Information Security News
Mirai, the botnet that threatened the Internet as we knew it last year with record-setting denial-of-service attacks, is facing an existential threat of its own: A competing botnet known as Hajime has infected at least 10,000 home routers, network-connected cameras, and other so-called Internet of Things devices.
Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals. The message reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT device. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.
by Sean Gallagher
Joel Abel Garcia, a 35-year-old from the Bronx, New York, became the third member of an alleged ring of automated teller machine "skimmers" to plead guilty today in the US District of New Jersey to the charge of conspiracy to commit bank fraud. Another member of the group—Victor Hanganu, a Romanian citizen living in Bayside, New York—pleaded guilty to the same charge on April 10. Eleven others have been charged in the conspiracy, which targeted PNC and Bank of America ATMs in New Jersey from March 2015 until June of 2016. Another Romanian, Radu Marin, pleaded guilty on March 29.
"According to admissions made in connection with the pleas, Garcia, Hanganu, and others sought to defraud financial institutions and their customers by illegally obtaining customer account information, including account numbers and personal identification numbers," a Department of Justice spokesperson said in a statement made on behalf of federal prosecutors in New Jersey. Garcia was found to be personally responsible for $132,805 in withdrawals using forged ATM cards out of a total of $428,581 over the 15-month period.
Garcia admitted as part of the plea that "he installed 'skimming' devices on the ATMs" belonging to PNC and Bank of America at multiple locations in New Jersey, "including pinhole cameras that recorded password entries and card-reading devices capable of recording customer information encoded on magnetic strips," according to the statement.
Smartphones know an awful lot about us. They know if we're in a car that's speeding, and they know when we're walking, running, or riding in a bus. They know how many calls we make and receive each day and the precise starting and ending time of each one. And of course, they know the personal identification numbers we use to unlock the devices or to log in to sites that are protected by two-factor authentication. Now, researchers have devised an attack that makes it possible for sneaky websites to surreptitiously collect much of that data, often with surprising accuracy.
The demonstrated keylogging attacks are most useful at guessing digits in four-digit PINs, with a 74-percent accuracy the first time it's entered and a 94-percent chance of success on the third try. The same technique could be used to infer other input, including the lock patterns many Android users rely on to lock their phones, although the accuracy rates would probably be different. The attacks require only that a user open a malicious webpage and enter the characters before closing it. The attack doesn't require the installation of any malicious apps.
Our reader Charlieforwarded us a somewhat interesting Apple phish. Apple is a big phishing target, and the phish itself wasnt all that special. It does a reasonable good jobemulating real Apple e-mails, but what is more interesting are the From width:300px" />
The From address was set to apple.ssl.com . For the uninitiated, this may look like a valid Apple domain. But instead, it is a subdomain of ssl.com. SSL.com is of course not the valid source of the e-mail. But why did this e-mail make it past SPF filters? ssl.com does define an SPF record:
v=spf1 ip4:188.8.131.52 ip4:184.108.40.206 include:amazonses.com include:mailanyone.net include:fusemail.net ~all
The record contains a common error: In the end, the ~ ahead of all indicates a soft fail. In essence, this may short-out the SPF definition. There is also no DMARC record for this domain. The ~ is often added to prevent false positives, for example, if companies are afraid that they didnt capture all the mail servers sending e-mail on their behalf. While this may be a good idea initially, it should be removed later.
Next, the link leads to apple1-id.com. The domain is not associated with Apple. The web page is still up (but blacklisted), and provides a good copy of the genuine Apple login page. width:300px" />
Interesting about this domain: It was registered back in January. So the bad guy put some work into this to avoid some recently registered domain filters.
So lessons learned: