By Owais Sultan
E-commerce is a lucrative business, but it requires hard work and robust cybersecurity.
This is a post from HackRead.com Read the original post: Fortify Your Online Business – Security Tips for Starting an e-Commerce Website

From installing firewalls to choosing secure hosting, every aspect is crucial in online business.

Are you in the process of creating an e-commerce website? Many entrepreneurs choose to open online businesses because they can save a lot of money on overhead costs. But if you don’t have the proper security in place, it may cost you thousands of dollars to recover after a website breach. 

Every day, cybercriminals are finding new ways to hack into people’s business accounts to steal information and money. To help safeguard your online store, we’ve provided a guide on how to build a secure e-commerce website to protect your business from potential threats. 

****Choose a Trustworthy Platform to Build Your Website****

For people to buy your products and services, you must create a website where customers can order and pay for what they need. The top website builders will have a plethora of features to help you build a secure website for your customers, such as drag-and-drop tools and customizable templates. 

On the other hand, web builders must guarantee the safety of your customer’s information. The builder you choose must not steal information and sell it to third-party organizations. You should also choose a website builder with hosting services so your site loads faster. 

Choose a dedicated web hosting service that is more secure compared to sharing a server with other websites on the internet. 

****Utilize HTTPS for Your Site** **

Hypertext Transfer Protocol Secure (HTTPS) provides a secure and encrypted connection between a user’s browser and the website server. The encryption ensures that sensitive data like bank account details, credit card information, and addresses are protected from cybercriminals.  

What’s more, websites that have HTTPS addresses are recognized as being more trustworthy. It provides a padlock icon on your website’s URL that shows the user the site is secure and protected from threats. 

Using HTTPS can also boost your page ranking on search engines like Google because they prioritize sites with these credentials. 

Lastly, HTTPS requires a Secure Socket Layer Certificate (SSL) to transfer data securely. If your online business accepts card payments, then you must have an SSL certificate to remain compliant with Payment Card Industry Data Security Standards. 

****Utilize Web Application Firewalls****

E-commerce websites rely heavily on complex web applications such as SQL injections and cross-site scripting. However, these applications can have vulnerabilities. A Web Application Firewall (WAF) can give your website an extra layer of protection by detecting and blocking these threats to prevent breaches.  

When there are potential threats, you may have to temporarily shut down the website to protect your customers. This can be a costly exercise. But a Web Application Firewall can prevent website downtimes by filtering out malicious traffic that can cause your website to shut down.  

****Strong Password Policies** **

When you create your e-commerce website, you must administrate strong password policies for both your staff and customers. Encourage customers to create strong passwords that are at least 8 to 10 characters long using numbers, special characters, and capital letters. 

Furthermore, you should allow your customers to set up two-factor authentication so they can be notified if someone is trying to gain access to their accounts. Advise your customers not to use their names, ID numbers, or cell phone numbers to sign into the website. 

You can prevent users from creating weak passwords by not allowing them to go to the next stage of the sign-up process unless they meet the password policies. Or you can have a password generator on the site so users can automatically create secure passwords.  

****Update Your Website Regularly** **

Another way you can prevent cyber threats when creating an e-commerce website is to update your site and plugins regularly. There will be regular security patches that can address new vulnerabilities. These updates can include enhanced security measures to strengthen your website’s defences. 

Updating your website and plugins will ensure that your e-commerce business stays compliant with industry standards. It can also improve your website’s overall performance by fixing bugs and enhancing certain functionalities. This will improve the user’s experience whenever they visit your website. 

With a fast and secure website, your customers and visitors will feel more at ease, and it will provide a level of credibility to your online business. 

****Final Thoughts** **

Creating a professional e-commerce website is a long and complex process. If you’re not careful, you’ll create a site that’s easy for hackers to gain access to. 

But with the right tools, strategies, and knowledge, you can create a secure site that customers feel comfortable signing in to. Use the tips in this article to build a successful website that’s secure and trustworthy. 

****_RELATED ARTICLES_****

1.  **The Advantages of a More Secure and Safer Blockchain**
2.  **How To Make Drupal Migration Successful: 6 Useful Tips** 
3.  **How to Install Microsoft Exchange Updates with Reliability**
4.  **Casio’s Data Breach: Database Security a Major Challenge!**
5.  **PDF Security – How To Keep Sensitive Data Secure in a PDF File**

Fortify Your Online Business – Security Tips for Starting an e-Commerce Website

By Deeba Ahmed
The budget tablet, advertised for kids on Amazon, is highly popular among children.
This is a post from HackRead.com Read the original post: Popular Dragon Touch Tablet for Kids Infected with Corejava Malware

The Dragon Touch KidzPad Y88X 10 tablet on Amazon, analyzed by EFF researchers, also comes with preinstalled riskware and an outdated parental control app called KIDOZ.

Retailers like Amazon have played a significant role in popularizing low-cost Android devices for children. However, based on research conducted by the Electronic Frontier Foundation (EFF) on such devices, there is a possibility that they may contain malware.

EFF’s researchers examined the Dragon Touch KidzPad Y88X 10 tablet from Amazon and discovered not only malware but also preinstalled riskware, along with an outdated parental control app called KIDOZ. Following the EFF’s investigations, Amazon removed the product from the platform. However, other Y88X models are still being sold on the site.

Dragon Touch KidzPad Y88X 10 tablet

It is worth noting here that Amazon devices frequently face criticism due to the presence of preinstalled malware. In January 2023, the company gained attention for selling a T95 Android TV box that harboured sophisticated, persistent, and preinstalled malware embedded in its firmware.

Despite awareness of the issue, Amazon continued to sell these compromised devices until February 2023. In both instances, the devices were also infected by the same Corejava malware.

The Android Open Source Project (AOSP) is Google’s open-sourced Android operating system. Consequently, most Android devices available for purchase come equipped with AOSP, featuring multiple customization layers, commonly referred to as AOSP’s ‘skinned’ version.

In addition to beneficial features, these customized versions can facilitate the inclusion of undesired apps or bloatware. For instance, in 2019, Samsung pre-installed the Facebook app on its phones, allowing users only the option to disable it; however, it was later revealed to be a placeholder app. Nevertheless, in more malicious instances, customized versions can come with preinstalled malware.

That is precisely the case with the Dragon Touch Tablet. Researchers discovered that it harboured the notorious Corejava malware, as evidenced by the presence of directories such as “/data/system/Corejava” and “/data/system/Corejava/node” in the tablet’s firmware. These directories indicated the active presence of Corejava on the device. Another red flag was the inclusion of links to other manufacturers and unusual requests originating from the tablet.

Researchers initially powered on the tablet after the C2 servers of Corejava were taken down to prevent any attempts to download malicious payloads. However, the absence of any noticeable activity suggested a residual remnant of the malware, resembling a ‘copied homework,’ possibly a result of hurried production or left for potential future activities.

Moreover, this tablet was preloaded with Adups, which serve as “firmware over the air” (FOTA) update software and is also found on Android TV boxes. It was incorporated into the system under the name “Wireless Update.”

Adups is classified as malware, although there are supposedly “clean versions,” and one such version was present on this tablet. Adups comes preinstalled with the Dragon Touch OEM, and even after a factory reset, the application reappears, making it impossible to uninstall or disable.

Researchers also noted a significant correlation between Android TV box sellers and the Dragon Touch tablet. The group had registered multiple brands and shared an address with the tablet on Walmart. This led to the conclusion that all devices associated with this seller should undergo thorough scrutiny.

The Dragon Touch tablet is equipped with an outdated KIDOZ app that is apparently adware. Despite being COPPA Certified, this app functions as a mini operating system. Notably, its referrer, Tablet Express, is no longer operational.

This suggests that Dragon Touch has repurposed an old version of the app, which continues to collect and send data to Kidoz.net. The information includes details such as device model, brand, country, screen size, timezone, click events, view events, logtime of events, and the unique KID ID.

Furthermore, researchers discovered that the app Kids Paint FREE transmits precise GPS coordinates to an ad server, even though the server itself does not exist. This raises concerns about the privacy and security implications of the tablet’s preinstalled applications.

“This leakage of device-specific information over primarily HTTP (insecure) web requests can be targeted by bad actors who want to siphon information either on the device or by obtaining these defunct domains,” EFF blog post read.

Despite Amazon’s efforts to combat fake reviews, the marketplace giant needs to do more to address the escalating cybersecurity concerns, particularly when the targets are vulnerable children.

****_RELATED ARTICLES_****

1.  **Malware duo pre-installed on cheap Android phones**
2.  **Researcher finds pre-installed keylogger in HP laptops**
3.  **Pre-installed Android malware made $115k revenue in 10 days**
4.  **There is a Pre-Installed Backdoor in OnePlus 5, 3 and 3T Devices**
5.  **Amazon, a safe haven for Android Tablets with pre-installed malware**

Popular Dragon Touch Tablet for Kids Infected with Corejava Malware

By Deeba Ahmed
Scammers taking advantage of a humanitarian crisis? Well, who saw that coming...
This is a post from HackRead.com Read the original post: Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam

Cybersecurity researchers reveal a new crypto donation scam manipulating the humanitarian crisis in Gaza, with scammers preying on sympathy for Palestinian children to solicit funds – Over 200 individuals and numerous organizations have fallen victim to the elaborate scheme.

Cybersecurity researchers at Abnormal Security have uncovered a deceptive new crypto donation scam exploiting the humanitarian crisis in Gaza where scammers trick users by generating sympathy for Palestinian children to request donations. Around 212 individuals across 88 organizations have become targets of this charity attack.

Threat actors like to capitalize on geopolitical events as trapping people and gaining sympathy becomes easier. We witnessed the same in the case of the missing Malaysian flight MH370, how scammers propagated fake videos and images, falsely claiming that the missing jet was found in the Bermuda Triangle. In reality, they exploited the incident to spread malicious links.

In the latest fraud campaign, scammers send emails that are apparently sent by a group called “help-palestinecom.” The sender urges the recipients to contribute to their campaign to support Palestinian families.

It is worth noting that scammers ask for donations in cryptocurrency ranging from $100 to $5000 and include cryptocurrency wallet addresses for Bitcoin, Ethereum, and Litecoin to avoid being tracked.

Unsuspecting users fall for the lure and donate, thinking that this money would help provide Palestinian children with basic needs such as medical care, clean water, and internet access. 

To enhance the email’s legitimacy, the scammers have included links to three of the latest news articles on the impact of the conflict on children. Moreover, they have strategically used emotionally stirring language to emphasize the challenges of children in Palestine.

For instance, they used “children in Palestine face unimaginable challenges daily,” “a lifeline for these children caught in the crossfire,” and “the children in Palestine are dying.” To avoid detection, scammers have used multiple tactics, including spoofing the email address of an Indian stock brokerage firm Goodwill Wealth Management and creating a fake domain.

According to Abnormal Security’s CISO and advisory author, Mike Britton, legacy secure email gateways (SEGs) fail to detect this scam because of social engineering techniques used by scammers and the absence of apparent indicators such as grammatical errors or payloads. Britton emphasized the need for AI-based email security solutions that could distinguish between malicious and genuine content.

“AI-powered email security platform is trained to identify social engineering tactics, it recognizes that this email is attempting to leverage emotional manipulation to convince the target to bypass rational thinking and quickly transfer funds. It can also detect and flag the mismatch between the sender’s email and the reply-to address, as this is a common attack tactic,” Britton explained.

The scam email sent by scammers for a crypto donation scam (Credit: Abnormal Security)

The scam is the latest to join the manipulative attacks exploiting ongoing geopolitical crises. The FBI issued warnings on 6 and 14 November 2023 to alert users about fraudsters attempting to exploit the war in Gaza.

The bureau highlighted that fraudsters can use emails, social media, cold calls, crowdfunding sites, and charities/fundraisers to solicit payments. FBI warnings noted that apart from opportunistic cybercriminals, terrorist organizations can also establish fake charities to “subsidize their operations.”

Users are, therefore, advised to exercise caution and verify the legitimacy of the sender and their claims before donating.

****_RELATED ARTICLES_****

1.  **Scammers using fake WHO Bitcoin wallet to steal donation**
2.  **Ransomware group donates $20,000 in BTC to two charities**
3.  **US disrupts 3 cryptocurrency campaigns run by terror groups**
4.  **Black Lives Matter movement exploited to spread Trickbot malware**
5.  **Indian PM Modi’s Twitter handle hacked to ask for Bitcoin donations**

Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam

By Deeba Ahmed
Czech Republic Police Expose 'Fake Bankers' Gang in $8.7 Million Vishing Operation.
This is a post from HackRead.com Read the original post: Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

Europol Warns of Growing Vishing Trend as Criminals Exploit Phone Calls for Massive Financial Gains

Ukrainian and Czech police under the supervision of Europol have dismantled a criminal gang that stole millions of dollars from bank customers in Czechia through vishing scams. According to Europol’s press release, the police also arrested ten suspects (aged 18-29) in connection with the multimillion-dollar fraud ring.

A joint investigation was initiated by Europol that led to the arrest of four individuals in Czechia and six in Ukraine in April 2023. Those arrested from Ukraine were later extradited to Czechia.

During the crackdown, investigators seized SIM cards, mobile phones, and computer equipment from the suspects’ vehicles, call centers, residences, and offices located in Czechia (Domazlice, Rokycany, and Plzen) and Ukraine (Dnipropetrovsk). Some of the suspects had a history of drug offences, violent crimes, and document forgery.

The criminal organization, based in Ukraine, conducted vishing attacks against Czech victims. They operated from call centers in Ukraine and called bank customers using spoofed phone numbers, posing as bank security officers. This scamming method is called vishing (created by combining voice and phishing).

The targets were told that their bank account was hacked and lured into revealing their banking data, such as credit card numbers, login credentials, and other details. Scammers also made phone calls pretending to be a police official to confirm the hacking.

After gaining trust, the scammers persuaded their victims to transfer funds from their “compromised” bank accounts to “safe” bank accounts, which the scammers owned. Through these scams, the fraudsters made approximately $8.7 million (€8 million) from victims in Czechia alone.

The Czech Republic police uncovered this scam. In November 2021, they contacted Eurojust to launch an investigation. Europol then formed a joint investigation team in June 2022, comprising Europol’s European Cybercrime Centre (EC3) officials and the Czech and Ukrainian investigators. The agency organized five meetings to facilitate judicial cooperation between the authorities.

The police called the gang’s activities one of the **“most extensive series of frauds committed through fake bankers.”** Currently, Europol is conducting analytical work and providing digital forensic support for the confiscated equipment.

Image via Czech Republic police

Vishing fraud has become more widespread and popular lately. It usually involves someone pretending to be from a reputable organization, institution, or government agency and deceiving people into disclosing confidential, personal data.

The severity of vishing scams is highlighted by the September 2023 incident when the notorious ALPHV (BlackCat) ransomware gang exploited vishing to deceive an MGM Resorts employee, enabling them to breach the company’s security and compromise its network.

To protect yourself from such scams, always be cautious of unsolicited phone calls, note the caller’s phone number, and tell them you will call back and quickly verify their identity by calling the organization.

Don’t believe any caller if they have basic information about you because it could be taken from social media. Lastly, keep your credit/ debit card PIN or online banking password private because bank representatives would never ask for this information.

****_RELATED ARTICLES_****

1.  **Police Dismantle SIM Swapping Gang in Spain**
2.  **48 DDoS-hiring Services Busted by FBI in Major Sweep**
3.  **Cisco Breach – Employee’s Google Account was Hacked**
4.  **The Types of Phishing Attacks and How to Dodge All of Them**
5.  **SpyNote Spyware Using SMS Phishing Against Banking Customers**

Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

By Deeba Ahmed
Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments.
This is a post from HackRead.com Read the original post: Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Google has discovered a new security vulnerability in Intel CPUs that could let attackers execute code on vulnerable systems. The vulnerability has been named “Reptar” by Google and affects numerous Intel CPUs, including those utilized in cloud computing environments.

****What is Reptar Vulnerability?****

Reptar is a side-channel vulnerability tracked as CVE-2023-23583. It allows attackers to leak information from a vulnerable system and use it to steal sensitive data such as credit card numbers, passwords, etc.

The vulnerability was discovered by Google’s Information Security Engineering team, which notified Intel and industry partners about the issue, and mitigations were rolled out before its public disclosure.

****How Was Reptar Discovered?****

According to Google’s blog post, a company’s security researcher discovered it in the way the CPU interprets redundant prefixes, and if successfully exploited, it allows attackers to bypass the CPU’s security boundaries.

For your information, prefixes allow users to change how instructions behave by disabling/enabling different features. Those prefixes that don’t make sense or conflict with other prefixes are called redundant prefixes. Such prefixes are generally ignored.

****How does Reptar work?****

Reptar works by exploiting an issue in the way speculative execution is handled by Intel CPUs. Speculative execution is a technique that allows CPUs to execute instructions before being fully validated. Although this technique is time-saving, it can make CPUs vulnerable to side-channel attacks.

The Reptar vulnerability is a serious risk to multi-tenant virtualized environments, where the exploit causes the host machine to crash on a guest machine, resulting in a denial of service to other guest machines connected to the same host. In addition, it could lead to privilege escalation or information disclosure.

In a multi-tenant virtualized environment, multiple tenants share the same physical hardware, so if one tenant is infected with Reptar, the attacker has access to the other tenants’ data through the same vulnerability.

Aubrey Perin, Lead Threat Intelligence Analyst at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions commented on the issue stating, “Unmitigated, this bug could be serious as an attacker could start testing to see if there is any order to the seemingly random outputs. As it stands, it sounds more like an oddity that could be used to take systems down.”

Mr Perin further explained that “Without reviewing the catalogue of patches, it’s hard to say that it’s atypical of the bugs usually found. In this case, where it can cause crashes, security teams should definitely prioritize the patch implementation to eliminate the risk of failure.”

“Researchers do find vulnerabilities all the time, often for bounty, and it benefits users when responsible disclosure practices are followed. Google is a very good practitioner of responsible disclosure, and you can often find references to the researcher or organization who disclosed the vulnerability in the notes associated with patches,” he added.

****Intel’s Response****

Intel has released an advisory to confirm the issue, explaining that the issue was discovered in some Intel processors caused by an error in the CPU’s handling of redundant prefixes. The company has released a patch for the issue. It was assigned a CVSS score of 8.8 and declared a High-security vulnerability.

This CPU vulnerability impacts several Intel desktop, mobile, and server CPUs., including 10th Generation Intel® Core™ Processor Family, 3rd Generation Intel® Xeon® Processor Scalable Family, Intel® Xeon® D Processor, and 11th Generation Intel® Core Processor Family, and CPUs used in cloud computing environments, etc.

The company is working on a long-term fix. In the meantime, it is advising users to patch their devices immediately.

****_RELATED ARTICLES_****

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **Plundervolt: A new attack on Intel processors threatening SGX data**
3.  **High severity Intel chip flaw left cars, medical, IoT devices vulnerable**

Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

By Deeba Ahmed
The Ddostf Botnet was initially identified in 2016.
This is a post from HackRead.com Read the original post: Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

Researchers claim that the Chinese Ddostf botnet is specifically designed for launching DDoS attacks and that the threat actors are operating a DDoS-for-hire service.

AhnLab Security Emergency Response Center (ASEC) researchers have shared alarming **details** of a new campaign targeting MySQL servers and Docker hosts with DDoS malware.

AhnLab noted that attacks targeting MySQL servers on Windows systems have increased sharply, and vulnerable servers are infected with the Chinese botnet Ddostf, **discovered** in 2016.

Researchers claim that this malware is specifically designed for launching DDoS attacks and that the threat actor is operating a **DDoS-for-hire service**.

According to the AESC blog post, threat actors scan for exploitable MySQL servers. After compromising the servers, threat actors install the Ddostf DDoS botnet to launch distributed denial-of-service (DDoS) attacks against other servers.

**MySQL servers** are a common target in such campaigns because of their widespread use in Windows and Linux environments. Although MS-SQL is a preferred database service for Windows users, MySQL servers are also commonly used on Windows, which makes the systems running them a prime target for cybercriminals.

Based on data from AhnLab’s Smart Defense (ASD) logs, most malware targeting vulnerable MySQL servers were **Gh0st RAT** variants, but instances of **AsyncRAT** were also observed and recently, there’s been an uptick in the use of the Ddostf botnet.

Ddostf is a powerful malware that copies itself with a random name in the %SystemRoot% directory and registers as a service before decrypting the encrypted C2 server URL string to connect to the attackers’ server. It can collect system data and transfer it to the C2 server. Then it waits for specific commands (e.g., SYN, UDP, and HTTP GET/POST floods) to launch the **DDoS attacks**.

The botnet is unique because it can connect to a new address from the C2 server and execute commands there for a limited time. This helps the Ddostf botnet operator to infect multiple systems and sell DDoS attacks as a service. Ddostf can target Linux and Windows systems because of supports both ELF and PE formats and can achieve persistence. 

Attackers first scan for publicly accessible systems using port 3306/TCP and after accessing the server (those with known vulnerabilities or weak credentials), they use brute-force or dictionary attacks on the system.

If the system has signs of poor credential management, attackers can gain access to administrator account credentials. If the system runs an **unpatched version with vulnerabilities**, attackers can exploit them to execute commands without needing these processes. Unlike MS-SQL, which entails direct OS command execution methods, MySQL relies on UDFs (User-Defined Functions) that can allow threat actors to execute commands.

They can also install malicious UDF DLLS on infected MySQL servers and execute commands. Like CLR Stored Procedure WebShell work, these DLLs can provide threat actors complete control of the infected system. In the case of the Ddostf DDoS bot, attackers use the UDF malware as a tool to install it on poorly managed MySQL servers.

Database servers get frequently targeted because of poorly managed account credentials. Administrators must use strong passwords apart from applying the latest patches to protect their servers. Firewalls can be used to restrict access to external actors, and a DDoS mitigation service can help protect against **large-scale attacks**.

****_RELATED ARTICLES_****

1.  **Who Killed the Mozi IoT Zombie Botnet – India or China?**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks**
4.  **How Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
5.  **Chinese Scammers Exploit Cloned Websites in Vast Gambling Network**

Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

By Deeba Ahmed
Yet another day, another instance of a Google service being exploited for spreading malware infections.
This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

According to eSentire, the ALPHV ransomware gang is employing the Nitrogen malware in the ongoing attacks.

Cybersecurity experts at eSentire, a leading global cybersecurity solutions provider, have published details of an ongoing attack campaign from Russian-speaking affiliates of the notorious **ALPHV (aka BlackCat)** ransomware gang.

According to eSentire’s Threat Response Unit (TRU) researchers, key targets in this campaign are public entities and corporations in the Americas and Europe. Over the last three weeks, these affiliates have breached a manufacturer, a law firm, and a warehouse provider within eSentire’s customer network, apart from other firms. However, eSentire’s security research team thwarted and neutralized these attacks.

Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts.

Furthermore, they observed that BlackCat affiliates have expanded their attack tactics substantially to include malvertising. In this campaign, the attackers place **deceptive Google ads** promoting popular software like Advanced IP Scanner, WinSCP, Slack, or Cisco AnyConnect to trick business professionals into visiting certain websites.

In reality, these attacker-controlled websites deliver Nitrogen malware under the guise of authentic software. They lure users by placing malicious ads at the top of search results for keywords relevant to businesses, for instance, ‘ **cloud backup solutions**.’

They can also use the name of a fictional company to lure their targets into clicking on the ads. These cyberattacks seem to be part of a larger campaign involving malicious ads for WinSCP placed on both Google and Bing search results by ALPHV/BlackCat affiliates.

“The malvertising attacks they shut down in the past three weeks on behalf of the law firm and manufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat Ransomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the ALPHV/BlackCat ransomware” eSentire’s **blog post** revealed. 

Nitrogen is an initial-access malware **discovered** in June 2023. It uses obfuscated Python libraries and DLL sideloading to evade detection and hide its attack path after infection.

After getting installed, it lets attackers gain a foothold in the targeted entity’s IT environment. Attackers can then infiltrate deeper and launch malware of their choice. In the ongoing campaign, victims are typically infected with ALPHV/BlackCat ransomware, eSentire TRU’s senior threat intelligence researcher Keegan Keplinger noted.

For your information, the ALPHV/BlackCat ransomware gang is known for its $100 million **MGM Resorts breach**. Its attack tactics have evolved from experienced ransomware operators such as the Colonial Pipeline attack fame **DarkSide**, REvil, and BlackMatter. Some of its prominent affiliates include Scatted Spider, FIN7, and UNC2565. 

The BlackCat/ALPHV ransomware presents a significant threat to businesses and unsuspecting users. The severity is underscored by the FBI’s release of Indicators of Compromise (IoC) **last year** (PDF).

Considering that ransomware operators are now exploiting **social media and Google Ads** to reach a wider audience, business owners should remain cautious of unexpected ads or too-good-to-be-true offers.

Always verify the legitimacy of the company offering the ad before clicking on it. Never download software from unknown/unverified sources, and use a reputable anti-malware program.

****_RELATED ARTICLES_****

1.  **Hackers use Google Ads to steal $50 million of Bitcoin**
2.  **Google Ads Malware Wipes NFT Influencer’s Crypto Wallet**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Fake Brave browser website dropped malware, thanks to Google Ads**
5.  **Ad-blocker Chrome extension AllBlock injected ads in Google searches**

ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

By Waqas
Apart from displaying these messages, the packages performed no other actions. This indicates that these aren't malicious per se.
This is a post from HackRead.com Read the original post: New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine

Protestware is a controversial form of activism. Some people believe that it is a necessary evil to draw attention to important issues. Others believe that it is a harmful and unethical practice.

Cybersecurity researchers at ReversingLabs, a prominent software supply chain security provider, have discovered a new wave of Protestware involving **npm packages** hiding scripts that bring attention to the humanitarian crisis in two conflict-ridden regions- Ukraine and the Gaza Strip.

Reversing Labs’ cyber content lead and blog author, Peter Roberts explained that protestware is a unique kind of cyberactivism in which the actor utilizes the ‘open-source software ecosystem’ to record protests against social or political issues. They embed code into the software, which, when installed or used, triggers a message or other action that draws attention to the protestware developer’s cause.

“Application developers conceal political messages inside open source code, often designing it to display to the user after an application is installed or when it is executed,” the **blog post** read.

The same method has been used to call attention to the wars in Ukraine and Gaza. Protestware developers have created software that displays messages condemning the violence. 

In the latest campaign, two different protestware samples were found by researchers. The first one used a popular Node.js package manager npm version, **e2eakarev npm package**, version 7.1.0, published in late October 2023, by an npm user, ‘~updater.downloader.’ It claims to be a ‘free Palestine protest package,’ and has been downloaded eight times so far.

ReversingLabs researcher Lucija Valentić discovered that after installation, this package triggers a postinstall script (index.js) that first checks the location where it is launched. If it is Israel, the package displays an English-language message in the terminal, urging the reader to raise awareness for the ‘Palestinian struggle,’ support the “Boycott, Divest, Sanction (BDS) movement,” and donate to humanitarian aid. The message bears the sign “The Anonymous Protestor.” 

Another package, dubbed “@snyk/sweater-comb”, was discovered, version 2.1.1. This npm package was released in August 2023 by Snyk and included a common JavaScript library module called “es5-ext” (already used in many other applications, including Signal Messenger’s installation executable for Windows). The protestware feature was added to this package in early March 2022, as per Checkmarx’s **report**.

Screenshot: ReversingLabs

When installed, the module executes a postinstall script ‘\_postinstall.js’ that first checks the host device’s geolocation. If it is Russia, a message in the Russian language is displayed urging for peace in Ukraine. 

Tomislav Peričin, Chief Software Architect at ReversingLabs, expressed concern over the rising vulnerabilities and software supply chain attacks, stressing that political messages could escalate over time.

> _“The risks that developers and software consumers face have never been higher, including political messages. Having software perform random acts of political activism does little for the specific cause. But it does decrease the private sector’s already shaky trust in software.”_
> 
> Tomislav Peričin

Referring to the worldwide condemnation of the **Russian invasion of Ukraine**, and the resulting sanctions imposed on Russia, the message encourages readers to download the Tor browser or visit a webpage to circumvent censorship. 

Apart from displaying these messages, the packages performed no other actions. This indicates that these aren’t malicious per se.

Protestware may appear similar to ethical hacking, but it does highlight the persistent nature of risks associated with the open-source software ecosystem. Threat actors can easily manipulate users by exploiting popular applications in the name of protestware.

****_RELATED ARTICLES_****

1.  **Does Hacktivism Really Equal Terrorism?**
2.  **Anonymous hacked Russian TV with Ukraine war footage**
3.  **Anonymous sent 7m texts to Russians, hacked 400 security cams**
4.  **Ukrainian Hacktivists Trick Russian Military Wives for Personal Info**
5.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**

New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine

By Waqas
The data breach does not include passwords or financial data.
This is a post from HackRead.com Read the original post: Samsung Data Breach: Hackers Steal Data of UK Customers

As per Samsung, the data breach was a result of a vulnerability in a third-party business application.

Samsung has notified its customers in the United Kingdom that a data breach has exposed the personal information of thousands of individuals. The breach impacted customers who made purchases on the company’s UK online store between July 1, 2019, and June 30, 2020.

The company discovered the breach on November 13, 2023, and determined that an unauthorized individual exploited a vulnerability in a third-party business application to access customer data. Samsung has not disclosed the identity of the hacker.

The affected personal information may include names, addresses, phone numbers, and email addresses. Samsung has assured its customers that financial information and passwords were not accessed in this breach.

The email from Samsung to the impacted user said, “On 13 November 2023, it was determined that an unauthorized individual exploited a vulnerability in a third-party business application we use and that some personal information of certain customers who made purchases on SEUK’s eCommerce site between July 1, 2019, and June 20, 2020, was affected.”

Email sent by Samsung to UK customers – Screenshot: Michael Valentine @KwyjiboUK – via X (Twitter).

It’s worth noting that Samsung confirmed to Hackread.com that only its UK customer base was affected by the data breach. Users in the United States, Canada, South Korea, and elsewhere have no cause for concern.

Samsung has reported the incident to authorities, including the UK’s Information Commissioner’s Office, responsible for enforcing the UK General Data Protection Regulation (UK GDPR).

This data breach is separate from the one that Samsung announced in September 2022, impacting only the company’s US customers. The incident resulted in the breach of private user data, including names, dates of birth, product registration data, demographic information, and contact numbers.

The latest announcement is not an isolated incident. Samsung has a history of being targeted by hackers due to its large-scale customer base, with over 992.4 million active Samsung smartphone owners in 2020. Previously, the South Korean technology giant was hacked by Lapsus$ hackers, who leaked the company’s source code online in March 2022.

Nevertheless, the latest Samsung data breach announcement is a reminder of the importance of protecting personal information. Consumers should take steps to protect themselves from identity theft and fraud, such as using strong passwords, avoiding phishing scams, and regularly reviewing their financial statements.

****_RELATED ARTICLES_****

1.  **Research claims Samsung Galaxy Store apps spread malware**
2.  **Hackers can hijack Samsung phones by knowing phone number**
3.  **Hackers used Samsung website to access Sprint’s customer data**

Samsung Data Breach: Hackers Steal Data of UK Customers

By Deeba Ahmed
The vulnerabilities were discovered by cybersecurity researchers at Bitdefender.
This is a post from HackRead.com Read the original post: Google Workspace Vulnerabilities Lead to Network-Wide Breaches

Bitdefender informed Google of validated attack methods, but the tech giant won’t address them, citing misalignment with its threat model and confidence in existing security measures.

Bitdefender Labs, a Native XDR platform, has released its findings on novel attack techniques exploiting Google Workspace (formerly G Suite). According to Bitdefender’s technical report authored by Martin Zugec, threat actors can escalate a single compromised machine into a network-wide breach using previously unknown methods, leading to the deployment of ransomware or data exfiltration.

Researchers found the issues when developing their XDR sensor for Google Cloud Platform (GCP) and Google Workspace. The report, published on 15 November 2023 and shared with Hackread.com ahead of publication, highlights different pathways to achieve this escalation.

Researchers noted that from a single compromised machine, attackers could move laterally to multiple cloned machines with Google Credential Provider for Windows (GCPW) installed, evade multi-factor authentication mechanisms, and access the cloud platform with custom permissions. They can even decrypt locally stored credentials used to recover passwords to expand their attack scope beyond the Google platform.

For your information, GCPW enables remote Windows device management features without requiring a VPN connection or domain registration. It allows SSO (single-sign-on) authentication to Windows OS with Google Workspace credentials.

The GCPW uses a local ‘Gaia’ service account to authenticate users with Google Workspace credentials. This account is created when GCPW is getting installed and has escalated privileges.

The feature integrates a Credential Provider into the Local Security Authority Subsystem Service (LSASS) that performs authentication in Windows OS. This Credential Provider verifies user credentials when they unlock or log into their devices.

When a new user authenticates with GCPW, the created ‘Gaia’ account creates a new local user account for them, which is linked with their Workspace account. The user logs in using this local profile, and a refresh token is stored in their profile to prevent multiple authentication prompts.

Let’s examine the attack methods Bitdefender researchers have identified in their blog post.

****Method 1: Moving to other cloned machines with GCPW installed****

It is worth noting that the ‘Gaia’ account is created with a random password, and therefore, despite existing on all machines, each will have a unique password for ‘Gaia.’ But if a machine is created by cloning another one on which GCPW is already installed, the password would also get cloned. So, if one knows the password of a local account and all local accounts linked with the devices share the same password, one will know passwords to all these devices.

****Method 2: Gaining access to the cloud platform with custom permissions****

An adversary can exploit a vulnerability in GCPW to access the GCP with custom permissions by using the ‘Gaia’ service account and creating a service account key with custom permissions. They can use the key to authenticate with GCP.

****Method 3: Decrypting locally stored passwords****

Attackers can use the ‘Gaia’ service account to decrypt locally stored passwords using the account’s access to the Windows Credential Manager. They can use the stored credentials to authenticate with other services or applications.

These attack methods allow escalation of compromise from a single endpoint to an entire network.

Bitdefender notified Google, and the search engine giant confirmed that their discovered attack methods were valid. However, the company does not intend to address them at the moment because they do not fall into its predetermined threat model, and security measures should be enough to counter them.

Bitdefender has included detections for the attacks in GravityZone XDR to help the security community address them.

****_RELATED ARTICLES_****

1.  **Google Account Sync Vulnerability Exploited to Steal $15M**
2.  **Google Indexed Trove of Bard AI User Chats in Search Results**
3.  **Hive Ransomware is now as Hunters International, Bitdefender**
4.  **Phishers Exploiting Google Docs to Harvest Crypto Credentials**
5.  **Fantom Foundation Suffers Wallet Hack Via Google Chrome Flaw**