Tag Archive for: Hiding

Ex-Uber security chief convicted of hiding hack from federal regulators


On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

Sullivan’s legal team did not immediately provide comment for Ars, but one of his lawyers, David Angeli, told NYT how Sullivan received the verdict. “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Angeli told the paper. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet.”

When Sullivan first learned of the second data breach, he disguised the illegal activity by paying the hackers through Uber’s bug bounty program. Uber had just announced the program in March 2016 in coordination with HackerOne, a widely used security firm whose company values urge executives like Sullivan to “default to disclosure” and ask “why keep this private?” instead of “why make this public?” It took less than a year for Sullivan to use HackerOne’s bug bounty program as a way to avoid disclosing a hack.

HackerOne did not immediately respond to Ars’ request for comment. [Update: A HackerOne spokesperson told Ars, “HackerOne has made the executive decision not to comment.”]

The Times report suggested that Sullivan’s conviction could change how all companies manage data breaches in the future.

Uber did not provide comment to NYT or Ars. Previously, an Uber spokesperson directed Ars to a blog post in which Uber CEO Dara Khosrowshahi discussed how the…


Hackers may be hiding in plain sight on your favorite website


Security researchers have detailed how domain shadowing is becoming increasingly popular for cybercriminals.

As reported by Bleeping Computer, analysts from Palo Alto Networks (Unit 42) revealed that they came across over 12,000 such incidents in just a three-month period (April to June 2022).


An offshoot of DNS hijacking, domain shadowing provides the ability to create malicious subdomains by infiltrating legitimate domains. As such, shadowed domains won’t have any impact on the parent domain, which naturally makes them difficult to detect.

Cybercriminals can subsequently use these subdomains to their advantage for various purposes, including phishing, malware distribution, and command and control (C2) operations.

“We conclude from these results that domain shadowing is an active threat to the enterprise, and it is hard to detect without leveraging automated machine learning algorithms that can analyze large amounts of DNS logs,” Unit 42 stated.

Once threat actors have obtained access, they could breach the main domain itself and its owners, or directly target that website's users. Instead, they have had more success luring victims through the subdomains, a method that also leaves the attackers undetected for much longer.

Because domain shadowing is so subtle, Unit 42 noted that detecting actual incidents and compromised domains is difficult.

In fact, the VirusTotal platform identified just 200 malicious domains out of the 12,197 domains mentioned in the report. The majority of these cases are connected to an individual phishing campaign that uses a network of 649 shadowed domains via 16 compromised websites.


The phishing campaign revealed how the aforementioned subdomains displayed fake login pages or redirected users to phishing pages, which can essentially circumvent email security filters.

When a user visits the subdomain, they are asked for their Microsoft account credentials. Even though the URL is not an official one, no warnings are shown, because internet security tools cannot distinguish the fake login page from a legitimate one.

One of…


FBI: Beware Residential IPs Hiding Credential Stuffing


Cyber-criminals are increasingly hijacking home IP addresses to hide credential stuffing activity and increase their chances of success, the FBI has warned.

Credential stuffing is a popular method of account takeover whereby attackers use large lists of breached username/password ‘combos’ and try them across numerous sites and apps simultaneously to see if they work. As many individuals reuse their credentials, they often do.

Working credentials can then be sold to others for initial access. The FBI and Australian Federal Police claim to have found two websites containing over 300,000 unique sets of credentials obtained via credential stuffing. The sites had over 175,000 registered customers and made over $400,000 in sales, the FBI said.

However, website owners can detect this suspicious activity if they know what to look for. This is where residential proxies come in. By compromising home routers or other connected technology, attackers can route their efforts through benign-looking IPs to trick network defenders.

“In executing successful credential stuffing attacks, cyber-criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal,” the FBI said in its Private Industry Notification.

“Existing security protocols do not block or flag residential proxies as often as proxies associated with datacenters.”

As well as combo lists, malicious actors buy configurations, or ‘configs,’ and other tools on underground sites to help improve success rates.

“The config may include the website address to target, how to form the HTTP request, how to differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc,” the notice explained.

“In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.”

The FBI recommended a multi-layered approach to mitigate the threat of credential stuffing.

A report from May last year claimed there were 193 billion credential stuffing attempts during…


13 cleaner apps caught hiding malware on the Google Play Store


Between thousands of photos, shared videos and information-intensive applications, your mobile phone’s internal storage can fill up quickly. And if you aren’t sure what is using up the most space, it often involves sifting through the settings to find the culprits.

However, there are a few apps that can do that for you. They scan all the folders, browser cache, system files and games to determine where you can free up some real estate. Many of these apps are helpful, but some only pretend to clean up your device.

Read on for 13 dangerous apps recently found to be hiding malware.

Here’s the backstory

McAfee’s Mobile Research Team found several apps on the Google Play Store that aren’t what they seem. The apps promote themselves as mobile cleaners, promising to remove junk and unused files so your Android device can run smoother.

But instead of doing that, the apps hide malware and continuously show advertisements on the infected device. Furthermore, you don’t need to open the app for the malicious code to start working, as simply downloading it to your phone is enough to trigger it.

According to McAfee, some of the apps hide on the infected device by changing their icon and name to something familiar. The built-in automatic advertising is so aggressive that it pops up every time you install, uninstall, or update apps.

Here’s a list of the malicious apps, grouped by number of downloads:

  • Junk Cleaner (1 million downloads)
  • Keep Clean
  • Full Clean – Clean Cache
  • Quick Cleaner
  • Power Doctor (500,000 downloads)
  • Windy Clean
  • Cool Clean
  • Super Clean
  • Fingertip Cleaner
  • Strong Clean
  • EasyCleaner (100,000 downloads)
  • Carpet Clean
  • Meteor Clean

What you can do about it

In most cases, Google acts quickly when malicious applications appear on the Play Store, removing them before they spread too widely. But don’t leave cybersecurity up to Big Tech. You also need to take precautions on your own.

Here are some tips on how to stay safe:

  • Before downloading an app, check the reviews to see what others say about it. If it has a relatively low…
