More stories

    Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites

    When Magecart attacks first began making the rounds, the attack vector — scripts covertly installed on websites to harvest customer payment card data — was considered to be the signature move of a specific hacking group. 

    However, credit card-skimming scripts have now been adopted by numerous cyberattackers and the trend has evolved to classify these types of attacks under a broad ‘Magecart’ umbrella involving numerous groups, targets, and countries. 
    Several years ago, domains belonging to high-profile names including British Airways and Ticketmaster were compromised via Magecart attacks, in which websites containing vulnerabilities were exploited to upload JavaScript code in payment portal pages. 
    As customers made purchases and input their details, payment card information was quietly harvested and whisked off to a command-and-control (C2) server, to later be sold on or used to make fraudulent purchases.
    Now, Magecart-style attacks are far more common and techniques used to deploy card-skimming code are under a constant state of evolution. 
    JavaScript code is either hosted directly on a compromised website or referenced and hosted on an attacker-controlled server. Malwarebytes has previously found Magecart code buried in image EXIF metadata, and in August, these image-related techniques evolved further to combine the Inter information collection framework, .ICO files, and so-called “homoglyph” attacks.
    .ICO image requests on websites may now be changed to call up fraudulent .ICO images containing skimmer code, hosted on domains similar to legitimate domains but containing small spelling errors or differences to avoid detection. 
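    As an added example (not Malwarebytes' or RiskIQ's code), the following Python check flags favicon, script and image references on a checkout page whose host is a look-alike of a trusted host, which is the pattern the homoglyph .ICO technique above depends on. The trusted hosts, the sample checkout HTML and the confusable table are all constructed for illustration.

```python
"""Flag page resources whose host is a look-alike of a trusted host.

Added example for this page, not Malwarebytes' or RiskIQ's code. The trusted
hosts, the sample checkout HTML and the confusable table are constructed.
"""
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Single characters commonly swapped for look-alikes in domain names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Digraphs that render like a single letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed checkout page: two legitimate hosts, two look-alikes, one unrelated CDN.
SAMPLE_HTML = """<html><head>
<link rel="icon" href="https://example-shop.com/favicon.ico">
<link rel="shortcut icon" href="https://cdn.examp1e-shop.com/favicon.ico">
<script src="https://cdn.example-shop.com/checkout.js"></script>
<script src="https://static.exarnple-shop.com/checkout.js"></script>
<img src="https://images.unrelated-cdn.net/logo.png">
</head></html>"""
TRUSTED = ["example-shop.com", "cdn.example-shop.com"]  # constructed allowlist


def fold(host: str) -> str:
    """Lower-case a host and collapse common look-alike substitutions."""
    folded = host.lower().translate(CONFUSABLES)
    for src, dst in MULTI_CHAR:
        folded = folded.replace(src, dst)
    return folded


def base(host: str) -> str:
    """Last two labels of a host (registrable-domain approximation; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class RefCollector(HTMLParser):
    """Collect the URLs a page would fetch for icons, scripts and images."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "icon" in (a.get("rel") or "").lower() and a.get("href"):
            self.refs.append(a["href"])
        elif tag in ("script", "img") and a.get("src"):
            self.refs.append(a["src"])


def suspicious_hosts(html: str, trusted: Iterable[str], max_distance: int = 2) -> List[Tuple[str, str]]:
    """Return (resource_url, trusted_base_domain) pairs for near-miss hosts.

    A host that is trusted, or whose base domain is trusted, is never reported.
    Any other host is reported when, after folding look-alike characters, its
    base domain is within max_distance edits of a trusted base domain.
    """
    trusted = sorted(set(trusted))
    trusted_bases = sorted({base(t) for t in trusted})
    collector = RefCollector()
    collector.feed(html)
    hits = []
    for url in collector.refs:
        host = urlparse(url).hostname
        if not host or host in trusted or base(host) in trusted_bases:
            continue
        folded = fold(base(host))
        for tb in trusted_bases:
            if levenshtein(folded, fold(tb)) <= max_distance:
                hits.append((url, tb))
                break
    return hits


if __name__ == "__main__":
    for url, looks_like in suspicious_hosts(SAMPLE_HTML, TRUSTED):
        print("suspicious: %s (resembles %s)" % (url, looks_like))
```

    Run against a saved copy of the checkout page; a hit is a reason to pull the referenced file and inspect it, not proof of compromise on its own.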
    The issue with Magecart-style attacks is the relatively “low bar” to entry set by Inter for cybercriminals seeking to cash in on our cards, RiskIQ says.
    The Inter kit, which includes sniffers, data extraction tools, different injection modes, and scripts compatible with multiple e-commerce CMS varieties, has been tracked by cybersecurity researchers for a number of years. An earlier build of the toolkit, as described by Volexity in 2018, was named JS Sniffer/SniFall and was used against the Magento e-commerce platform.
    Further RiskIQ and Flashpoint research suggested that Inter first landed on underground forums in 2016 with a price tag of $5,000, but now, it appears that modern versions of Inter are on offer for $1,300 per license. This has now reduced to as little as $1,000 and a 30/70 revenue split option to entice even more attackers to the fold. 
    In March, PerimeterX said Magecart-related groups had grown from a “handful to a few hundred,” likely due to the discounted licensing cost and Inter’s all-in-one criminal solution, which requires little technical knowledge to deploy. 
    Inter, PerimeterX says, is well on its way to becoming a “Skimming-as-a-Service” option in underground forums. RiskIQ has carried on this research and says that over 1,500 websites at present are infected with the skimmer, with the kit becoming “one of today’s most common and widely used digital skimming solutions globally.”
    “The Inter skimmer kit is a hot item on this market and comes prepackaged and ready-made to skim so that even cybercriminals with little technical expertise (but a little cash to burn) can use it,” the team says.
    RiskIQ says the actor behind the kit, known by aliases including porter and Sochi, has made a number of recent improvements including the option to bolt-on additional obfuscation services; the ability to create fake payment forms using legitimate names such as PayPal; and automatic checks of stolen information to remove duplication. 
    Inter has now also been connected to a variety of other cybercriminal campaigns, including ransomware deployment, Darkcloud and SandiFlux fast flux DNS services — DNS techniques used to maintain botnets — and domains likely connected to phishing and spam campaigns. 
    “Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” the researchers added. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Patch now: Cisco warns Jabber IM client for Windows has a critical flaw

    Cisco has raised an alert for customers using its Jabber video and instant-messaging client to patch four security flaws, including one critical bug that’s wormable.
    Without the latest patch, the Jabber for Windows client allows a remote attacker to exploit the flaw by sending rigged XML-based Extensible Messaging and Presence Protocol (XMPP) messages to the vulnerable Jabber client, according to Cisco. 


    Such an attack also poses a threat to the Windows system the Jabber client is running on. 
    “A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution,” Cisco notes. 
    The bug only affects vulnerable versions of the Cisco Jabber client for Windows that have XMPP messaging services enabled. 
    The flaw, tracked as CVE-2020-3495, has a severity rating of 9.9 out of 10 and should be patched immediately, according to Norwegian pen-tester Olav Sortland Thoresen of Watchcom, who discovered the flaws. 
    He’s published a detailed account of the four flaws and the design of Jabber, which is based on the Chromium Embedded Framework (CEF). CEF allows developers to embed a natively sandboxed Chromium-based web browser in their applications.  
    The one critical Jabber flaw allows an attacker to create a worm that spreads malware automatically between Jabber users without requiring user interaction, according to Thoresen. 
    “Cisco Jabber is vulnerable to Cross Site Scripting (XSS) through XHTML-IM messages. The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter,” he explains. 
    “Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically.”
    While the embedded browser is sandboxed to prevent access to files and performing system calls, he notes developers create ways to bypass the sandbox to add functionality, in this case to allow the client to open files received from other Cisco Jabber users. 
    “Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack,” explained Thoresen. 
    “The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim’s machine.”
    Thoresen says organizations using Cisco Jabber should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. He’s also provided some indicators that security teams should be watchful for: 
    XMPP messages with unusual HTML content
    Invocations of CiscoJabber.exe with unusual flags
    Unusual sub-processes of CiscoJabber.exe
    Malicious files being sent through Cisco Jabber’s file-sharing feature
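    The first indicator above, XMPP messages with unusual HTML content, can be turned into an allowlist audit of the XHTML-IM payload: anything outside the small element and attribute profile a chat client should render is reported, and a client would fall back to the plain-text body. This is an added example, not Watchcom's or Cisco's code; the allowlist is my reading of the XEP-0071 recommended profile (verify it against the spec) and both stanzas are constructed.

```python
"""Audit the XHTML-IM payload of an XMPP message stanza against an allowlist.

Added example for this page, not Watchcom's or Cisco's code. ALLOWED is my
reading of the XEP-0071 recommended profile (check it against the spec);
the two stanzas below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

XHTML_IM_NS = "http://jabber.org/protocol/xhtml-im"
XHTML_NS = "http://www.w3.org/1999/xhtml"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# element -> attributes permitted on it; any other element or attribute is reported.
ALLOWED = {
    "body": {"style", XML_LANG}, "a": {"href", "style", "type"},
    "blockquote": {"style"}, "br": set(), "cite": {"style"}, "em": set(),
    "img": {"alt", "height", "src", "style", "width"}, "li": {"style"},
    "ol": {"style"}, "p": {"style"}, "span": {"style"}, "strong": set(),
    "ul": {"style"},
}
# URI schemes accepted in href/src; anything else (javascript:, data:, ...) is reported.
SAFE_SCHEMES = {"http", "https", "mailto", "xmpp", "cid"}

# Constructed stanza that stays inside the profile.
BENIGN = """<message xmlns='jabber:client' from='alice@example.com' to='bob@example.com' type='chat'>
  <body>Hi Bob, see the report</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'><p>Hi <strong>Bob</strong>,
      see <a href='https://example.com/report'>the report</a>.</p></body>
  </html>
</message>"""

# Constructed stanza carrying markup a chat client has no reason to render.
SUSPICIOUS = """<message xmlns='jabber:client' from='mallory@example.net' to='bob@example.com' type='chat'>
  <body>Hi Bob</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>
      <p>Hi <span onmouseover='doSomething()'>Bob</span></p>
      <img src='cid:missing' onerror='doSomething()' />
      <a href='javascript:doSomething()'>click</a>
      <script>doSomething()</script>
    </body>
  </html>
</message>"""


def split_tag(tag: str) -> Tuple[str, str]:
    """ElementTree encodes tags as '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_stanza(stanza_xml: str) -> List[str]:
    """Return one finding per element, attribute or URI outside the allowlist.

    An empty list means the XHTML-IM payload stays inside the profile a client
    should be willing to render; any finding is a reason to show the plain
    <body> text instead and to log the stanza for review.
    """
    findings = []
    root = ET.fromstring(stanza_xml)
    for html in root.iter("{%s}html" % XHTML_IM_NS):
        for el in html.iter():
            if el is html:
                continue
            ns, name = split_tag(el.tag)
            if ns != XHTML_NS or name not in ALLOWED:
                findings.append("disallowed element <%s>" % name)
                continue
            for attr, value in el.attrib.items():
                if attr not in ALLOWED[name]:
                    findings.append("disallowed attribute %s on <%s>" % (attr, name))
                elif attr in ("href", "src"):
                    scheme = urlparse(value).scheme.lower()
                    if scheme not in SAFE_SCHEMES:
                        findings.append("unsafe %s scheme %r on <%s>" % (attr, scheme, name))
                elif attr == "style" and ("url(" in value.lower() or "expression(" in value.lower()):
                    findings.append("style with url()/expression() on <%s>" % name)
    return findings


if __name__ == "__main__":
    for label, stanza in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_stanza(stanza) or "clean")
```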

    WordPress File Manager plugin flaw causing website hijack exploited in the wild

    The developers of the WordPress File Manager plugin have patched an actively-exploited security issue permitting full website hijacking.  

    According to the Sucuri WordPress security team, the vulnerability emerged in version 6.4 of the software, which is used as an alternative to FTP in managing file transfers, copying, deletion, and uploads. 
    File Manager accounts for over 700,000 active installations. 
    In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project. 
    The file in question came from the third-party dependency elFinder and was used as a code reference. The tweak was small, a rename of connector-minimal.php-dist to connector-minimal.php — but it was enough to trigger a critical vulnerability in the popular plugin. 
    ElFinder’s script, as a file manager, grants users elevated privileges to modify, upload, and delete files. Because the system is focused on ease of use, setting the elFinder file manager up takes nothing more than changing the file’s extension from .php-dist to .php — and so the avenue for attacks was opened. 
    While using the file as a reference may have helped the team locally test features, the researchers say that leaving such a script — intentionally designed to not check access permissions — in a public build causes a “catastrophic vulnerability if this file is left as-is on the deployment.”
    “This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover,” Sucuri says. 
    The solution, included in version 6.9, is simple enough: delete the file — which was never part of the plugin’s functionality anyway — and other unused .php-dist files.
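    The failure described above is a deployment-hygiene problem: a template shipped as .php-dist is inert, while a copy with the -dist dropped is executable and reachable by anyone. The following Python audit, an added example rather than Sucuri's or the plugin's code, walks a plugin tree and reports every .php-dist template together with any activated twin; the sample tree and its file names are constructed in a temporary directory.

```python
"""Audit a deployed plugin tree for .php-dist templates that have been activated.

Added example for this page, not Sucuri's or the File Manager plugin's code.
The directory layout below is constructed in a temp directory; it only mimics
the plugin and is not its real file listing.
"""
import filecmp
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

DIST_SUFFIX = ".php-dist"
Finding = Tuple[str, Optional[str], bool]  # (dist file, activated copy or None, identical?)


def find_dist_templates(root) -> List[Finding]:
    """Return one finding per .php-dist file under root.

    A .php-dist file is never executed by PHP, so on its own it is merely
    unused. A sibling with the same name minus '-dist' is executable and
    reachable by any client, which is exactly what made connector-minimal.php
    exploitable. The third field says whether the two files are byte-identical,
    i.e. whether the template was activated verbatim.
    """
    root = Path(root)
    findings = []
    for dist in sorted(root.rglob("*" + DIST_SUFFIX)):
        activated = dist.with_name(dist.name[: -len(DIST_SUFFIX)] + ".php")
        rel_dist = dist.relative_to(root).as_posix()
        if activated.exists():
            identical = filecmp.cmp(str(dist), str(activated), shallow=False)
            findings.append((rel_dist, activated.relative_to(root).as_posix(), identical))
        else:
            findings.append((rel_dist, None, False))
    return findings


def activated_templates(findings: List[Finding]) -> List[Finding]:
    """Only the dangerous cases: a .php-dist whose executable twin exists."""
    return [f for f in findings if f[1] is not None]


def build_sample_tree() -> Path:
    """Constructed tree mimicking a plugin that shipped an activated connector template."""
    root = Path(tempfile.mkdtemp(prefix="wpfm_audit_"))
    lib = root / "wp-file-manager" / "lib" / "php"      # assumed layout, not the real one
    lib.mkdir(parents=True)
    template = "<?php\n// connector template: performs no access checks\n"
    (lib / "connector-minimal.php-dist").write_text(template)
    (lib / "connector-minimal.php").write_text(template)        # activated, verbatim copy
    (lib / "connector-full.php-dist").write_text("<?php\n// unused template\n")  # hypothetical
    (lib / "index.php").write_text("<?php\n// plugin's own code\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for dist, twin, same in find_dist_templates(tree):
        status = "ACTIVATED (%s)" % ("verbatim" if same else "modified") if twin else "unused"
        print("%-50s %s" % (dist, status))
```

    On a real install, point find_dist_templates at wp-content/plugins and treat any activated template as something to delete or lock down; unused .php-dist files are clutter that the 6.9 release removed as well.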
    However, a week before the file was removed, proof-of-concept (PoC) code was published on GitHub, leading to a wave of attacks against websites before version 6.9 was made available. 
    Sucuri says the exploit rapidly gained traction. The first attack was spotted on August 31, a day before a fixed version of the file manager was released. This ramped up to roughly 1,500 attacks per hour, and a day later, this increased to an average of 2,500 attacks every 60 minutes. By September 2, the team saw roughly 10,000 attacks per hour.
    In total, Sucuri has tracked “hundreds of thousands of requests from malicious actors attempting to exploit it.”
    While the vulnerability has now been resolved, at the time of writing, only 6.8% of WordPress websites have updated to the new, patched version of the plugin, leaving many websites open to compromise. 
    In July, a reflected XSS vulnerability was patched in KingComposer, a WordPress plugin for drag-and-drop page creation. The bug, CVE-2020-15299, was caused by a dormant Ajax function that could be abused to deploy malicious payloads. 


    Former IT director gets jail time for selling government's Cisco gear on eBay

    A South Carolina man was sentenced this week to two years in federal prison for taking government-owned networking equipment and selling it on eBay.
    The man, Terry Shawn Petrill, 48, of Myrtle Beach, worked as the IT Security Director for Horry County in South Carolina, the Department of Justice said in a press release on Tuesday.
    According to court documents, “beginning on June 11, 2015, through August 23, 2018, Petrill ordered forty-one Cisco 3850 switches that were to be installed on the Horry County network.”
    US authorities said that through the years, when the switches would arrive, Petrill would take custody of the devices and tell fellow IT staffers that he would handle the installation alone.
    However, investigators said that “Petrill did not install the switches on the network and instead sold them to third parties and kept the proceeds for himself.”
    FBI agents who investigated the case said they tracked nine of the 41 missing Cisco switches to ads on eBay, while the location of the rest remains unknown.
    Nonetheless, this was enough to file charges against Petrill, whom authorities arrested and indicted in November 2019.
    Officials said Petrill “confessed his activity in a manner to attempt to assist authorities” and “fully accepted responsibility for his actions.”
    Besides prison time, Petrill was also ordered to pay restitution in the amount of $345,265.57 to the Horry County Government.
    This marks the second legal case over the past week where Cisco was involved. Last week, a former Cisco engineer also pleaded guilty to accessing his former employer’s network and wiping 456 virtual machines, which eventually led to disruption to over 16,000 Webex Teams accounts.

    Australian government releases voluntary IoT cybersecurity code of practice

    The Australian government has released a voluntary code of practice for securing the Internet of Things (IoT) in Australia.
    The voluntary Code of Practice: Securing the Internet of Things for Consumers [PDF] is intended to provide industry with a best-practice guide on how to design IoT devices with cybersecurity features.
    It will apply to all IoT devices that connect to the internet to send and receive data in Australia, including “everyday devices such as smart fridges, smart televisions, baby monitors, and security cameras”.
    “Internet-connected devices are increasingly part of Australian homes and businesses and many of these devices have poor security features that expose owners to compromise,” Minister for Home Affairs Peter Dutton said.
    “Manufacturers should be developing these devices with security built in by design.
    “Australians should be considering security features when purchasing these devices to protect themselves against unsolicited access by cybercriminals.”
    The voluntary code of practice is based on 13 principles.
    These principles include not duplicating default or weak passwords as well as using multi-factor authentication; implementing a vulnerability disclosure policy that includes a public point of contact so security researchers and others can report on any cybersecurity issues; keeping software securely updated; and securely storing credentials by avoiding hard-coded credentials within devices and software.
    The code also states manufacturers should ensure personal data is protected according to data protection laws such as the Privacy Act 1988 and Australian Privacy Principles; minimise exposed attack surfaces; ensure communication security; ensure software integrity by verifying the software on IoT devices and using secure boot mechanisms; make systems resilient to outages; and monitor system telemetry data for security anomalies.
    Additionally, while voluntary, the code of practice also encourages that IoT manufacturers make it easy for consumers to delete personal data when they dispose of the device; make installation and maintenance of devices easy; and ensure any data received via user interfaces, API, and network interfaces are validated.
    Alongside the code of practice, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has released a guide to help manufacturers implement the IoT code of practice.
    Additionally, the ACSC has released an IoT guide for consumers and small and medium-sized businesses on how to protect themselves against cyber threats when buying, using, and disposing of IoT devices.
    “Boosting the security and integrity of internet-connected devices is critical to ensuring that the benefits and conveniences they provide can be enjoyed without falling victim to cybercriminals,” Minister for Defence Linda Reynolds said.
    Publishing the code of practice on Thursday follows on from the Australian government’s release of the draft version last November, and a nation-wide consultation with industry across various sectors, including cybersecurity, government, not-for-profit advocacy groups, critical infrastructure providers, and domestic and international consumers.
    The code of practice is also a key deliverable of the government’s 2020 Cyber Security Strategy.
    In July last year, Australia co-signed a statement of intent regarding the security of IoT with the Five Eyes nations in London. The voluntary code of practice, according to the government, “aligns and builds upon” the guidance provided by the UK and is consistent with “other international standards”.  
    A similar code [PDF] has also been developed by the European Union.

    India blocks 118 apps including Baidu, AliPay, PUBG, WeChat Work

    The Indian Ministry of Electronics and Information Technology handed down a ban on 118 apps on Tuesday, claiming they are “stealing and surreptitiously transmitting” data of users to servers outside of India, and thereby undermining the sovereignty and defence of the nation.
    “The compilation of these data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which requires emergency measures,” the Ministry said in a statement.
    Among the list of apps are a number of high-profile Chinese apps, including Baidu, WeChat, AliPay, PUBG, Sina News.
    Tencent has had a number of its apps blocked — besides WeChat and PUBG, which it has an equity stake in — including its new VooV video conferencing tool, its Weiyun storage service, and its Watchlist app.
    Earlier in the week, the Pakistan Telecommunication Authority (PTA) blocked access to five dating and live-streaming apps, namely Tinder, Tagged, Skout, Grindr, and SayHi.
    “Keeping in view the negative effects of immoral/indecent content streaming through the above applications, PTA issued notices to the management of above mentioned platforms for the purpose of removing dating services and to moderate live streaming content in accordance with the local laws of Pakistan,” the Authority said in a statement.
    “Since the platforms did not respond to the notices within the stipulated time therefore the Authority issued orders for blocking of the said applications.”
    Since June, China and India have experienced rising tensions following a border clash between soldiers where they fought each other with rocks and clubs. The clash resulted in the death of 20 Indian soldiers, and more than 75 injured.
    Later that month, India banned 59 Chinese apps, including TikTok, UC Browser, Weibo, and WeChat.
    On Tuesday the WeChat ban was extended to WeChat Work, WeChat reading, and Government WeChat.
    The full list of 118 apps blocked by India are:
    AFK Arena
    Alipay
    AlipayHK
    Amour: video chat & call all over the world.
    AppLock
    AppLock Lite
    APUS Flashlight: Free & Bright
    APUS Launcher Pro: Theme, Live Wallpapers, Smart
    APUS Launcher: Theme, Call Show, Wallpaper, HideApps
    APUS Message Center: Intelligent management
    APUS Security: Antivirus, Phone security, Cleaner
    APUS Turbo Cleaner 2020: Junk Cleaner, Anti-Virus
    Arena of Valor: 5v5 Arena Games
    Art of Conquest: Dark Horizon
    Baidu
    Baidu Express Edition
    Beauty Camera Plus: Sweet Camera & Face Selfie
    Bike Racing: Moto Traffic Rider Bike Racing Games
    Buy Cars: offer everything you need, special offers and low prices
    CamCard: Business Card Reader
    CamCard Business
    CamCard for Salesforce
    CamOCR
    Carrom Friends: Carrom Board & Pool Game-
    Chief Almighty: First Thunder BC
    Chess Rush
    Cleaner: Phone Booster
    Creative Destruction NetEase Games
    Crusaders of Light NetEase Games
    Cut Cut: Cut Out & Photo Background Editor
    Cyber Hunter
    Cyber Hunter Lite
    Dank Tanks
    Dual Space: Multiple Accounts & App Cloner
    Dawn of Isles
    FaceU: Inspire your Beauty
    Fighting Landlords: Free and happy Fighting Landlords
    Gallery HD
    Gallery Vault: Hide Pictures And Videos
    Game of Sultans
    GO SMS Pro: Messenger, Free Themes, Emoji
    HD Camera: Beauty Cam with Filters & Panorama
    HD Camera Pro & Selfie Camera
    HD Camera Selfie Beauty Camera
    Hide App: Hide Application Icon
    Hi Meitu
    HUYA LIVE: Game Live Stream
    LifeAfter
    InNote
    iPick
    Kitty Live: Live Streaming & Video Live Chat
    Knives Out-No rules, just fight!
    Lamour Love All Over The World
    Learn Chinese AI-Super Chinese
    Legend: Rising Empire NetEase Games
    Little Q Album
    LivU Meet new people & Video chat with strangers
    Ludo All Star: Play Online Ludo Game & Board Games
    Ludo World-Ludo Superstar
    Mafia City Yotta Games
    Malay Social Dating App to Date & Meet Singles
    MARVEL Super War NetEase Games
    Message Lock (SMS Lock)-Gallery Vault Developer Team
    MICO Chat: New Friends Banaen aur Live Chat karen
    Mobile Legends: Pocket
    Mobile Taobao
    Murderous Pursuits
    Music: Mp3 Player
    Music player: Audio Player
    Music Player: Audio Player & 10 Bands Equalizer
    Music Player: Bass Booster – Free Download
    Music Player: MP3 Player & 10 Bands Equalizer
    MV Master: Make Your Status Video & Community
    MV Master: Best Video Maker & Photo Video Editor
    Netease News
    Onmyoji NetEase Games
    Parallel Space Lite: Dual App
    Penguin E-sports Live assistant
    Penguin FM
    Photo Gallery HD & Editor
    Photo Gallery & Album
    Pitu
    PUBG MOBILE Nordic Map: Livik
    PUBG MOBILE LITE
    Rangers Of Oblivion: Online Action MMO RPG Game
    Ride Out Heroes NetEase Games
    Rise of Kingdoms: Lost Crusade
    Road of Kings- Endless Glory
    Rules of Survival
    ShareSave by Xiaomi: Latest gadgets, amazing deals
    Sina News
    Small Q brush
    Smart AppLock (App Protect)
    Soul Hunters
    Super Clean – Master of Cleaner, Phone Booster
    Super Mecha Champions
    Tantan – Date For Real
    Tencent Watchlist (Tencent Technology)
    Tencent Weiyun
    Ulike – Define your selfie in trendy style
    U-Dictionary: Oxford Dictionary Free Now Translate
    Video Player All Format for Android
    Video Player: All Format HD Video Player
    VPN for TikTok
    VPN for TikTok
    VooV Meeting: Tencent Video Conferencing
    Warpath
    Web Browser: Fast, Privacy & Light Web Explorer
    Web Browser: Secure Explorer
    Web Browser & Fast Explorer
    WeChat reading
    Government WeChat
    WeChat Work
    Yimeng Jianghu-Chu Liuxiang has been fully upgraded
    Youku
    ZAKZAK Pro: Live chat & video chat online
    ZAKZAK LIVE: live-streaming & video chat app
    Z Camera: Photo Editor, Beauty Selfie, Collage

    Google removes Android app that was used to spy on Belarusian protesters

    One of the images used to promote the malicious NEXTA LIVE app.

    Google has removed this week an Android app from the Play Store that was used to collect personal information from Belarusians attending anti-government protests.
    The app, named NEXTA LIVE (com.moonfair.wlkm), was available for almost three weeks on the official Android Play Store, and was downloaded thousands of times and received hundreds of reviews.
    To get installs, NEXTA LIVE claimed to be the official Android app for Nexta, an independent Belarusian news agency that gained popularity with anti-Lukashenko protesters after exposing abuses and police brutality during the country’s recent anti-government demonstrations.
    However, in a statement published on Telegram last week, Nexta said the app was not associated with its service and was designed to collect data from users and de-anonymize protest-goers.

    “Do not install under any circumstances. Warn your friends, maximum repost!,” Nexta staff wrote in their Telegram channel.
    Nexta also asked users to immediately uninstall the app from their devices, give the app a bad rating and review, and then report it to Google staff.
    App collected location data and device owner details
    This mass-reporting strategy worked, and the app was removed earlier this week. However, for many users, the damage is already done.
    According to a Belarusian security researcher — whom we will call S. for his protection and privacy — the app was designed for mass-harvesting purposes. In a summary analysis he shared with Nexta readers, S. said the app was designed to collect geolocation data, gather info on the device owner, and then upload the data to a remote server at regular intervals.
    Android malware researcher Gabriel Cîrlig, who ZDNet asked earlier today to also look at NEXTA LIVE, said the app appears to communicate with a domain hosted on a Russian IP address, at arcpi.nextialive.roimaster[.]site (89.223.89[.]47).
    Both the domain and IP address aren’t listed on any threat intelligence feeds, having no affiliations to previous malware campaigns, according to a search performed by ZDNet today.
    However, the same IP address previously hosted other suspicious-looking domains (i.e., hackappnewcrmuzbekistan.roimaster[.]site), which suggests there is more to this server than meets the eye.
    Nonetheless, a location-gathering feature has no place in a news-centered app, especially one that’s popular with anti-government protesters in a politically unstable country currently governed by an autocratic leader fighting to remain in power.
    While there is no official link between the fake Nexta app and the Minsk government, this would hardly be the first time that a government would try to spy on its citizens in the midst of anti-government protests, in attempts to identify protest-goers.
    Similar incidents happened in Venezuela and Iran in 2019, and even the US, earlier this year, during Black Lives Matter protests.
    Further, Belarusians are right to be wary of the app and possible links to the local government after earlier this year Belarusian police raided the offices of ride-hailing companies Yandex and Uber, in what protesters described as an attempt to obtain ride location data in order to identify who participated in anti-government demonstrations.

    Most consumers will trade their data for personalization

    We love personal service when shopping, but how much are we prepared to trade off for that truly customized online experience? And which parts of our private data are we willing to share, and why?

    San Francisco-based AI-powered personalization platform Formation.ai surveyed over 2,000 US customers in the first quarter of 2020 about their feelings toward brand loyalty.
    Its report, Brand Loyalty: the Need for Hyper-Individualisation, shows that personalization is critical to earning consumer loyalty in today’s competitive market.
    The majority of consumers only belong to between one and three loyalty programs, meaning a program must really deliver to make the cut for consumers.
    Almost four out of five (79%) of consumers agree that the more personalization tactics a brand uses, the more loyal they are to that brand. But for 77% of consumers, businesses are not doing enough to earn that loyalty.
    The report found that over four out of five (81%) of consumers are willing to share basic personal information for personalization and that 83% of consumers are more willing to share data if the brand is transparent about how it will be used.
    But consumers want to receive something in return, and loyalty programs could be the key to unlocking greater data personalization and building long-term loyalty.
    Four out of five (79%) consumers agree the more personalization tactics a brand uses, the more loyal they are to that brand.
    Three out of four (73%) said they’re more likely to engage with a brand that offers a loyalty program compared to one that does not.
    One out of five (20%) of consumers surveyed feels they receive marketing emails that “extremely frequently” feature content relevant to their specific lifestyle, interests, attitudes, or past purchases.
    A similar percentage (18%) reported receiving marketing emails that contain content so unique to their needs that they feel it recognizes them as individuals “extremely frequently.”
    But there is a trade-off between receiving hyper-personalized emails and privacy in some industries. In the healthcare sector, people are increasingly wary of losing their privacy.
    San Francisco, CA-based marketing analytics platform W2O’s Consumer Attitudes in Health Care Data Uses and Privacy surveyed over 1,000 consumers across the US before and during the COVID-19 pandemic. It wanted to understand whether consumers were comfortable with certain types of data being used in targeted advertising.
    The study showed that consumers demand transparency and visibility on how their data is being used. Seven out of 10 (70%) of respondents said that health data should either not be shared, or shared only with their permission, and that they should have the ability to opt-out — not in.
    Consumers also care most about the altruistic purposes of health data use. Half of those surveyed indicated that they would only want their health data shared if they knew it would be used to improve healthcare outcomes for others.
    As a result, organizations should clearly outline how they are sharing and using health data, and how it can advance public health.
    People are increasingly wary of losing their privacy and require more education on how their data is used.
    Companies need to be more transparent with how they use your data — whatever it is — to avoid the ultra-targeted message that makes you convinced that you are being watched and targeted.