Hamas is targeting the hearts of Israeli soldiers using social engineering attacks that are triggered with a simple friend request.
Israel Defense Forces reported the group is scrolling through Facebook for Israeli soldiers to “catfish” using fake accounts created from photos and identities stolen from attractive unsuspecting users, according to a blog post.
Hamas operatives will then add the Israeli soldiers on social media and chat with them before sending a few pictures, in an effort to disarm suspicious and prove they are real before inviting them to a video chat using an app sent to the soldier from the operative.
The app is actually a trojan capable of gleaning contacts, locations, apps, pictures, and any files as well as access the camera and microphone.
Soldiers are advised to not accept friend requests from strangers, keep GPS features off when not in use, and to not side load apps to their device.
SOURCE: Robert Abel | SC Magazine
Symantec researcher Candid Wueest spotted Airport boarding gate displays putting passengers at risk by leaking booking codes.
Wueest followed an IP address from a boarding gate display to access a landing page listing debug information listing databases containing information about the next flights which could be used to hack into passenger accounts, according to a Jan. 10 blog post.
An attacker would only need to guess a passenger’s last name and their booking reference codes, also known as passenger name record (PNR) locators, to access details about the flight and other passengers on the same booking including full names, email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.
Wueest said the information was available to anyone that knew about the publicly accessible server. The airline has since patched the flaw.
SOURCE: Robert Abel | SCMagazine
Nine days after Christmas, a new ransomware named “Merry Christmas” was discovered operating in the wild and later a new variant was found which transmitted the DiamondFox malware as a secondary infection. DiamondFox malware is a versatile malware that includes modules that recruit bots for distributed denial of service attacks, steal credit card data from POS systems, pilfer browser passwords, open remote desktop connections and others.
The malware generates its ransom note as a file named “YOUR FILES ARE DEAD.hta” and inserts it in every folder wherein documents are encrypted. The note contains instructions directing victims to contact the criminals through telegram or email. The ransomware also communicates with the command-and-control server from the infected machine and transfers information including username, computer name, running processes, installed programs, local time and hardware information.
Palo Alto Networks and three other researchers are credited with discovering two variants of the Merry Christmas malware. MalwareHunterTeam discovered the DiamondFox secondary infection by the ransomware.
Self-styled ransomware hunter, Michael Gillespie has discovered an unusual Koovla ransomware variant which offers decryption keys for a read up of two articles on how to stay secured from malware.
The ransomware once downloaded states:
“In order for me to decrypt your files you must read the two articles below. Once you have click the ‘Get My Decryption Key’ button.
Then enter in your decryption key and click the ‘Decrypt My Files’ button. Eventually all of your files will be decrypted 🙂
If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.
So User do you want to play a game?”
One of the security articles is from Google’s security team on how to stay safe online while the other is from Bleeping Computer explaining the Jigsaw variant.
Researchers at CyberX have found a new variant of the KillDisk program. This was the program used to attack Ukrainian energy utilities. The new variant is an evolution into a ransomware that may the targeting industrial control networks according to the researchers.
CyberX reports that the ransomware is distributed through malicious Office attachments and displays a pop-up demanding 222 Bitcoins, equivalently $206,000. It uses a mix of RSA 1028 public key and AES shared key algorithms to encrypt files and folders that are shared between organizations.
The web portal of a Medical Marijuana facility in Nevada was breached compromising employee information.
What type of information? Social security numbers and dates of birth of individuals with medical marijuana agent cards, such as employees and owners of medical marijuana establishments
What happened? A flaw in the state’s website portal made the data accessible on the site.
What was the response? The entire portal has been taken down by the state’s Division of Public Behavioural Health (DPBH) and the DPBH IT staff are working with State IT staff to investigate the breach. Those affected are being contacted and advised on appropriate further action.
Research by Proofpoint has identified a phishing attack on twitter targeting brand managers and influencers. The attack is carried out by means of a legitimate twitter ad offering account verification.
The ads are from @SupportForAll6 account and uses twitter branding, logos and colours making it look authentic. Users who follow the link are directed to a domain twitterhelp[.]info where users are required to provide their twitter username, email address, phone number and account password in a form. In the next step, the user is asked to provide a credit card number and security code for “verification purposes”
User education and technical processes like ad blocking are a must in the fight against phishing and other cyber attacks.