feature, the company will automatically remove WireX apps from your device, if you have one installed.

Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.

Also, it is highly recommended to install apps from reputed and verified developers, even when downloading from Google official Play Store and avoid installing unnecessary apps.

Additionally, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Android malware continues to evolve with more sophisticated and never-seen-before attack vectors and capabilities with every passing day.

Just at the beginning of this week, Google removed over 500 Android apps utilising the rogue SDK—that secretly distribute spyware to users—from its Play Store marketplace.

Last month, we also saw first Android malware with code injecting capabilities making rounds on Google Play Store.

A few days after that, researchers discovered another malicious Android SDK ads library, dubbed "Xavier," found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store. 

Read More

Easy-to-Use Apps Allow Anyone to Create Android Ransomware Within Seconds

"Ransomware" threat is on the rise, and cyber criminals are making millions of dollars by victimizing as many people as they can—with WannaCry, NotPetya and LeakerLocker being the ransomware threats that made headlines recently.

What's BAD? Hacker even started selling ransomware-as-a-service (RaaS) kits in an attempt to spread this creepy threat more easily, so that even a non-tech user can create their own ransomware and distribute the threat to a wider audience.

The WORSE—You could see a massive increase in the number of ransomware campaigns during the next several months—thanks to new Android apps available for anyone to download that let them quickly and easily create Android ransomware with their own devices.

Security researchers at Antivirus firm Symantec have spotted some Android apps available on hacking forums and through advertisements on a social networking messaging service popular in China, which let any wannabe hacker download and use Trojan Development Kits (TDKs).

How to Create Your Own Android Ransomware

With an easy-to-use interface, these apps are no different from any other Android app apart from the fact that it allows users to create their custom mobile malware with little to no programming knowledge.

To create customized ransomware, users can download one such app (for an obvious reason i am not sharing the links), install and open it, where it offers to choose from the following options, which are displayed on the app's on-screen form:

The message that is to be shown on the locked screen of the infected device

• The key to be used to unlock that infected device
• The icon to be used by their malware
• Custom mathematical operations to randomize the code
• Type of animation to be displayed on the infected device

Once all of the information has been filled in, users just require hitting the "Create" button.

If the user hasn't before, the app will prompt him/her to subscribe to the service before proceeding. The app allows the user to start an online chat with its developer where he/she can arrange a one-time payment.

After the payment has been made, the "malware is created and stored in the external storage in ready-to-ship condition," and then the user can continue with the process, making as many as victims as the user can.

"Anyone unlucky enough to be tricked into installing the malware will end up with a locked device held to ransom," Symantec researchers say. 

"The malware created using this automation process follows the typical Lockdroid behavior of locking the device’s screen with a SYSTEM_ALERT_WINDOW and displaying a text field for the victim to enter the unlock code."

The Lockdroid ransomware has the ability to lock the infected device, change the device PIN, and delete all of its user data through a factory reset, and even prevent the user from uninstalling the malware.

Such apps allow anyone interested in hacking and criminal activities to develop a ready-to-use piece of ransomware malware just by using their smartphones without any need to write a single line of code.

"However, these apps are not just useful for aspiring and inexperienced cyber criminals as even hardened malware authors could find these easy-to-use kits an efficient alternative to putting the work in themselves," the researchers say.

So, get ready to expect an increase in mobile ransomware variants in coming months.

How to Protect Your Android Devices from Ransomware Attacks

In order to protect against such threats on mobile devices, you are recommended to:

• Always keep regular backups of your important data.
• Make sure that you run an active anti-virus security suite of tools on your machine.
• Avoid downloading apps from unknown sites and third-party app stores.
• Always pay close attention to the permissions requested by an app, even if it is downloaded from an official app store.
• Do not open any email attachments from unknown sources.
• Finally, browse the Internet safely.

 

Read More

Beware of Windows/MacOS/Linux Virus Spreading Through Facebook Messenger

If you came across any Facebook message with a video link sent by anyone, even your friend — just don’t click on it.

Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software.

Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

The attackers make use of social engineering to trick users into clicking the video link, which purports to be from one of their Facebook friends, with the message that reads "< your friend name > Video" followed by a bit.ly link, as shown.

Here's How this Cross-Platform Malware Works:

The URL redirects victims to a Google doc that displays a dynamically generated video thumbnail, like a playable movie, based on the sender's images, which if clicked, further redirects users to another customised landing page depending upon their browser and operating system.

For example, Mozilla Firefox users on Windows are redirected to a website displaying a fake Flash Player Update notice, and then offered a Windows executable, which is flagged as adware software.

  

Google Chrome users are redirected to a website that masquerades as YouTube with similar YouTube logo, which displays a fake error message popup, tricking victims into downloading a malicious Chrome extension from the Google Web Store.

  

The extension actually is a downloader that downloads a file of attacker's choice to the victim's computer.

"At the time of writing, the file which should have been downloaded was not available," David Jacoby, a chief security researcher from Kaspersky Lab, writes in a blog post published today.

"One interesting finding is that the Chrome Extension has log files from the developers displaying usernames. It is unclear if this is related to the campaign, but it is still an amusing piece of information."

Users of Apple Mac OS X Safari ends up on a web page similar to when using Firefox, but it was customised for MacOS users with a fake update for Flash Media Player, which if clicked, downloads an OSX executable .dmg file, which is also adware.

Same in case of Linux, user redirects to another landing page designed for Linux users.

The attackers behind the campaign are not actually infecting users of all platform with any banking Trojan or exploit kits, but with adware to make a lot of money by generating revenue from ads.

Spam campaigns on Facebook are quite common. A few years ago, researchers found cyber criminals using boobytrapped .JPG image files to hide their malware in order to infect Facebook users with variants of the Locky ransomware, which encrypts all files on the infected PC until a ransom is paid.

To keep yourself safe, you are advised not to get curious to look at images or video links sent by anyone, even your friend, without verifying it with them, and always keep your antivirus software up-to-date.  

Read More

New Snowden Doc Exposes How NSA's Facility in Australia Aids Drone Strikes

The new documents leaked by former NSA contractor Edward Snowden has exposed a United States secretive facility located near a remote town in Australia's Northern Territory for covertly monitoring wireless communications and aiding US military missions.

The leaked documents have come from the massive trove of classified material stolen by Snowden from the US National Security Agency (NSA) in 2013 that exposed the extent of the US government's global surveillance programs.

The newly released classified documents, obtained by The Intercept, contained references to a secretive facility, which was codenamed "Rainfall," but is officially known as the Joint Defence Facility Pine Gap.

The documents reveal that the Joint Defence Facility Pine Gap, located outside Alice Springs, deployed cutting-edge satellite technology for detailed geolocation intelligence that helps the US military locate targets for special forces and drone strikes.

The use of unmanned air vehicles, generally known as drones, by the U.S. military has previously been blamed for hundreds of civilian deaths in countries like Pakistan, Afghanistan, Yemen, Syria, and Somalia.

As outlined in a secret intelligence document, Pine Gap's aim is to "support the national security of both the U.S. and Australia. The [facility] contributes to verifying arms control and disarmament agreements and monitoring military developments."

However, in reality, Pine Gap has a far broader mission with powerful capabilities than the Australian or U.S. government has ever publicly acknowledged.

Pine Gap finds Targets for U.S. Drone Strikes

The satellites used by the Pine Gap are described as being "geosynchronous"—likely positioned high in orbit at over 20,000 miles above the earth's surface—which are equipped with powerful surveillance technology to monitor wireless communications on the ground, like those sent and received by mobile phones, radios, and satellite uplinks.

According to the leaked documents, these satellites collect "strategic and tactical military, scientific, political, and economic communications signals," and also keep eyes on any missile or weapon tests in targeted countries, steal intel from foreign military data systems, and provide surveillance support to United States forces.

One of the secret NSA documents analysed by the Australian Broadcasting Corporation (ABC) suggests that the facility's role is not only to collect signals, but also to analyse them, as it "detects, collects, records, processes, analyses and reports" on almost everything—from surface-to-air missiles to anti-aircraft artillery and fighter aircraft.

One mission even pilfered communications from the former Soviet Union, China, East Asia, South Asia, the Middle East, Eastern Europe, and territories in the Atlantic Ocean.

In 2013, the Sydney Morning Herald reported that Pine Gap played a major role in controversial U.S. drone strikes, which had also resulted in the deaths of hundreds of innocent civilians.

Trump Administration Doubled the Drone Strikes

Richard Tanter, the University of Melbourne’s professor who has previously studied Pine Gap, told the publication that "Pine Gap will be contributing hugely in real-time to those operations, as well as in preparation for them."

"So whether or not the Australian government thinks that an attack on North Korea is either justified or a wise and sensible move, we will be part of that. We'll be culpable in terms of the consequences," Tanter asserted.

Under Trump administration, drone strikes and special operations raids have doubled, while simultaneously loosening battlefield rules to prevent civilian deaths in such air attacks.

However, David Rosenberg, who worked inside Pine Gap as a team leader of weapon signals analysis for at least 18 years until 2008, confirms the facility's geolocation capability, claiming that preventing civilian casualties is a high priority.

"One thing I can certainly tell you the governments of Australia, and the United States would, of course, want to minimise all civilian casualties," Rosenberg says. "Pine Gap does help to provide limitation of civilian casualties by providing accurate intelligence."

It is not at all surprising to see Australia working closely with its U.S. counterparts to help conduct global surveillance since it is a key member of the "Five Eyes" alliance—alongside the US, UK, New Zealand and Canada—all openly shares secret intelligence reports.  

Read More