More stories

  • New WAPDropper malware abuses Android devices for WAP fraud

    Security researchers have detected a new strain of Android malware being currently distributed in the wild, primarily targeting users located in Southeast Asia.

    Discovered by security firm Check Point, this new malware is named WAPDropper and is currently spread via malicious apps hosted on third-party app stores.
    Check Point said that once the malware infects a user, it starts signing them up for premium phone numbers that charge large fees for various types of services.
    The end result is that all infected users would receive large phone bills each month until they unsubscribed from the premium number or reported the issue to their mobile provider.
    This tactic, known as “WAP fraud,” was very popular in the late 2000s and early 2010s and died out with the rise of smartphones, but it made a comeback in the late 2010s as malware authors realized that many modern phones and telcos still supported the older WAP standard.
    WAPDropper gang most likely based in SE Asia
    Check Point says that based on the premium phone numbers used in this scheme, the malware authors are most likely based or collaborating with someone in Thailand or Malaysia.
    “In this and similar schemes, the hackers and the owners of the premium rate numbers are either co-operating or could even be the same group of people,” the company said today in a report.

    “It’s simply a numbers game: the more calls made using the premium-rate services, the more revenue is generated for those behind the services. Everybody wins, except the unfortunate victims of the scam.”
    As for the malware itself, Check Point says WAPDropper operated using two different modules. The first was known as a dropper, while the second module was the component that performed the actual WAP fraud.
    The first module was the only one packed inside the malicious apps, primarily to reduce the size and fingerprint of any malicious code inside them. Once the apps were downloaded and installed on a device, this module would download the second component and start defrauding victims.
    But Check Point also wants to raise an alarm about this particular piece of malware.
    “Right now, this malware drops a premium dialer, but in the future this payload can change to drop whatever the attacker wants,” Aviran Hazum, Manager of Mobile Research at Check Point, told ZDNet.
    “This type of multi-function ‘dropper,’ which stealthily installs onto a user’s phone and then downloads further malware, has been a key mobile infection trend we’ve seen in 2020. These ‘dropper’ trojans represented nearly half of all mobile malware attacks between January and July 2020, with combined infections in the hundreds of millions globally.
    “I expect the trend to continue as we turn the new year,” Hazum added.
    The Check Point researcher encouraged users to download apps only from the official Google Play Store.
    The Check Point team also told ZDNet that for the time being, they found the WAPDropper malware inside apps named “af,” “dolok,” an email app called “Email,” and a kids game named “Awesome Polar Fishing.” Users who installed any of these apps from outside the Play Store are advised to remove them from their devices as soon as possible.

  • FBI: Fake versions of our site could be used for cyberattacks, so watch out

    The Federal Bureau of Investigation (FBI) is warning the public to avoid internet domains designed to look similar to its own main official website www.fbi.gov. 
    The warning concerns dozens of websites that could be used to target people seeking information about the FBI’s activities or news announcements. 


    “The FBI observed unattributed cyber actors registering numerous domains spoofing legitimate FBI websites, indicating the potential for future operational activity,” the bureau said in a public service announcement (PSA) on Monday.
    The FBI is concerned that the spoofed FBI-related domains could be used as part of future attacks aimed at stealing credentials or spreading disinformation to the public. 
    It urged the public to “critically evaluate the websites they visit, and the messages sent to their personal and business email accounts, to seek out reliable and verifiable FBI information.” 
    Hackers and criminals can use spoofed domains and email accounts to: disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses, the FBI notes. 

    While the FBI has not attributed the spoofed FBI domains to any specific country or cyber actors, it has provided dozens of examples of recently registered domains that could be used to trick members of the public. 
    “Cyber actors create spoofed domains with slightly altered characteristics of legitimate domains,” the FBI said. 
    “A spoofed domain may feature an alternate spelling of a word, or use an alternative top-level domain, such as a “[.]com” version of a legitimate “[.]gov” website. Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI’s mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links.”

  • SEC alleges Benja CEO duped investors to fund a non-existent e-commerce empire

    The US Securities and Exchange Commission (SEC) has charged e-commerce startup Benja and its CEO for allegedly defrauding investors.

    According to charges made public on Monday, the US agency believes the San Francisco-based firm — together with its co-founder and chief executive Andrew Chapin — fabricated an e-commerce empire by “misleading investors about purported contracts with well-known consumer brands.”
    The SEC’s complaint alleges that from 2018 to this year, 32-year-old Chapin told investors that the startup had secured deals with popular clothing retailers and brands including Nike and Patagonia. To give these claims weight, the executive allegedly enlisted others to impersonate these ‘customers’ and their representatives.
    “In reality, Benja never did business with the companies,” the agency says.  
    One of the individuals involved in the scheme apparently also pretended to be a founder of a venture capital fund that made a “large” investment in the startup. 
    Investors were told that Benja “generated millions of dollars in revenue” from these sources, according to the SEC.

    Forged contracts and tampered bank statements were also allegedly waved under the noses of venture capital investors to back up claims of $6.2 million in generated revenue in 2018 and $13.2 million in 2019.
    The misrepresentation allegedly extended to banks, too, from which a line of credit was secured — growing from $1 million to $5 million.
    “Bank records from 2018 to 2020 indicate that Benja was generating almost no revenue from its purported ad placement business and almost all the customers Chapin claimed Benja had were lies,” US regulators say. “Chapin used almost the full $5 million line of credit to pay off other creditors and investors, to pay Chapin’s credit cards and personal expenses, and to send funds to a personal cryptocurrency exchange account.”
    The complaint, filed in the US District Court for the Northern District of California, seeks permanent injunctions, civil penalties, and disgorgement. Investors were allegedly scammed out of at least $1 million in funding and $100,000 in purchased securities due to Benja’s misrepresentations. 
    “We allege that Chapin violated the federal securities laws by deceiving investors about the most fundamental aspects of Benja’s business by falsely portraying it as a successful e-commerce technology company that in a short period of time had generated significant revenue from several high-profile clients,” said Erin Schneider, Director of the SEC’s San Francisco Regional Office. “We will continue to pursue companies and executives who mislead investors.”
    Separately, the US Attorney’s Office for the Northern District of California has filed criminal charges against Benja’s CEO. The office is charging Chapin with bank fraud, wire fraud, and securities fraud. 
    US Attorney Anderson said that tech financing cannot become a “lemon’s market,” and that charging figures like Chapin, who allegedly defraud investors, will ensure future investors have “confidence in the truthfulness of startup representations.”
    Chapin is due to appear in court on Tuesday before US Magistrate Judge Jacqueline Corley.
    ZDNet has reached out to Benja and will update when we hear back. 

  • Hacker leaks the user data of event management app Peatix

    This month a hacker leaked the data of more than 4.2 million users registered on Peatix, an event organizing platform currently ranked among the Alexa Top 3,500 most popular sites on the internet.

    The site’s user data was made available through ads posted via Instagram stories, on Telegram channels, and on several different hacking forums.
    According to samples of the Peatix data seen by ZDNet, the leaked information included full names, usernames, emails, and salted and hashed passwords.
    Most of the leaked user data belonged to persons with Asian names, which is consistent with the history of the Peatix startup, which first launched in Japan in 2011, expanded to Singapore in 2013, and later opened to the US and other parts of the world.
    ZDNet notified Peatix of a possible breach earlier this month, but we never heard back from the company. Nonetheless, Peatix went public and admitted its breach this week through a message posted on its website [PDF, archived].
    The company said it has investigated the reports, identified the point of entry, and blocked the intruders from re-accessing its systems.
    Peatix reassured users that no financial data was involved as all payments were handled through third-party platforms, and nothing was stored inside its database.

    “In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any data obtained through our questionnaire function or users’ addresses or phone numbers were accessed,” the company said.
    ZDNet also reached out to the hacker who shared Peatix’s data online, on one of the hacking forums. This individual told us that they were not the person who breached the company and that they were only leaking the data to sabotage a rival data breach broker.

    Peatix is currently notifying all impacted users via email and requesting that they change account passwords.

  • China pledges collaboration to drive global digital development

    China has pledged to collaborate in global efforts to drive digital development and build a “shared cyberspace” community. It has underscored the importance of the internet and international cooperation, as economies worldwide look to battle the COVID-19 pandemic. 
    Chinese President Xi Jinping said China was “ready to work with other countries” to tap the opportunities “presented by the information revolution” and drive growth through innovation as well as open up new grounds in digital cooperation. 
    Efforts also would be made to create a new paradigm for cybersecurity and to build a community with a “shared future in cyberspace”, creating a brighter future for humanity, Xi said in a letter that was read out at the 2020 World Internet Conference in Wuzhen, China.

    Pointing to the role the internet played in driving economic recovery, he said telemedicine, e-learning, as well as online collaborative platforms and tools had been widely used when the COVID-19 outbreak surfaced, according to a report by state-run media China Daily.
    Speaking via video link at the forum, United Nations Under-Secretary-General for Economic and Social Affairs Liu Zhenmin added that the need for global cooperation was especially critical now that the world had embraced digital transformation.
    China’s digital economy, alone, hit 35.8 trillion yuan ($5.45 trillion) in 2019, accounting for 36.2% of its total GDP, according to a report by the Chinese Academy of Cyberspace Studies, which was released at the conference this week.
    The research said the digital economy played a key role in mitigating the impact of the COVID-19 outbreak and would help reshape the local economy. 

    Pointing to the country’s network rollout, it noted that there were 5.44 million 4G base stations across China in 2019, with the local mobile population leading the world’s consumption at 122 billion GB in data traffic. More than 480,000 5G base stations also had been deployed in the country, as of September this year.
    Local e-commerce transactions climbed 6.7% year-on-year to clock 34.81 trillion yuan ($5.29 trillion) in 2019. 
    At this year’s November 11 shopping festival, Alibaba Group raked in more than 372.3 billion yuan ($56.58 billion) in gross merchandise volume just 30 minutes into the start of the annual event, with the number of orders peaking at 583,000 orders per second. 
    China has had tense relations with several nations over the past couple of years, including the US, India, and Australia, which have implemented bans on various Chinese apps and technologies. 
    In its most recent move, the outgoing Trump administration in August expanded restrictions to further curb Huawei Technologies’ access to core components, barring the Chinese tech giant from purchasing chips made by foreign manufacturers using US technology. It also added another 38 affiliates of Huawei to the Entity List, including Huawei Cloud Singapore and Huawei Cloud France.  

  • Apple's global security head indicted on bribery charges

    A Californian grand jury has issued indictments against Apple’s head of global security, Thomas Moyer, for allegedly bribing two Santa Clara County policemen to obtain four concealed firearms licences.
    The charges arose following a two-year investigation by the District Attorney’s Office, which found that the two policemen, Rick Sung and James Jensen, allegedly held up the issuance of these licences and refused to release them to Moyer until he provided something of value.
    “Undersheriff Sung and Captain Jensen treated CCW licences as commodities and found willing buyers. Bribe seekers should be reported to the District Attorney’s Office, not rewarded with compliance,” district attorney Jeff Rosen said.
    In the indictment [PDF], the District Attorney’s Office accuses Moyer of entering into a deal with the policemen to “donate” 200 iPads to the Santa Clara County Sheriff’s Office in exchange for the licences. 
    The iPads had a total value of around $70,000, the District Attorney’s Office said.
    Under state law, applicants for a carry concealed weapon (CCW) licence must demonstrate “good cause” for the licence, in addition to completing a firearms course and having good moral character, but the sheriff ultimately has broad discretion in determining who should qualify, the District Attorney’s Office explained.
    Although Moyer and the two policemen allegedly reached an agreement, the bribery transaction was eventually cancelled when the accused parties realised the District Attorney’s Office had submitted a search warrant to seize the sheriff department’s concealed firearms licence records.

    Moyer has worked at Apple for 15 years and has been the company’s head of global security since November 2018, according to his LinkedIn profile. 
    The indictments follow the charging in September of four former eBay employees with cyberstalking a married Massachusetts couple. The charged individuals in that case were formerly in eBay’s security and intelligence teams.

  • Tesla Model X hacked and stolen in minutes using new key fob hack

    A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, allowing him to steal any car that isn’t running on the latest software update.
    The attack, which only takes a few minutes to execute and requires inexpensive gear, was put together by Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium.
    This is Wouters’ third Tesla hack in as many years, with the researcher publishing two other Tesla attacks in 2018 and 2019, respectively.
    Attack exploits bug in key fob update system
    In a report published today, Wouters said this third attack works because of a flaw in the firmware update process of Tesla Model X key fobs.
    The flaw can be exploited using an electronic control unit (ECU) salvaged from an older Model X vehicle, which can be easily acquired online on sites like eBay or any stores or forums selling used Tesla car parts.
    Wouters said attackers can modify the older ECU to trick a victim’s key fob into believing the ECU belonged to its paired vehicle and then push a malicious firmware update to the key fob via the BLE (Bluetooth Low Energy) protocol.
    “As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it,” Wouters said. “Subsequently we could obtain valid unlock messages to unlock the car later on.”

    The steps of the attack are detailed below:
    1. The attacker approaches the owner of a Tesla Model X vehicle. The attacker needs to get as close as 5 meters to the victim in order to allow the older modified ECU to wake up and ensnare the victim’s key fob.
    2. The attacker then pushes the malicious firmware update to the victim’s key fob. This part requires around 1.5 minutes to execute, but the range also goes up to 30 meters, allowing the attacker to distance themselves from the targeted Tesla owner.
    3. Once a key fob has been hacked, the attacker extracts car unlock messages from the key fob.
    4. The attacker uses these unlock messages to enter the victim’s car.
    5. The attacker connects the older ECU to the hacked Tesla car’s diagnostics connector — normally used by Tesla technicians to service the car.
    6. The attacker uses this connector to pair their own key fob to the car, which they later use to start the vehicle and drive away. This part also takes a few minutes to execute.
    The only downside of this attack is the relatively bulky attack rig, which would be easy to spot unless concealed inside a backpack, bag, or another car.
    Nonetheless, the attack rig isn’t expensive, requiring a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob, an older ECU from a salvaged vehicle ($100 on eBay), and a LiPo battery ($30).
    Wouters said he discovered the bug earlier this summer and reported it to Tesla’s security team in mid-August.
    The researcher published his findings today after Tesla began rolling out an over-the-air software update to all its Model X cars this week. The software release that fixes this bug is 2020.48, according to Wouters.

  • Brazilian government recovers from “worst-ever” cyberattack

    After suffering the most severe cyberattack ever orchestrated against a Brazilian public sector institution, the Superior Electoral Court (STJ, in the Portuguese acronym) has managed to get its systems back up and running after more than two weeks of disruption.
    After the ransomware attack, which took place on November 3, the STJ’s systems were totally unavailable for 26 hours so that the Federal Police could gather evidence. The investigation, which also involves the federal data processing service Serpro and the Army’s cyberdefence unit, is still ongoing. The Court then had to operate with limited functionality for urgent cases until the systems were fully re-established on November 20.

    According to the president of the STJ, minister Henrique Martins, the event was “the worst-ever” cyberattack that a Brazilian government body has suffered, both in terms of the dimension and complexity involved.
    “Up until that point, our team had not experienced anything similar, and, despite the fact we were ready, we were led towards transformations, which will enhance the way in which the Court deals with information security”, the minister said in a statement.
    According to the STJ, the work around re-establishing access to the network, systems and backups, as well as the enhanced cybersecurity set-up, involved over 50 of its own IT professionals.
    In addition, another 50 professionals from eight technology companies, including Atos, Microsoft and Redbelt Security, supported the recovery project.
    However, the STJ minister pointed out that there are challenges that still need to be overcome, including the revision of policies, technology architecture and an adaptation to the General Data Protection Regulations, which went live in September. The process of restructuring and improving data security at the STJ “will be constantly improved,” the statement noted.

    “There is unconditional support from [STJ’s] management to raise the level of information security that we offer. This is an institutional asset, which we will not give up”, the statement from the minister noted.