—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains
Author: admin
APP Fraud Dominates as Scams Hit All-Time High
—————
The SEC’s 2023 final rules on cybersecurity disclosures
—————
Long Analysis of the M-209
Really interesting analysis of the American M-209 encryption device and its security.
—————
Security Researcher Sued for Disproving Government Statements
This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher.
Let’s hope the judge throws the case out, but—still—it will serve as a warning to others.
—————
New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition
Authored by SangRyol Ryu
Recently, McAfee’s Mobile Research Team uncovered a new type of mobile malware that targets mnemonic keys by scanning for images on your device that might contain them. A mnemonic key is essentially a 12-word phrase that helps you recover your cryptocurrency wallets. It’s much simpler to remember than the typical complex “private key” it stands for.
This Android malware cleverly disguises itself as various trustworthy apps, ranging from banking and government services to TV streaming and utilities. However, once installed, these fake apps secretly gather and send your text messages, contacts, and all stored images to remote servers. They often distract users with endless loading screens, unexpected redirects, or brief blank screens to hide their true activities.
McAfee has identified over 280 fake applications involved in this scheme, which have been actively targeting users in Korea since January 2024. Thankfully, McAfee Mobile Security products are already on the lookout for this threat, known as SpyAgent, and are helping to keep your device safe from these deceptive tactics.
Figure 1 Timeline of this campaign
Distribution Mechanism
Mobile malware that targets users in Korea is mainly spread through clever phishing campaigns. These campaigns use text messages or direct messages on social media to send out harmful links. The attackers behind these messages often pretend to be organizations or people you trust, tricking you into clicking on their links. Once clicked, these links take you to fake websites that look incredibly real, mimicking the appearance of legitimate sites. These deceptive sites usually prompt you to download an app, which is how the malware gets installed on your device. Be cautious and always verify the authenticity of any message or link before clicking.
Figure 2 Fake Websites
When a user clicks on the download link, they are prompted to download an APK (Android Package Kit) file. Although this file appears to be a legitimate app, it is actually malicious software. Once the APK is downloaded, the user is asked to install the app. During installation, the app requests permission to access sensitive information such as SMS messages, contacts, and storage, and to run in the background. These permissions are often presented as necessary for the app to function properly, but in reality, they are used to compromise the user’s privacy and security.
Figure 3 App installation and requesting permissions
Malware Capabilities and Behavior
Once the app is installed and launched, it begins its main function of stealing sensitive information from the user and sending it to a remote server controlled by the attackers. The types of data it targets include:
- Contacts: The malware pulls the user’s entire contact list, which could be used for further deceptive practices or to spread the malware even further.
- SMS Messages: It captures and sends out all incoming SMS messages, which might include private codes used for two-factor authentication or other important information.
- Photos: The app uploads any images stored on the device to the attackers’ server. These could be personal photos or other sensitive images.
- Device Information: It gathers details about the device itself, like the operating system version and phone numbers. This information helps the attackers customize their malicious activities to be more effective.
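As an added illustration (not code from the McAfee post), the permission set the report describes can be triaged mechanically: the script below parses a decoded AndroidManifest.xml and flags an app that asks for SMS, contacts and image-storage access together, the combination a streaming or utility app has no reason to need. The two manifests are constructed samples and the group names in PROFILE are my own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission groups mapped onto the data the report says SpyAgent collects.
PROFILE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "background": {"android.permission.FOREGROUND_SERVICE",
                   "android.permission.RECEIVE_BOOT_COMPLETED"},
    "send_sms": {"android.permission.SEND_SMS"},
}
CORE_GROUPS = {"sms", "contacts", "images"}  # all three together is the SpyAgent pattern


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str) -> dict:
    """Score a manifest against PROFILE and return the matching groups plus a verdict."""
    perms = declared_permissions(manifest_xml)
    hits = {group: sorted(perms & wanted)
            for group, wanted in PROFILE.items() if perms & wanted}
    if CORE_GROUPS.issubset(hits):
        verdict = "suspicious"   # reads SMS + contacts + images, as the report describes
    elif hits:
        verdict = "review"       # some sensitive access; judge against the app's stated purpose
    else:
        verdict = "clean"
    return {"permissions": sorted(perms), "hits": hits, "verdict": verdict}


# Constructed sample manifests (decoded form, as apktool prints them); not from any real app.
FAKE_STREAMING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tvstream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="TV Stream"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("tvstream", FAKE_STREAMING_MANIFEST), ("weather", BENIGN_MANIFEST)):
        result = triage(xml)
        print(name, result["verdict"], result["hits"])
```

Run it against the output of `apktool d` on a sample to get the decoded manifest; a "review" verdict is the cue to compare the requested groups with what the app claims to do.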
The malware functions like an agent, capable of receiving and carrying out instructions from the remote server. These commands include:
- ‘ack_contact’: A confirmation signal that the server has received the contacts list.
- ‘ack_sms’: A confirmation signal that the server has received SMS messages.
- ‘ack_image’: A confirmation signal that the server has received images.
- ‘sound_mode_update’: A command that changes the sound settings of the device.
- ‘send_sms’: A command that enables the malware to send SMS messages from the device, which could be used to distribute phishing texts.
Command and Control Servers Investigation
During the investigation, the team discovered several key insights:
Insecure Command and Control Server: Several C2 servers were found to have weak security configurations, which allowed unauthorized access to specific index pages and files without needing credentials. This security lapse provided a deeper insight into the server’s functions and the types of data being gathered.
Upon examination, it was noted that the server’s root directory included multiple folders, each organized for different facets of the operation, such as mimicking banking institutions or postal services.
Figure 4 Exposed Indexing page of the root prior to the site being taken down
Due to the server’s misconfiguration, not only were its internal components unintentionally exposed, but the sensitive personal data of victims, which had been compromised, also became publicly accessible. In the ‘uploads’ directory, individual folders were found, each containing photos collected from the victims, highlighting the severity of the data breach.
Figure 5 Leaked images list from one of the victims of the ‘aepost’ campaign prior to the site being taken down
Admin Pages: Navigating from the exposed index pages led to admin pages designed for managing victims. These pages displayed a list of devices, complete with device information and various controllable actions. As the number of victims rises, the list of devices on these pages will expand accordingly.
Figure 6 Admin control panel
Targeting Cryptocurrency Wallets: Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets. This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.
Figure 7 OCR details on Admin page
Data Processing and Management: This threat uses Python and JavaScript on the server side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR), and the extracted text is then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and exploiting the stolen information.
Figure 8 Server-side OCR code
Evolution
Originally, the malware communicated with its command and control (C2) server via simple HTTP requests. While this method was effective, it was also relatively easy for security tools to track and block. In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools. This change also makes it more challenging for security researchers to analyze traffic and intercept malicious communications.
The malware has also seen substantial improvements in its obfuscation techniques, which further complicates detection efforts by security software and researchers. APK obfuscation now conceals malicious code using strategies like string encoding, the insertion of irrelevant code, and the renaming of functions and variables to confuse analysts. These methods not only create confusion but also delay the detection process, effectively masking the malware’s true operations.
Moreover, the malware’s application and targeting strategies have evolved. Recent observations indicate that the malware has adapted and begun to spread within the UK. This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically. The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.
Conclusion
The continuous evolution of this malware highlights the ever-changing and sophisticated nature of cyber threats today. Initially masquerading as apps for money loans or government services, it has now adapted to exploit personal emotions by mimicking obituary notices. The research team has discovered that the perpetrators are utilizing OCR technology to analyze and misuse the stolen data for financial benefits. As the malware advances, employing more intricate methods, forecasting its next moves becomes increasingly challenging. Cybercriminals are constantly enhancing their tactics to better infiltrate and manipulate user environments, escalating the danger posed by these threats over time.
Although this malware is not widely prevalent, its impact intensifies when it leverages a victim’s contacts to send deceptive SMS messages. These phishing messages, seemingly sent by a familiar contact, are more likely to be trusted and acted upon by recipients. For instance, an obituary notice appearing to come from a friend’s number could be perceived as authentic, greatly raising the likelihood of the recipient engaging with the scam, especially compared to phishing attempts from unknown sources. This strategy introduces a deceptive layer that significantly enhances the effectiveness and stealthiness of the attack. Early detection of such malware is critical to prevent its proliferation, minimize potential harm, and curb further escalation. In response, the team has taken proactive steps by reporting the active URLs to the relevant content providers, who have promptly removed them.
The discovery of an item labeled “iPhone” in the admin panel indicates that the next stage of this malware’s development might target iOS users. While no direct evidence of an iOS-compatible version has been found yet, the possibility of its existence is genuine. Our team has previously documented data-stealing activities affecting both Android and iOS platforms, suggesting that the threat actors might be working on an iOS variant. This is particularly alarming because, despite iOS’s reputation for security, there are still methods for installing malicious apps outside of the App Store, such as through enterprise certificates and tools like Scarlet. This potential shift to iOS highlights the need for vigilance across all mobile platforms.
In such a landscape, it is crucial for users to be cautious about their actions, like installing apps and granting permissions. It is advisable to keep important information securely stored and isolated from devices. Security software has become not just a recommendation but a necessity for protecting devices. The McAfee Mobile Research team continues to stay alert, implementing robust security measures to counter these advanced threats. McAfee Mobile Security products are designed to detect and defend against not only malware but also other unwanted software. For further details, please visit our McAfee Mobile Security website.
Indicators of Compromise
SHA256 Hash(es):
Domain(s):
The post New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition appeared first on McAfee Blog.
—————
The Top 5 Scariest Mobile Threats
Scary movies are great. Scary mobile threats, not so much.
Ghosts, killer clowns, and the creatures can stir up all sorts of heebie-jeebies. The fun kind. Yet mobile threats like spyware, living dead apps, and botnets can conjure up all kinds of trouble.
Let’s get a rundown on the top mobile threats — then look at how you can banish them from your phone.
“I Know What You Did Because of Spyware”
Spyware is a type of malware that lurks in the shadows of your trusted device, collecting information around your browsing habits, personal information and more. Your private information is then sent to third parties, without your knowledge. Spooky stuff.
“Dawn of the Dead Apps”
Think haunted graveyards only exist in horror movies? Think again! Old apps lying dormant on your phone are like app graveyards. Many of these older apps may no longer be supported by the Google or Apple stores. Lying there un-updated, these apps might harbor vulnerabilities, and those can infect your device with malware or leak your data to a third party.
“Bone Chilling Botnets”
Think “Invasion of the Body Snatchers,” but on your mobile device. What is a botnet, you ask? When malware infiltrates a mobile device (such as through a sketchy app), the device becomes a “bot.” This bot becomes one in an army of thousands of infected internet-connected devices. From there, they spread viruses, generate spam, and commit all sorts of cybercrime. Most mobile device users aren’t even aware that their gadgets are compromised, which is why protecting your device before an attack is so important.
“Malicious Click or Treat”
Clicking links and mobile devices go together like Frankenstein and his bride. Which is why ad and click fraud through mobile devices is becoming more prevalent for cybercriminals. Whether through a phishing campaign or malicious apps, hackers can gain access to your device and your private information. Always remember to click with caution.
“IoT Follows”
The Internet of Things (IoT) has quickly become a staple in our everyday lives, and hackers are always ready to target easy prey. Most IoT devices connect to mobile devices, so if a hacker can gain access to your smartphone, they can infiltrate your connected devices as well. Or vice versa.
Six steps for a safer smartphone
1) Avoid third-party app stores. Unlike Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe and secure, third-party sites may very well not. Further, some third-party sites may intentionally host malicious apps as part of a broader scam.
Granted, hackers have found ways to work around Google and Apple’s review process, yet the chances of downloading a safe app from them are far greater than anywhere else. Further, both Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer.
2) Review with a critical eye. As with so many attacks, hackers rely on people clicking links or tapping “download” without a second thought. Before you download, take time to do some quick research. That may uncover some signs that the app is malicious. Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews.
Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
3) Go with a strong recommendation. Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.
4) Keep an eye on app permissions. Another way hackers weasel their way into your device is by getting permission to access things like your location, contacts, and photos—and they’ll use sketchy apps to do it. (Consider the long-running free flashlight app scams, where apps requested more than 70 different permissions, such as the right to record audio and video and to access contacts.)
So check and see what permissions the app is requesting. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it may be a scam. Delete the app and find a legitimate one that doesn’t ask for invasive permissions like that. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permissions here, and Android users can do the same here.
5) Get scam protection. Plenty of scams find your phone by way of sketchy links sent in texts, messages, and emails. Our Text Scam Detector can block them before they do you any harm. And if you tap that link by mistake, Scam Protection still blocks it.
6) Protect your smartphone with security software. With all that we do on our phones, it’s important to get security software installed on them, just like we install it on our computers and laptops. Whether you go with comprehensive security software that protects all of your devices or pick up an app in Google Play or Apple’s App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.
The post The Top 5 Scariest Mobile Threats appeared first on McAfee Blog.
—————
Civil Rights Groups Call For Spyware Controls
—————
Rapid Growth of Password Reset Attacks Boosts Fraud and Account Takeovers
—————
Active Ransomware Groups Surge by 56% in 2024