
Chapter Preview: It All Starts with Your Personal Data Lake

Once, not long ago, data was nestled in paper files or stored on isolated computer networks, housed in glassed-off, air-conditioned rooms. Now, data is digital, moves effortlessly, and gets accessed from devices and places around the world at breakneck speeds. This makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a whole host of purposes, such as advertising, insurance proposals, and scientific research, to name but a few. The data they are collecting and accessing about you is part of your personal data lake.

Data lake is a term that technologists typically use, but for us, using the term paints a strong visual for an important concept—how we create an extraordinary amount of data simply by going online and using connected devices. Your online interactions create drops of data that collect into streams, and pool together to form an ever-deepening lake of data over time. It stands to reason that the more time you spend online, connecting devices in your home and accessing a growing number of applications on your smartphone, the more quickly your personal data lake grows.

As you can imagine, your privacy and security are what’s at stake as you go about your digital life. Ultimately, the more data you share, either knowingly or unknowingly, the more that data potentially puts you at risk. This is true for you and your family members. The stakes get even higher because some of our own behavior can put us at risk. The internet is a platform with a global reach and a forever memory. What you say, do, and post can have a lifetime of implications. As a family, each member has a personal responsibility to look after themselves and each other. This unwritten contract extends to the internet because our actions there can impact our personal and professional lives, not to mention the lives of others. This book is laden with examples of how people get passed over for jobs, ruin romantic relationships, and end up doing actual physical harm to others because of what they say, do, or post online, ranging from sharing a picture of someone passed out at a party because it seemed funny at the time, to something calculated and intentionally injurious, like cyberbullying.

With people admitting that they spend more and more time online while connecting more and more devices in their homes, it’s time to understand the permanence of those behaviors and how they can impact all aspects of your life. As you go through the book you’ll better understand how your personal data lake is constantly growing, and the book lays out useful tips you can use to better manage your information.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

The post Chapter Preview: It All Starts with Your Personal Data Lake appeared first on McAfee Blogs.

Posted: 19 Sep 2019 | 3:00 am

No surprises in the top 25 most dangerous software errors

An in-depth study of reported bugs has produced a list of the top 25 bug categories in software today - with some old familiar names topping the list.

Posted: 19 Sep 2019 | 1:58 am

IT now stands for Intermediate Targets: Tech providers pwned by snoops eyeing up customers – report

Symantec says Tortoiseshell crew ransacked suppliers

Miscreants are hacking into Saudi Arabian IT providers in an attempt to compromise their real targets: said providers' customers, according to Symantec.…

Posted: 18 Sep 2019 | 10:55 pm

Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites

We discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels — the second time we’ve seen a Magecart threat actor directly hit ecommerce service providers instead of going for individual stores or third-party supply chains. Back in May, we discovered a new Magecart-using group called “Mirrorthief,” which compromised an ecommerce service provider used by American and Canadian universities.

In early September, we found two hotel websites (from different hotel chains) that had been injected with JavaScript code that loads a remote script on their payment page since August 9. When we first checked the script’s link, it downloaded normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices such as Android or iOS phones. The script served to mobile devices is a credit card skimmer that can steal the information entered on the hotel booking page and send it to a remote server.

We found both of the affected hotel websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called “viewedHotels” that was provided to its clients and subsequently used for two websites of two different hotel chains. Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.

The script injected into the hotel booking website

Figure 1. Infection chain of the Magecart skimming attack on the online hotel booking websites

As mentioned, the injection was done on a JavaScript library of Roomleader’s “viewedHotels” module located at hxxps://[hotel website]/modulos/viewedHotels/templates/public/js/history_setter[.]js. This library is used for saving the viewed hotel information in the visitor’s browser cookies. The attacker injected the malicious code in the middle of the original script.

The injected code first checks whether an HTML element with the ID “customerBookingForm” is present on the webpage, to make sure it is running on the hotel’s booking page. If that element is not found, the code sleeps for one second and then checks again, repeating until it finds it. Once it detects the booking page, it checks that the browser debugger is closed and then loads another JavaScript file from the URL hxxps://googletrackmanager[.]com/gtm[.]js, which is where the card skimmer code is actually located. It’s worth noting that the style of the URL is meant to emulate the legitimate URL used by Google Tag Manager.

Figure 2. The injected script (highlighted) in the JavaScript library used by hotel websites

Analysis of the credit card skimmer

When we first connected to the skimmer URL, it returned normal JavaScript code copied from the GitHub project detect-mobile-browser. However, we suspected it was not the real payload because the code isn’t actually used by the affected websites.

Upon further testing of the URL, we found that it downloaded a different script when we made a request using an HTTP User-Agent from a mobile device. This script turned out to be a credit card skimmer. Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users. This is most likely because the threat actor behind it wants to avoid detection from PC-based security software. The skimmer is not a new one — we’ve seen instances where it was used by other groups. Most likely, it is a general skimmer that is shared via underground forums.
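The user-agent cloaking described above leaves a footprint in outbound web proxy logs: the same URL returns different response bodies depending on whether the client looked like a desktop or a mobile browser. The following Node.js script is an added example, not code from Trend Micro or from the affected sites; it runs detection logic over a handful of constructed proxy-log lines (the log format, client addresses and body hashes are assumptions) and flags both any request to the skimmer domain listed in the IoC table and any URL whose response hash never overlaps between desktop and mobile user agents.

```javascript
// Added example (not from the Trend Micro write-up): offline detection over
// constructed proxy-log lines for two behaviours described in the article:
//   (1) any request to the skimmer domain from the IoC table, and
//   (2) user-agent cloaking: one URL whose response-body hash differs between
//       desktop and mobile browsers and never overlaps between the two groups.
// Assumed log format: ts client method url status body_sha256 "user-agent".

const IOC_DOMAINS = new Set(["googletrackmanager.com"]); // from the article's IoC table

const LOG_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$/;

// Constructed sample lines; "h-..." stands in for a real SHA-256 of the body.
const SAMPLE_LOG = [
  '2019-09-10T10:01:02Z 10.0.0.5 GET https://www.googletagmanager.com/gtm.js?id=GTM-TEST 200 h-gtm "Mozilla/5.0 (Windows NT 10.0) Chrome/76.0"',
  '2019-09-10T10:01:03Z 10.0.0.5 GET https://googletrackmanager.com/gtm.js 200 h-desktop "Mozilla/5.0 (Windows NT 10.0) Chrome/76.0"',
  '2019-09-10T10:02:10Z 10.0.0.9 GET https://googletrackmanager.com/gtm.js 200 h-mobile "Mozilla/5.0 (Linux; Android 9) Mobile Chrome/76.0"',
  '2019-09-10T10:02:11Z 10.0.0.9 GET https://googletrackmanager.com/gtm.js 200 h-mobile "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4) Mobile/15E148 Safari"',
  '2019-09-10T10:03:00Z 10.0.0.7 GET https://cdn.example.test/history_setter.js 200 h-lib "Mozilla/5.0 (Windows NT 10.0) Chrome/76.0"',
  '2019-09-10T10:03:05Z 10.0.0.8 GET https://cdn.example.test/history_setter.js 200 h-lib "Mozilla/5.0 (Linux; Android 9) Mobile Chrome/76.0"',
];

function parseLogLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  const [, ts, client, method, url, status, bodyHash, ua] = m;
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
  return { ts, client, method, url, host, status: Number(status), bodyHash, ua };
}

// Coarse desktop/mobile split; enough to reproduce the cloaking check.
function isMobileUA(ua) {
  return /\b(Android|iPhone|iPad|Mobile)\b/i.test(ua);
}

function analyzeLogs(lines) {
  const iocHits = [];
  const byUrl = new Map(); // url -> { desktop: Set(hash), mobile: Set(hash) }
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    if (IOC_DOMAINS.has(rec.host)) iocHits.push(rec);
    if (rec.status !== 200) continue; // only compare bodies that were actually served
    const bucket = byUrl.get(rec.url) || { desktop: new Set(), mobile: new Set() };
    (isMobileUA(rec.ua) ? bucket.mobile : bucket.desktop).add(rec.bodyHash);
    byUrl.set(rec.url, bucket);
  }
  const cloaked = [];
  for (const [url, b] of byUrl) {
    if (b.desktop.size === 0 || b.mobile.size === 0) continue; // need both views
    const shared = [...b.mobile].some((h) => b.desktop.has(h));
    if (!shared) cloaked.push({ url, desktop: [...b.desktop], mobile: [...b.mobile] });
  }
  return { iocHits, cloaked };
}

const report = analyzeLogs(SAMPLE_LOG);
console.log(`IoC hits: ${report.iocHits.length}`);
for (const c of report.cloaked) {
  console.log(`cloaked: ${c.url} desktop=${c.desktop.join(",")} mobile=${c.mobile.join(",")}`);
}
```

The cloaking check only fires when a URL has been fetched from both client classes, so it is a good fit for a periodic job over a day's proxy logs rather than a per-request rule; a body hash column is something most proxies do not emit by default and would have to be added from an inline inspection device or a periodic re-fetch.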

Figure 3. The different scripts downloaded from the skimmer URL for desktop and mobile

The credit card skimmer is designed to steal data from payment forms. The skimmer hooks its function to the JavaScript events “submit” and “click,” which are usually triggered when people submit a payment or a booking. When the hooked event is triggered, the skimmer will check if the browser debugger is closed. Then it copies the name and value from any “input” or “select” HTML element on the booking page. In this case, the gathered information includes names, email addresses, telephone numbers, hotel room preferences, and credit card details.

The copied information is encrypted using RC4 with a hardcoded key: “F8C5Pe4Q”. Next, the skimmer generates a random string and uses it to XOR-encode the encrypted data a second time. The result is sent via HTTP POST to the remote URL “https://googletrackmanager[.]com/gtm.php?id=” with the generated random string appended as the id parameter. Upon receipt of the information, the attacker can then decrypt the data and collect the credit card information.

Figure 4. Credit card skimmer code to steal information from hotel booking page

Magecart replaces the original booking page with a fake one

Although the skimmer itself is not unique, we found that it removes the original credit card form on the booking page and injects another one prepared by the threat actor. We theorize two possible reasons for this. The first is that some hotels don’t ask customers to make online payments but instead ask them to pay at the hotel upon arrival. In cases like this, the booking form asks for credit card information but without the CVC number. To ensure that all credit card information is captured, the attacker replaces the original form with one that contains a CVC field.

The second possible reason is that, sometimes, the booking page hosts the credit card form on a different domain inside an HTML iframe element to make it more secure. In this scenario, a regular JavaScript skimmer cannot copy the data inside the secure iframe. Therefore, the attacker removes the iframe of the secured credit card form and injects their own form so the skimmer can copy the information.
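Both form-replacement tricks described above change the page's DOM in ways a first-party script can watch for: the payment provider's iframe disappears, a form asking for card number, expiry and CVC appears, and a script element is loaded from an origin the page never allowlisted. The following is an added example, not code from Roomleader, the hotel sites or Trend Micro; the first-party origin, the payment-provider origin and the report endpoint are constructed placeholders. The pure functions take plain node descriptors so they run under Node.js; the MutationObserver wiring at the bottom only runs in a browser.

```javascript
// Added example (not the hotel sites' or Roomleader's code): an in-page
// integrity guard for a booking page whose card form lives in a payment-provider
// iframe. It flags the three DOM changes the article describes: a <script> loaded
// from an origin outside the allowlist, removal of the payment iframe, and
// insertion of a form that asks for card data (number, expiry, CVC).
// Origins below are constructed placeholders for this example.

const FIRST_PARTY_ORIGIN = "https://booking.example-hotel.test";   // constructed
const PAYMENT_FRAME_ORIGIN = "https://pay.example-psp.test";       // constructed
const ALLOWED_SCRIPT_ORIGINS = new Set([
  FIRST_PARTY_ORIGIN,
  "https://www.googletagmanager.com", // the real GTM origin the skimmer URL imitates
]);

// Field names / autocomplete tokens that indicate card data is being collected.
const CARD_FIELD_RE = /(card.?(number|num)|\bpan\b|cvc|cvv|csc|expir|cc-(number|exp|csc))/i;

// Node descriptor shape: { tag, src?, fields? } with fields = [{ name, autocomplete }]

function scriptOriginAllowed(src) {
  let origin;
  try { origin = new URL(src, FIRST_PARTY_ORIGIN).origin; } catch (e) { return false; }
  return ALLOWED_SCRIPT_ORIGINS.has(origin);
}

function isPaymentIframe(node) {
  if (node.tag !== "iframe" || !node.src) return false;
  try { return new URL(node.src).origin === PAYMENT_FRAME_ORIGIN; } catch (e) { return false; }
}

function looksLikeCardForm(node) {
  if (node.tag !== "form" || !Array.isArray(node.fields)) return false;
  const hits = node.fields.filter((f) => CARD_FIELD_RE.test(`${f.name || ""} ${f.autocomplete || ""}`));
  return hits.length >= 2; // number plus expiry or CVC, not a lone cardholder-name field
}

// mutation = { added: [descriptor...], removed: [descriptor...] } -> list of alerts
function auditMutation(mutation) {
  const alerts = [];
  for (const n of mutation.removed || []) {
    if (isPaymentIframe(n)) alerts.push({ kind: "payment-iframe-removed", src: n.src });
  }
  for (const n of mutation.added || []) {
    if (n.tag === "script" && n.src && !scriptOriginAllowed(n.src)) {
      alerts.push({ kind: "unexpected-script", src: n.src });
    }
    if (looksLikeCardForm(n)) alerts.push({ kind: "card-form-injected" });
  }
  return alerts;
}

// Browser wiring: turn real DOM mutations into descriptors and report alerts.
// "/integrity-report" is a hypothetical first-party collector endpoint.
if (typeof MutationObserver !== "undefined" && typeof document !== "undefined") {
  const describe = (el) => {
    // A fake form is often injected wrapped in a container, so look inside too.
    const form = el.tagName === "FORM" ? el : el.querySelector("form");
    return {
      tag: form ? "form" : el.tagName.toLowerCase(),
      src: el.src || "",
      fields: form
        ? [...form.querySelectorAll("input,select")].map((i) => ({ name: i.name, autocomplete: i.autocomplete }))
        : undefined,
    };
  };
  new MutationObserver((records) => {
    for (const r of records) {
      const alerts = auditMutation({
        added: [...r.addedNodes].filter((n) => n.nodeType === 1).map(describe),
        removed: [...r.removedNodes].filter((n) => n.nodeType === 1).map(describe),
      });
      for (const a of alerts) {
        console.warn("integrity alert", a);
        navigator.sendBeacon("/integrity-report", JSON.stringify(a));
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

A guard like this is a detection layer, not a prevention one: a script that has already been injected into the page can remove the observer. The enforcement counterpart is a Content-Security-Policy whose script-src allowlist contains only the first-party and GTM origins, which would have refused the loader's request to the look-alike domain; the observer then mainly reports form tampering and policy gaps.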

Figure 5. The original credit card form (above) from the hotel website and the injected form (below) from the skimmer

Figure 6. The skimmer script used to remove the original form from the booking page and replace it with the fake one

To make it seem more legitimate, the attacker also prepared credit card forms in eight languages: English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch. These languages match the languages supported by the targeted hotel websites. The skimmer will check which language the customer is using for the website and inject the corresponding fake credit card form into the page.

Figure 7. The eight languages of the fake credit card form inside the skimmer

We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.

Conclusion

Recent incidents involving credit card skimmers like Magecart emphasize the need for businesses to secure their websites from potential compromise by implementing security best practices, which include regularly updating software to the latest versions and segregating networks to ensure that as little customer data as possible is exposed.

Furthermore, users can consider using payment systems such as Apple Pay and Google Pay, which offer additional authentication methods — minimizing the chance that attackers will be able to use the credit card even if they manage to collect the card’s details.

The following Trend Micro solutions protect users and businesses by blocking the scripts and preventing access to the malicious domains:

Indicators of Compromise (IoCs)

SHA-256 hash: ac58602d149305bd2331d555c15e6292bd5d09c34ade9e5eebb81e9ef1e7b312 | File name: gtm.js | Details: Credit card skimmer | Detection name: TrojanSpy.JS.MAGECART.B
URL: googletrackmanager[.]com | Details: Magecart domain

With special thanks to our colleagues at abuse.ch and The Shadowserver Foundation for helping to take down the Magecart domain

The post Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites appeared first on .

Posted: 18 Sep 2019 | 4:52 am

Measuring up to the NIST Cybersecurity Framework: A Q&A with Matt Barrett

Read the Q&A with Matt Barrett, Chief Operating Officer of CyberESI, published on JUNTO by eRiskHub. Exchanging ideas on cyber risk & privacy liability

First introduced in 2014, the National Institute of Standards and Technology (NIST) CyberSecurity Framework (CSF) has since become a widely held best practice far beyond the commerce industry. To get some perspective on the framework and how it’s evolved over the past five years, we talked to Matt Barrett, who was the program manager for CSF. (Note: Barrett currently serves as COO for Cyber Engineering Services Inc (CyberESI), a cyber risk management firm.)

The post Measuring up to the NIST Cybersecurity Framework: A Q&A with Matt Barrett appeared first on CyberESI.

Posted: 28 Jun 2019 | 10:29 am

HiddenWasp Linux malware backdoor samples

Here are Hidden Wasp Linux backdoor samples.

Enjoy

Reference

Intezer HiddenWasp Malware Stings Targeted Linux Systems

Download

Download. Email me if you need the password (see in my profile)

File information (SHA-256, MD5, file type)

8914fd1cfade5059e626be90f18972ec963bbed75101c7fbf4a88a6da2bc671b
8f1c51c4963c0bad6cf04444feb411d7
shell

f321685342fa373c33eb9479176a086a1c56c90a1826a0aef3450809ffc01e5d
52137157fdf019145d7f524d1da884d7
elf

f38ab11c28e944536e00ca14954df5f4d08c1222811fef49baded5009bbbc9a2
ba02a964d08c2afe41963bf897d385e7
shell

e9e2e84ed423bfc8e82eb434cede5c9568ab44e7af410a85e5d5eb24b1e622e3
cbcda5c0dba07faced5f4641aab1e2cd
elf shared-lib

d66bbbccd19587e67632585d0ac944e34e4d5fa2b9f3bb3f900f517c7bbf518b
2b13e6f7d9fafd2eca809bba4b5ea9a6
64bits elf shared-lib

2ea291aeb0905c31716fe5e39ff111724a3c461e3029830d2bfa77c1b3656fc0
568d1ebd8b6fb17744d3c70837e801b9
shell

8e3b92e49447a67ed32b3afadbc24c51975ff22acbd0cf8090b078c0a4a7b53d
33c3f807caea64293add29719596f156
shell

609bbf4ccc2cb0fcbe0d5891eea7d97a05a0b29431c468bf3badd83fc4414578
71d78c97eb0735ec6152a6ff6725b9b2
tar-bundle gzip contains-elf

d596acc70426a16760a2b2cc78ca2cc65c5a23bb79316627c0b2e16489bf86c0
6d1cd68384de9839357a8be27894182b
tar-bundle gzip

0fe1248ecab199bee383cef69f2de77d33b269ad1664127b366a4e745b1199c8
5b134e0a1a89a6c85f13e08e82ea35c3
64bits elf

Posted: 3 Jun 2019 | 9:31 pm

Introducing Reneo

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings. The …

Posted: 27 Jun 2018 | 8:14 am

Freedome VPN For Mac OS X

Take a look at this:


F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.


On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am