security breaches

Auto Added by WPeMatico

Meet EventBot, a new Android malware that steals banking passwords and two-factor codes

Security researchers are sounding the alarm over a newly discovered Android malware that targets banking apps and cryptocurrency wallets.

The malware, which researchers at security firm Cybereason recently discovered and called EventBot, masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android — which abuses Android’s in-built accessibility features to obtain deep access to the device’s operating system.

Once installed — either by an unsuspecting user or by a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps — including PayPal, Coinbase, CapitalOne and HSBC — and intercepts and two-factor authentication text message codes.

With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.

“The developer behind Eventbot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high,” Assaf Dahan, head of threat research at Cybereason, told TechCrunch.

The malware quietly records every tap and key press, and can read notifications from other installed apps, giving the hackers a window into what’s happening on a victim’s device.

Over time, the malware siphons off banking and cryptocurrency app passwords back to the hackers’ server.

The researchers said that EventBot remains a work in progress. Over a period of several weeks since its discovery in March, the researchers saw the malware iteratively update every few days to include new malicious features. At one point the malware’s creators improved the encryption scheme it uses to communicate with the hackers’ server, and included a new feature that can grab a user’s device lock code, likely to allow the malware to grant itself higher privileges to the victim’s device like payments and system settings.

But while the researchers are stumped as to who is behind the campaign, their research suggests the malware is brand new.

“Thus far, we haven’t observed clear cases of copy-paste or code reuse from other malware and it seems to have been written from scratch,” said Dahan.

Android malware is not new, but it’s on the rise. Hackers and malware operators have increasingly targeted mobile users because many device owners have their banking apps, social media, and other sensitive services on their device. Google has improved Android security in recent years by screening apps in its app store and proactively blocking third-party apps to cut down on malware — with mixed results. Many malicious apps have evaded Google’s detection.

Cybereason said it has not yet seen EventBot on Android’s app store or in active use in malware campaigns, limiting the exposure to potential victims — for now.

But the researchers said users should avoid untrusted apps from third-party sites and stores, many of which don’t screen their apps for malware.

Hackers are targeting other hackers by infecting their tools with malware

A newly discovered malware campaign suggests that hackers have themselves become the targets of other hackers, who are infecting and repackaging popular hacking tools with malware.

Cybereason’s Amit Serper found that the attackers in this years-long campaign are taking existing hacking tools — some of which are designed to exfiltrate data from a database through to cracks and product key generators that unlock full versions of trial software — and injecting a powerful remote-access trojan. When the tools are opened, the hackers gain full access to the target’s computer.

Serper said the attackers are “baiting” other hackers by posting the repackaged tools on hacking forums.

But it’s not just a case of hackers targeting other hackers, Serper told TechCrunch. These maliciously repackaged tools are not only opening a backdoor to the hacker’s systems, but also any system that the hacker has already breached.

“If hackers are targeting you or your business and they are using these trojanized tools it means that whoever is hacking the hackers will have access to your assets as well,” Serper said.

That includes offensive security researchers working on red team engagements, he said.

Serper found that these as-yet-unknown attackers are injecting and repackaging the hacking tools with njRat, a powerful trojan, which gives the attacker full access to the target’s desktop, including files, passwords, and even access to their webcam and microphone. The trojan dates back to at least 2013 when it was used frequently against targets in the Middle East. njRat often spreads through phishing emails and infected flash drives, but more recently hackers have injected the malware on dormant or insecure websites in an effort to evade detection. In 2017, hackers used this same tactic to host malware on the website for the so-called Islamic State’s propaganda unit.

Serper found the attackers were using that same website-hacking technique to host njRat in this most recent campaign.

According to his findings, the attackers compromised several websites — unbeknownst to their owners — to host hundreds of njRat malware samples, as well as the infrastructure used by the attackers to command and control the malware. Serper said that the process of injecting the njRat trojan into the hacking tools occurs almost daily and may be automated, suggesting that the attacks are run largely without direct human interaction.

It’s unclear for what reason this campaign exists or who is behind it.

Web host Hostinger says data breach may affect 14 million customers

Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.

The breach is said to have happened on Thursday. The company said in a blog post it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database. That database contained customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing. The company has since upgraded its password hashing to the stronger SHA-2 algorithm.

Hostinger said the API database stored about 14 million customers records. The company has more than 29 million customers on its books.

The company said it was “in contact with the respective authorities.”

hostinger

An email from Hostinger explaining the data breach. (Image: supplied)

News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.

The company said that financial data was not compromised, nor was customer website files or data affected.

But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.

A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.

Chief executive Balys Kriksciunas told TechCrunch that the remarks made by the customer support representative were “misleading” and denied any customer financial data was compromised. A company investigation into the breach, however, remains under way.

Updated with remarks from Hostinger.

Related stories:

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a date breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague since turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years passed we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.