Tag Archive for: credentials

GoldDigger Disguises as Fake Android App To Steal Banking Credentials


GoldDigger, a new Android Trojan, poses as a legitimate Android application and has been found spoofing both a Vietnamese government portal and a local energy provider.

This Trojan has been active since at least June 2023. Its primary objective is stealing banking credentials.

It abuses the Accessibility Service to steal personal data, intercept SMS traffic, and perform other actions on the user's behalf. The Trojan can also be controlled remotely.

Researchers from Group-IB’s Threat Intelligence team discovered this Android Trojan targeting Vietnamese financial institutions. Three Android Trojans, including GoldDigger, are now operating in the Asia Pacific.



Tactics Of The GoldDigger Trojan

One of GoldDigger's key characteristics is its sophisticated protection layer. The Trojan is packed with Virbox Protector, a commercial application-protection solution, which significantly hinders static and dynamic malware analysis and helps it evade detection.

Banking Trojans’ primary objective is to infect as many devices as they can and access user accounts.

[Figure: GoldDigger's TTP]

The "Install from Unknown Sources" setting is disabled by default on all Android devices, which prevents the installation of apps from unofficial sources. Only when it is enabled can APKs be installed from sources other than the Google Play Store.

To download and install GoldDigger, the "Install from Unknown Sources" setting must therefore be turned on on the victim's device.

[Figure: Fake website distributing GoldDigger]

When run, the GoldDigger Trojan prompts the user to enable the Accessibility Service. Android's accessibility features are designed to make mobile devices easier to use for people with disabilities.

These services include speech-to-text,…

Source…

Salesforce Zero-Day Exploited to Phish Facebook Credentials


Attackers were recently spotted exploiting a zero-day flaw in Salesforce's email and SMTP services in a sophisticated phishing campaign aimed at stealing the credentials of Facebook users.

Guardio researchers detected attackers sending targeted phishing emails from @salesforce.com addresses using legitimate Salesforce infrastructure. An investigation revealed that they had exploited a Salesforce email-validation flaw to hide behind the domain's trusted status with both users and email security controls.

The sender of the emails claimed to be “Meta Platforms,” and the messages included legitimate links to the Facebook platform, further bolstering legitimacy.

"It's a no-brainer why we've seen this email slipping through traditional anti-spam and anti-phishing mechanisms," Guardio Labs' Oleg Zaytsev and Nati Tal noted in the post. "It includes legit links (to facebook.com) and is sent from a legit email address of @salesforce.com, one of the world's leading CRM providers."

A button in the messages directed recipients to a legitimate Facebook domain, apps.facebook.com, where the content had been altered to tell them they had violated Facebook's terms of service. From there, another button led to a phishing page that collected personal details, including full name, account name, email address, phone number, and password.

Nonetheless, “there is no evidence of impact to customer data,” Salesforce told Guardio. The flaw, meanwhile, has been fixed.

Abuse of Discontinued Facebook Games

On the Facebook side, the attackers abused apps.facebook.com by creating a Web app game, which allows customized canvases. Facebook has discontinued the ability to create legacy game canvases, but existing games developed before the feature was retired were grandfathered in. It appears that the attackers abused access to these accounts, the researchers said.

In doing this, they could “insert malicious domain content directly into the Facebook platform — presenting a phishing kit designed specifically to steal Facebook accounts including two-factor authentication (2FA) mechanism bypasses,” the researchers said, adding that Facebook parent Meta “quickly removed the…

Source…

S’pore police: Don’t download files from unknown sources on phones, risks of losing private pics & vids, banking & social media credentials real – Mothership.SG



The Singapore police and the Cyber Security Agency of Singapore (CSA) have issued an advisory reminding the public of the dangers of downloading files from unknown sources, which can lead to malware being installed on victims' mobile devices.

This may result in confidential and sensitive data, such as banking credentials, being stolen.

Don’t download things from sketchy sources

The advisory said malware may infect mobile devices through various means, including downloading free software from unknown sources, opening unknown email attachments and visiting malicious websites.

Users should also be wary if they are asked to download unknown or suspicious Android Package Kit (APK) files onto their mobile devices.

These files may carry seemingly genuine names, such as GooglePlay23Update.apk or GooglePlay.apkUpdate.apk.

These are not official APK files released by Google, even though their names reference "GooglePlay", the advisory warned.

Plenty of risks

Upon installation of the mobile malware, users’ mobile devices may be exposed to the following risks:

• Significant decline in the mobile devices’ performance

• Unauthorised access to the mobile devices' systems/data, allowing attackers to remotely control infected devices and possibly resulting in loss of user control

• Unauthorised installation or uninstallation of applications

• Interception of SMSes

• Receipt of unwanted push notifications or warnings

• Exfiltration of confidential and sensitive data stored on infected mobile devices, such as banking credentials, stored credit card numbers, social media account credentials, and private photos and/or videos, among other information.

Attackers can use such information to gain unauthorised access to users' social media accounts to perpetrate impersonation scams, or to perform fraudulent financial transactions that result in reputational and monetary losses.

Prevention methods

Members of the public are advised to take the following steps to ensure that their mobile devices are adequately protected against malware:

• Only download and install…

Source…

Credentials theft behind high-profile Medibank hack – Security


Australia's largest health insurer, Medibank, was breached through credential theft: the attackers used stolen login details to access its network.

In an ASX filing for its 2023 half year results, the insurer said [pdf] that its systems were accessed through a stolen Medibank username and password.

That login belonged to an unnamed third-party IT services provider working for Medibank.

With the stolen credentials in hand, the attacker entered Medibank's network through a misconfigured firewall appliance, which "did not require an additional digital security certificate," the insurer said.

Once inside the network, the attacker was able to move laterally and capture further user credentials, gaining free access to more of Medibank's systems.

The insurer discovered the intrusion within 24 hours of it taking place, but was unable to prevent the copied data from being leaked on the internet.

The Russia-linked ransomware group REvil is thought to be behind the attack, in which the sensitive information of 9.7 million current and former Medibank customers was exposed after the insurer refused to pay the extortionists.

Australia’s prime minister Anthony Albanese is a Medibank customer, although it is unclear whether his data was included in the breach.

In its half year 2023 results, Medibank attributed a cost of $26.2 million to the cyber crime attack.

Medibank said that it has since ensured that firewall authentication is configured properly across its entire network.

Existing monitoring, detection and forensics capabilities have been bolstered, and Operation Safeguard testing of customer-facing platforms has been carried out with security experts from Microsoft.

Medibank contact centres have also introduced two-factor authentication (2FA) to improve security for customers calling for support.

The insurer is under investigation by the Office of the Australian Information Commissioner, and Medibank has commissioned professional services firm Deloitte to conduct an external review, which is currently ongoing.

Source…