**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

With Google's announcement of seven years of support, other smartphone makers risk falling behind.

Consumers want their devices to be secure and need to be supported for longer, according to Omdia's new survey of 1,578 consumers across 13 major countries in the Americas, Asia & Oceania, and Europe in September 2023. Google and Fairphone are pushing this forward, but governments are also stepping in to ensure security is taken seriously —  benefiting consumer safety and the environment.

**The Need for Security Updates**

While every effort can be put in place by a device manufacturer to ensure the device is "secure by design" or even certified to regulatory or standardized requirements, vulnerabilities are constantly evolving. Updates are key to ensure that new vulnerabilities are found and remediated in a timely manner.

This is happening as consumers increasingly use their mobile phones for sensitive activities such as online banking, identity verification and even relying on services such as Apple or Google Pay.

The update support period is therefore crucial, as well as the frequency of updates and the ability for security-specific updates to be rolled out independent of wider software updates — which is now offered by many of the leading smartphones.

**How Much Support Do Consumers Need?**

Security update periods and replacement cycle rates are frequently a topic of discussion among those pushing for sustainable tech. There's also skepticism as to how long devices should realistically be updated for, with some questioning the usefulness of five-year+ support.

However, shedding light on the actual usage of mobile devices makes it clear that the longer the support, the better — for both security and sustainability. As such, we asked consumers how long they are using their smartphones.

Security updates for many phones under $500 only last two years, yet 56% of consumers used their previous phone for longer. While premium phones typically have five years' support, more than 5% reported that they kept their previous phone longer — beyond the support of any phone available at the time. This also doesn't take into account how late after release the consumer is buying it; if you bought a Samsung Galaxy S22 Ultra now, you'd get a little over three years of support. If you bought a refurbished iPhone 11, you'd get under 1 year. This is effectively stifling a growing second-hand phone market — and leaving those devices potentially vulnerable.

Currently the only phones to offer more than five years of guaranteed security updates are the Google Pixel 8 and Pixel 8 Pro (seven years) and the Fairphone 5 (eight years). Longer updates can help to slow replacement and production rates, effectively keeping working phones in consumers' hands for longer. By reducing phone production, it drastically reduces the environmental impacts of the smartphone industry.

    

Source: Omdia

**Who's Responsible?**

Fifty percent of consumers believe it should be the operating system developer (either Apple or Google) that is responsible for the security of their smartphone. However, how long a phone is supported is primarily down to the device maker and its negotiations with the chipset maker.

Apple and Google are in the unique position of making their own chip, device, and operating system. They are, therefore, their own arbiters. This is likely how Google can commit to seven years — but for Samsung and other Android brands, it would be a more complex process.

Ultimately, regulatory pressure, discussed below, will put mandatory security requirements on device manufacturers, and in some cases importers and distributors, to ensure device update transparency.

    

Source: Omdia

**Security Is a Key Purchase-Driver**

Consumers have security top-of-mind when considering their next phone. Forty-six percent confirmed better security features would be a purchase driver, while just 7% said no.

Sixty-nine percent of survey respondents said good security features were critical or important when deciding which smartphone to purchase, although this is second to key hardware specs such as long battery life, durability, and processor speed. When comparing two similar phones, security and brand trust could become the most important and deciding factor.

**Governments, Policymakers and Standards Bodies Must Step In**

There has historically been a lack of standardization and transparency from equipment manufacturers on security measures for their devices. As a result, governments and standards bodies are developing standards to define baseline requirements, defining product labels to increase consumer visibility and choice, and eventually mandating minimum security requirements.

For example, while Apple has historically given five years of support, it's not transparent at launch; if you just bought a new iPhone 15, you have no official commitment from Apple that it will be supported for two years or five. But with the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the support period must be stated at the point of sale, from April 2024.

The UK PSTI is just one example, with guidance and legislation being proposed in the US, EU, China, Japan, Korea, and more. While mobile devices are sometimes out of the scope of IoT legislation and government guidance, the proposed EU Cyber Resilience Act will include operating systems for mobile devices — mandating security updates for at least five years, among other requirements.

All manufacturers of connected devices should prioritize and adopt standards and guidance such as the widely referenced ETSI EN 303 645 (Cybersecurity for Consumer IoT) or TS 103 732 (Consumer Mobile Device Protection Profile) to future-proof for upcoming regulation. Further, although at the current time labelling is voluntary, device makers can and should ensure and empower consumer choice by opting in to labelling and certification schemes.

Longer Support Periods Raise the Bar for Mobile Security

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication. 


This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-175607
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2023-41255
        *   Base Score: 8.8 (High)
    *   CVE-2023-41372
        *   Base Score: 7.8 (High)
    *   CVE-2023-41960
        *   Base Score: 7.1 (High)
    *   CVE-2023-43488
        *   Base Score: 7.9 (High)
    *   CVE-2023-45220
        *   Base Score: 8.8 (High)
    *   CVE-2023-45321
        *   Base Score: 8.3 (High)
    *   CVE-2023-45844
        *   Base Score: 7.3 (High)
    *   CVE-2023-45851
        *   Base Score: 8.8 (High)
    *   CVE-2023-46102
        *   Base Score: 8.8 (High)
*   **Published:** 20 Oct 2023
*   **Last Updated:** 25 Oct 2023

**Summary**

The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities.

Furthermore, the "Android Agent" application which is shipped with the ctrlX WR21 HMI contains multiple flaws, which in a worst case scenario might allow an attacker to execute arbitrary commands on the device.

**Affected Products**

Vendor Name

Product Name

Affected versions

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2107)

all

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2110)

all

Bosch Rexroth AG

ctrlX HMI Web Panel - WR21 (WR2115)

all

**Solution and Mitigations****Solution**

An updated firmware version will be published soon. This version prevents that an attacker with physical access to the device might gain root access.

Furthermore, the application "Android Agent" will be removed entirely.

This advisory will be updated as soon as the new version becomes available. Users are strongly advised to upgrade to the new version.

**Mitigation**

Until the updated version becomes available, users are strongly advised not to use Google Chrome for the Kiosk mode. As an alternative, the WebStation app may be used for this purpose.

Android Agent should not be used at all.

**Vulnerability Details****CVE-2023-41255**

CVE description: The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network.

*   Problem Type:
    *   CWE-306 Missing Authentication for Critical Function
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**CVE-2023-41372**

CVE description: The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible by forging a valid broadcast intent encrypted with a hardcoded RSA key pair

*   Problem Type:
    *   CWE-798 Use of Hard-coded Credentials
*   CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 7.8 (High)

**CVE-2023-41960**

CVE description: The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself.

*   Problem Type:
    *   CWE-926 Improper Export of Android Application Components
*   CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
    *   Base Score: 7.1 (High)

**CVE-2023-43488**

CVE description: The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the physical access through USB.

*   Problem Type:
    *   CWE-862 Missing Authorization
*   CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
    *   Base Score: 7.9 (High)

**CVE-2023-45220**

CVE description: The Android Client application, when enrolled with the define method 1(the user manually inserts the server IP address), use HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.

*   Problem Type:
    *   CWE-306 Missing Authentication for Critical Function
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**CVE-2023-45321**

CVE description: The Android Client application, when enrolled with the define method 1 (the user manually inserts the server IP address), use HTTP protocol to retrieve sensitive information (IP address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user. Due to the lack of encryption of HTTP,this issue allows an attacker placed in the same subnet network of the HMI device to intercept username and password necessary to authenticate to the MQTT server responsible to implement the remote management protocol.

*   Problem Type:
    *   CWE-319 Cleartext Transmission of Sensitive Information
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    *   Base Score: 8.3 (High)

**CVE-2023-45844**

CVE description: The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device settings such as the device power management or eventually the device secure settings (ADB debug).

*   Problem Type:
    *   CWE-284 Improper Access Control
*   CVSS Vector String: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 7.3 (High)

**CVE-2023-45851**

CVE description: The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.

This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

*   Problem Type:
    *   CWE-306 Missing Authentication for Critical Function
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**CVE-2023-46102**

CVE description: The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of MQTT to implement the remote management of the device is encrypted with a hard-coded DES symmetric key, that can be retrieved reversing both the Android Client application and the server-side web application.

This issue allows an attacker able to control a malicious MQTT broker on the same subnet network of the device, to craft malicious messages and send them to the HMI device, executing arbitrary commands on the device itself.

*   Problem Type:
    *   CWE-798 Use of Hard-coded Credentials
*   CVSS Vector String: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 8.8 (High)

**Remarks****Acknowledgement**

**These vulnerabilities have been uncovered and disclosed responsibly by Diego Giubertoni from Nozomi Networks. We thank him for making a responsible disclosure with us.**

**Security Update Information**

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

**CVSS Scoring**

Vulnerability classification has been performed using the CVSS v3.0 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Bosch Rexroth Advisory: https://www.boschrexroth.com/en/dc/product-security/security-advisories/

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   25 Oct 2023: Added CVE list
*   20 Oct 2023: Initial Publication

CVE-2023-45851: Multiple vulnerabilities on ctrlX HMI Web Panel - WR21

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: hong kong

Tags: malware

Tags: whatsapp

Tags: telegram

Ads on Google for popular communication apps are used as a lure to compromise the devices of people from Hong Kong.



(Read more...)




The post Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram appeared first on Malwarebytes Labs.

Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users. A recent article from the South China Morning Post discussed an increase in malicious webpages for the popular WhatsApp communication tool, driven via malicious Google ads. The paper described how these ads appeared to be exclusively targeted at people from Hong Kong and have caused losses of about USD$300K last month.

We started investigating this situation and were able to identify what may be a similar campaign. The decoy sites we saw used a similar page than the web version of WhatsApp to trick victims into scanning a QR code to link their new device. Instead, it wasn't the user's device that was added to the WhatsApp account, but rather the threat actor's.

We also found another campaign using an ad for messaging tool Telegram, to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.

We have reported the malicious ads to Google and worked with partners to take down the infrastructure used in these campaigns.

**Malicious WhatsApp ad leads to QR code page**

Just like the South China Morning Post stated that users were seeing malicious ads for WhatsApp, we were able to find one immediately after switching our online profile to use a Hong Kong IP address:

The text of the ad reads as follows (translated from Chinese):

_WhatsApp New Version - WhatsApp Official Authorization_

_We are constantly updating and launching various fun and interesting functions as well as safe and reliable communication applications. Welcome to download and experience it. The cross-platform application brings you a reliable experience, and you can send private messages to your friends at any time._

Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web:

What's interesting, and works well as a lure, is the fact that WhatsApp is not just a mobile phone app, but does indeed have a web version for computers as well. The real domain for it is hosted at web.whatsapp.com and also uses a QR code to add a linked device to your account. What this means is that you can use WhatsApp on your PC or Mac after you scan the QR code and authorize that new device from your phone.

The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp:

The domain used to generate those QR codes (lawrencework\[.\]com) was registered just two days ago. A search on urlscan.io reveals that it is associated with several other fake WhatsApp pages. We tested the QR code by adding it from a burner phone with a brand new WhatsApp account without any previous linked devices. A few seconds later, we saw a new device was added (Google Chrome running on Mac OS):

While we could not get more information (IP address, geolocation) about this new device, we knew it was not ours. When you link a new device to your WhatsApp account, the saved chat history is synced to it. This means that an attacker can essentially read your entire past and future conversations and has access to your saved contacts.

**Telegram ad links to malware**

The second ad we saw related to this campaign was using Telegram as a lure. We know it is related to the above WhatsApp attack because the ad is from the same advertiser.

The text of the ad reads as follows (translated from Chinese):

_telegram official website – telegram Chinese version – telegram download Telegram Chinese version is a Telegram client specially developed for Chinese users. Welcome to the Chinese channel, a new era of information, delivering more exciting information_

It links to a Google Docs page pretending to be a download site:

_Telegram instant messaging - simple, fast, secure and syncs across all your devices. It is one of the most downloaded apps in the world, with over 500 million active users. The latest official Telegram Chinese computer version TG-Chinese version: Click to download TG-PC: Click to download_

The two links (identical) download an MSI installer from the following URL:

kolunite.oss-ap-southeast-7.aliyuncs\[.\]com/HIP-THH-19-1.msi

This installer has been injected with malware, which we can see once we execute it:

**Targeted malvertising and motives**

These two campaigns abusing the WhatsApp and Telegram brands could be used for a variety of reasons. We did not investigate further what the ultimate ploy was, although both lead to data theft, impersonation and malware. The threat actor could use any private information from past conversations, phish the victim's contacts and much more.

This was our first foray into malvertising attacks targeted at Hong Kong. Given that this special administrative region of the People's Republic of China has a long history of tensions with Beijing, we could not help but think that malvertising campaigns such as these could be used for political reasons, although we saw no evidence of it.

Linking additional devices via QR code is a useful feature but it can also easily be abused. It's important to be cautious when scanning QR codes by verifying which site is issuing those. It's a good idea to periodically check which devices have access to your accounts, and revoke any that you don't recognize.

_Thanks to Nathan Collier for the assist with the QR code scanning on Android._

**Indicators of Compromise**

Malicious WhatsApp domains

uaa.vvg2rt\[.\]top  
wss.f8ddcc\[.\]com

QR code hostname

119srv\[.\]lawrencework\[.\]com

Telegram MSI URL

kolunite.oss-ap-southeast-7.aliyuncs\[.\]com/HIP-THH-19-1.msi

Telegram MSI

36d11b18d3345ff743f7b003d10a0820c8c1661dd7dc279434e436de798c3a4b

Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram

By Owais Sultan
Looking for a SaaS SEO consultant? We’ve rounded up the top 15 SaaS SEO experts you need to…
This is a post from HackRead.com Read the original post: 15 Best SaaS SEO Experts That Will Help You Dominate Online

15 Best SaaS SEO Experts That Will Help You Dominate Online

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that lead them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as "Log in with Facebook" or "Log in with Google." 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website's sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a "Pass-The-Token" flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third party site typically owned by the attacker himself to login to another service.

"For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the users token and log in on his behalf to other sites, like Grammarly for instance," Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that's not the end of the story. 

"Just these three sites are enough for us to prove our point, and we decided to not look for additional targets," according to the report, "but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day,"

**Various Ways to Misconfigure OAuth**

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

"This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts," the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn't verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user's credentials and completely take over that user's account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user's account and achieve full account takeover.

**Secure OAuth From the Start**

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

"It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine," he says. "However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

For this reason, it's essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

"Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused," he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

Spanish law enforcement officials have announced the arrest of 34 members of a criminal group that carried out various online scams, netting the gang about €3 million ($3.2 million) in illegal profits.
Authorities conducted searches across 16 locations Madrid, Malaga, Huelva, Alicante, and Murcia, seizing two simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end

Cyber Fraud / Cyber Crime

Spanish law enforcement officials have announced the arrest of 34 members of a criminal group that carried out various online scams, netting the gang about €3 million ($3.2 million) in illegal profits.

Authorities conducted searches across 16 locations Madrid, Malaga, Huelva, Alicante, and Murcia, seizing two simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end vehicles, and computer and electronic material worth thousands of euros.

The operation also uncovered a database with cross-referenced information on four million people that was collated after infiltrating databases belonging to financial and credit institutions.

The scams, which were conducted via email, SMS, and phone calls, entailed the threat actors masquerading as banks and electricity supply companies to defraud victims, in some cases even perpetrating "son in distress" calls and manipulating delivery notes from technology firms.

In one instance, the miscreants reportedly took advantage of a member's position in a multinational technology firm to divert computer and electronic products from suppliers to the criminal entity.

In another scam, the fraudsters gained unauthorized access to customer databases at financial institutions, added funds to customer accounts, and then contacted them to inform them of a supposed erroneous deposit, which they had to pay back by clicking on a bogus link that captured their credentials.

The cybercrime network is also alleged to have made money from offering for sale fake websites of banks, mass message programs, and collected information through specialized forums.

"The leaders of the network used false documentation, made use of spoofing techniques to hide their identity and invested their profits in crypto assets," the agency said.

The development comes months after the Spanish National Police arrested 55 individuals of a Barcelona-based group known as the Black Panthers, who were accused of taking over bank accounts by SIM swapping, stealing about €250,000 from nearly 100 people.

It also follows the discovery of a new money laundering scheme in which China-based scammers are using a combination of counterfeit instant loan apps and India's Unified Payments Interface (UPI) to deceive victims into parting with their funds, according to CloudSEK.

The scam involves creating instant loan Android apps that when installed by victims, seek out their personal and financial information, not to mention coerce them into granting intrusive permissions to extract sensitive data stored in the devices.

"UPI service providers currently operate without coverage under the Prevention of Money Laundering Act (PMLA)," security researchers Sparsh Kulshrestha and Bhavik Malhotra said. "Scammers manipulate mobile numbers associated with victim accounts to initiate illegal transactions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

34 Cybercriminals Arrested in Spain for Multi-Million Dollar Online Scams

Despite warnings that sending one-time passwords via text messages is a flawed security measure, companies continue to roll out the approach, especially in consumer-facing applications.

Following a spate of attacks targeting independent developers on its Steam game-distribution platform, game maker Valve last week said that it will require developers to provide their phone numbers so the company can use SMS for two-factor authentication (2FA) starting Oct. 24. 

"As part of a security update, any Steamworks account setting that builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," the company stated in its notification. "We also plan on adding this requirement for other Steamworks actions in the future."

But since SMS-based two-factor authentication can be circumvented by persistent attackers using a variety of methods, the move raises the question: Why are consumer-facing online services still making SMS the go-to second factor, both internally and for customers?

**SMS-Based 2FA: Not Really Secure**

Getting around SMS two-factor authentication has become a priority among attackers, and indeed, it has been defeated using everything from machine-in-the-middle attacks to social engineering — including, in the infamous Uber breach case, through 2FA fatigue attacks. 

In 2022, for example, a banking Trojan known as Xenomorph compromised more than 50,000 Android devices after the cybercriminal group behind the malware disguised it as a performance utility, according to Tony Anscombe, chief security evangelist for digital security firm ESET.

"In reality, it was stealing the user’s login credentials for banking, payment, social media, cryptocurrency and other apps that have valuable personal information," he says. "The malware abused more than 50 apps, including PayPal and Coinbase, and included the ability to intercept messages and notifications, giving the cybercriminal the ability to bypass two-factor authentication codes.

But even the low-tech approach of just walking into a cellular store (SIM-swapping) or finding a corrupt technician works well, says David Richardson, vice president of endpoint and threat intelligence at cloud security platform Lookout. All an attacker has to do is know the targeted individual's phone number to attack the channel.

"The whole system is basically built on an assumption of trust — I could walk into any store and easily cancel my contract and port my phone number ... to pretty much any carrier," he says. "Basically \[an attacker could\] take over any phone number and start to receive the phone calls and, most importantly in these cases, the SMS messages that are that are going to those to those numbers."

And cellphone numbers are some of the most commonly leaked information on the Internet. The recent compromises of MGM Resorts and Caesars Entertainment, for example, exposed millions of records of business professionals and individual consumers, including phone numbers, which could be used by attackers for further attacks. 

**2FA Is Better Than Nothing**

SMS-based 2FA persists in the face of the insecurity for the simple reason that it's a relatively painless security mechanism for end users: A company merely needs to know is the customer's phone number to text a one-time passcode for authentication. For consumer-facing companies, reducing friction is the name of the game.

At the same time, making attackers' jobs even just a little bit more difficult helps protect developers — and the players of their games.

"Any MFA is better than no MFA — like, vastly superior," Lookout's Richardson says. "You're 10 times harder to hack if you've got an SMS-based MFA, so ... you're way better off having some form of multifactor authentication versus no form of multifactor authentication."

An SMS code could have protected Benoît Freslon, the independent developer behind the game NanoWar: Cells VS Virus, for example. Freslon fell prey to a social engineering scam, apparently when cybercriminals posing as another developer sent him a direct message with malicious content, according to a statement posted on Steam's Community forums.

"I was hacked, all my social networks accounts including Discord and Steam were compromised ... \[t\]he hacker uploaded a malware with \[sic\] my account," a developer stated on Steam's forums. "Be careful when a friend ask you to test his game on private message on Discord. ... It was the most stressfull days \[sic\] of my indie developer life."

Valve removed the game from Steam on Aug. 25, a day after the group behind the hacks published the infected version from the developer's account. The game developer stressed that a safe version of the game has been available since Sept. 15, uploaded from a "totally clean machine."

**SMS: A Good First Step, but...**

Companies focused on consumers and worried that the additional friction posed by 2FA security could use app-based factors that are already widely adopted, such as Google's or Microsoft's authenticators, says ESET's Anscombe.

"Many consumer-focused companies already provide the option to use either Microsoft or Google authenticator apps, this reduces the barrier to adoption as consumers may already have these apps installed," he says. 

"An app is not subject to SIM cloning nor malware that uses the operating systems permissions system to read SMS messages," he says. "The app itself should be protected by a passkey or biometrics adding an additional layer of security."

Boosting security has become important for game companies, as users have more digital in-game assets stored in online accounts that cybercriminals aim to monetize, and while cheaters look to access other gamers' accounts to gain advantage. Steam expects to roll out more security measures in the future to better protect, not only the developers but its customers and reputation.

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission.  IBM X-Force ID:  256020.

CVE-2023-33837: Security Bulletin: IBM Security Verify Governance is affected by multiple vulnerabilities

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Tag

#android