CatPhishing: Hamas targets the hearts of Israeli forces

Hamas is targeting the hearts of Israeli soldiers using social engineering attacks that are triggered with a simple friend request.

Israel Defense Forces reported the group is scrolling through Facebook for Israeli soldiers to “catfish” using fake accounts created from photos and identities stolen from attractive unsuspecting users, according to a blog post.

Hamas operatives will then add the Israeli soldiers on social media and chat with them before sending a few pictures, in an effort to disarm suspicious and prove they are real before inviting them to a video chat using an app sent to the soldier from the operative.

The app is actually a trojan capable of gleaning contacts, locations, apps, pictures, and any files as well as access the camera and microphone.

Soldiers are advised to not accept friend requests from strangers, keep GPS features off when not in use, and to not side load apps to their device.

SOURCE: Robert Abel | SC Magazine

Airplane boarding display leaks passenger data

Symantec researcher Candid Wueest spotted Airport boarding gate displays putting passengers at risk by leaking booking codes.

Wueest followed an IP address from a boarding gate display to access a landing page listing debug information listing databases containing information about the next flights which could be used to hack into passenger accounts, according to a Jan. 10 blog post.

An attacker would only need to guess a passenger’s last name and their booking reference codes, also known as passenger name record (PNR) locators, to access details about the flight and other passengers on the same booking including full names, email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.

Wueest said the information was available to anyone that knew about the publicly accessible server. The airline has since patched the flaw.

SOURCE: Robert Abel | SCMagazine

Merry Christmas Ransomware

Nine days after Christmas, a new ransomware named “Merry Christmas” was discovered operating in the wild and later a new variant was found which transmitted the DiamondFox malware as a secondary infection. DiamondFox malware is a versatile malware that includes modules that recruit bots for distributed  denial of service attacks, steal credit card data from POS systems, pilfer browser passwords, open remote desktop connections and others.

The malware generates its ransom note as a file named “YOUR FILES ARE DEAD.hta” and inserts it in every folder wherein documents are encrypted. The note contains instructions directing victims to contact the criminals through telegram or email. The ransomware also communicates with the command-and-control server from the infected machine and transfers information including username, computer name, running processes, installed programs, local time and hardware information.

Palo Alto Networks and three other researchers are credited with discovering two variants of the Merry Christmas malware. MalwareHunterTeam discovered the DiamondFox secondary infection by the ransomware.

Educative Koovla Ransomware variant found

cryptoransomware-encryption-300x205Self-styled ransomware hunter, Michael Gillespie has discovered an unusual Koovla ransomware variant which offers decryption keys for a read up of two articles on how to stay secured from malware.

The ransomware once downloaded states:
“In order for me to decrypt your files you must read the two articles below. Once you have click the ‘Get My Decryption Key’ button.

Then enter in your decryption key and click the ‘Decrypt My Files’ button. Eventually all of your files will be decrypted 🙂

If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.

So User do you want to play a game?”

One of the security articles is from Google’s security team on how to stay safe online while the other is from Bleeping Computer explaining the Jigsaw variant.

KillDisk variant, a new Ransomware found

what-is-malware-as-a-serviceResearchers at CyberX have found a new variant of the KillDisk program. This was the program used to attack Ukrainian energy utilities. The new variant is an evolution into a ransomware that may the targeting industrial control networks according to the researchers.

CyberX reports that the ransomware is distributed through malicious Office attachments and displays a pop-up demanding 222 Bitcoins, equivalently $206,000. It uses a mix of RSA 1028 public key and AES shared key algorithms to encrypt files and folders that are shared between organizations.

SEMTA Caught in ransomware attack

cryptoransomware-encryption-300x205The San Francisco Municipal Transportation Agency (SEMTA) was infected with a HDDCryptor ransomware over the weekend. Employee computers were presented with the message “You Hacked, ALL Data Encrypted. Contact For Key (cryptom27@yandex.com) ID:681, Enter”.

The attack was made using Mamba which rewrites a computer’s Master Boot Record. Local reports indicates that critical assets like payroll, a MySQL database and email servers, as well as employees’ personal computers may have been compromised in the attack.

The attack is estimated to cost the agency US$559,000 each day until resolved.