Hackers | Message Mirroring Apps

Can Hackers use Message Mirroring Apps to Bypass Security?

Forty years ago, the world was a safer and slower place. The internet was still in its infancy, and the need for online security would have featured low on a business’s to-do list. Fast forward to 2021, where online security, data storage and protection are now a priority, and message mirroring apps are another security concern altogether.

Passwords vs 2FA

Most businesses make use of passwords as a means of protection but in this digitised environment a single password security system is all too easy to bypass.

Almost 80% of hacking-related breaches are attributed to weak and compromised credentials. Hence the need for two-factor authentication (2FA), which provides an extra layer of security that works in conjunction with your username and password.

However, as with everything internet related, would-be hackers aren’t thwarted for long. Any hacker worth his weight in technical exploitation can develop ways of bypassing 2FA via the single-use access codes sent by SMS to a smartphone.

Attack of the Androids

Hackers can also bypass SMS-based 2FA remotely by gaining access to the user’s email and password combination connected to a Google account. They then install a readily available message mirroring app onto the phone via Google Play.

This form of attack is made easy as people tend to be creatures of habit, using the same login details and passwords for many of their online services. Unfortunately, this type of online behaviour increases the risk of being hacked.

Once the message mirroring app is installed, the attacker reverts to good old-fashioned trickery and, posing as the service provider, influences the victim to grant the relevant app permissions. The hacker now has full access to their communications and SMS one-time passcodes used for 2FA.

Although several conditions have to be fulfilled for this kind of attack to work, it demonstrates that SMS-based 2FA methods do have their weaknesses. This form of attack doesn’t require much more than an above-average knowledge of how apps work, coupled with a bit of social engineering.

Imagine how real the threat would be if a trusted person with access to your smartphone orchestrated this type of attack.

How Can You Protect Yourself From Message Mirroring Apps?

  • Utilise a Password Manager – This makes your username/password combination more secure
  • Limit the use of SMS as a 2FA method – Use app-based one-time codes generated in apps such as Google Authenticator
  • Use dedicated hardware devices such as YubiKey – USB devices that enable 2FA across different services

Aside from using password managers and implementing alternative authentication methods, make sure that your data is backed up and stored securely in the cloud.

Spotify Users Taken for a Song by Credential Stuffing Op

If you’re a Spotify user and have experienced some disruption with your account access, you may have been taken for a song by a credential stuffing op that was recently in full swing.

Not too long ago, a research team stumbled across an open Elasticsearch database jam-packed with more than 72GB of data containing over 380 million records of individuals’ sensitive information. The login information and user data found on this particular database was actively being verified on Spotify when it was found. The reality of the situation is that an unscrupulous hacker was using the database to store Spotify login credentials that were obtained illegally from other sources through a hacking process known as “credential stuffing”.

Using the Same Password Can Lead to Credential Stuffing

At this point, the question begs to be asked: what on earth is “credential stuffing”?

Credential stuffing is a cyberattack used to steal the user names, emails and passwords of user accounts through large-scale automated login requests. This type of attack is aimed at people who use the same password for multiple services and accounts.

Typically, the hacker will obtain the ID and password from one source. In most instances, it is from a data breach on a company website. The hacker then uses that user name and password to gain access to other accounts used by the individual by using automated scripts. One big brand that has fallen victim to such a hacking attack is North Face.
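The defining feature of credential stuffing, as described above, is one source firing many different leaked username/password pairs at a login endpoint and collecting the few that work. That pattern is visible in authentication logs. The following is an added example (not from the original post) of detection logic run over a few constructed log lines: it flags a source address that tries many distinct usernames with mostly failures inside a short window, and lists the accounts that did log in from that source so they can be force-reset, which is the kind of response Spotify took. The log format, thresholds and window size are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example: "<iso-timestamp> src=<ip> user=<name> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample lines (not from any real system). One source tries eight different
# usernames in four seconds and gets one hit; a legitimate user mistypes once, then succeeds.
SAMPLE_LOG = """\
2020-11-20T10:00:01 src=198.51.100.7 user=alice result=fail
2020-11-20T10:00:01 src=198.51.100.7 user=bob result=fail
2020-11-20T10:00:02 src=198.51.100.7 user=carol result=ok
2020-11-20T10:00:02 src=198.51.100.7 user=dave result=fail
2020-11-20T10:00:03 src=198.51.100.7 user=erin result=fail
2020-11-20T10:00:03 src=198.51.100.7 user=frank result=fail
2020-11-20T10:00:04 src=198.51.100.7 user=grace result=fail
2020-11-20T10:00:04 src=198.51.100.7 user=heidi result=fail
2020-11-20T10:00:10 src=203.0.113.9 user=alice result=fail
2020-11-20T10:00:15 src=203.0.113.9 user=alice result=ok
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.3):
    """Flag source IPs that, within `window`, attempt at least `min_users` distinct usernames
    with a low success ratio. Thresholds are assumptions; tune them to your own traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, best = 0, None
        for end in range(len(attempts)):                 # sliding window over this IP's attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(in_window), "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: treat as compromised."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("suspected credential stuffing sources:", hits)
    print("accounts to force-reset:", accounts_to_reset(evts, hits))
```

The single successful login from the flagged source is the one that matters most: it is a reused password that the attacker has now confirmed, so that account gets reset regardless of the user not having noticed anything.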

Spotify’s Action Against the Credential Stuffing Attack

When the research team who found the database with stored credentials on it approached Spotify, it was discovered that the database belonged to a group or individual who was using it to defraud Spotify.

The company had to act quickly to protect its users and render the stored information on the illegal database useless, so it rolled out a company-wide (and user-wide) password reset. As many as 350 000 Spotify users were impacted by the attack, which is considered a minor impact when you take into account that nearly 300 million users make use of the service on a monthly basis.

What Is the Real Risk to You?

If you are thinking that a credential stuffing attack doesn’t really affect you, think again. You might not be a Spotify user, but perhaps you use a variety of other online services. Are your user names and passwords unique for each of those accounts? If not, you are at risk.

Statistics show us that credential stuffing used in conjunction with automated attacks (referred to as account takeover attacks) has increased by a massive 72% in the last 12 months alone. Why? Because it works for the hacker, and because many people don’t take the risk and warning seriously until it directly impacts them. Don’t wait to become a victim! Take action now.

What to Do

The first step is to make a list of all of your online accounts and services along with their user names and passwords. If any of them are using the same combinations of user names and passwords, change them! You must use a strong and unique password on each and every one of your online services and accounts.

Activating multi-factor authentication is also a really good step in the right direction.

Last Word

If you are a Spotify user, it’s a good safety precaution to change your password as soon as possible. Also, spend some time reviewing your current passwords and commit to changing them regularly.

Have you been impacted by a credential stuffing attack before? Let us know – we would love to hear about your personal experiences!

The Experian Experience data breach & New Protection Laws

The recent Experian Experience data breach is no secret. The cat is out of the bag! Over a million South Africans were notified of the data breach, which took place in July 2020. On the 19th of August 2020, SABRIC announced that Experian’s data breach put the personal data of 24 million South Africans and over 790,000 businesses in jeopardy.

How Did it Happen?

It turns out that Experian unwittingly provided financial details to a South African individual fraudulently acting as a representative of one of their legitimate financial customers. The company then provided the individual with sensitive information in May 2020. In July 2020, the fraud was brought to light and the company took immediate preventative action and will be taking legal action too.

How Things Played Out

The real question is whether or not Experian has been downplaying the situation.

The company’s latest statement informed the public that Experian was not hacked as many had presumed. They also advised that no financial information had been compromised.

Data that the fraudster may have gained access to includes email addresses, ID numbers, home addresses, work information, and full names. While financial information was not provided, a fraudster could still use this information for identity theft purposes giving them deeper access to financial data.

The Legalities

According to the new Protection of Personal Information Act (POPI) recently instated, Experian was required to notify the Information Regulator as soon as it became aware of the fraud. The company is also meant to notify any individual whose personal information has been compromised. Experian failed on both of these fronts.

The new POPI act sets in place a series of rules and guidelines that assist companies to adopt a swift data breach response plan so that they can quickly determine what information has been lost, where that data sits and who has been affected. As soon as a company experiences a breach, as part of a POPI compliance exercise they should act immediately and to the letter.

Unfortunately, even though South Africa has the POPI act, there is currently no regulatory law in the country concerning cybercrime. The Cybercrimes Bill which was passed in July still awaits Cyril Ramaphosa’s approval. This new Bill will impose stricter laws on reporting data breaches when they happen.

The Conclusion

While the Experian data breach dust settles, we hope that we are not simply waiting to see who will be next! Hopefully, the hackers will give South African people and businesses a break for a while – let’s work together by following regulations to keep them at bay, and encrypting and backing up our data so that it’s not an easy target.

Garmin Goes Down in Ransomware Attack

Just a few weeks ago, the news hit disgruntled Garmin users that Garmin Connect was “down”. The attack against wearable device maker Garmin, which happened on the 23rd of July 2020, affected the company’s online services, including website functionality, customer support services, client apps, and the company’s communication channels.

Garmin has a product line that includes GPS navigation with wearable technology for the outdoor, fitness, marine and aviation markets. The result of the hack was a lot of Garmin users without access to their regular services.

How did Garmin go down?

Garmin was hit by Evil Corp’s WastedLocker ransomware. Many people have been hit by similar ransomware attacks in their personal capacity. Unfortunately, cybercriminals have found targeting individuals fruitless and so have started targeting large corporations, where there’s limited time to tinker around trying to find a solution.

Garmin was a hot target and the hackers got it right. They set about encrypting a large portion of the company’s systems and services resulting in Garmin being offline for several days. Enough time for people to notice and start complaining.

The Good News for Garmin Users

Garmin users seem to have struck it lucky as their user data and personal particulars don’t seem to have been affected. And now that Garmin services and functions have been restored, all services seem to be up and running as before.

The Big Question: How Did Garmin Solve the Problem?

The big question that needs to be asked is how Garmin went about solving the problem. The ransomware attack was no different from others before it. Systems and data were encrypted, and a ransom was demanded in exchange for the return of systems to normal.

So, just what did Garmin do to get its data back? The jury is still out on that one!

With no official word from Garmin, rumours abound, including the source of the attack, and it is believed that Garmin did indeed pay the ransom using cyber response firm, Arete IR to enable the decryption key that was used to restore services.

It is also alleged that Garmin first approached another cyber response firm to help settle the ransom but was turned away because the company behind the WastedLocker attack, Evil Corp (Russian hackers) is currently on a US sanction list. This means that it is forbidden to make transactions to this company, regardless of the reasons.

While Sky News gave both Garmin and Arete the opportunity to confirm or deny that a payment was in fact made to Evil Corp, both declined to do so. Instead, Arete is on record disputing that WastedLocker is Evil Corp, saying rather that it was only developed by Evil Corp, and that even the evidence for that is inconclusive.

If Garmin Paid the Ransom… the Precedent is Set!

All eyes are on Garmin to make a statement.

Paying a ransom, especially to a company on a US sanction list, is setting a poor precedent with ransomware hackers which can only serve to encourage cybercriminals.

As the days tick by, Garmin is under more pressure to present answers. As a listed company, their responsibility is to make public exactly how they handled the situation. Right now, we all just have to wait and see.

As a large tech company with many IT resources, Garmin still fell victim to a ransomware attack that ended up with them paying the ransom. If it can happen to Garmin, it can certainly happen to you too, and probably far easier.

What can you do?

Backup, backup, backup. Ensure that your employees are all properly trained and that you have all the necessary software on all of your devices. Don’t wait until you are a victim of a ransomware attack – do it now!

 

Pillow Talk – The Side-Channel Attack

It’s an accepted fact that no one would hand over their sensitive information and data to a stranger or criminal knowingly. But what if you’re doing just that each time you use your computer and are simply unaware of what information it’s spewing out, behind your back (or behind the scenes!)?

Let’s talk about what it is exactly that your computer might be doing behind the scenes, that may (in fact it will) lead to a side-channel attack.

What is a “Side-Channel Attack”?

A side-channel attack is quite simply your computer’s inability to keep a secret. Your computer might be giving away just a little too much information which to the average human would prove uneventful, but to a cybercriminal, is gold!

Side-channel attacks are quite smart in that a hacker can learn to read and make use of the little ‘tells’ and patterns in the information given off by every device.

Take, for example, the electrical emissions from your computer’s hard drive and monitor. The emissions differ depending on what the hard drive is processing or the screen is displaying, and they show up as variations in timing, power draw and sound. A side-channel attack by a clever hacker exploits these physical effects to recover secrets from the inputs and outputs of the algorithms.

Consider the burglar who uses a stethoscope to open a safe by listening for the telltale clues in the dial clicks. The unintentional tactile and acoustic clues given off by the safe’s mechanical physics are the same as a side-channel in your computer. Each uses different techniques to process and learn the secrets within.

The Modern Hacker is Smarter Than We Think!

Many people see online criminals as dodgy individuals who send out poorly worded emails complete with bad spelling, simply taking a chance and preying on the weak.

In reality, the modern hacker and online criminals are far smarter than that… in fact, they’re incredibly sophisticated these days.

Remember all those years of study that you put in to become an expert in your field and in preparation for your career? Well, a cybercriminal is constantly analysing and refining his ‘skills’, searching for new techniques to decrypt and steal data. This means that they are always getting better at getting what they want – which is usually your personal information and your hard-earned money!

Any information that is accidentally leaked can be used for evil deeds by a skilled hacker and this unintended information is being sent back and forth constantly. If the simple sound of a person typing in their banking particulars on a computer keyboard can reveal an inner layer, imagine how much more information can be acquired if a hacker gains access to your mobile phone microphone or camera.

How to Avoid Side-Channel Attacks

There are several ways that cybersecurity experts can help you to avoid a side-channel attack. In most instances, randomisation is used to ensure that the order of operations on data is constantly changing. Pre-charging registers and buses to minimise the generation of power-leakage signatures is also often used. Some companies go as far as processing regular dummy operations to worsen the signal-to-noise ratio that a cybercriminal has to work with.
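The simplest software ‘tell’ of the kind described above is timing: a password or token check that stops at the first wrong byte does a little more work the longer the correct prefix is, and that difference can be measured from the outside. As an added example (not code from the original post), the block below instruments two comparison routines so the amount of work is counted rather than timed, which makes the leak visible deterministically, and shows the constant-work form that the Python standard library’s `hmac.compare_digest` provides for real use. The token values are constructed for the example.

```python
import hmac


def leaky_compare(expected: bytes, candidate: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined).
    The work done depends on how many leading bytes match, which is the side channel."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined        # stops early: timing reveals position of first mismatch
    return True, examined


def constant_work_compare(expected: bytes, candidate: bytes):
    """Examines every byte regardless of where the mismatch is, so work does not depend on the secret.
    Returns (equal, bytes_examined); bytes_examined is always the full length for equal-length inputs."""
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    for a, b in zip(expected, candidate):
        diff |= a ^ b                     # accumulate differences instead of branching on them
    return diff == 0, len(expected)


def check_token(expected: bytes, candidate: bytes) -> bool:
    """What production code should actually call: the standard library's constant-time comparison."""
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    secret = b"s3cr3t-token-value"        # constructed value for the example
    for guess in (b"x3cr3t-token-value", b"s3cr3t-tokex-value", secret):
        print(guess, "leaky:", leaky_compare(secret, guess), "constant:", constant_work_compare(secret, guess))
```

Run stand-alone, the leaky routine reports 1 byte examined for a guess that is wrong in the first position and 12 for one that is wrong in the twelfth, while the constant-work routine reports the full length every time; that is the difference between a check that leaks how close a guess is and one that does not.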

It’s a good idea to ensure that you don’t actively store sensitive data on your device just in case a cyber-criminal gains access to it. Encrypted data backups can help with this. You should also make sure that your passwords are regularly changed and that you activate two-factor authentication, to ensure an extra wall of defence is in place.

Ready to start protecting your data and take the required steps to do so? Contact us at Soteria Cloud today.

Joburgers say “We Will Not Pay”, as City Uncovers Hacking Details

“We don’t negotiate with terrorists” is the type of thing you expect to hear in a fast-paced action movie. This, however, is the very same stance that the City of Johannesburg took with the “Shadow Kill Hackers”, who demanded 4 bitcoins (amounting to approximately half a million rand) from the City in October.

This is not the first time that the City of Johannesburg has been in the spotlight for security breaches; in fact, we covered news of a prior ransomware attack on Johannesburg back in August of 2019. If you live in the Johannesburg area, you might have been affected by this as the city shut down its website, all e-services, and call centre, as a precautionary measure after being alerted to the breach.

What happened in the Jo’burg City Hacking?

The self-named Shadow Kill Hackers contacted the City of Johannesburg and made their demands – 4 Bitcoins to be paid over to them by 5pm on 28th of October. The demands went on to say that if payment wasn’t made they would release all the data they had managed to retrieve from the City’s server on to the internet.

This is undoubtedly a valuable lesson to the City of Johannesburg, and all other municipalities about encryption.

The City of Joburg did not comply with the demands. They had another strategy in mind which involved investigation, improvement in system security, and following the letter of the law by letting the public know of the breach.

A great precedent was set by the response of the City, not only in the fact that it refused to concede to the ransom demand but also because it immediately set to work calling in experts to restore services and find out who was responsible for the disruption.

What’s the Final Solution?

Quite simply – the IT experts need to implement new, reliable systems. Major-General Sibiya, Head of Forensics, said that the Hawks have the case in hand and are making progress in interviewing various witnesses.

He also stated that the City is now aware of how the attack was executed, when it was carried out, and where. They are now properly aware of the vulnerabilities that the City of Joburg’s servers have, with experts working on upgrading the systems. In short, the City of Johannesburg has it under control!

How Can You Protect Yourself?

If you hear that one of your online service providers or digital service providers has been hacked or has suffered a breach, that’s your cue to take action. Make sure that your accounts are either deleted and reinstated or that you change all of your passwords to something completely dissimilar to the one that you had.

You would also be well advised to do a few credit checks in the months to follow, just to ensure that no fake identity has been created using your details and is racking up a huge bill! You also need to get in touch with the service provider to ascertain the severity of the attack and to confirm the status of the threat. If the service provider is dedicated to customer care and your safety, they will also provide you with a list of “next steps” for you to follow.

While a big congrats goes to the City of Johannesburg for handling the situation as best they could, this recent hacking still serves as a valuable lesson to businesses as well as the man on the street.

No one is ever completely safe from hacking

If it can happen to the City of Johannesburg, it can most certainly happen to you! Take the necessary precautions to protect yourself and your data and be sure that it is backed up regularly to the cloud.

Facebook accuses 2 Ukrainians of violating the Computer Fraud and Abuse Act

Two Ukrainian quiz makers using malware plugins to steal user data via Facebook and insert advertising into newsfeeds have recently been sued by Facebook!

Gleb Sluchevsky and Andrey Gorbachov, the two accused, have apparently been running their hacking setup for more than just a few years. In fact, between 2017 and 2018, they successfully targeted 63 000 Facebook users by offering them a horoscope or character popularity test in exchange for installing their browser plugins. Of course, these plugins were malicious.

It might seem harmless for a hacker to use such access to insert adverts on your newsfeed, but the risk comes when adverts that aren’t Facebook approved make their way onto your newsfeed. Most users intrinsically believe that an advert that they see on their Facebook feed is trustworthy and that it is approved by Facebook, when in fact, many of the ads are scams.

Just last year, 81 000 private user messages on Facebook were sold, and it appears that these same two Ukrainian hackers have been linked to the crime.

If you have ever done seemingly harmless Facebook tests similar to the following, you too could have been a victim to malicious plugins:

  • Who is your doppelganger from the past? (illustrated with a picture of Stalin and Lenin).
  • What is your intellectual age? (illustrated with an image of Einstein).
  • What animal are you?
  • What is the colour of your aura?
  • Do you have royal blood?
  • Do people love you for your intelligence or your beauty?

Facebook users who completed these tests were promised that only limited data was being collected when in reality, the browser plugins and extensions were used to gain access to their Facebook accounts and other social media platform accounts.

How the hackers got it right

In order for these hackers to use Facebook’s login feature for their elaborate scam, they would have to have been registered, approved developers. It was found after investigations that the hackers had opened developer accounts between 2016 and 2018 under the fake names of Amanda Pitt and Elena Stelmah.

These accounts and any associated fake accounts have since been removed by the Facebook team.

Facebook takes action!

After the Cambridge Analytica saga, Facebook seems to be taking a harder stance against breaches and security irregularities. The company spent a whopping $75 000 investigating this particular breach and has brought the following charges and accusations against Gorbachov and Sluchevsky.

  • Accessing data without express authorisation from Facebook and users
  • Fraud
  • Breach of contract due to misrepresentation as authorised Facebook developers.

Think twice before playing Facebook quiz games

The best way to protect yourself from becoming a victim is to avoid playing online quiz games, especially those that require you to log in via Facebook or another social media platform. Always be cautious about how and with whom you share your sensitive data and personal information.

Have you ever played an online quiz game? Now is the time to change your passwords, remove unnecessary browser extensions and plugins and start taking your personal data security more seriously by ensuring that your data is encrypted and backed up to the cloud. Ask us how. Our team of experts will be happy to advise you.

Infamous hacker in SA shuts down government website – Again!

Ever heard of @VirusSec on Twitter? If you haven’t, the account is owned by a notorious hacker who has once again targeted a government website to deliver a message.

What was the message? According to News24 who had direct contact from the hacker, the underlying point of the hack was to say that “the current South African government is greedy and it needs to change”.

@VirusSec made contact with News24 informing them of their decision to shut down a government website and what the point behind it was. Moments later, it was done!

Which website was targeted?

Ironically, it was cybersecurityhub.gov.za that the hacker attacked. This government website is designed to protect online South African businesses and citizens. While @VirusSec is not a South African, he/she/they (no one really knows!) claimed to have knowledge of the greedy government in South Africa.

Luckily for local South Africans, the general public was not the target, and so the personal and sensitive information of individuals has not been leaked.

@VirusSec’s Prior Offenses in South Africa

This is not the first time that @VirusSec has hacked a government website in South Africa. The very same hacker has also hacked the following websites:

  • Department of Environmental Affairs (August 2018).
  • The Presidency’s website (June 2018) – this hack was linked to distaste at the government’s involvement in the lion bone trade and at its allowing rhino horn auctions.

Cyber Security Hub’s View

According to News24, when cybersecurityhub.gov.za was contacted for comment, they intimated that the website was in working order and would only be available for comment once things had been confirmed with their hosting partner.

What do you think about the notorious hacker targeting South African government websites? Do you think that hackers have a role to play in getting the attention of the general population and the government if it doesn’t affect the security of the masses? We’d love to hear your thoughts.