CatPhishing: Hamas targets the hearts of Israeli forces

Hamas is targeting the hearts of Israeli soldiers using social engineering attacks that are triggered with a simple friend request.

The Israel Defense Forces reported in a blog post that the group is scrolling through Facebook for Israeli soldiers to “catfish”, using fake accounts built from photos and identities stolen from attractive, unsuspecting users.

Hamas operatives then add the Israeli soldiers on social media and chat with them, sending a few pictures to disarm suspicion and “prove” they are real, before inviting them to a video chat using an app that the operative sends to the soldier.

The app is actually a trojan capable of harvesting contacts, locations, installed apps, pictures and any other files, as well as accessing the camera and microphone.

Soldiers are advised not to accept friend requests from strangers, to keep GPS features off when not in use, and not to sideload apps onto their devices.

SOURCE: Robert Abel | SC Magazine


Twitter & Facebook revoke Geofeedia’s access.

A recent post by the American Civil Liberties Union (ACLU) has drawn public attention to a social media aggregation platform being used by law enforcement agencies to monitor protesters and activists. The platform, Geofeedia, serves a wide variety of private and public sector clients, including over 500 law enforcement and public safety agencies across the US. Geofeedia offers real-time monitoring of posts, photos and live broadcasts on Facebook, Twitter, Instagram, Vine and other social media sites, and sorts them by location.

Although this platform is useful and profitable for law enforcement and public safety, especially in times of crisis, civil liberties advocates worry that such services could be misused to disrupt legal protests and to build documentation on protesters.

In response to these revelations and a request from the ACLU, Facebook terminated Geofeedia’s access to Facebook’s Topic Feed API and the Instagram API on September 19, and Twitter also suspended Geofeedia’s commercial access to Twitter data. Geofeedia, however, is not the only platform offering this kind of monitoring.

The ACLU is therefore requesting that social media companies:

  • Not provide data access to developers who have law enforcement clients and allow their product to be used for surveillance,
  • Adopt clear, public, and transparent policies to prohibit developers from exploiting user data for surveillance purposes, and
  • Institute human and technical auditing mechanisms to identify potential violations of this policy and take swift action when violations are found.

154 million US voter records exposed online

MacKeeper security researcher Chris Vickery has discovered a database of US voter profiles exposed on the web, available for viewing by potentially anyone on the internet.

The database contained the name, address, phone number, age, gender, marital status, estimated income, political party, congressional and state senate district affiliation of 154 million voters. Some of the records included additional information.

The data was originally collected by L2, a data brokerage company. Chris contacted them, and three hours later the database was taken down.

$1 Million Penalty for Morgan Stanley

Global financial giant Morgan Stanley has been fined $1 million by the US Securities and Exchange Commission for failing to protect its clients’ information. According to the SEC, the bank “failed to adopt written policies and procedures reasonably designed to protect customer data.” This made it possible for an employee to transfer clients’ data to a private server, from which the data is believed to have been breached.

The employee, Galen J. Marsh, was criminally convicted for his actions in 2015, sentenced to 36 months of probation and ordered to pay $600,000 in restitution.

Considering the number of attacks suffered by organizations in recent times, organizations can no longer afford to neglect the policies and procedures that protect their information and information systems.

Morgan Stanley has agreed to pay the fine.

VK.com breach – over 100 million accounts for sale

Data on over 100 million users of the Russian social network VK.com is being offered for sale on the dark web by a seller who goes by the name Tessa88@exploit.im. Each record is expected to contain an email address, first and last name, location, phone number and clear-text password.

It is apparent that the social network stored the passwords in plaintext, Help Net Security noted. According to Help Net Security, the most used password in the list was ‘123456’, followed by ‘123456789’, then ‘qwerty’ and a host of other very common and predictable passwords.

VK users can check the LeakedSource database to find out whether their account is among the stolen data.


Tumblr users’ login credentials on dark web

The same person, “peace_of_mind”, who recently offered LinkedIn users’ data for sale, has now offered 65 million email addresses along with the hashed and salted passwords of Tumblr users for sale on the dark web.

Earlier this month, Tumblr had issued a breach warning to its users: “We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.”

Peace is offering the data for less than half a bitcoin, which is around $150.
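The two breaches above illustrate the difference between storing passwords in plaintext (VK.com, where analysts could immediately read off ‘123456’ as the most common password) and storing them salted and hashed (Tumblr). The following example is added here and is not code from either site or from the original post; it shows the storage scheme a service should use, with a per-user random salt and a slow key-derivation function (`hashlib.scrypt` from the Python standard library), plus a registration check against a small constructed denylist seeded with the common passwords named in the VK.com report. The scrypt parameters and the denylist contents are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed denylist: the three most common passwords named in the VK.com
# report plus a couple of placeholders standing in for a larger breach-derived list.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "111111"}

# scrypt cost parameters (assumed for the example): n is the CPU/memory cost,
# r the block size, p the parallelism factor.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def is_common(password: str) -> bool:
    """True if the password is on the denylist (compared case-insensitively)."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'scrypt$<salt_hex>$<hash_hex>' string.

    A fresh random salt per user means two users with the same password get
    different stored values, so a leaked table cannot simply be grouped to
    reveal the most common passwords the way a plaintext dump can.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed stored value
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def register(password: str) -> str:
    """Reject denylisted passwords; otherwise return the value to store."""
    if is_common(password):
        raise ValueError("password is on the common-password denylist")
    return hash_password(password)


if __name__ == "__main__":
    stored = register("long-passphrase-for-demo")
    print(stored)
    print("verify correct:", verify_password("long-passphrase-for-demo", stored))
    print("verify wrong:  ", verify_password("123456", stored))
```

The stored string carries its own salt, so verification needs nothing but the user’s row; the constant-time comparison avoids leaking how many leading bytes of a guess matched.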

Warning! Keyloggers disguised as USB chargers

The FBI has issued a warning that keyloggers designed to look like, and also work as, USB device chargers have been found in circulation. The device, called KeySweeper, was created by white-hat hacker Samy Kamkar. According to Samy, “KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.”

Samy shared a detailed video of how KeySweeper is designed on his website. It is suspected that someone has gone ahead and built devices from that description.

The security risk of having such a device in an office environment is hard to overstate. The FBI offered advice to companies and office workers on how to mitigate the KeySweeper threat, including using wired keyboards, wireless keyboards with strong encryption, or Bluetooth keyboards (with additional precautions to protect against a similar type of data-harvesting attack).

They also advise workers to keep an eye out for suspicious chargers plugged into office outlets and to remove them.