Monthly Archives: January 2017

Why you need MFA now: Gmail phishing scheme prepends URL with working script data

Leo Lintang, Getty Images/iStockphoto
Imagine waking up one morning to discover your email address and current password have been plastered onto a billboard on the side of a major highway. It’s a bit improbable, I know, but play along.
For some of you, that would be the end. Anyone could paw through your email history, steal personal identifying information, run password resets for other sites, and generally wreak untold havoc.
But, for others of you, the billboard would be a mere annoyance. You’d pick a new password and go on with your day. Nobody would have gotten into your account, your identity information would be safe, and havoc would remain unwreaked.

What is the difference between these two scenarios? Why would some people with exposed email addresses and passwords be hacked, attacked, smacked, and wracked — and why would others just merely be annoyed?

Multi-factor. It’s not just a compound word. It’s a defense strategy. The idea is this: In addition to something you know (your email ID and password), logging in requires something you have, or something you are. Usually, that’s something like an authentication key generated by your phone, or a fingerprint.

When you use multi-factor authentication, you’re requiring an additional factor beyond user name and password.

With that, I’m going to tell you about a new way some bad guys are phishing for authentication information. These nasty folks are trying to trick users out of their user IDs and passwords. And, in a lot of cases, they’re succeeding. The trick is relatively subtle, so even the most aware users might be tricked into falling for the ruse.

Malware uses denial-of-service attack in attempt to crash Macs


Victims are asked to call a phony Apple support number in order to restore their machine.

A tech support scam is targeting Mac users with unusual malware which tries to crash the system then encourages the victim to call a phony Apple support number in order to get the system restored to normal.

Victims are infected with the malware via a malicious email or by visiting a specially registered scam website. Cybersecurity researchers at Malwarebytes warn that these websites are particularly dangerous for Mac users running Safari because simply visiting one of the domains can execute the attack.

Once the malicious code has been triggered, it will first of all check to see which version of OS X the victim is using and then attempt to trigger a a denial-of-service attack by repeatedly opens draft emails.

The DDoS continues drafting new emails in individual windows until so many windows are running that the system crashes due to lack of memory. The subject line of the emails tells the user a virus has been detected and to call the tech support number.

There are also instances of the malicious software opening up iTunes without any user prompting and displaying the fraudulent phone number there.

While users running the most up to date version of the Apple operating system – macOS Sierra 10.12.2 – don’t appear to be affected by the DDoS attack against the mail application, so users should patch their systems to ensure the most protection against the attacks

Cybersecurity Expert Links Taiwan And Europe ATM Hacks

Group-IB says both attacks were likely carried out by Cobalt group using malware “ATM spitter.”

Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB’s conclusion is based on the fact that the hack technique used in both incidents match.

A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered and Taiwan authorities believe the bank network was breached at a London branch.

According to a Group-IB report, the hackers used malware “ATM spitter” in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria, and many other European countries, Reuters adds.

This ransomware scheme is targeting schools, colleges and head teachers, warn police

  • Cybercriminals are pretending to be government officials as part of a ransomware scheme which is targeting schools and demanding payments of up to £8,000 to unencrypt the locked files.
  • Action Fraud, the UK’s fraud and cybercrime centre, and the City of London police, have issued a warning over the activity, which begins with criminals contacting the targeted schools with a phone call.
  • Claiming to be from ‘The Department of Education’, the caller asks for the email address of the head teacher which they claim they need in order to send them sensitive information which is unsuitable for the school’s general email address.
  • The scammers usually claim the documents contain guidance for the head teacher, ranging from exam guidance to advice on mental health assessments.
  • Once those carrying out the scheme have the contact details they need, they’ll send an email containing a ransomware infected .zip file – often disguised as an Excel or Word document – to the intended victim. If the file is opened, it will execute the ransomware, encrypting files and then demanding a ransom be paid in order to retrieve the files.
  • Ransom demands have been made for up to £8,000, although the police haven’t confirmed if these ransoms have been paid, what ransomware variant is used, or which schools have been targeted.
  • But educational establishments are far from the only UK public sector bodies being targeted by ransomware schemes; NHS hospitals have also been a target. One notable example isthe Northern Lincolnshire and Goole NHS Foundation Trust which saw a ransomware infection take three hospitals offline and the cancellation of 2,800 patient appointments.

Android-infecting Trojan malware uses your phone to attack your router

Switcher Trojan reroutes your DNS to hand attackers information about every activity which takes place on the infected router.

A new form of Android Trojan malware is capable of attacking the routers controlling the wireless networks of its victims, thus leaving them vulnerable to further cyberattacks, fraud and data theft.

Dubbed Switcher Trojan, the malware uses unsuspecting Android device users as tools to redirect all traffic from Wi-Fi connected devices on the network into the hands of cybercriminal attackers.

The researchers at Kaspersky Lab said this is the first time Android malware has been used to attack routers like this. The malware attempts to infiltrate the router’s admin interface by using a long, predefined list of password and login combinations – a task which is made easy if the router still uses easily crackable default credentials.

If the attack succeeds, Switcher alters the Domain Name Servers (DNS) settings of the router, making it possible to reroute DNS queries on the infected network onto a network controlled by the perpetrators.

This type of DNS-hijacking attack allows the perpetrators to monitor all traffic on the infected network, providing them with vast swathes of information which could be used to carry out other cybercriminal or malicious activities.

According to figures on the cybercriminals’ command and control servers – seemingly left open to view by accident – 1,280 Wi-Fi networks have been infiltrated using Switcher Trojan, putting traffic of all users on those networks at risk of being accessible to hackers and cyber fraudsters. The bad news is, even if the attack is detected, it can be difficult to remove the infection, thanks to the backup servers.

“A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on,” says Kaspersky Lab cybersecurity researcher Nikita Buchka.

Switcher Trojan currently appears to be mainly restricted to targeting internet users in China, spreading itself in two different ways.

The first uses a modified URL to disguise itself as a mobile client for the Chinese search engine Baidu, while a second technique is based around a fake version of a popular Chinese mobile application for sharing information about networks between users.

One of the key methods users can use to avoid becoming victim to this sort of attack is to change the default login and password your network router. Google had not responded to a request for comment at the time of publication.

Ending Of The Year With A 650Gbps DDoS Attack

It seems that 2016 has been the year of immense DDoS attacks, many coming from Mirai. This seems to be a newcomer though ending the year with a 650Gbps DDoS attack.

Ending The Year With A 650Gbps DDoS Attack

The Dyn DNS DDoS attack that some speculated reached over 1Tbps was probably the biggest, but this isn’t that far behind and it’s bigger than the previously largest recorded at 620Gbps.

As the end of the year approaches, it’s natural to contemplate the future and look for signs of things to come. Sometimes, however, you don’t have to search too hard. Sometimes, these “signs” hit you like a ton of bricks.

This is how it was for us when, just ten days before the year’s end, we found ourselves mitigating a 650 Gbps (Gigabit per second) DDoS attack—the largest on record for our network.

This was a fitting end to a year of huge DDoS assault, nasty new malware types and massive IoT botnets. What’s more, it showed exactly where things are heading next on the DDoS front.

The attack began around 10:55 AM on December 21, targeting several anycasted IPs on the Imperva Incapsula network.

It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies. And so, lacking any better option, the offender turned his attention to the service that stood between him and his target.

The attacks seems to have started out as an attack on an Incapsula customer and when failing with that, they moved onto attacking the service protecting them directly.

They mitigated the attack very well with minimal impact and it seems no downtime or customer impact.

The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).

This second burst lasted about 17 minutes and was just as easily countered by our service. Out of options, the offender wised up and ceased his assault.

Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet’s actual geo-location or learn anything about the nature of the attacking devices.

The attack traffic was generated by two different SYN payloads:

  1. Regular-sized SYN packets, ranging from 44 to 60 bytes in size
  2. Abnormally large SYN packets, ranging from 799 to 936 bytes in size

The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.

Whilst a pretty large attack, it’s certainly not the most persistent with the attacker giving up fairly easily and only using a few limited methods.

Either that, or they were just probing the Incapsula network to see what it could handle and didn’t want to expose their full hand.

Source: Incapsula Blog

US government subcontractor leaks confidential military personnel data

A Pentagon subcontractor has exposed reams of highly sensitive details belonging to active military healthcare professionals online, some of which hold top-secret security clearances.

Potomac Healthcare Solutions, a subcontractor brought on board to supply healthcare professionals to the US government and military organizations through its Washington, DC.-based contractor Booz Allen Hamilton, was the source of the data leak.

Chris Vickery, lead security researcher of the MacKeeper Security Center, who found the data, told ZDNet in an email that Potomac’s own insecure server was the source of the leak.

Samples of the leaked data provided by Vickery and also reviewed by ZDNet revealed that the personal data of US military personnel was open for all eyes to see, with little in the way to prevent it from being abused.

Many of the victims involved in the data leak are part of the US Special Operations Command (SOCOM), which includes those both formerly employed by US military branches, such as the Army, Navy, and Air Force, and those presumably still on active deployment.

The bulk of the data is made up of military personnel files and lists of physical and mental health support staff, including nurses, doctors, and mental health professionals.

Names, contract types, Social Security numbers, and duty start dates — dating back to 1998 — as well as billet numbers that detail the living quarters for when staff are not on active duty, are all included in the information leak.

Unit assignments and places of work, which include military bases and their postings worldwide, were also in the documents.

Many of those named in the leaked personnel files are linked to SOCOM’s Preservation of the Force and Families (POTFF) program, a scheme that aims to ease the psychological and physical burdens often placed on military personnel and their families through unit-specific teams of healthcare professionals and counsellors.

The files include names of social workers, physical therapists, nurses and assistants, doctors, and psychologists, which alongside detail the states of their residency, pay scales, contract start and term dates, units and work locations.

Meanwhile, a spokesperson for the Dept. for Defense did not respond to a request for comment at the time of writing.

The realization that US military files have been left for all to see could make those in the forces who need help but do not want it to become public knowledge reluctant to seek assistance in the fear that the next military data breach will include their own case details.

As bad, given the job roles of individuals in the leak, it’s hardly difficult to imagine the files being used as an avenue to find, contact, blackmail and coerce military healthcare professionals into giving over insider information on the US military and employees.

Today’s terrorist activities and nation-state adversaries mean it’s trivial for data leaks to be utilized to personally target military personnel and their families.


Chrome will soon mark some HTTP pages as ‘non-secure’

Google plans to start the new year with a security message.

(Image: Google)

Beginning next month, the company will tag web pages that include login or credit card fields with the message “Not Secure” if the page is not served using HTTPS, the secure version of the internet protocol.

The company on Tuesday began sending messages through its Google Search Console, a tool for webmasters, warning them of the changes that take place starting in January 2017.

The changes are supported in version 56 or later of the Chrome browser.

The move is a first step in a long-term plan to clearly mark as non-secure all HTTP sites regardless of their content. In upcoming releases of Chrome, for example, Google will label HTTP pages as “not secure” in Incognito mode.

There is no timeline for when webmasters are required to switch all their pages to HTTPS.

Googles plans go along with on-going efforts to motivate consumers and G Suite users to adopt more secure login methods.

HTTPS is designed to protect the integrity and the confidentiality of data as it moves between an end-user computer and a website. The protocol protects personal and other sensitive information such as login credentials.

The transmission is secured by the Transport Layer Security (TLS) protocol, which provides encryption, data integrity and authentication. The authentication piece, among other reasons, is designed to combat man-in-the-middle attacks and promote end-user trust in a website.

In a blog updated a few weeks ago, Google noted that it “recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.”

Converting pages from HTTP to HTTPS comes with a few common pitfalls, such as not keeping certificates or TLS libraries up to date. Converts also may see temporary fluctuations in their site rankings.

Google wrote on its Google + page: “Enabling HTTPS on your whole site is important, but if your site collects passwords, payment info, or any other personal information, it’s critical to use HTTPS. Without HTTPS, bad actors can steal this confidential data. #NoHacked.”