Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.

Biometric authentications, like the fingerprint, IRIS, or face recognition technologies, smoothen the process of unlocking devices and applications by making it notably faster and secure.

Although biometric systems also have some pitfalls that are not hidden from anyone, as it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.

Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe.

New Biometric Metrics to Identify Spoofing and Imposter Attacks

Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user’s input.

In brief, ‘False Accept Rate’ defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while ‘False Reject Rate’ records how often a biometric model accidentally classifies the user’s biometric as incorrect.

However, Google says none of the given metrics is capable enough to precisely identify if biometric data entered by a user is an attempt by an attacker to make unauthorized access using any spoofing or impostor attack.

In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.

“As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme,” Vishwath Mohan, a security engineer with Google Android team, says.

“Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user’s biometric (e.g., trying to sound or look like a target user).”

Google to Enforce Strong Biometric Authentication Policies

Based upon user’s biometric input, the values of SAR/IAR metrics define if it is a “strong biometric” (for values lower than or equal to 7%), or a “weak biometric” authentication (for values higher than 7%).

While unlocking your device or an application, if these values fall under weak biometric, Android P will enforce strict authentication policies on users, as given below:

  • It will prompt the user to re-enter their primary PIN, pattern, password or a strong biometric if the device is inactive for at least 4 hours (such as when left at a desk or charging).
  • In case, you left your device unattended for 72-hours, the system will enforce policy mentioned above for both weak and strong biometrics.
  • For additional safety, users authenticated with weak biometric would not be able to make payments or participate in other transactions that involve a KeyStore auth-bound key.

Besides this, Google will also offer a new easy-to-use BiometricPrompt API that developers can use to set up a robust authentication mechanism in their apps to ensure maximum security of their users by completely blocking weak biometric authentication detected by two newly added metrics.

“BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on,” Mohan said.

“A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.”

The new feature would positively prevent unauthorized access to devices from thieves, spies and law enforcement agencies as well by locking it down to cripple known methods to bypass biometric scanners.

Go to Source

Popular Flight Tracker Flightradar24 Suffers Data Breach

One of the world’s most popular flight tracking services Flightradar24, which shows real-time aircraft flight information on a map, has suffered a massive data breach that may have compromised email addresses and hashed passwords for more than 230,000 customers.

Without revealing any information about the breach publically via their blog or social media accounts, Flightradar24 started sending out emails earlier this week with a password reset link, asking them to change their passwords.

The incomplete reference to suddenly announced data breach incident via emails and providing a unique password reset link to each user caused some customers to suspect that they have been a target of a phishing attack.


However, later the company confirmed the breach while responding to its customers’ queries on the official forum and Twitter, saying that the breach notifications they have received via emails are legitimate and that neither payment nor personal information has been compromised.

“The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016),” the company said.

“We have already invalidated your old password and the link in the email will allow you to create a new password.”

The Swedish-based company also confirmed that the security breach was limited to only one of its servers, which has been shut down immediately after the intrusion was detected late last week.

The company claimed that the breached passwords were hashed, though it did not specify the hashing algorithm or if they were protected using a salt, which adds an extra layer of security to your hashed passwords.

To protect accounts of its customers, in case hackers manage to crack some passwords from the list, Flightradar24 has already expired previous passwords for the affected user, forcing them to set a new password before accessing their accounts.

However, it would also be a great idea to change your passwords on other online services and platforms as well, if you share the same credentials.

Go to Source

Magento Hackers Using Simple Evasion Trick to Reinfect Sites With Malware

Security researchers have been warning of a new trick that cybercriminals are leveraging to hide their malicious code designed to re-introduce the infection to steal confidential information from Magento based online e-commerce websites.

So, if you have already cleaned up your hacked Magento website, there are chances your website is still leaking login credentials and credit card details of your customers to hackers.

More than 250,000 online stores use open-source Magento e-commerce platform, which makes them an enticing target for hackers, and therefore the security of both your data and your customer data is of the utmost importance.

According to the researchers at Sucuri, who have previously spotted several Magento malware campaigns in the wild, cybercriminals are currently using a simple yet effective method to ensure that their malicious code is added back to a hacked website after it has been removed.

To achieve this, criminals are hiding their ‘credit card stealer reinfector’ code inside the default configuration file (config.php) of Magento website, which gets included on the main index.php and loads with every page view, eventually re-injecting the stealer code into multiple files of the website.

Since config.php file gets automatically configured while installing Magento CMS, usually it is not recommended for administrators or website owners to change the content of this file directly.

Here’s How Magento’s Reinfector Code Works


The reinfector code spotted by researchers is quite interesting as it has been written in a way that no security scanner can easily identify and detect it, as well as it hardly looks malicious for an untrained eye.

Hackers have added 54 extra lines of code in the default configuration file. Here below, I have explained the malicious reinfector code line-by-line, shown in the screenshots, written inside the default config.php file.

At line no. 27, attackers set error_reporting() function to false in an attempt to hide errors messages that could reveal the path of the malicious module to site admins.

From line no. 31 to 44, there’s a function called patch() that has been programmed to append the malicious code for stealing confidential information into legitimate Magento files.

This patch() function uses 4 arguments, values of which defines the path of a folder, name of a specific file resides in that path needs to be infected, file size required to check if it is necessary to reinfect the given file, a new file name to be created, and a remote URL from where the malicious code will be downloaded in real-time and injected into the targeted file.

From line 50 to 51, attackers have smartly split up the base64_decode() function in multiple parts in order to evade detection from security scanners.


The line 52 includes a base64 encoded value that converts to “” after getting decoded using the function defined in line 50-51.

The next four sets of variables from line 54 to 76 define the four values required to pass arguments to the patch() function mentioned above.

The last line of each set includes a random eight character value that concatenated with the link variable encoded in line 52, which eventually generates the final URL from where the patch() function will download the malicious code hosted on remote Pastebin website.

From line 78 to 81, attacker finally executes patch() function four times with different values defined in line 54-76 to reinfect website with the credit card stealer.

“As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly,” researchers advise.

It should be noted that similar technique can also be used against websites based on other content management system platforms such as Joomla and WordPress to hide malicious code.

Since attackers mostly exploit known vulnerabilities to compromise websites at the very first place, users are always recommended to keep their website software and servers updated with the latest security patches.

Go to Source

Email Phishers Using A Simple Way to Bypass MS Office 365 Protection

Security researchers have been warning about a simple technique that cyber criminals and email scammers are using in the wild to bypass most AI-powered phishing detection mechanisms implemented by widely used email services and web security scanners.

Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero within the actual content of a phishing email, keeping its visual appearance same, but at the same time, making it non-malicious in the eyes of email security scanners.

According to cloud security company Avanan, Microsoft Office 365 also fails to detect such emails as malicious crafted using ZeroFont technique.

Like Microsoft Office 365, many emails and web security services use natural language processing and other artificial intelligence-based machine learning techniques to identify malicious or phishing emails faster.

The technology helps security companies to analyze, understand and derive meaning from unstructured text embedded in an email or web page by identifying text-based indicators, like email scams mimicking a popular company, phrases used to request for payments or password resets, and more.


However, by adding random zero font-size characters between the indicator texts present in a phishing email, cybercriminals can transform these indicators into an unstructured garbage text, hiding them from the natural language processing engine.

Therefore, the email looks normal to a human eye, but Microsoft reads the entire garbage text, even if some words are displayed with a font size of “0.”

“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version,” reads Avanan’s blog post. “Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user.”

Besides the ZeroFont technique, Avanan also detected hackers using other similar tricks that involve Punycode, Unicode, or Hexadecimal Escape Characters in their phishing attacks.

Last month, researchers from the same company reported that cybercriminals had been splitting up the malicious URL in a way that the Safe Links security feature in Office 365 fails to identify and replace the partial hyperlink, eventually redirecting victims to the phishing site.

Go to Source

New ‘Lazy FP State Restore’ Vulnerability Found in All Modern Intel CPUs

Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology—like Specter and Meltdown—and could potentially be exploited to access sensitive information, including encryption related data.

Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw and keep their customers protected.

The company has not yet released technical details about the vulnerability, but since the vulnerability resides in the CPU, the flaw affects all devices running Intel Core-based microprocessors regardless of the installed operating systems, except some modern versions of Windows and Linux distributions.

As the name suggests, the flaw leverages a system performance optimization feature, called Lazy FP state restore, embedded in modern processors, which is responsible for saving or restoring the FPU state of each running application ‘lazily’ when switching from one application to another, instead of doing it ‘eagerly.’

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch,” Intel says while describing the flaw.

“Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.”

According to the Red Hat advisory, the numbers held in FPU registers could potentially be used to access sensitive information about the activity of other applications, including parts of cryptographic keys being used to secure data in the system.

All microprocessors starting with Sandy Bridge are affected by this designing blunder, which means lots of people again should gear them up to fix this vulnerability as soon as the patches are rolled out.

However, it should be noted that, unlike Spectre and Meltdown, the latest vulnerability does not reside in the hardware. So, the flaw can be fixed by pushing patches for various operating systems without requiring new CPU microcodes from Intel.

According to Intel, since the flaw is similar to Spectre Variant 3A (Rogue System Register Read), many operating systems and hypervisor software have already addressed it.

Red Hat is already working with its industry partners on a patch, which will be rolled out via its standard software release mechanism.

AMD processors are not affected by this issue.

Also, modern versions of Linux—from kernel version 4.9, released in 2016, and later are not affected by this flaw. Only if you are using an older Kernel, you are vulnerable to this vulnerability.

Moreover, modern versions of Windows, including Server 2016, and latest spins of OpenBSD and DragonflyBSD are not affected by this flaw.

Microsoft has also published a security advisory, offering guidance for the Lazy FP State Restore vulnerability and explaining that the company is already working on security updates, but they will not be released until the next Patch Tuesday in July.

Microsoft says that Lazy restore is enabled by default in Windows and cannot be disabled, adding that virtual machines, kernel, and processes are affected by this vulnerability. However, customers running virtual machines in Azure are not at risk.

Go to Source

Signature Validation Bug Let Malware Bypass Several Mac Security Products

A years-old vulnerability has been discovered in the way several security products for Mac implement Apple’s code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers.

Josh Pitts, a researcher from security firm Okta, discovered that several third-party security products for Mac—including Little Snitch, F-Secure xFence, VirusTotal, Google Santa, and Facebook OSQuery—could be tricked into believing that an unsigned malicious code is signed by Apple.

Code-signing mechanism is a vital weapon in the fight against malware, which helps users identify who has signed the app and also provides reasonable proof that it has not been altered.

However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundle with a legitimate Apple-signed code to effectively make the malware look like it has been signed by Apple.

It should be noted that this issue is not a vulnerability in MacOS itself but a flaw in how third-party security tools implemented Apple’s code-signing APIs when dealing with Mac’s executable files called Universal/Fat files.

The exploitation of the vulnerability requires an attacker to use Universal or Fat binary format, which contains several Mach-O files (executable, dyld, or bundle) written for different CPU architectures (i386, x86_64, or PPC).

“This vulnerability exists in the difference between how the Mach-O loader loads signed code vs. how improperly used Code Signing APIs check signed code and is exploited via a malformed Universal/Fat Binary,” Pitts explained.

Pitts also created several malformed PoC Fat/Universal files for developers to use in order to test their products against this vulnerability.

Successful attacks exploiting this technique could allow attackers to gain access to personal data, financial details and even sensitive insider information, in some cases, claimed researchers.

Here’s the list of affected vendors, alongside associated security products and CVEs:

  • VirusTotal (CVE-2018-10408)
  • Google—Santa, molcodesignchecker (CVE-2018-10405)
  • Facebook—OSQuery (CVE-2018-6336)
  • Objective Development—LittleSnitch (CVE-2018-10470)
  • F-Secure—xFence and LittleFlocker (CVE-2018-10403)
  • Objective-See—WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer and others (CVE-2018-10404)
  • Yelp—OSXCollector (CVE-2018-10406)
  • Carbon Black—Cb Response (CVE-2018-10407)

The researcher first notified Apple of the vulnerability in March, but Apple stated that the company did not see it as a security issue that they should directly address.

“Apple stated that documentation could be updated and new features could be pushed out, but ‘third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result’,” Pitts said.

So, after hearing from Apple, Okta contacted CERT/CC and then notified all known affected third-party developers, who are working on security patches that will likely be released soon.

Google acknowledged and already released security update for its Santa in late April. So, users are recommended to upgrade to the latest Santa v0.9.25.

Facebook has also fixed this issue in the latest version of its OSquery, which is already available for download. F-Secure has also rolled out an automatic update to xFENCE users in order to patch the vulnerability.

If you are using one of the above-listed tools, you are advised to check for updates in the coming days and upgrade your software as soon as they are released to guard against attacks exploiting the vulnerability.

Go to Source

Banco de Chile ‘MBR Killler’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks

Wiper malware that may have destroyed as many as 9,000 workstations and 500 servers inside the Banco de Chile in a late-May attack has similarities to the Buhtrap malware component known as MBR Killer, leaked to the underground in February 2016.

Analysts at Flashpoint reverse-engineered the identified malware linked to the May 24 attack against the country’s largest financial institution, and said the malware is a modified version of a MBR Killer module known as kill_os. MBR Killer infections render the local operating system and the Master Boot Record unreadable.

According to bank officials, however, the wiper malware was just cover for a deeper attack against endpoints handling sensitive transactions and messaging over the SWIFT network. The SWIFT banking network, or the Society for Worldwide Interbank Financial Telecommunication, is the primary means of secure, reliable communications and money transfers between financial institutions.

On Sunday, Banco de Chile general manager Eduardo Ebensperger said in a statement that customer accounts were not affected, but critical processes such as branch services and telephone banking were impacted, as were executive offices and cashier personnel. Ebensperger told Chilean media outlet Pulso that $10 million was stolen and the stolen funds were filtered to entities in Hong Kong. He added that a forensic analysis conducted by Microsoft concluded this was an “international attack” and attributed it to either Eastern European or Asian groups.

Buhtrap malware and its components, including MBR Killer, were previously used in attacks against multiple Russian financial institutions, resulting in losses of 97 million rubles, or $1.23 million USD. The attacks in Russia forced one bank to disconnect from the Russian electronic payment system.

The attack in Chile comes on the heels of incidents affecting several banks in Mexico that use its Sistema de Pagos Electrónicos Interbancarios (SPEI) interbank transfer system, resulting in approximately $15.4 million USD in losses. In January, Flashpoint was aware of a separate malware attack targeting Mexican financial institutions that followed a pattern similar to previous attacks, with possible attribution to North Korean malware. Flashpoint was not able to analyze the malware targeting Mexican financial institutions, though the FBI associated the attack with North Korean malware. A report from El Financiero, a Mexican financial publication, following the January incident identified the attack as “FALLCHILL,” a North Korean remote administration tool (RAT) targeting aerospace, telecommunications, and financial organizations.

At this time, there does not appear to be a connection between attacks against Mexico’s banking institutions and the purported attack on Banco de Chile because the tactics, techniques, and procedures (TTP) used by the threat actors differ.

The similarities between the malicious code used in Chile and the leaked code from 2016 are in the use of the same NSIS script, below, in both instances. NSIS, or Nullsoft Scriptable Install System, is an open source system used to build Windows installers.

The leaked Buhtrap code contains almost identical Nullsoft Scriptable Install System (NSIS) script as the unpacked Banco de Chile malware.

The leaked Buhtrap code contains almost identical Nullsoft Scriptable Install System (NSIS) script as the unpacked Banco de Chile malware.

By and large, the Buhtrap malware is complex and includes more than a dozen modules that give attackers the capability to install more malicious code, retain remote control over a compromised machine, and steal credentials among others. A list of available modules follows:

• “BHO”: a module designed to intercept and replace pages in the Internet Explorer browser.

• “kill_os”: a module designed to erase the MBR.

• “Loaders”: builders of NSIS scripts designed to install malware.

• “Mimimod”: a modified version of the “Mimikatz” program, used to obtain user credentials in the system.

• “ID”: an algorithm for obtaining the unique number of the infected machine.

• “BSShide”: a module designed to hide payment orders in the Business Support Systems (BSS). It modifies the page displayed to the user. SWIFT is part of the BSS.

• “Antidetekt”: a module designed to detect virtual environments and “sandboxes.”

• “UAC”: a module to bypass the User Account Control (UAC) protection.

• “RDP”: modifies the OS for the potential simultaneous operation of several users in the system.

• “VNC”: remote PC control with backconnect.

• “DLL Side-Loading”: used to install a keylogger and to provide communication with the control panel. Enables installation and operation of other modules in the system.

• “Control panel”: used to maintain visibility into infections and install additional modules to the infected host.

• “Builder”: a program designed to collect Trojan modules in one executable file.

• “MWI”: a collection of exploits, part of the “Microsoft Word Intruder” tool that was available on underground.

The Banco de Chile MBR Killer was also packed with VMProtect, meant to protect against forensic analysis and reverse engineering. Notably, the malware does not target victims based on locale or language; however, a Spanish language and locale check is present in the malware. The attribution behind the Banco de Chile attack remains uncertain; it is unclear if this code was simply reused by a copycat group or linked to the original group behind the Buhtrap malware. Originally, the kill_os module was leveraged to hide the evidence of successful bank network penetrations.

Banco De Chile: Malware Technical Analysis

The malware is packed with VMProtect/NSIS, and is executed via the System.dll in %TEMP%.

I. Main loop CreateFile API accessing \.PHYSICALDRIVE0:

Function main_loop_CreateFile
IntFmt $1 “\.PHYSICALDRIVE%D” $0
Push $0
StrCpy $0 $1
Pop $0

II. Master boot record setup:

‘(&i446, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i2) i’

III.MBR logical block addressing:

‘(&i446, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i1, &i4, &i4, &i2) i’

IV. Volume boot record NTFS:

‘(&i3, &i8, &i2, &i1, &i2, &i24, &i8, &i8, &i8, &i4) i’

V. Process NTFS boot:

Overwrite MBR
Overwrite Master File Table (MFT) mirror
Overwrite Volume Boot Record (VBR) mirror
Overwrite Extended Boot Record (EBR)
The following system API calls are used to overwrite the system:

${ForEach} $7 1 ${OVERWRITE_COUNT} + 1
System::Call “kernel32::SETFILEPOINTER(i, i, *p ,i) i (r2, r4, r3, ${FILE_BEGIN}) .r8”
${If} $8 <> -1
System::Call “kernel32::WRITEFILE(i, i, i, p, i) i (r2, r5, r9, r6, ${NULL})”
System::Call “kernel32::FlushFileBuffers(i) i (r2)”

VI. Process protection malware from shutdown:

System::Call “KERNEL32::GETMODULEHANDLE(t) p (‘ntdll.dll’) .r0”
${If} $0 <> ${NULL}
System::Call “KERNEL32::GETPROCADDRESS(p, t) p (r0, ‘ZwClose’) .r1”
${If} $1 <> ${NULL}
System::Call “KERNEL32::VIRTUALPROTECT(p, i, i, *i) i (r1, 6, ${PAGE_EXECUTE_READWRITE}, .r2) .r0”
${If} $0 <> 0
System::Alloc 6
pop $3
System::Call “NTDLL::MEMCPY(p, p ,i) i (r3, r1, 6)”
System::Call “NTDLL::MEMCPY(p, t, i) i (r1, t ‘1′, 6)”
System::Call “KERNEL32::CLOSEHANDLE(i) i (0x12345678) .r4”
System::Call “NTDLL::MEMCPY(p, p, i) i (r1, r3, 6)”
System::Free $3

VII. System shutdown instruction:

Push $1
Pop $1

Possible action:

As the MBR Killer codebase was identical with minor modification to the Buhtrap simple MBR Killer, reviewing any mitigation against the Buhtrap malware might assist with mitigation exposure to this threat.
Review and mitigate for any malware execution from %TEMP% directory specifically if it calls “System.dll.”

To download the MBR Killer indicators of compromise (IOCs), click here.

The post Banco de Chile ‘MBR Killler’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks appeared first on Flashpoint.

Go to Source
Author: Flashpoint

Why Phishing Continues to Spear Victims

Cyber criminals still enjoy success deploying simple phishing techniques. Here’s what companies can do to improve their defenses

Defenders had their hands full fending off zero-day attacks in 2017, with the EternalBlue and EternalRomance exploits—part of the cyber toolset reportedly stolen from the U.S. government—fueling the spread of two massive ransomware campaigns, WannaCry and NotPetya.

Yet, the most serious threat to companies—targeted attacks—used a much simpler, and yet effective, technique: Spear phishing. And it remains a popular mode of attack. The latest edition of Symantec’s Internet Security Threat Report, which found that 71% of the targeted attacks detected by the company last year used spear phishing to nab the targeted user’s credentials.

“When we are talking about a targeted attack, and you want to go after a specific person, phishing really works well,” said Kevin Haley, director of product management for Symantec’s Security Technology and Response group. “So why go through the trouble of trying to use a zero day? Why try to set up a website? Why try to do something elaborate and expensive and difficult, when you can send an e-mail and it is going to work?”

While recent mass attacks have focused on distributing crypto-mining, ransomware and banking Trojans, the most serious ones are targeted with attackers generally seeking to gather intelligence or steal intellectual property from their victims. And they involve far fewer custom tools to carry out their campaigns.

Nine out of ten targeted attackers last year sought to gain intelligence on their victims, according to the ISTR. About 11% aimed to disrupt operations while 9% seemingly were after financial gain, the report found. The numbers add up to more than 100%, because 15 percent of attackers have more than one motive.

In addition, spear phishing was the attack vector of choice, with 71 percent using targeted phishing attacks as a way to gain credentials.

This Is Not Your Father’s Phishing Kit

Spear phishing is a different beast than mass phishing. Mass phishing attacks have largely gone the way of spam, becoming an ever-present annoyance. However, generally, they have a very low success rate. Similar to spamming, phishing attacks have a very low percentage chance of success and, with current Bayesian learning and other clustering algorithms, can be detected quite quickly.

While massive phishing campaigns still take place, they are not cost-effective for attackers. If a cyber criminal wants to gain access to a specific site, the preferred method is to buy a large database of usernames and passwords from the breach of another site and try every single one on the targeted service, according to Haley. Indeed, Symantec found that you can buy 500,000 account credentials—consisting of e-mail addresses and passwords—from a data breach for $90.

“All I have to do is spend that 90 bucks, use an easily available tool, and I’m going to get — in a certain percentage of cases — the log-in and password for the account,” Haley said. “It’s trivial, so why should I go through all the effort of setting up a phishing attack?”

In addition, mass phishing attacks have a very short lifecycle. Most are taken down within a day.

In contrast, spear phishing attacks are almost impossible to detect, said Guy-Vincent Jourdan, associate professor of electrical engineering and computer science at the University of Ottawa.

“The takedown time is really short,” he said. “If you get curious and click on a link in a phishing attack, chances are that Google is already blocking it. There is still a window of time, of course, but we are quite good at detecting those attacks.”

Fending Off Spear Phishers

Spear phishing sneaks under the digital radar by only targeting one person—or at most, a few people—with a tailored attack that uses personal information and legitimate business reasons to trick workers into opening attachments or logging into a fake website.

Companies should focus on hardening their infrastructure and workforce against social engineers, because attackers will continue to use the cheap and simple method. Here are four ways that companies can continue to prepare.

Keep Training Users

Security awareness training has taken off in the past five years, and while it is not foolproof, it continues to be a good investment. More educated workers can will not only be less likely to click on phishing e-mails, but can be an additional way of detecting suspicious e-mail messages.

“Organizations spent a lot of time training their users on identifying and reporting phishing attacks—keep at it, it is important,” Symantec’s Haley said. “While you are going to see less of them [phishing attacks] broadly attacking your users, when someone is specifically targeting you … those attacks are a lot more damaging then a random phishing attack that ends up in someone’s mailbox.”

In addition, research has found that workers who fall for one phishing attack are more likely to fall for future phishing attacks, so identifying these weak links in your security and providing additional training is important.

Use Tools to Scan E-mails for Signs of Maliciousness

It’s an axiom of security: Someone will always click. For that reason, companies also need to invest in tools to identify suspicious e-mails, University of Ottawa’s Jourdan said.

“Of course, education, education, education, but we need to be looking at the e-mails as well,” he said. Yet, spear phishing is not an easy problem to solve. “We are so good at detecting mass phishing because we have so much data. With spear phishing, we don’t have that.”

Machine learning and artificial intelligence can help. While educating human workers to treat e-mail with suspicion, machine pattern recognition can approach the problem much more rationally and be updated to account for the latest techniques, raising the defensive walls for all workers.

Use multi-factor authentication to reduce impact

Companies should also prepare for the worst and expect that users will give away their credentials. Adding an additional factor of authentication will make it that much harder for an attacker to use credentials to compromise an account, Jourdan said.

“The entire problem is that — if you provide information, like your bank account — it is over,” he said. “But it should not be. If you have two or three factors authentication, there should be a lot more protection, so that it should not be so easy, when you screw up once, to be able to access the account.”

Turn Off Unused Dual-Use Tools

Finally, companies should be aware of the most common techniques and payloads used on newly-compromised systems. Currently, attackers tend to “live off the land,” using tools already found on a compromised system rather than their installing their own to evade detection.

“For the attacker, it’s ‘Why should I create a piece of malware, when I can use PowerShell?'” Symantec’s Haley said. “It will be harder to detect and it will do exactly what I want.”

Companies that take a multi-faceted approach to not only try to prevent phishing attacks, but to detect and respond to attackers that get through their defenses, have the greatest chance to limit the damage from a successful attack.

Go to Source
Author: Robert Lemos

Powered by WPeMatico

Bad .Men at .Work. Please Don’t .Click

Web site names ending in new top-level domains (TLDs) like .men, .work and .click are some of the riskiest and spammy-est on the Internet, according to experts who track such concentrations of badness online. Not that there still aren’t a whole mess of nasty .com, .net and .biz domains out there, but relative to their size (i.e. overall number of domains) these newer TLDs are far dicier to visit than most online destinations.

There are many sources for measuring domain reputation online, but one of the newest is The 10 Most Abused Top Level Domains list, run by Currently at the #1 spot on the list (the worst) is .men: Spamhaus says of the 65,570 domains it has seen registered in the .men TLD, more than half (55 percent) were “bad.”

According to Spamhaus, a TLD may be “bad” because it is tied to spam or malware dissemination (or both). More specifically, the “badness” of a given TLD may be assigned in two ways:

“The ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. Or, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.”

More than 1,500 TLDs exist today, but hundreds of them were introduced in just the past few years. The nonprofit organization that runs the domain name space — the Internet Corporation for Assigned Names and Numbers (ICANN) — enabled the new TLDs in response to requests from advertisers and domain speculators — even though security experts warned that an onslaught of new, far cheaper TLDs would be a boon mainly to spammers and scammers.

And what a boon it has been. The newer TLDs are popular among spammers and scammers alike because domains in many of these TLDs can be had for pennies apiece. But not all of the TLDs on Spamhaus’ list are prized for being cheaper than generic TLDs (like .com, .net, etc.). The cheapest domains at half of Spamhaus’ top ten “baddest” TLDs go for prices between $6 and $14.50 per domain.

Still, domains in the remaining five Top Bad TLDs can be had for between 48 cents and a dollar each.

Security firm Symantec in March 2018 published its own Top 20 list of Shady TLDs:

Symantec’s “Top 20 Shady TLDs,” published in March 2018.

Spamhaus says TLD registries that allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet.

“Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains,” Spamhaus’ World’s Most Abused TLDs page explains.

Namecheap, a Phoenix, Ariz. based domain name registrar that in Oct. 2017 was the fourth-largest registrar, currently offers by a wide margin the lowest registration prices for three out of 10 of Spamhaus’ baddest TLDs, selling most for less than 50 cents each.

Namecheap also is by far the cheapest registrar for 11 of Symantec’s Top 20 Shady New TLDs: Namecheap is easily the least expensive registrar to secure a domain in 11 of the Top 20, including .date, .trade, .review, .party, .loan, .kim, .bid, .win, .racing, .download and .stream.

I should preface the following analysis by saying the prices that domain registrars charge for various TLD name registrations vary frequently, as do the rankings in these Top Bad TLD lists. But I was curious if there was any useful data about new TLD abuse at — a comparison shopping page for domain registrars.

What I found is that although domains in almost all of the above-mentioned TLDs are sold by dozens of registrars, most of these registrars have priced themselves out of the market for the TLDs that are currently so-favored by spammers and scammers.

Not so with Namecheap. True to its name, when it is the cheapest Namecheap consistently offers the lowest price by approximately 98 percent off the average price that other registrars selling the same TLD charge per domain. The company appears to have specifically targeted these TLDs with price promotions that far undercut competitors.

Namecheap is by far the lowest-priced registrar for more than half of the 20 Top Bad TLDs tracked by Symantec earlier this year.

Here’s a look at the per-domain prices charged by the registrars for the TLDs named in Spamhaus’s top 10:

The lowest, highest, and average prices charged by registrars for the domains in Spamhaus’ Top 10 “Bad” TLDs. Click to enlarge.

This a price comparison for Symantec’s Top 20 list:

The lowest, highest, and average prices charged by registrars for the domains in Symantec’s Top 20 “Shady” TLDs. Click to enlarge.

I asked Namecheap’s CEO why the company’s name comes up so frequently in these lists, and if there was any strategy behind cornering the market for so many of the “bad” and “shady” TLDs.

“Our business model, as our name implies is to offer choice and value to everyone in the same way companies like Amazon or Walmart do,” Namecheap CEO Richard Kirkendall told KrebsOnSecurity. “Saying that because we offer low prices to all customers we somehow condone nefarious activity is an irresponsible assumption on your part. Our commitment to our millions of customers across the world is to continue to bring them the best value and choice whenever and wherever we can.”

Kirkendall said expecting retail registrars that compete on pricing to stop doing that is not realistic and would be the last place he would go to for change.

“On the other hand, if you do manage to secure higher pricing you will also in effect tax everyone for the bad actions of a few,” Kirkendall said. “Is this really the way to solve the problem? While a few dollars may not matter to you, there are plenty of less fortunate people out there where it does matter. They say the internet is the great equalizer, by making things cost more simply for the sake of creating barriers truly and indiscriminately creates barriers for everyone, not just for those you target.”

Incidentally, should you ever wish to block all domains from any given TLD, there are a number of tools available to do that. One of the easiest to use is Google’s OpenDNS, which includes up to 30 filters for managing traffic, content and Web sites on your computer and home network — including the ability to block entire TLDs if that’s something you want to do.

I’m often asked if blocking sites from loading when they’re served from specific TLDs or countries (like .ru) would be an effective way to block malware and phishing attacks. It’s important to note here that it’s not practical to assume you can block all traffic from given countries (that somehow blacklisting .ru is going to block all traffic from Russia). It also seems likely that the .com TLD space and US-based ISPs are bigger sources of the problem overall.

But that’s not to say blocking entire TLDs a horrible idea for individual users and home network owners. I’d wager there are whole a host of TLDs (including all of the above “bad” and “shady” TLDs) that most users could block across the board without forgoing anything they might otherwise want to have seen or visited. I mean seriously: When was the last time you intentionally visited a site registered in the TLD for Gabon (.ga)?

And while many people might never click on a .party or .men domain in a malicious or spammy email, these domains are often loaded only after the user clicks on a malicious or booby-trapped link that may not look so phishy — such as a .com or .org link.

Go to Source
Author: BrianKrebs

OnePlus 6 Flaw Allows to Boot Any Image Even With Locked Bootloader

Have you recently bought a OnePlus 6? Don’t leave your phone unattended.

A serious vulnerability has been discovered in the OnePlus 6 bootloader that makes it possible for someone to boot arbitrary or modified images to take full admin control of your phone—even if the bootloader is locked.

A bootloader is part of the phone’s built-in firmware and locking it down stops users from replacing or modifying the phone’s operating system with any uncertified third-party ROMs, ensuring the system boots into the right operating system.

Discovered by security researcher Jason Donenfeld of Edge Security, the bootloader on OnePlus 6 is not entirely locked, allowing anyone to flash any modified boot image on to the handset and take full control of your phone.

In a video demonstration, Donenfeld showed how it is possible for an attacker with physical access to OnePlus 6 to boot any malicious image using the ADB tool’s fastboot command, giving the attacker complete control over the device and its contents.

As you can see in the video, even USB debugging does not need to be turned on, which is usually required for messing around with smartphones. All an attacker needs to do is plug the target’s OnePlus 6 into their computer with a cable, restart the phone into Fastboot mode, and transfer over the modified boot image.

For this, the attacker requires physical and unsupervised access to the targeted OnePlus 6 device for only a few minutes.

OnePlus has acknowledged the issue and promised to release a software update shortly, providing the following statement:

“We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.”

So until the fix is rolled out, do not let your OnePlus 6 out of your sight. We will update this article as soon as we get more information on the security patch, which might be included in OxygenOS 5.1.7.

This isn’t the first time OnePlus has been caught in this situation. Late last year, a backdoor was discovered in OnePlus devices running OxygenOS that allowed anyone to obtain root access to the devices.

Go to Source