Thursday, 24 April 2014

Android Trojan Virus: iBanking Malware ‘Qadars’ Targets Facebook Users via Webinjects

Cyber criminals have targeted millions of Facebook users through a sophisticated Android Trojan app that can bypass the two-factor authentication shield used by Facebook mobile users, says a Slovakian security firm.
ESET, an IT security firm, has identified a new variant of the banking Trojan ‘Qadars,’ which injects rogue JavaScript code into Facebook pages when accessed through an infected system’s browser.
The iBanking bot, once installed on a mobile phone, can spy on the user’s communications, redirect incoming voice calls, and even capture audio using the device’s microphone.
It is able to bypass mobile two-factor authentication, commonly called a mobile transaction authorization number (mTAN) or mToken, which several financial institutions use to verify and authorize banking transactions.
How it works:
Once the user logs into their Facebook account from a mobile phone, the malware injects a fake Facebook verification page that leads to the malicious Android application; the page asks for the user’s phone number and for confirmation that the phone or tablet runs Android.
Once the phone number is entered, the user is directed to an SMS verification step. The new SMS verification webpage also instructs users to download the application from the link provided in case they did not receive any message from Facebook.
Then, an installation guide directs the users to install the new application.
Once installed, the bot takes complete control of the phone.
A detailed infographic about the malware is presented by the ESET security community.
Jean-Ian Boutin, an ESET malware researcher, says, “The Trojan is able to intercept a webpage downloaded from a webserver, inspect it and inject new content into the page before showing it to the user. In the webinject configuration file I received, one of the targets was the Facebook website.”
Challenges:
This application was on sale in underground forums with a detailed explanation of how it works, according to independent researcher Kafeine.
The website selling the bot lists its features as:
  • Grabbing all information about the victim (Phone Number, ICCID, IMEI, IMSI, Model, OS)
  • Interception of incoming SMS messages and sending them to the web-panel and the control room.
  • Call forwarding to any number
  • Grabbing all incoming and outgoing SMS
  • Grabbing all incoming and outgoing calls
  • Grabbing contact books (names and numbers)
  • Recording audio and sending it to the server (to know what is happening around)
  • Sending SMS to any room without the owner’s knowledge
  • The application cannot be removed if the owner granted it administrator rights when installing.
  • Function to wipe the system to the factory settings (if admin rights). Our coders will easily finalize your desired functionality for you. Easy Web Panel:
  • Here is the socket to work with bots. Whoever wants to try it live, write, and we will do a test account.
  • http://www.tmn-security.pt/ris.JPG
  • A manual on the bot has been produced just for you:
  • http://www.tmn-security.pt/manual.pdf
RSA, an IT security company, recently tracked a forum that leaked the iBanking mobile bot control panel source code. The leaked files also included a builder that cyber criminals can use, in various configurations and combinations, to create unique, purpose-specific applications.
The security firm also noted that the web-based control panel of the bot provides its masters with complete control of the infected mobile device.
The researchers further note:
“This highlights the need for stronger authentication solutions capable of validating users’ identities using multiple factors including biometric solutions. The latter will also assist in reducing the dependency on conscious human intervention making social engineering attempts void.”
How to Bypass Heartbleed
Heartbleed has been called the biggest bug ever, exposing as much as one-third of all websites to data theft. Most of the big, mainstream websites and service providers, such as Google, Facebook, Yahoo and Microsoft, took immediate action, applied the patch and suggested that their users change their passwords immediately. However, because the Heartbleed bug’s impact has been huge, there are still a lot of websites that have not updated their security certificates. Changing passwords on these websites will not make you any safer, as the security hole has not been closed yet and your data, including your password, can be breached again. The following steps are suggested to protect your data.
Check if the bug has been fixed or not
The first logical step is to identify which websites and services have or have not patched the bug. You can check at the McAfee Heartbleed test website or use the Qualys scanner: enter the domain and the system will provide further details. Alternatively, a list is maintained and updated here by Digital Trends.
After you identify the websites that have applied the patch, change your passwords there. There is no point in changing passwords on websites that have not plugged the hole. The password itself should be chosen wisely, which is detailed next.
Two-factor authentication
Imagine if the service you use asked for an additional authentication factor, such as a code that is inaccessible to hackers, which you use alongside your regular password whenever you log in from an unfamiliar device. Even if the password is breached, the hacker cannot get into the site, since they do not have access to the codes or any other form of additional verification. This is called two-factor authentication, or 2FA. Normally, this second factor is a one-time code sent to the user through SMS. Although it can be a little inconvenient, the additional layer of authentication protects you immensely, and you probably do not use unfamiliar devices that often. However, not all service providers offer it. Check which providers use it and which do not through this website. The website also contains links to instructions on enabling it if a site supports 2FA.
Use password manager
No matter how hard you try, it is very difficult to create a unique and strong password for each service that you use, which is highly recommended, and still remember them all easily. Thus we need something that can remember all the passwords for us. In other words, we need a password manager. A password manager keeps track of all your unique passwords, assists you with automatic logins, and, if a big security issue arises, makes it very manageable to change passwords. There are many good password managers out there, but only LastPass, RoboForm, Norton Identity Safe, and 1Password are recommended here, as they are reliable.
However, taking all the above-mentioned steps does not guarantee 100% safety, but it does provide a better shield in case of an attack. Hackers and their techniques are becoming more sophisticated, and our reliance on web-based services is ever increasing. Thus, the breaches of the future could be more catastrophic than ever.

Jailbroken iPhones are being targeted by an active malware campaign, stealing passwords

A malware campaign has been unearthed by security researcher Stefan Esser after many users of jailbroken iPhones and iPads posted on Reddit that their devices crashed repeatedly after installing unofficial tweaks through a third-party app store called ‘Cydia’, which serves the market of jailbroken Apple devices.
According to Stefan Esser, the purpose of the malware is to get information about Apple ID from jailbroken iPhones and iPads. The malware campaign is being called “Unflod Baby Panda” and it originates from China. Stefan Esser reports the results in a blog post and writes the following:
“This malware appears to have Chinese origin and comes as a library called Unflod.dylib that hooks into all running processes of jailbroken iDevices and listens to outgoing SSL connections. From these connections it tries to steal the device’s Apple-ID and corresponding password and sends them in plaintext to servers with IP addresses in control of US hosting companies for apparently Chinese customers.”
The other name for this library is framework.dylib, which is found in other infections. However, it is not clear how the malware ended up on the jailbroken iPhones and iPads. Rumors that “Chinese piracy repositories are involved” are so far unverified, the blog reported.
In an e-mail to Ars, Esser reveals that the iPhone 5S, iPad Air and iPad mini 2G are safe from the malware, as it can only attack 32-bit versions of iOS. “There is no ARM 64-bit version of the code in the copy of the library we got,” he wrote. The solution is to restore the device. After restoring the device, users must also change their Apple ID passwords as soon as possible.
“That is why we recommend to restore the device,” Esser told Ars. “However, that means people will lose their jailbreak until a new one is released, and the majority of jailbreak users will not do that.”
Researchers at antivirus provider Sophos play down the idea that the threat came from Cydia directly and suggest there is no need to panic.
“I will also again take this moment to point out to anyone concerned that the probability of this coming from a default [Cydia] repository is fairly low,” Cydia developer Jay Freeman, aka Saurik, wrote in one reddit comment. “I don’t recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by e-mail on your desktop computer.”

Microsoft’s “Office Mix” Makes PowerPoint Interactive

Death by PowerPoint is something that many an employee has to go through, especially when attending seminars, meetings, and pitches. While there is no dearth of useful advice about how to make PowerPoint presentations that will not bore your audience to death, these resources don’t seem to have much of an impact – at least based on experience and stories I’ve heard.
Office Mix Preview
Perhaps Microsoft has heard similar feedback, hence their new app called Office Mix. This application adds interactive elements to PowerPoint, and we all know interactive means better, yeah?
Office Mix is still in the testing stage, although you can already have a sneak peek via the Office Mix page. You can log in using your Microsoft account, Facebook, or Google. You’ll then get a secret passcode so you can see what the app is all about.
There is also a Knowledge Base section for Office Mix, where you can find out more details about the application. Personally, I think there are two questions that need answering the most.
One, what exactly does Office Mix do?
The answer, from the Knowledge Base:
Office Mix allows you to turn your PowerPoints into interactive online lessons or presentations. We install an add-in that gives you the ability to record audio, video, and handwriting, and insert interactive elements like quizzes and CK12 exercises. There’s even a screen capture tool so you can record anything on your PC.
Once your presentation is ready just click “Create Mix.” We work our magic to mix it into an interactive document complete with analytics, and place it in the cloud. From there, just share the link, and your students can watch it on just about any device with a web browser. You can then check student progress online and see who watched the presentation, and how they did on your quizzes.
That makes it pretty clear that – at least at this point – Office Mix is targeted at the education sector.
Two, how much will I have to pay for this?
It’s free! The website, data analytics, and add-in are all free.
Pretty cool, but obviously, you’ll need Office, which is not free, to use Office Mix. You can try out various Microsoft products and services for free here, though.
At the end of the day, the question is whether Office Mix will revolutionize PowerPoint. What do you think?

Hogwarts is Accepting Online Students – Enroll Now!

I have some very good news for all of you Harry Potter fans out there…and let’s face it – who isn’t a Harry Potter fan? If you thought your adventure with Hogwarts was all over when you finished reading Harry Potter And The Deathly Hallows for the seventh time or when you got back into your car after visiting the Wizarding World of Harry Potter, there is hope on the horizon for you.
If you’ve read the books (and most of us have read the books…once or twice), then you know how easy it was to place yourself alongside Harry and Co. A testament to the prose skills of J.K. Rowling, it didn’t take many pages at all before you actually felt like you were sitting in class with Hermione, or soaring over the Quidditch field with Harry and the rest of the Gryffindor team. In short, we all felt like we were vicariously studying at Hogwarts as well. Well now, fans don’t have to live through Harry and his friends any longer, because they can enroll themselves in online classes at Hogwarts this very moment.
Enroll Now At Hogwarts!
Whoever is behind this website (it’s not J.K. Rowling or Warner Bros.) has done an amazing job of making Hogwarts look like a “real” online school. After you answer a few questions you get an official letter of acceptance signed by Professor McGonagall herself. Who wouldn’t want to frame that and put it on their wall?
Probably a disappointment to some, there is no sorting hat – you have to choose which house you want to belong to. And after you do that, you can sign up for your first year of classes. Here’s the neat part – your classes actually have assignments (essays) you have to complete which will be graded by someone and sent back to you.
While students won’t actually get to board the Hogwarts Express, this is just about the closest you can get to actually living out the books.
What do you think? Go ahead and check out the site here.

Fake Your Mood With AgencyGlass

We can fake a lot of things, as that old saying “fake it till you make it” didn’t just come out of nowhere – but it’s really hard to fake things with our eyes. Unfortunately, our eyes are often tell-tale signs of exactly how we’re feeling inside – if we’re happy, our eyes light up – if we’re annoyed, well, you know how people’s eyes look when they’re ticked off. Thankfully, someone has come up with a way for our eyes to look pleasant and happy no matter what emotions may be stirring inside.
Hirotaka Osawa, a Japanese student at Tsukuba University, came up with a wearable device that “tricks” those around you into always thinking you’re in a peaceful and pleasant mood. What he designed resembles Google Glass, though it is completely different at the same time; he calls his glasses AgencyGlass. (I’ll admit, unless I was a secret agent or something, I don’t think AgencyGlass sounds all that cool).
AFP PHOTO / UNIVERSITY OF TSUKUBA / HIROTAKA OSAWA
Let’s go ahead and point out the obvious – these “glasses” are more like goggles and they do look a bit off on someone’s face. But their features might outweigh any kind of design hiccups.
Using a built-in Bluetooth microcomputer, these glasses are able to do all kinds of neat tricks with your eyes. For example, if you tilt your head back, AgencyGlass will give off the impression that you’re deep in thought about something. Using an external camera that fits in your shirt pocket, it will be able to tell when people are looking at you and will automatically make eye contact with them – no matter what your real eyes may be doing.
The best part may be that these glasses don’t mess with your normal vision at all and you can still read normally. (Though I’m not sure I’d want to read a book with these things on my head).
I like new technology, but sometimes I have to shake my head in wonder and ask, “What is the point of this?” This would be one of those times. What do you think? Is this a product you would use?

Wednesday, 16 April 2014

HeartBleed Bug Explained - 10 Most Frequently Asked Questions


Heartbleed is no longer a new name for you, I think, as every news website, media outlet and security researcher is talking about probably the biggest Internet vulnerability in recent history. It is a critical bug in OpenSSL’s implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory, potentially revealing user data that the server never intended to reveal.
After the story broke online, websites around the world were flooded with Heartbleed articles explaining how it works, how to protect against it, and exactly what it is. Yet many didn’t get it right. So, based on the queries of Internet users, we have answered some frequently asked questions about the bug.
1.) IS HEARTBLEED A VIRUS?
Absolutely not. It's not a virus. As described in our previous article, the Heartbleed bug is a vulnerability in the TLS heartbeat mechanism built into certain versions of the popular open source encryption library OpenSSL, an implementation of the Transport Layer Security (TLS) protocol.

2.) HOW DOES IT WORK?
For SSL to work, your computer communicates with the server by sending 'heartbeats' that keep informing the server that the client (your computer) is online (alive).
A Heartbleed attack lets an attacker retrieve a block of up to 64 KB of the vulnerable server's memory in the response to a malicious heartbeat, and there is no limit on the number of times this can be repeated. [Technically explained by Rahul Sasi on Garage4hackers]
It opens doors for the cyber criminals to extract sensitive data directly from the server's memory without leaving any traces.
xkcd comic http://xkcd.com/1354/
3.) DOES A HEARTBLEED ATTACK RELY ON A MAN-IN-THE-MIDDLE ATTACK?
No, it has nothing to do with a man-in-the-middle (MitM) attack. But using a Heartbleed attack, one could obtain the private key for an SSL/TLS certificate and then set up a fake website that passes security verification.
An attacker could also decrypt the traffic passing between a client and a server, i.e. a perfect man-in-the-middle attack on an HTTPS connection.
4.) IS IT A CLIENT SIDE OR SERVER SIDE VULNERABILITY?
TLS heartbeats can be sent by either side of a TLS connection, so the bug can be used to attack clients as well as servers. An attacker can obtain up to 64 KB of memory from a server or a client that uses an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160).
Researchers estimated that two-thirds of the world's servers, i.e. half a million servers, are affected by the Heartbleed bug, including websites, email, and instant messaging services.

Video Explanation:
5.) HOW DOES HEARTBLEED AFFECT SMARTPHONES?
Smartphones are the best practical example of client-side attacks.
All versions of the Android OS include outdated versions of the OpenSSL library, but only Android 4.1.1 Jelly Bean has the vulnerable heartbeat feature enabled by default. BlackBerry also confirmed that some of its products are vulnerable to the Heartbleed bug, whereas Apple's iOS devices are not affected by the OpenSSL flaw.
Google has patched the affected version, Android 4.1.1, but it will take a long time to deliver the updated Android version to end users, as updates for the majority of handsets are controlled by phone manufacturers and wireless carriers. Until then, users running the affected version remain vulnerable to attack, and hackers will certainly take advantage of this public disclosure.
6.) WHAT ELSE COULD BE VULNERABLE TO HEARTBLEED?
IP phones, routers, medical devices, smart TV sets, embedded devices and millions of other devices that rely on OpenSSL to provide secure communications could also be vulnerable to the Heartbleed bug, as these devices are not expected to get updates soon from Google’s Android partners.
Yesterday, the Industrial Control Systems CERT also warned critical infrastructure organizations (such as energy, utility or financial services companies) to beef up their systems in order to defend against Heartbleed attacks.
7.) WHO IS RESPONSIBLE FOR HEARTBLEED?
We actually can't blame any developer, especially those who contribute to open source projects without monetary motivation.
Dr. Robin Seggelmann, a 31-year-old German developer who actually introduced the Heartbeat concept to OpenSSL on New Year's Eve, 2011, says it was just a programming error in the code that unintentionally created the “Heartbleed” vulnerability.
The error ("In one of the new features, unfortunately, I missed validating a variable containing a length") went undetected by the code reviewers and everyone else for over two years. He stated, 'I did so unintentionally'.
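The heartbeat handling described in question 2 and the unvalidated length variable Seggelmann refers to, as an added C example that is not from the original post and not OpenSSL's own code: a constructed heartbeat record is parsed once the pre-fix way (trusting the 16-bit length field in the message) and once with the record-length check that OpenSSL 1.0.1g added. The memory arena, the secret placed behind the record and the `hello` payload are all constructed for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat message layout, as OpenSSL parsed it:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   512

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Simulated process memory: the incoming record sits at the start of the arena and a
 * constructed secret sits right behind it, standing in for whatever neighbouring heap
 * data a real server had there. Sizing the arena keeps every read inside one array. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SESSION=constructed-secret-token";

/* Write a heartbeat request into the arena with an arbitrary claimed length field.
 * Returns the record length actually present on the wire. */
size_t build_heartbeat(const char *payload, uint16_t claimed_len) {
    size_t real = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real);
    memcpy(arena + 3 + real + HB_PADDING, secret, sizeof secret);
    return 3 + real + HB_PADDING;
}

/* Pre-fix behaviour: the 16-bit length field in the message is trusted and the real
 * record length is never consulted, so the echo copies whatever follows the payload. */
int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                                    /* the bug: never checked */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || resp_len > out_cap) return -1;
    if (3 + (size_t)payload > ARENA_SIZE) return -1;  /* simulation guard only */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* over-read when payload > real */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Post-fix behaviour (the check added in OpenSSL 1.0.1g): discard any request whose
 * claimed payload plus header and padding does not fit inside the received record. */
int fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the missing check */
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Send one request through a handler and report how many bytes beyond the real payload
 * came back, and whether the constructed secret was among them. */
size_t leaked_bytes(hb_handler handler, const char *payload, uint16_t claimed_len,
                    int *secret_exposed) {
    unsigned char out[ARENA_SIZE + 3 + HB_PADDING];
    size_t real = strlen(payload);
    size_t rec_len = build_heartbeat(payload, claimed_len);
    int n = handler(arena, rec_len, out, sizeof out);
    *secret_exposed = 0;
    if (n < 0) return 0;                              /* request was discarded */
    size_t echoed = (size_t)n - 3 - HB_PADDING;
    for (size_t i = 3; i + sizeof secret - 1 <= 3 + echoed; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) *secret_exposed = 1;
    return echoed > real ? echoed - real : 0;
}

int main(void) {
    int exposed;
    size_t leak = leaked_bytes(vulnerable_heartbeat, "hello", 64, &exposed);
    printf("pre-fix:  %zu extra bytes echoed, secret exposed=%d\n", leak, exposed);
    leak = leaked_bytes(fixed_heartbeat, "hello", 64, &exposed);
    printf("post-fix: %zu extra bytes echoed, secret exposed=%d\n", leak, exposed);
    return 0;
}
```

The same request that leaks 59 bytes of neighbouring memory through the pre-fix handler is silently dropped by the fixed one, because the claimed 64-byte payload cannot fit in a 24-byte record.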
8.) WHO HAS EXPLOITED THIS BUG YET?
Bloomberg accused the National Security Agency (NSA) of having known about the Heartbleed bug for the last two years. Not only that, the report says the agency was continuously using it to gather information instead of disclosing it to the OpenSSL developers. If so, this would be one of the biggest developments in the history of wiretapping. However, the agency denied it, saying the NSA was not aware of Heartbleed until it was made public.
But when it comes to exploiting any known vulnerability, hackers are most likely at the top of the list. Because the flaw was so widespread, affecting half a million websites worldwide, after the public disclosure cybercriminals could hit those sites to steal credentials, passwords and other data before the site operators applied the freely available patch.
There are multiple Proof-of-concept exploits available for the Heartbleed flaw:
9.) CAN CHANGING ACCOUNT PASSWORDS SOLVE THE ISSUE?
Not exactly, as a Heartbleed attack can leak anything from the server, including your passwords, credit card details or any other personal information. But to protect your online accounts you should at least change your passwords immediately for the sites that have resolved the issue, and for the sites not affected by the bug as well, just to make sure that you are safe.
First of all, check individually whether the sites you use every day are vulnerable to the Heartbleed bug using the following services or apps; if you're given a red flag, avoid the site for now.
Nobody can be sure at this point whether they have been affected, because Heartbleed is stealthy, leaving no traces behind, and that is where matters get worse.
You may never know if you have been hacked using the flaw or not. This means that there is no way to tell if your information was stolen previously from a site or a service that has now fixed it.
But if you haven't changed your passwords for the popular sites yet, then yes, your password and financial information are still wide open to cybercriminals and spying agencies.
10.) WHAT SHOULD I DO TO PROTECT MYSELF?
First of all, DON'T PANIC. You should change your password everywhere, assuming it was all vulnerable before, just to make sure that you are now safe. But hold on... if some sites are still affected by the flaw, then your effort there is wasted, as it's up to the site to fix the vulnerability first, as soon as possible; changing the password before the bug is fixed could compromise your new password as well.

If you own a vulnerable SSL Service, then you are recommended to:
  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate
Don't reuse any old passwords, and it is good practice to use two-factor authentication, which means that in addition to the password, the account requires a freshly generated passcode that shows up only on your personal smartphone before you can get into certain sites.

Stay Safe!

Google Admits that It Reads your Emails


On Monday, Google updated its privacy terms and conditions to offer more transparency regarding its email-scanning practices. Google, one of the world’s biggest internet giants, made it clear that all the information its users submit and share with its systems is analyzed.
Last year, Google was accused of illegally intercepting all electronic communications sent to Gmail account holders and using the gathered data to sell and place advertisements, serving related ads to its users. In practice, the more information you let Google collect about you, the more accurate its adverts become.

But Google has long insisted that its scanning practices are outlined in its terms of service.

So, finally admitting the accusation, Google has made some changes to its terms of service, adding a new paragraph that explains the manner in which its software automatically scans and analyzes the content of Gmail messages when they are sent, received, and stored.
"Our automated systems analyses your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection," reads Google's updated terms. "This analysis occurs as the content is sent, received, and when it is stored."
Google said the changes were purposed to make the company's privacy policy easier to understand by users. "Today's changes will give people even greater clarity and are based on feedback we've received over the last few months," the company said in a statement.
Google's terms of service clearly states, "When you upload, or otherwise submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."
Despite several accusations of violating privacy and wiretapping laws, Google won an important case last month when a federal judge dismissed most of a lawsuit against Google over those accusations.

Lucy Koh, a United States District Court judge in San Jose, had consented to having their e-mail read for the purposes of targeted advertising, allowing for a potential class-action suit against the company.

Unfortunately, there is no way to stop Google from scanning your inbox to serve adverts.

WhatsApp Flaw leaves User Location Vulnerable to Hackers and Spy Agencies

If you are using WhatsApp to chit-chat with your friends or relatives, then you should be careful about sharing your location with them using WhatsApp ‘Location Share’ feature.
No doubt, WhatsApp communication between your phone and the company’s server is now encrypted with SSL, which means that whatever you share with your friends is protected from man-in-the-middle attacks.

But the extremely popular instant messaging service for smartphones, which delivers more than 1 billion messages per day, has another serious security issue.

According to researchers at the UNH Cyber Forensics Research & Education Group, WhatsApp’s location sharing service could expose your location to hackers or spy agencies. When sharing a location on WhatsApp, users first need to locate themselves on Google Maps within the app window, as shown:
Once selected, WhatsApp fetches the location and a thumbnail image from the Google Maps service to use as the message icon, but unfortunately WhatsApp downloads this image from Google over an unencrypted channel, so it could be sniffed in a man-in-the-middle attack, as shown in the video demo.

“The main issue is that the location image is unencrypted, leaving it open for interception through either a Rogue AP, or any man-in-the middle attacks,” the report reads.

VIDEO DEMONSTRATION:
 

"We were not able to intercept the image until the message was sent from the phone, indicating that the download of the image did not occur until the message was actually sent," the researchers said.

The captured image could be enough to reveal your approximate location, but in practice this attack is only possible when the attacker and the victim are connected to the same network, which is what makes the MITM attack feasible.

This short-range dependency makes the vulnerability very low severity for ordinary attackers, but spy agencies like the NSA or GCHQ, which are capable of performing large-scale MITM attacks, could exploit this flaw to trace users’ locations nationwide.
PATCHED VERSION COMING SOON
Researchers have already reported this flaw to WhatsApp Team and it has already been fixed in the latest beta version of WhatsApp app available on their official website.
The WhatsApp team acknowledged the flaw with the following reply:
"Hello XXXXXX, Thank you for your report. We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform. If you have any other questions or concerns, please feel free to contact us. We would be happy to help!"
The company will release the patched version to the Google Play Store with its next release; meanwhile, users are advised not to share their location via WhatsApp with their contacts while connected to an untrusted or public Wi-Fi network, until the bug is fixed.
