Archive for January 31, 2021

‘Android Worm’ Malware is Spreading Via WhatsApp User Contact List


Security researcher Lukas Stefanko unearthed the malware known as ‘Android Worm’. Threat actors are using it to send malicious messages to WhatsApp users and to extract critical information or shut their accounts down entirely. ‘Android Worm’ enters a user’s phone as a disguised message and then spreads through the victim’s contact list without the victim being aware of it.

Lukas Stefanko shared a video detailing the Android worm malware: “Android WhatsApp Worm? Malware spreads via victim’s WhatsApp by automatically replying to any received WhatsApp message notification with a link to malicious Huawei Mobile app. The message is sent only once per hour to the same contact. It looks to be adware or subscription scam”.

The malware enters a user’s phone via a message, installs adware on the device, and spreads by sending WhatsApp messages to the victim’s contacts while keeping the victim in the dark. As reported by The Sun, the victim first receives a message from a contact or an unknown number asking them to tap a link to win a free smartphone. After tapping the link, the victim is led to believe that a Huawei mobile application is being downloaded to the device; to make the message look trustworthy, a fake Google page is also shown. Once the victim taps the install button, the Android worm is installed on the device.

After that, every hour the malicious link is sent on to some of the victim’s contacts, and the victim will not notice unless they check the device at frequent intervals. According to the ESET blog, “this malware could possibly distribute more dangerous threats since the message text and link to the malicious app are received from the attacker’s server. It could simply distribute banking trojans, ransomware or spyware”.

Google Researcher Groß Identifies the BlastDoor Device in Apple iOS 14


Last year, Apple rolled out iOS 14 with many new features, tighter privacy controls, and elements that make the iPhone smarter, and introduced to iPhone and iPad a new security mechanism aimed primarily at blocking malware attacks arriving through iMessage. The BlastDoor security sandbox shipped with the iOS 14 upgrade in September 2020 and, after reverse engineering, was found to be running on macOS 11.1 on an M1-powered Mac mini as well; it is meant to protect the parsing of untrusted data received by the iMessage client. The service is reportedly written in Swift, a memory-safe language that makes it "significantly harder" to introduce classic memory-corruption vulnerabilities into the codebase, in this case iMessage.

The BlastDoor service, concealed inside iOS 14, was identified by Samuel Groß, a security researcher on Google's Project Zero team. The researcher wrote a blog post on how the new framework protects users from bad actors.

The main function of BlastDoor is to unpack and process incoming messages in a secure, isolated environment where any malicious code embedded in a message cannot communicate with, disrupt, or access user data on the underlying operating system. The BlastDoor service works only for iMessage, so it treats all received data as untrusted. When a link is sent via iMessage, the sending device first renders a preview of the web page and collects metadata (such as the title and page description), which is bundled into an archive. This archive is then encrypted with a temporary key and uploaded to iCloud servers. Once the link is received, the recipient decrypts the archive with the key sent along with it. All of this happens inside the BlastDoor process.

Since several security analysts had previously found that the iMessage service did an inadequate job of sanitizing incoming user data, the need for a service such as BlastDoor was evident. In the last three years, several incidents have occurred in which security researchers or real-world attackers discovered and exploited iMessage Remote Code Execution (RCE) bugs to compromise a device by sending it a simple message, picture, or video.

In 2019, Groß and fellow security researcher Natalie Silvanovich discovered "zero interaction" flaws in iMessage that could allow attackers to read the contents of iPhone files without any notification to the user. The BlastDoor service is likely to address these problems.

Furthermore, Groß stated in the blog post, "Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole."

Perl.com, the Official Site for Perl Programming Language Hijacked


The domain perl.com was created in 1994 and is the official site for the Perl programming language; it is registered with the registrar key-systems(.)net. A warning went up on the perl.org infrastructure weblog overnight telling users that perl.com now pointed to a parking site and advising against visiting it "as there are some signals that it may be related to sites that have distributed malware in the past."

“The perl.com domain was hijacked this morning and is currently pointing to a parking site. Work is ongoing to attempt to recover it.” reads the announcement published on the Perl NOC on 27th January 2021.

The hijack seems to have followed the well-worn path of an attacker taking over a compromised account and transferring the domain away, rather than a simple expiration. The attackers changed the IP address from 151.101.2.132 to 35.186.238[.]10. After the hackers took control of the site, it displayed a blank page whose HTML contained GoDaddy parked-domain scripts.

Posting on Reddit, Brian Foy, editor on the site and writer of a few books on Perl, said: "It looks like there was an account hack. I don't know how long that would take to rewind. We're looking for people who have actual experience dealing with that situation so we can dispute the transfer." Perl.org was unaffected by the swipe. 

A look at the domain records shows the contact data is currently "REDACTED FOR PRIVACY". Gordon Lawrie, self-described cyberlaw, trademark, and domain nerd, said that before the change Tom Christiansen was listed as the domain's administrative contact. While the Perl group has yet to respond to a request for comment, a hijacking of Christiansen's account appears to be a possibility. The expiry also appears to have been extended to 26 January 2031.

Not long after the hijacking, the domain perl.com turned up for sale for $190k on afternic.com, which at the time of writing was listed as a name server in the domain record. The listing, from user drawmaster, included other expensive domains, including piracy.com for a mere $125k. Afternic is part of the GoDaddy group and, shortly after it was contacted, the perl.com listing was pulled.
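The indicators described above (A record swapped, name servers pointing at a parking service, registrant contact changed, expiry pushed out by years) are exactly what a registrar-level domain hijack looks like from the outside, and they are cheap to watch for. The following is an added example, not code from the original post or from the Perl project: it compares a stored baseline snapshot of a domain's DNS and WHOIS data with a newly observed one and separates a routine hosting move from a likely account takeover. Both snapshots are constructed inline so it runs offline; the old and new IPs, the contact names and the 2031 expiry are the page's figures, while the baseline name servers, the baseline expiry of 26 January 2021, the `ns1.afternic.com` host names, the list of parking-service hints and the "two registrar-level changes" threshold are assumptions made for the example.

```python
"""Detect domain-record changes that look like a registrar-account hijack.

Added example (not the original post's or the Perl project's code). A real
deployment would fill `observed` from live DNS/RDAP lookups; here both snapshots
are constructed so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: substrings in a name-server host name that usually mean the domain
# is parked or listed for sale (afternic is named in the report; the others are
# further parking services added for the example).
PARKING_NS_HINTS = ("afternic", "parkingcrew", "sedoparking")

# Heuristic (assumption): how many registrar-level changes (name servers, contact,
# expiry) must coincide before we call the event a likely hijack rather than a
# hosting move.
REGISTRAR_CHANGES_FOR_ALERT = 2


@dataclass(frozen=True)
class DomainSnapshot:
    a_records: frozenset
    name_servers: frozenset
    admin_contact: str
    expiry: date


def audit(baseline: DomainSnapshot, observed: DomainSnapshot) -> dict:
    """Compare two snapshots; return human-readable findings and a verdict."""
    findings = []
    registrar_changes = 0

    # A records change during legitimate hosting moves, so on their own they are
    # only a "review this" signal and do not count as a registrar-level change.
    if observed.a_records != baseline.a_records:
        findings.append(
            f"A record changed: {sorted(baseline.a_records)} -> {sorted(observed.a_records)}")

    if observed.name_servers != baseline.name_servers:
        registrar_changes += 1
        findings.append(
            f"name servers changed: {sorted(baseline.name_servers)} -> {sorted(observed.name_servers)}")

    parked = sorted(ns for ns in observed.name_servers
                    if any(hint in ns.lower() for hint in PARKING_NS_HINTS))
    if parked:
        findings.append(f"name server points at a parking/for-sale service: {parked}")

    if observed.admin_contact != baseline.admin_contact:
        registrar_changes += 1
        findings.append(
            f"admin contact changed: {baseline.admin_contact!r} -> {observed.admin_contact!r}")

    # An unplanned multi-year renewal is a classic sign that someone else now
    # controls the registrar account.
    extension_days = (observed.expiry - baseline.expiry).days
    if extension_days > 366:
        registrar_changes += 1
        findings.append(
            f"expiry extended by {extension_days // 365} years to {observed.expiry.isoformat()}")

    return {
        "findings": findings,
        "likely_hijack": registrar_changes >= REGISTRAR_CHANGES_FOR_ALERT,
    }


def sample_snapshots():
    """Constructed sample data modelled on the perl.com report (see lead-in for
    which values are the page's and which are assumptions)."""
    baseline = DomainSnapshot(
        a_records=frozenset({"151.101.2.132"}),
        name_servers=frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),  # assumed
        admin_contact="Tom Christiansen",
        expiry=date(2021, 1, 26),  # assumed pre-hijack expiry
    )
    observed = DomainSnapshot(
        a_records=frozenset({"35.186.238.10"}),
        name_servers=frozenset({"ns1.afternic.com", "ns2.afternic.com"}),  # assumed host names
        admin_contact="REDACTED FOR PRIVACY",
        expiry=date(2031, 1, 26),
    )
    return baseline, observed


if __name__ == "__main__":
    base, obs = sample_snapshots()
    report = audit(base, obs)
    for finding in report["findings"]:
        print("-", finding)
    print("likely hijack:", report["likely_hijack"])
```

Run on a schedule against each domain you own, the cheap part is the comparison; the expensive part is keeping the baseline honest, so update it only through the same change-control path that authorises a real registrar change, and treat any registrar-level drift outside that path as an incident until proven otherwise.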

Sberbank is the most targeted organization in Europe by hackers, says Herman Gref

At the moment, Sberbank is subjected to hacker attacks more often than any other institution in Europe, but successfully repels them, said Herman Gref, head of the bank, speaking at a plenary session of the Federation Council with a presentation on artificial intelligence (AI).

“We are the most attacked institution in Europe. Every day, artificial intelligence inside our Cyber Security Center analyzes billions of events. During this entire period of time, we did not allow a single penetration into our systems,” said Mr. Gref.

Gref stressed that the AI protects not only the bank itself but also its customers. According to the banker, Sberbank customers are protected in 97% of cases: the systems recognize when a person is trying to transfer funds to a fraudster.

"In 97% of cases, our algorithms recognize fraud, stop these transactions, contact the person, the person confirms that he made this transaction, and we tell him that it was a fraudster," added Gref.

According to the head of Sberbank, scammers use artificial intelligence technologies in their cyber attacks, in particular deepfakes, which can imitate a client's face and voice.

"Scammers can call from your phone that belongs to you, speak with your voice. And this is a gigantic threat. It is extremely difficult for a normal person to fight this, and therefore powerful systems for protecting a person from such fakes should come to the rescue," noted Gref.

According to the Bank of Russia, in the first nine months of 2020, fraudsters stole about 6.5 billion rubles from bank customers from their cards and accounts. Sberbank estimates that since the beginning of 2020, fraudsters have called customers about 15 million times. Sberbank recorded more than 3.4 million customer complaints about phone fraud in the first half of the year, which is 30 times more than in 2017 and more than twice as much as in 2019.

"The number of fraudulent calls in Russia reaches 100 thousand per day", said Stanislav Kuznetsov, deputy chairman of the bank.

Earlier, E Hacking News reported that, according to Sberbank, cyber criminals are using artificial intelligence in a banking Trojan that is quite difficult to detect.