Tag: Plain | SpinSafe

This sneaky new Android malware can hide in plain sight – and it’s all thanks to virtualization

December 1, 2023/in Mobile Security

A sneaky new Android malware was recently discovered, using virtualization to avoid detection and make serious money for its operators.

It is called FjordPhantom and its goal is to steal money from people’s bank accounts. The malware was discovered by cybersecurity researchers Promon, who say it mostly targets users in Indonesia, Thailand, Vietnam, Singapore, and Malaysia.

FjordPhantom spreads via phishing emails, SMS messages, and chat apps.

Beating the Android Sandbox

The threat actors would impersonate a popular bank in the region and reach out to the victims in an attempt to get them to download an app. However, together with the legitimate app, the victims would get malicious code running in a virtual environment, allowing the operators to attack the real banking app.

The threat actors leveraged open-source projects to create virtual containers on the target endpoint, without the user’s knowledge or consent. When the user launches the downloaded APK, it runs the actual banking app in the same container with the malicious code, making malware part of the trusted process.

This is dangerous not only because victims might lose their data and money, but also because it breaks the “Android Sandbox” security concept, whose premise is that apps can’t access each other’s data.

Furthermore, as the banking app isn’t modified, code tampering detection doesn’t work, either. The malware is also capable of hampering root-related security checks, as well, the researchers said.

When it comes to the malware’s capabilities, it can perform on-device fraud and steal banking credentials. Promon says that one victim was able to lose $280,000, thanks to a mix of malware and social engineering (the threat actors impersonated the bank’s customer support).

The best way to protect against such threats is to use common sense and only download apps from trusted sources. Also, before downloading an app, make sure to check the number of downloads and reviews, as these could be good indicators of malware.

Via BleepingComputer

More from TechRadar Pro

Source…

Hackers may be hiding in plain sight on your favorite website

September 22, 2022/in Computer Security

Security researchers have detailed how domain shadowing is becoming increasingly popular for cybercriminals.

As reported by Bleeping Computer, analysts from Palo Alto Networks (Unit 42) revealed how they came across over 12,000 such incidents over just a three-month period (April to June, 2022).

A depiction of a hacked computer sitting in an office full of PCs. — Getty Images

An offshoot of DNS hijacking, domain shadowing provides the ability to create malicious subdomains by infiltrating legitimate domains. As such, shadowed domains won’t have any impact on the parent domain, which naturally makes them difficult to detect.

Cybercriminals can subsequently use these subdomains to their advantage for various purposes, including phishing, malware distribution, and command and control (C2) operations.

“We conclude from these results that domain shadowing is an active threat to the enterprise, and it is hard to detect without leveraging automated machine learning algorithms that can analyze large amounts of DNS logs,” Unit 42 stated.

Once access has been obtained by threat actors, they could opt to breach the main domain itself and its owners, as well as target users from that website. However, they’ve had success by luring in individuals via the subdomains instead, in addition to the fact that the attackers remain undetected for much longer by relying on this method.

Due to the subtle nature of domain shadowing, Unit 42 mentioned how detecting actual incidents and compromised domains is difficult.

In fact, the VirusTotal platform identified just 200 malicious domains out of the 12,197 domains mentioned in the report. The majority of these cases are connected to an individual phishing campaign that uses a network of 649 shadowed domains via 16 compromised websites.

A system hacked warning alert being displayed on a computer screen. — Getty Images

The phishing campaign revealed how the aforementioned subdomains displayed fake login pages or redirected users to phishing pages, which can essentially circumvent email security filters.

When the subdomain is visited by a user, credentials are requested for a Microsoft account. Even though the URL itself isn’t from an official source, internet security tools aren’t capable of differentiating between a legitimate and fake login page as no warnings are presented.

One of…

Source…

Companies Linked to Russian Ransomware Hide in Plain Sight

December 6, 2021/in Internet Security

MOSCOW — When cybersleuths traced the millions of dollars American companies, hospitals and city governments have paid to online extortionists in ransom money, they made a telling discovery: At least some of it passed through one of the most prestigious business addresses in Moscow.

The Biden administration has also zeroed in on the building, Federation Tower East, the tallest skyscraper in the Russian capital. The United States has targeted several companies in the tower as it seeks to penalize Russian ransomware gangs, which encrypt their victims’ digital data and then demand payments to unscramble it.

Those payments are typically made in cryptocurrencies, virtual currencies like Bitcoin, which the gangs then need to convert to standard currencies, like dollars, euros and rubles.

That this high-rise in Moscow’s financial district has emerged as an apparent hub of such money laundering has convinced many security experts that the Russian authorities tolerate ransomware operators. The targets are almost exclusively outside Russia, they point out, and in at least one case documented in a U.S. sanctions announcement, the suspect was assisting a Russian espionage agency.

“It says a lot,” said Dmitri Smilyanets, a threat intelligence expert with the Massachusetts-based cybersecurity firm Recorded Future. “Russian law enforcement usually has an answer: ‘There is no case open in Russian jurisdiction. There are no victims. How do you expect us to prosecute these honorable people?’”

Recorded Future has counted about 50 cryptocurrency exchanges in Moscow City, a financial district in the capital, that in its assessment are engaged in illicit activity. Other exchanges in the district are not suspected of accepting cryptocurrencies linked to crime.

Cybercrime is just one of many issues fueling tensions between Russia and the United States, along with the Russian military buildup near Ukraine and a recent migrant crisis on the Belarus-Polish border.

The Treasury Department has estimated that Americans have paid $1.6 billion in ransoms since 2011. One Russian ransomware strain, Ryuk, made an estimated $162 million last year encrypting the computer systems of American hospitals…

Source…

Tiny Open Hardware Linux SBC Hides In Plain Sight

November 2, 2021/in Computer Security

There was a time, not quite so long ago, when a computer was a beige box that sat on your desk. Before that, computers were big enough to double as desks, and even farther back, they took up a whole room. Today? Well today it’s complicated. Single-board computers (SBCs) like the Raspberry Pi put a full desktop experience in the palm of your hand, for a price that would have been unfathomable before the smartphone revolution increased demand for high-performance ARM chips.

But compared to the tiny open hardware Linux SBC that lives inside the WiFiWart, even the Raspberry Pi looks massive. Developed by [Walker] as a penetration testing tool, the custom computer is housed in an enclosure designed to make it look like a traditional (if a bit large) USB phone charger. In fact, it doesn’t just look like a USB charger, it actually is one. The internal power supply is not only capable of converting AC into the various DC voltages required to run the miniature Linux box, but also features a USB port where you can plug in your phone to charge it.

For the infosec folks in the audience, the applications for the WiFiWart are obvious. Just plug this thing in somewhere inconspicuous, and you’ve got a foot in the door. The dual WiFi interfaces mean you can connect to a target network on one card and use the second to spin up a fake access point or exfiltrate data. Plus with a quad-core Cortex-A7 ARM processor running at 1.2 GHz and a healthy 1 GB of DDR3, you’ll have enough power to run many security tools locally.

But of course, nothing keeps you from using the WiFiWart for non-security purposes. That’s what has us particularly excited, as you can never have enough open hardware Linux boards. Especially ones this tiny. Removed from its wall charger disguise, the brains of the WiFiWart could be used for all kinds of projects. Plus, not only is the final design open source, but [Walker] made sure to only use free and open source tools to create it. Keeping his entire workflow open means it will be easier for the community to utilize and improve upon his initial design, which in the end, is the whole idea behind the open hardware movement and efforts such as the Hackaday…

Source…

Tag Archive for: Plain