PhoneSpeck Press Release

Tuesday, July 30, 2019

Truecaller bug allowed Indian users to register for payments service without consent


Spam call blocker and UPI payment service provider Truecaller suffered a bug that allowed Indian users to be registered for its payments service, Truecaller Pay, without their consent. The latest Android release, version 10.41.6, was withdrawn immediately after some users discovered the bug.

Truecaller has confirmed in a statement that the bug affected a small number of Android users in India and that a new app with a fix is being released. The bug was first reported by Twitter users who sent out a series of tweets calling out the app's unauthorized registration attempts.

Registering with Truecaller Pay over UPI requires several manual inputs, so affected users would not have actually completed their registration. A user who wants to cancel the registration can open the overflow menu and choose 'deregister', 'delete' or a similar account deletion option.

Since the app attempted to access UPI bank details without the user's permission or manual input, this would be a serious breach of users' privacy. Truecaller has apologized for any inconvenience caused to its customers.

In March 2017, the multi-service provider Truecaller launched its UPI payment service in the country, and in June this year the Swedish company launched a VoIP calling feature for Android users. Truecaller Pay has drawn considerable attention in India, with over 15 million customers according to earlier reports.


Monday, July 29, 2019

American actress Jessica Alba's twitter account hacked, attacker posted offensive tweets


Image of Jessica Alba, courtesy of Instagram

American actress Jessica Marie Alba's Twitter account appears to have been compromised by an unknown attacker who sent out a series of offensive tweets from her account early Sunday, between July 27 and 28, according to multiple reports.

Jessica, a 38-year-old American actress with over 9 million Twitter followers, has not yet confirmed whether the account was compromised or the tweets were posted accidentally. Her Twitter followers, however, saw a run of inappropriate tweets go out from her account.

Jessica, the lead actress of Dark Angel, has not yet posted anything that would confirm the incident, nor has she responded to Bollywood Reporter's request for comment. The objectionable tweets posted by the attacker have since been removed from her Twitter account.

According to Yahoo! News, one of the tweets that appeared on Alba's account demanded the release of American singer YNW Melly, who was arrested in 2018 and again in 2019 over legal issues.

Her Facebook and Instagram accounts likewise show no new post from the founder of The Honest Company about the incident that led her account to send the objectionable tweets.

Via1, Via2

Tuesday, July 16, 2019

Critical security vulnerability discovered in Wordpress Ad Inserter plugin


Pete Linforth / Pixabay

Last month, Alert Logic security experts found a bug in the widely used WordPress plugin WP Live Chat, which was fixed promptly after disclosure. This month, on July 12, the Threat Intelligence team at Wordfence discovered a security weakness in another popular WordPress plugin, Ad Inserter.

The bug allowed authenticated users, even those registered with an affected site at the lowest subscriber level, to execute arbitrary PHP code remotely on websites running the Ad Inserter ad management tool. Users are urged to update the plugin to the new version that the developers released three days ago with the patch.

For those unfamiliar with Ad Inserter, it is a WordPress plugin that lets a publisher manage Google AdSense and other ads on the sites where it is installed.

The bug, now patched, allowed an attacker to add malicious variables to the site's URL and put the personal data of the admin managing the affected WordPress site at risk of leaking. The plugin developers state that the latest version, 2.4.22, prevents such attacks.


Monday, July 15, 2019

Instagram vulnerability could have allowed an attacker to remotely hack your account


Laxman Muthiyah, an Indian bug bounty hunter, recently discovered a security vulnerability in Instagram that could have allowed an attacker to take over any Instagram account by sending 1000 brute-force requests from different IPs.

As a security measure, sending many requests to the servers from one source gets further attempts blocked, so the bug bounty hunter sent around 1000 requests from different IPs; surprisingly, 250 of them went through and the remaining 750 were rate limited.

At the time of writing, the vulnerability had been reported to Facebook for an immediate fix, and Laxman received a $30,000 reward under the company's bug bounty program, which lets researchers find and report security weaknesses under set disclosure policies.

He first tested Instagram's "forgot password" endpoint through the web interface, but said those attempts were unsuccessful, as he found no bugs there.

According to the report, the flaw existed in Instagram's "mobile recovery system", which lets a user recover a forgotten password with a 6-digit passcode sent to the registered mobile number, where one is available. By trying all one million possible codes against the verify-code endpoint, an attacker could have changed an account's password without the user's consent, the report reads.

A race hazard combined with IP rotation allowed the bug bounty hunter to bypass the verification mechanism's rate limiting. Rate limiting is a DDoS prevention mechanism that controls the rate of traffic sent or received by the network within a specific period of time.
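As an added illustration (not part of the original article or of Instagram's code), the Python simulation below contrasts a per-IP attempt cap, the kind of limit that IP rotation defeats, with a per-account cap whose check-and-increment is race-safe; the limiter class, the account name and the 198.51.100.x addresses are all constructed for the example.

```python
import threading
from collections import defaultdict

class AttemptLimiter:
    """Fixed cap on verification attempts, counted per key. key_for picks
    what is counted: the source IP (the policy the article says IP rotation
    slipped past, as each new address starts from zero) or the target
    account (rotation then buys nothing). Check-and-increment runs under
    one lock so concurrent requests, the article's race hazard, cannot all
    pass the check before the count moves."""

    def __init__(self, max_attempts, key_for):
        self.max_attempts = max_attempts
        self.key_for = key_for
        self.counts = defaultdict(int)
        self.lock = threading.Lock()

    def allow(self, account, ip):
        key = self.key_for(account, ip)
        with self.lock:
            if self.counts[key] >= self.max_attempts:
                return False
            self.counts[key] += 1
            return True

def per_ip(cap):
    return AttemptLimiter(cap, lambda account, ip: ip)

def per_account(cap):
    return AttemptLimiter(cap, lambda account, ip: account)

def simulate(limiter, account, n_requests, n_ips, n_threads=8):
    """Fire n_requests code-verification attempts at one account from n_ips
    constructed TEST-NET-2 addresses using n_threads concurrent workers;
    return how many attempts the limiter accepted."""
    accepted = [0]
    tally = threading.Lock()

    def worker(offset):
        for i in range(offset, n_requests, n_threads):
            if limiter.allow(account, "198.51.100.%d" % (i % n_ips)):
                with tally:
                    accepted[0] += 1

    threads = [threading.Thread(target=worker, args=(t,)) for t in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return accepted[0]

def compare(n_requests=1000, n_ips=100, cap=5):
    """Same rotating-IP burst against both policies. Against a 6-digit code
    space (1,000,000 values) only the per-account cap keeps the fraction an
    attacker can test negligible."""
    target = "victim-account"  # constructed placeholder, not a real account
    return {
        "per_ip": simulate(per_ip(cap), target, n_requests, n_ips),
        "per_account": simulate(per_account(cap), target, n_requests, n_ips),
    }

if __name__ == "__main__":
    print(compare())  # {'per_ip': 500, 'per_account': 5}
```

With 100 rotating addresses and a cap of 5, the per-IP policy still accepts 500 of the 1000 attempts, while the per-account policy accepts only 5 no matter how many addresses or parallel workers the burst uses.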


Friday, July 12, 2019

Bitpoint exchange lost $32 million in the latest cryptocurrency cyber attack


WorldSpectrum / Pixabay

Bitpoint, a Tokyo-based cryptocurrency exchange and a subsidiary of Remixpoint, confirmed this Friday that it has lost virtual currency worth $32 million in the latest cryptocurrency cyberattack, reports CoinDesk Japan.

According to a statement released by Remixpoint, cybercriminals compromised the company's hot wallet, causing the Japanese exchange Bitpoint to lose virtual currency worth 3.5 billion yen (approximately $32 million). Bitpoint has temporarily suspended all transactions on its platform.

The platform handles a variety of cryptocurrencies, including Bitcoin, Bitcoin Cash, XRP, and Litecoin, but the company has not confirmed which assets were lost in the attack.

The company further stated that the attack was confirmed on Thursday and apologized for any inconvenience caused to its customers.

Attackers have historically used a range of techniques and malicious programs to break into such systems, but in this case it has not been confirmed how the hackers gained access to the company's wallet.

Source1, 2 (in Japanese) | Via

Wednesday, July 10, 2019

'Agent Smith' malware infected 25 million Android devices worldwide, 15 million in India


Pasi Mämmelä / Pixabay

Agent Smith, not the fictional character from the Matrix franchise but a newly discovered Android malware, has infected about 25 million Android devices worldwide; most of the infected users (15 million) are in India and neighbouring countries such as Pakistan and Bangladesh, Check Point researchers report.

Check Point Research confirms that the malware, disguised as a Google-related Android app, exploits known Android vulnerabilities and has targeted Arabic, Indonesian, Hindi, and Russian speakers by automatically replacing installed apps on the device with malicious versions.

To trick users, the malicious software, distributed through the popular third-party app store 9Apps, is deliberately designed to look like the original app. Installation occurs without the user's consent or interaction, the report added.

According to the research report, once installed on the victim's smartphone, the app starts showing fraudulent ads for financial gain, behaving much like previous campaigns such as Gooligan, HummingBad, and CopyCat.

Agent Smith consists of Loader, Core, Boot, Patch, AdSDK and Update modules, used for its various malicious purposes while staying under the radar. Check Point has worked closely with Google, and at the time of publishing no malicious apps remained on the Play Store, the report reads.


Friday, July 5, 2019

Man responsible for DDoS attacks on Microsoft, Sony gets 27 months in prison


Pete Linforth / Pixabay

A 23-year-old Utah-born man who launched a series of cyber-attacks in 2013-2014 has been sentenced to 27 months in a US prison. Sony PlayStation Online and Microsoft's Xbox Live were among the online gaming services hit by his DDoS attacks, ZDNet reported yesterday.

Austin Thompson was first arrested in 2014 and pleaded guilty to the attacks in 2018. Under the name 'DerpTrolling', his Twitter account also shared details of the Distributed Denial of Service (DDoS) attacks he carried out with his followers, possibly other hackers.

Thompson admitted that he was responsible for carrying out the back-to-back and highly effective attacks on online gaming services just "to spoil everyone's holiday" and "to make people spend time with their families" during the Christmas holiday.

Thompson is currently free on bond; according to the Department of Justice press release published Wednesday, his 27-month prison sentence is scheduled to begin on August 27.

Source1 | Source2

Tuesday, July 2, 2019

Android July 2019 Security Update patches various new vulnerabilities


Last month, smartphone makers released firmware updates designed to improve camera and device performance; alongside the Android June 2019 security update, those releases also fixed minor bugs in Google's Android operating system.

This time, Google has started rolling out the Android July 2019 security update to address newly found security vulnerabilities in its operating system. The tech giant has also begun notifying vendors about the update.

The new vulnerabilities affect several components of the Android OS, and the update patches them. Google has published detailed information about the update on its Android Open Source Project site.

The affected components are identified as the Android system, library, media framework, framework, Qualcomm components, and Qualcomm closed-source components. Detailed information is available in the Android security advisory.

Google's "Security patch level of 2019-07-01" addresses this month's most critical vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code.


Tuesday, June 25, 2019

Case study: Over 2,000 dangerous apps discovered on Google Play Store


A recent Wall Street Journal study revealed millions of fake business listings on Google Maps, and now a separate two-year study has uncovered another weakness: thousands of malware-ridden counterfeit apps on the Google Play Store.

The Google Play Store hosts millions of apps, but not all of them behave as they appear to. The University of Sydney and Data61 study found 2,040 apps that were possibly infected, and some were caught stealing user data after asking users to grant permissions.

It's not confirmed whether suspicious apps managed to steal any data linked to the app users.

Google is continually working to keep the platform free of malware and other threats, and has fixed many security weaknesses in the Chrome browser through updates for both the desktop and mobile versions. The search giant has flagged thousands of fake apps on its app store in the past, but more drastic action against offenders is needed.

The University of Sydney worked with the data science research team of CSIRO, an Australian federal government agency, spending two years on the investigation with a tool designed to identify apps with similar icons and text descriptions. The AI-based tooling used in the research detected 49,608 threats. None of the studied apps remain on the app store, as Google has removed the suspicious apps to keep its platform from being abused.

The study further reveals that fraudsters used titles and icons resembling those of the most popular games to spread fake apps across the Play Store. Temple Run, Free Flow, and Hill Climb Racing were among the impersonated apps, Computer World reports.

Don't rely on download counts. Double-check the app rating and developer reputation and, if possible, read reviews on the web as well as in the app store, while checking whether the developer has reviewed their own app.

Source | Via

Saturday, June 22, 2019

More than 11 million fake business listings discovered on Google Maps


Sebastian Hietsch / Unsplash

A recent study by the Wall Street Journal uncovered a large number of counterfeit business listings on Google Maps. During the study, the Journal's investigators found only 2 businesses with legitimate addresses out of 20 listings checked, the report reveals.

Google is not the only technology giant troubled by fake accounts. In the past, Facebook, Twitter, and other social platforms have removed millions of fake profiles. Scammers use many deceptive techniques to bypass verification processes on the Internet, but such schemes do not last long.

With thousands of new listings added to Google's database every month, Google Maps now carries over 11 million fake listings. Most of the fake business listings found in the study are for contractors, repairmen, and car towing services that either never existed or have closed.

Google is aware of the problem and internally refers to these categories as 'duress verticals': businesses that people turn to in emergencies, typically without much time to verify the business.

We have also closed one of the businesses. Does that still sound like a fake listing?

In 2017, Google conducted its own study claiming that only 0.5 percent of local searches return false listings and the rest are valid. The WSJ, however, found more than 11 million false listings during its study.

Knowing that people trust what Google shows, scammers use Google Maps, the most trusted and search-friendly web mapping service, to deceive searchers. To help tackle this, Google offers a "Suggest an edit" option. If a listing's information turns out to be inaccurate, a user can suggest an edit, either updating the information to reflect recent changes or proposing "Remove this place".

Source | Via

Friday, June 21, 2019

Crime Branch Kashmir busts a fake online shopping gang


Pete Linforth / Pixabay

The Kashmir Crime Branch has busted a fake online shopping gang whose members posed as employees of the e-commerce company Naaptol and the government-owned State Bank of India. The suspected scammers were identified after a local resident filed a complaint, Greater Kashmir reports.

According to the written complaint, the victim was initially contacted by an unknown caller. The state Crime Branch's investigation revealed that the fraudsters asked the victim to deposit Rs. 23,05,588 in ten instalments into bank accounts they specified.

The victim deposited the full amount into the fraudsters' bank accounts, and the gang made off with the complainant's hard-earned INR 23,05,588 (about $33,155).

The written complaint submitted to the Kashmir Crime Branch further states that the complainant received a text message from a mobile number in the Bihar telecom circle informing him that he had won a prize of Rs. 12,80,000 and a Tata Safari vehicle from Naaptol, Greater Kashmir reports.

The gang members have been identified as residents of Mumbai, Bihar and other Indian states. However, it has not yet been confirmed how many people are affected by this scam.


Thursday, June 20, 2019

Cybersecurity experts discovered an ongoing scam in WhatsApp


Gerd Altmann - Pixabay

WhatsApp remains a favourite channel for fraudsters running malicious campaigns that lure victims into gift card scams, fake vouchers, too-good-to-be-true offers, and hoaxes. Scammers are now targeting users with a new scheme promising 1TB of free Internet traffic, according to a CNews report.

Cybersecurity experts at ESET discovered the fraud, which directs victims to a phishing website. According to the CNews report published on June 14, the attackers lure victims with a fake chance to win 1TB of free internet traffic.

The phishing website presents a fraudulent survey that the victim is asked to complete and then forward to up to 30 WhatsApp contacts, drawing other users into the scam. ESET suggests the purpose of the ongoing campaign is to spread advertising on a large scale without user consent.

Worse, victims are asked to enter personal details via a malicious link, as an investigation by Slovakia-based anti-virus company ESET found.

English TechLekhak contacted ESET to learn more about this campaign; however, the company's experts did not immediately respond to a request for more details.

As in other phishing attacks, the scammers pose as a real company, organization or well-known body; Adidas, Nescafé, Rolex, and other reputable brands are being impersonated in this campaign.

Source (in Russian) | Via

Thursday, June 13, 2019

Telegram suffered a major cyber attack, the app remained down across the globe


The encrypted messaging app, available on all platforms, suffered a cyber attack this Wednesday that left it down for users across the globe, according to multiple sources.

The attack appeared to originate from China and to be aimed at disrupting the Hong Kong protests against the proposed extradition bill; it made the service unavailable for a little over an hour. The company's CEO later explained the nature of the attack in a tweet, according to the Business Standard.

The attack was identified as a distributed denial of service (DDoS) attack, which temporarily interrupts a service by sending a massive number of malicious requests to the host, causing the server to crash or become unavailable.

Telegram is considered one of the safest encrypted messaging apps. Despite being a secure platform, however, its application servers proved vulnerable to DDoS attacks, and this incident put the stability of Telegram's hosting infrastructure to the test.

We have seen many cyber-attacks and privacy incidents in the past, so it is unusual to see one service criticising another. Tech firms will need to work hard on their users' privacy, because, as history shows, cybercriminals actively exploit hidden vulnerabilities.

Pavel Durov, Telegram's CEO, criticised WhatsApp in May, saying the instant messaging app's user data is accessible to hackers. Recall that Facebook-owned WhatsApp suffered a privacy breach that compromised the privacy of 1.5 billion users; the incident was linked to the Israeli spyware developer NSO Group.

Source1 | Source2 | Source3 | Via

Tuesday, June 11, 2019

WP Live Chat plugin vulnerability gives hackers ability to manipulate chat sessions


Image by simplu27 from Pixabay

The WordPress WP Live Chat plugin suffers from a critical vulnerability that lets attackers gain unauthorized access to chat sessions without valid credentials. The vulnerability was discovered by security researchers at Alert Logic.

Versions 8.0.32 and earlier of the plugin are affected; the developers have released version 8.0.33 to fix the bug, which is tracked as CVE-2019-12498, according to Alert Logic.

Before it was discovered, the bug let attackers hijack chat logs and REST API functionality, meaning an attacker could insert their own text into an active chat window and expose highly sensitive data exchanged between a customer representative and a site visitor.

It has not been confirmed whether the flaw was actively exploited, Alert Logic said. The researchers further stated that an attacker was able to extract the entire chat history of all chat sessions.

As for the plugin itself: WP Live Chat is widely used software installed on more than 50,000 WordPress websites to provide on-site chat support for business owners, primarily for handling customer requests and feedback.

Source | Via

© Copyright 2019 PhoneSpeck | All Right Reserved