Cybercriminals are always coming up with ever more sophisticated malware. Last year, for example, saw the appearance of an unusual banking Trojan called Fakecalls. Besides the usual spying features, it has an interesting ability to talk with the victim in the guise of a bank employee. There is little information about Fakecalls online, so we decided to shed some light on its capabilities.

Trojan in disguise

Fakecalls mimics the mobile apps of popular Korean banks, among them KB (Kookmin Bank) and KakaoBank. Curiously, in addition to the usual logos, the Trojan's creators display the support numbers of the respective banks on the Fakecalls screen. These phone numbers appear to be real — the number 1599-3333, for instance, can be found on the main page of the KakaoBank official website.

(Image caption: The Trojan imitates the KB (left) and KakaoBank (right) banking apps.)

When installed, the Trojan immediately requests a whole host of permissions, including access to contacts, microphone and camera, geolocation, call handling, and so on.

Calling the bank

Unlike other banking Trojans, Fakecalls can imitate phone conversations with customer support. If the victim calls the bank's hotline, the Trojan discreetly breaks the connection and opens its own fake call screen instead of the regular calling app. The call appears to be normal, but in fact the attackers are now in control. The only thing that might give away the Trojan at this stage is the fake call screen. Fakecalls has only one interface language: Korean. This means that if another system language is selected on the phone — say, English — the victim will likely smell a rat.

After the call is intercepted, there are two possible scenarios. In the first, Fakecalls connects the victim directly with the cybercriminals, since the app has permission to make outgoing calls. In the second, the Trojan plays prerecorded audio imitating the standard greeting from the bank.

(Image caption: Fakecalls code fragment that plays prerecorded audio during an outgoing call.)

So that the Trojan maintains a realistic dialogue with the victim, the cybercriminals have recorded several phrases (in Korean) typically uttered by voicemail or call-center employees. For example, the victim might hear something like this:

"Hello. Thank you for calling KakaoBank. Our call center is currently receiving an unusually large volume of calls. A consultant will speak to you as soon as possible. To improve the quality of the service, your conversation will be recorded."

Or:

"Welcome to Kookmin Bank. Your conversation will be recorded. We will now connect you with an operator."

After that, the attackers, under the guise of a bank employee, can try to coax payment data or other confidential information out of the victim.

Besides outgoing calls, Fakecalls can spoof incoming calls as well. When the cybercriminals want to contact the victim, the Trojan displays its own screen over the system one. As a result, the user sees not the real number used by the cybercriminals, but the one shown by the Trojan, such as the phone number of the bank's support service.

Spyware toolkit

In addition to mimicking telephone customer support, Fakecalls has features more typical of banking Trojans. For example, at the attackers' command, the malware can turn on the microphone of the victim's phone and send recordings from it to their server, as well as secretly broadcast audio and video from the phone in real time.

That's not all. Remember the permissions the Trojan asked for during installation? The cybercriminals can use them to determine the device's location, copy the contacts list or files (including photos and videos) from the phone to their server, and access the call and text message history. These permissions allow the malware not only to spy on the user, but to control their device to a certain extent, giving the Trojan the ability to drop incoming calls and delete them from the history. This allows the scammers, among other things, to block and hide real calls from banks.

Kaspersky solutions detect this malware with the verdict Trojan-Banker.AndroidOS.Fakecalls and safeguard the device.

How to stay protected

To prevent your personal data and money from falling into cybercriminal hands, follow these simple tips:

- Download apps only from official stores and do not allow installations from unknown sources. Official stores run checks on all programs, and even if malware still sneaks in, it usually gets promptly removed.
- Pay attention to what permissions apps ask for and whether they really need them. Don't be afraid to deny permissions, especially potentially dangerous ones like access to calls, text messages, accessibility and so on.
- Never give confidential information over the phone. Real bank employees will never ask for your online banking login credentials, PIN, card security code or confirmation codes from text messages. If in doubt, go to the bank's official website and find out what employees can and cannot ask about.
- Install a robust solution that protects all your devices from banking Trojans and other malware.
Online scams that try to separate the unwary from their cryptocurrency are a dime a dozen, but a great many seemingly disparate crypto scam websites tend to rely on the same dodgy infrastructure providers to remain online in the face of massive fraud and abuse complaints from their erstwhile customers. Here’s a closer look at hundreds of phony crypto investment schemes that are all connected through a hosting provider which caters to people running crypto scams.

A security researcher recently shared with KrebsOnSecurity an email he received from someone who said they foolishly invested an entire bitcoin (currently worth ~USD $43,000) at a website called ark-x2[.]org, which promised to double any cryptocurrency investment made with the site.

The ark-x2[.]org site pretended to be a crypto giveaway website run by Cathie Wood, the founder and CEO of ARKinvest, an established Florida company that manages several exchange-traded investment funds. This is hardly the first time scammers have impersonated Wood or ARKinvest; a tweet from Wood in 2020 warned that the company would never use YouTube, Twitter, Instagram or any social media to solicit money.

At the crux of these scams are well-orchestrated video productions published on YouTube and Facebook that claim to be a “live event” featuring famous billionaires. In reality, these videos just rehash older footage while peppering viewers with prompts to sign up at a scam investment site — one they claim has been endorsed by the celebrities.

“I was watching a live video at YouTube where Elon Musk, Cathy Wood, and Jack Dorsey were talking about Crypto,” the victim told my security researcher friend. “An overlay on the video pointed to subscribing to the event at their website. I’ve been following Cathy Wood in her analysis on financial markets, so I was in a comfortable and trusted environment. The three of them are bitcoin maximalists in a sense, so it made perfect sense they were organizing a giveaway.”

“Without any doubt (other than whether the transfer would go through), I sent them 1 BTC (~$42,800), and they were supposed to return 2 BTC back,” the victim continued. “In hindsight, this was an obvious scam. But the live video and the ARK Invest website is what produced the trusted environment to me. I realized a few minutes later, when the live video looped. It wasn’t actually live, but a replay of a video from 6 months ago.”

Ark-x2[.]org is no longer online. But a look at the Internet address historically tied to this domain (186.2.171.79) shows the same address is used to host or park hundreds of other newly-minted crypto scam domains, including coinbase-x2[.]net (pictured below).

(Image caption: The crypto scam site coinbase-x2[.]net, which snares unwary investors with promises of free money.)

Typical of crypto scam sites, Coinbase-x2 promises a chance to win 50,000 ETH (Ethereum virtual currency), plus a “welcome bonus” wherein they promise to double any crypto investment made with the platform. But everyone who falls for this greed trap soon discovers they won’t be getting anything in return, and that their “investment” is gone forever.

There isn’t a lot of information about who bought these crypto scam domains, as most of them were registered in the past month at registrars that automatically redact the site’s WHOIS ownership records. However, several dozen of the domains are in the .us domain space, which is technically supposed to be reserved for entities physically based in the United States. Those Dot-us domains all contain the registrant name Sergei Orlovets from Moscow, the email address ulaninkirill52@gmail.com, and the phone number +7.9914500893. Unfortunately, each of these clues leads to a dead end, meaning they were likely picked and used solely for these scam sites.

A dig into the Domain Name Server (DNS) records for Coinbase-x2[.]net shows it is hosted at a service called Cryptohost[.]to. Cryptohost also controls several other address ranges, including 194.31.98.X, which is currently home to even more crypto scam websites, many targeting lesser-known cryptocurrencies like Polkadot.

An ad posted to the Russian-language hacking forum BHF last month touted Cryptohost as a “bulletproof hosting provider for all your projects,” i.e., it can be relied upon to ignore abuse complaints about its customers. “Why choose us? We don’t keep your logs!,” someone claiming to represent Cryptohost wrote to denizens of BHF. Cryptohost says its service is backstopped by DDoS-Guard, a Russian company that has featured here recently for providing services to the sanctioned terrorist group Hamas and to the conspiracy theory groups QAnon/8chan.

(Image caption: A scam site at Cryptohost targeting Polkadot cryptocurrency holders.)

Cryptohost did not respond to requests for comment.

Signing up as a customer at Cryptohost presents a control panel that includes the IP address 188.127.235.21, which belongs to a hosting provider in Moscow called SmartApe. SmartApe says its main advantage is unlimited disk space, “which allows you to host an unlimited number of sites for little money.”

According to FinTelegram, a blog that bills itself as a crowdsourced financial intelligence service that covers investment scams, SmartApe is a “Russian-Israeli hosting company for cybercriminals.” SmartApe CEO Mark Tepterev declined to comment on the allegations from FinTelegram, but said the company has thousands of clients, some of whom have their own clients.

(Image caption: Cryptohost’s customer panel, which points to an IP address at Russian hosting provider SmartApe.)

“Also we host other hostings that have their own thousands of customers,” Tepterev said. “Of course, there are clients who use our services in their dubious interests. We immediately block such clients upon receipt of justified complaints.”

Much of the text used in these scam sites has been invoked verbatim in similar schemes dating back at least two years, and it’s likely that scam website templates are re-used so long as they continue to reel in new investors. Searching online for the phrase “During this unique event we will give you a chance to win” reveals many current and former sites tied to this scam.

While it may seem incredible that people will fall for stuff like this, such scams reliably generate decent profits. When Twitter got hacked in July 2020 and some of the most-followed celebrity accounts on Twitter started tweeting double-your-crypto offers, 383 people sent more than $100,000 in a few hours.

In Sept. 2021, the Bitcoin Foundation (bitcoin.org) was hacked, with the intruders placing a pop-up message on the site asking visitors to send money. The message said any sent funds would be doubled and returned, claiming that the Bitcoin Foundation had set up the program as a way of “giving back to the community.” The brief scam netted more than $17,000.

According to the U.S. Federal Trade Commission, nearly 7,000 people lost more than $80 million in crypto scams from October 2020 through March 2021 based on consumer fraud reports. That’s a significant jump from the year prior, when the FTC tracked just 570 cryptocurrency investment scam complaints totaling $7.5 million.

A recent report from blockchain analysis firm Chainalysis found that scammers stole approximately $14 billion worth of cryptocurrency in 2021 — nearly twice the $7.8 billion stolen by scammers in 2020, the report found.

In March, Australia’s competition watchdog filed a lawsuit against Facebook owner Meta Platforms, alleging the social media giant failed to prevent scammers using its platform to promote fake ads featuring well-known people. The complaint alleges the advertisements, which endorsed investment in cryptocurrency or money-making schemes, could have misled Facebook users into believing they were promoted by famous Australians.

In many ways, the crypto giveaway scam is a natural extension of perhaps the oldest cyber fraud in the book: Advanced-fee fraud. Most commonly associated with Nigerian Letter or “419” fraud and lottery/sweepstakes schemes, advanced fee scams promise a financial windfall if only the intended recipient will step up and claim what is rightfully theirs — and oh by the way just pay this small administrative fee and we’ll send the money.

What makes these double-your-crypto sites successful is not just ignorance and avarice, but the idea held by many novice investors that cryptocurrencies are somehow magical money-minting machines, or perhaps virtual slot machines that will eventually pay off if one simply deposits enough coinage.
Trend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware.
An update to Raspberry Pi OS Bullseye has removed the default 'pi' user to make it harder for attackers to find and compromise Internet-exposed Raspberry Pi devices using default credentials.
Active since at least 2015, FIN7 has tended to target the retail and banking sector through Business Email Compromise (BEC) scams, attacks against point-of-sale (PoS) systems, and supply chain compromise.
The collaboration aimed to create career opportunities by identifying and training suitable individuals for the industry, said the cybersecurity vendor in a statement Friday.
Supply chain attacks on global organizations increased by 51% between July and December 2021, with third-party risk emerging as a key priority, according to new research from the NCC Group.
META is one of the novel info-stealers, along with Mars Stealer and BlackGuard, whose operators wish to take advantage of Raccoon Stealer's exit from the market that left many searching for their next platform.
Post-quantum cryptography has arrived by default with the release of the new OpenSSH 9 version and the adoption of the hybrid Streamlined NTRU Prime + x25519 key exchange method.
Hiya has detected the newest scam call tactic, the eavesdropping scam. The new scam aims to get users to call back by leaving vague voicemail messages where an unknown voice is heard talking about the potential victim.
The huge payoffs and low risks associated with BEC scams have attracted criminals worldwide. Some flaunt their ill-gotten riches on social media, posing in pictures next to Ferraris, Bentleys, and stacks of cash.
Egress announced the results of a report, which revealed that 56% of IT leaders say that their non-technical staff is only ‘somewhat’ prepared, or ‘not at all’ prepared, for a security attack.
For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are due to Russia's invasion of Ukraine.
SailPoint was founded in 2005 and raised $26 million, according to Crunchbase data, before going public in 2017. The company is expected to continue to operate out of its headquarters in Austin, Texas.
Discovered by Synopsys Cybersecurity Research Center (CyRC) researcher David Johansson, the vulnerability is tracked as CVE-2022-24814 and can lead to account compromise.
According to Cyble Research Labs, Lightning Stealer is a .NET-based info-stealer that is capable of targeting over 30 Firefox and Chromium-based browsers.
The threat actors have attempted to propagate the malware across at least 27,655 Google Workspace and Microsoft 365 mailboxes. Victim organizations belong to the healthcare, retail, and education sectors.
PacketStreamer sensors collect raw network packets on remote hosts, apply filters, and forward them to a central receiver process where they are written in the pcap format.
In a data security notice posted on its website, SuperCare Health said the intrusion was discovered on July 27, 2021, when it noticed unauthorized activity on some systems.
Most organizations (71%) have been hit by ransomware in 2022, and most of those (63%) opted for paying the requested ransom, the 2022 Cyberthreat Defense Report (CDR) by the CyberEdge Group has shown.
Some 20,144 individuals fell victim to such “remote access tool” (RAT) scams in 2021, according to Action Fraud, the UK’s national reporting centre for fraud and cybercrime.
An access control vulnerability in open-source scheduling platform Easy!Appointments gave unauthenticated attackers easy access to personally identifiable information (PII), a security researcher has revealed.
HelpSystems announced the acquisition of Terranova Security, an organization providing phishing simulation, privacy awareness, and security awareness training services across the globe.
A bipartisan group of House and Senate lawmakers late last week urged the head of the U.S. Energy Department to take the lead in shaping the massive energy sector’s cybersecurity.
Several weeks after a cyberattack spurred network disruptions at ETCH, it is notifying an undisclosed number of patients and parents that the threat actors stole sensitive health information during the incident.
Results from an Association for Financial Professionals (AFP) survey are encouraging, as 71% of organizations report having been victims of payments fraud activity in 2021, lower than the 81% reported in 2019.
The FBI announced taking down the Cyclops Blink botnet, which was used to target firewall appliances and SOHO networking devices. It was under the control of the Russian Sandworm group. The operation's initial court authorization was given on March 18, and the botnet infection was fully removed from all identified Watchguard devices. The FBI suggested adopting Watchguard's detection and remediation steps for any infection by the malware.
AridViper APT group was found targeting high-ranking Israeli officials in a cyberespionage campaign to spy and steal data by compromising their systems and mobile devices. The attackers have created various fake Facebook profiles with fabricated identities and stolen or AI-generated images of good-looking women.
Avast laid bare an attack campaign abusing the new Parrot TDS, which has infected over 16,500 websites across different verticals, to deliver RATs via bogus browser update prompts. The campaign started in February, while the signs of Parrot activity have been traced back to October last year. Experts recommend using up-to-date internet security solutions while browsing the web for better protection.
Ubuntu Security Notice 5374-1 - It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to expose sensitive information.
Red Hat Security Advisory 2022-1306-01 - A security update to Red Hat Integration Camel Extensions for Quarkus 2.2.1 is now available. Issues addressed include a remote code execution vulnerability.
The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919; however, both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and, at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904.
Ubuntu Security Notice 5373-2 - USN-5373-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Django incorrectly handled certain column aliases in the QuerySet.annotate, aggregate, and extra methods. A remote attacker could possibly use this issue to perform an SQL injection attack.
haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self test targets and a spec file for those who want to build an RPM.
Red Hat Security Advisory 2022-1305-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.8.0. Issues addressed include denial of service, out of bounds write, and use-after-free vulnerabilities.
Ubuntu Security Notice 5373-1 - It was discovered that Django incorrectly handled certain column aliases in the QuerySet.annotate, aggregate, and extra methods. A remote attacker could possibly use this issue to perform an SQL injection attack. It was discovered that Django incorrectly handled certain option names in the QuerySet.explain method. A remote attacker could possibly use this issue to perform an SQL injection attack. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.10.
Red Hat Security Advisory 2022-1301-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.8.0. Issues addressed include denial of service, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-1303-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.8.0. Issues addressed include denial of service, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-1302-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.8.0. Issues addressed include denial of service, out of bounds write, and use-after-free vulnerabilities.
Ubuntu Security Notice 5331-2 - USN-5331-1 fixed several vulnerabilities in tcpdump. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that tcpdump incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2022-1296-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. Issues addressed include code execution, denial of service, deserialization, and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2022-1297-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. Issues addressed include code execution, denial of service, deserialization, and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2022-1299-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. Issues addressed include code execution, denial of service, deserialization, and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2022-1291-01 - Red Hat OpenShift Serverless Client kn 1.21.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.21.1. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-1162-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.8.
Microsoft last week announced that it intends to make generally available a feature called Autopatch as part of Windows Enterprise E3 in July 2022. "This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost," said Lior Bela, senior product marketing manager at Microsoft, in a post last week. "The second Tuesday of every month will be
Cybersecurity researchers are warning of two different information-stealing malware, named FFDroider and Lightning Stealer, that are capable of siphoning data and launching further attacks. "Designed to send stolen credentials and cookies to a Command & Control server, FFDroider disguises itself on victim's machines to look like the instant messaging application 'Telegram,'" Zscaler ThreatLabz
A Ukrainian man has been sentenced to five years in prison by a US court for his involvement in the notorious criminal hacking group, FIN7. Read more in my article on the Hot for Security blog.