
Archive for July 2016

Liverpool Teen Arrested for Computer-Related Extortion

English law enforcement has arrested a 16-year-old boy in Liverpool on suspicion of computer hacking, blackmail and fraud.

Detectives from Titan, the Northwest’s regional organized crime unit, and officers from Merseyside Police executed a Computer Misuse Act warrant in the case, which involves the hacking of an Instagram account. The teen allegedly took control and then tried to blackmail the victim into paying a ransom. The profile had “many thousands of followers,” according to detectives.

The cybercrime investigators suspect that the boy might also be behind the hijacking of an online shopping account, which resulted in electronic goods being re-directed and stolen.

Computer equipment and other electronic devices were seized from the house in Croxteth, Liverpool, and will be analyzed by specialist officers from Titan.

“At Titan we have the capabilities and expertise to investigate this kind of crime in conjunction with other law enforcement agencies and my message to cybercriminals is that you may think you can hide on the Internet and remain anonymous but the reality is that you can’t,” Detective Chief Superintendent Chris Green, the head of Titan, told the local paper.

The 16-year-old remains in police custody while the investigation continues.

“This investigation shows the importance of people making sure they take the right precautions to protect themselves while using the Internet,” Green said. “People sometimes don’t use strong passwords or don’t change them as regularly as they should, which makes it easier for cyber-criminals to gain access to accounts.”

He added, “It’s also important to make sure that phones, tablets and computers are all using the most up-to-date operating software and the latest antivirus software. These are simple things that we can all do to make it more difficult for cyber-criminals to hack into our social media and banking accounts to commit crime.”

Source: Information Security Magazine

Highly Organized Chinese 'Yingmob' Rakes in $300K Monthly from Mobile Malware

A persistent Android malware infection called HummingBad has been found to control 85 million devices globally, generating an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it.

First discovered by Check Point in February 2016, HummingBad is a tool used by Yingmob, a group of Chinese cyber-criminals. HummingBad establishes a persistent rootkit on Android devices to generate fraudulent ad revenue, and installs additional fraudulent apps to increase the revenue stream for the fraudster.

Interestingly, Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organized with 25 employees staffing four separate groups responsible for developing HummingBad’s malicious components.

Other research firms have associated Yingmob with the malware targeting Apple iOS called Yispecter. Yispecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server.

Check Point researchers said in a report that they have confirmed that the same group is also behind HummingBad.

To wit: Yispecter uses Yingmob’s enterprise certificates to install itself on devices; HummingBad and Yispecter share C&C server addresses; HummingBad repositories contain QVOD documentation, an iOS porn player targeted by Yispecter; and both install fraudulent apps to gain revenue.

The steady stream of cash from the two malware families, coupled with a focused organizational structure, proves cyber-criminals can easily be financially self-sufficient, Check Point researchers noted. But the ad revenue isn’t the only line of business that this gambit offers.

Because the infected Android devices have been rooted, the criminals have access to them for other purposes, such as pooling device resources to create powerful botnets, building databases of devices to conduct highly targeted attacks, or selling access to devices under their control to the highest bidder. Any data on infected devices is at risk, including enterprise data for users whose devices serve dual personal and work purposes.

“Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed,” Check Point researchers noted.

Source: Information Security Magazine

Meet Hummer, the No.1 Mobile Trojan in the World

A newly found mobile trojan family has quickly become the No. 1 Android malware in the world. As of the end of June, the average number of Hummer-infected phones stands at almost 2 billion, which is a larger install base than any other mobile phone trojan.

Hummer infected nearly 1.4 million devices per day during the first half of 2016, according to data collected by Cheetah Mobile Security Research Lab. In China alone, where it originated, there were up to 63,000 infections daily. But the Hummer trojan is spreading throughout the world, and India, Indonesia and Turkey now see the largest number of infections.

Its footprint makes it a lucrative enterprise: Based on Cheetah Mobile’s estimation, if the virus developer were able to make $0.50 (the average paid for a new installation) every time the virus installed an application on a smartphone, the Hummer group would be able to make more than $500,000 daily.

When a mobile phone is infected with the Hummer trojan, it will root the device to obtain administrator privileges of the system. It then continually pops up ads on victims’ phones, which is extremely annoying—but it doesn’t stop there. It also pushes mobile phone games and silently installs porn applications in the background. Unwanted apps will appear on these devices, and they’re reinstalled shortly after users uninstall them.

“Cheetah Mobile Security Research Lab made a test with the Hummer trojan, and the findings were astonishing: In several hours, the trojan accessed the network over 10,000 times and downloaded over 200 APKs, consuming 2 GB of network traffic,” the firm noted in an analysis.

As for where it came from, Cheetah Mobile uncovered that it has something to do with the underground industry chain in China. After analyzing the samples, it became clear that the group behind Hummer is using 12 domain names to update the trojan and issue promotion orders. Through Whois history information, researchers found that several of the domains are linked to an email account in mainland China.

Unfortunately, since the Hummer trojan can gain the highest control over the phone system, ordinary antivirus tools are not able to clear the trojan thoroughly—even performing a factory reset on the device won’t get rid of it.

The threat is also broad, with numerous Hummer variants. For instance, among the top 10 trojans affecting the most users in India, the second and third are members of the Hummer trojan family, and the sixth is a trojan that’s promoted by Hummer.

“The Hummer trojan family members are embedded with a root module, and the latest variant has as many as 18 different root methods. Again, once a phone is infected, the trojan gains root privilege, which makes it very difficult to delete,” Cheetah Mobile said.

As ever, the best defense against being buzzed by Hummer is to install only trusted apps from a trusted app store, like Google Play.

Source: Information Security Magazine

Mobile Ransomware Soars Four-Fold in a Year

Mobile ransomware has soared globally, increasing nearly four-fold over the past year, according to new figures released by Kaspersky Lab.

The Russian AV vendor claimed in a new report on the malware epidemic that its Android security tools protected 35,413 users from mobile ransomware between April 2014 and March 2015.

However, this figure had risen to 136,532 users a year later.

The report added:

“The share of users attacked with ransomware as a proportion of users attacked with any kind of malware also increased: from 2.04% in 2014-2015 to 4.63% in 2015-2016. The growth curve may be less than that seen for PC ransomware, but it is still significant enough to confirm a worrying trend.”

The top 10 countries suffering mobile ransomware attacks also changed significantly over the period.

Previously dominated by the United States, Kazakhstan and Ukraine, the list was topped over the past year by Germany, where nearly 23% of all users encountering malware were hit by mobile ransomware, followed by Canada (19.6%) and the UK (16%).

Kaspersky Lab had the following explanation:

“It is hard to say precisely why this is the case, but we can assume that in countries that feature at the top of the mobile ransomware list, mobile and e-payment infrastructure is much more developed and has deeper penetration than in countries that are at the bottom of the list or not on it at all. Criminals like to get as close to their victim’s money as possible, and attacking a user who can transfer the ransom in a couple of taps or clicks is likely to have the most appeal.”

Pletor, Fusob, Svpeng and Small were the main malware families in the 2014-15 period, although Pletor and Fusob dropped off significantly in terms of activity the following year.

The report explained that mobile ransomware variants usually employ screen-blocking techniques rather than more sophisticated file encryption.

This is because Android security features limit the ability of third-party apps to get unlimited access to user data, and because data is often backed up to the cloud automatically.

Blockers work much more effectively on a phone than on a PC because the user can’t simply remove the storage and attach it to another device to delete the malicious files, as can be done in the case of a PC.

“It is almost impossible to do the same with a mobile device as its hardware is impossible to remove easily and analyze with the help of an extraneous device,” the report concluded.

Source: Information Security Magazine

Oculus Founder Has Twitter Account Hacked

Brendan Iribe, co-founder of virtual reality firm Oculus, is the latest big name Silicon Valley CEO to have his social media account hacked.

The mischief-maker used the opportunity to announce a new CEO in a now deleted message:

“We here @oculus are very excited to announced our new CEO @Lid ! :)”

The alleged hacker told TechCrunch that they got the password via the massive MySpace data dump last month. This most likely means Iribe was reusing the same password across his social accounts.

The same hacker claimed that they would also have been able to crack the Oculus CEO’s email account had he not had two-factor authentication enabled.

Iribe joins a long list of Silicon Valley bosses to have had their social media accounts hijacked in this way.

Google’s Sundar Pichai, Facebook’s Mark Zuckerberg and former Twitter man Dick Costolo are just some of the names left red-faced in recent weeks, although Iribe’s hacker seems not to hail from the same group that claimed responsibility for these hacks.

The offending tweets on Iribe’s account have now been removed and normal service resumed.

Twitter account hacks are nothing new, and expose the frailties of password-based authentication systems.

The embarrassment for Iribe and some of his Silicon Valley counterparts is that the micro-blogging site rolled out two-factor authentication more than two years ago.

For those who don’t enable it, there are increasing threats from cyberspace.

Earlier this month a Russian hacker going by the handle Tessa88 was found to be selling a cache of 32 million Twitter account credentials for 10 Bitcoin ($6802).

The same hacker claimed that they have a total of 374 million records, although Twitter hit back that it was not breached.

“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” it said at the time.

The incident nevertheless reinforces the need for 2FA, or at least for users to stop password reuse across accounts.

Source: Information Security Magazine

Large Orgs Likely to Have at Least One Malware-Infected Device

Large organizations – defined as enterprises or agencies with more than 200 iOS or Android mobile devices – are almost guaranteed to have at least one malware-infected device, according to data from mobile threat defense firm Skycure.

The company’s third Mobile Threat Intelligence Report found that 4% of all mobile devices have malware installed regardless of whether they are managed by an enterprise or an individual, with Android devices being twice as likely to be infected compared to iOS devices.

What’s more, Android devices have a greater variety of malware, consisting of 76% of unique varieties, whilst only 22% of all installed iOS malware was unique. Further, nearly one in five (19%) enterprise Android devices allow app installation from third-party stores, notorious for being more likely to deliver malware.

“Malware absolutely exists on enterprise mobile devices and standardizing on iOS doesn’t make you safe,” said Yair Amit, CTO of Skycure. “Unlike the nuisance malware of the past that targeted only consumers, today’s malware is smarter, and often more focused on businesses. We have seen recent attacks that have been specifically designed to circumvent two-factor authentication. Smartphones make excellent reconnaissance tools because they are able to track a user’s conversations and movements twenty-four seven. That means malware can target specific individuals for access to valuable personal and corporate information.”

However, Skycure was also quick to point out that malware is only one of the mobile threats companies face, stating that network incidents happen five times more often than malware incidents. Of the network incidents the firm assessed, man-in-the-middle attacks were noted as posing the biggest threat, whilst content manipulation attacks, in which hackers alter data to cause a victim to perform desired actions through a manipulated interface or in a third-party system, came in second.

Source: Information Security Magazine

Dating Site Muslim Match Suffers Data Breach

Dating site Muslim Match has been breached and 150,000 log-ins posted online alongside hundreds of thousands of private messages between users, according to reports.

Motherboard confirmed that the email addresses it checked from the full dataset, made available by TheCthulhu, are genuine and linked to real accounts on the site.

Profile information apparently also includes marital status and whether the individual would consider polygamy. The cache contains 790,000 private messages sent between users of the site – some of which contain even more private info including Skype handles, the report claimed.

“I feel disappointed but the site didn't seem to be secure in the first place. They never used https,” one user called Zaheer told Motherboard.

Brian Spector, CEO of authentication firm Miracl, said dating sites have long been a target for hackers, with the likes of Ashley Madison, Plenty of Fish and all falling victim in the past.

“What’s worrying is that Muslim Match doesn’t seem to have been encrypted, which would be the most effective way to keep information free from the prying eyes of hackers,” he added. “And with data such as personal messages being available to the attackers, we could see a similar scenario to that of Ashley Madison, where users who sent sensitive messages are blackmailed.”

AlienVault security advocate Javvad Malik explained that smaller sites often have fewer resources to devote to security.

“However, no online company is ‘too small’ or unimportant to be targeted by attackers, especially when user data is involved,” he added.

Malik also claimed the religious and cultural taboos at play in this instance could make blackmail a very real possibility.

“Where possible, people should consider information on websites to be publicly available,” he argued. “Therefore, they should consider what photos and information they post and share and the potential impact if the content is shared broadly.”

Source: Information Security Magazine