
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.

The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.

Months later, on October 9, WikiLeaks began publishing thousands of Podesta's hacked emails. Almost everyone immediately pointed the finger at Russia, which is suspected of being behind a long and sophisticated hacking campaign whose apparent goal is to influence the upcoming US elections. But there was no public evidence proving that the same group that targeted the Democratic National Committee was behind the hack on Podesta, until now.

The data linking a group of Russian hackers, known as Fancy Bear, APT28, or Sofacy, to the hack on Podesta is yet another piece in a growing heap of evidence pointing toward the Kremlin. It also shows a clear thread between apparently separate and independent leaks that have appeared on a website called DCLeaks, such as that of Colin Powell's emails, and the Podesta leak, which was publicized on WikiLeaks.

All these hacks were done using the same tool: malicious short URLs hidden in fake Gmail messages. And those URLs, according to a security firm that has tracked them for a year, were created with a Bitly account linked to a domain under the control of Fancy Bear.

THE TRAIL THAT LEADS TO FANCY BEAR

The phishing email that Podesta received on March 19 contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link.

A screenshot of the Bitly link used against John Podesta.

Inside that long URL, there’s a 30-character string that looks like gibberish but is actually the encoded Gmail address of John Podesta. According to Bitly’s own statistics, that link, which has never been published, was clicked two times in March.

That’s the link that opened Podesta’s account to the hackers, a source close to the investigation into the hack confirmed to Motherboard.

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email address and name of the actual target. The hackers created them with two Bitly accounts in their control, but forgot to set those accounts to private, according to SecureWorks, a security firm that has been tracking Fancy Bear for the last year.

SecureWorks was tracking known Fancy Bear command-and-control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

Using Bitly allowed “third parties to see their entire campaign including all their targets— something you'd want to keep secret,” Tom Finney, a researcher at SecureWorks, told Motherboard.

It was one of Fancy Bear’s “gravest mistakes,” as Thomas Rid, a professor at King's College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together.

This is how researchers have been able to find the phishing link that tricked Colin Powell and got him hacked. This also allowed them to confirm other public reports of compromises, such as that of William Rinehart, a staffer with Clinton’s presidential campaign. As The Smoking Gun reported in August, Rinehart received a malicious Google security alert on March 22, according to a screenshot Rinehart shared with the site. SecureWorks found a URL that had Rinehart’s Gmail address encoded, which had the same date.

A screenshot of the phishing email received by Rinehart. (Image: The Smoking Gun)

A screenshot of the malicious Bitly URL received by Rinehart.


Similar malicious emails and short URLs have also been used recently against independent journalists from Bellingcat, a website that has investigated the shooting down of Malaysia Airlines Flight 17 (MH17) over Ukraine in 2014, finding evidence that Russian-backed rebels were behind it.

A screenshot of a phishing email received by a Bellingcat journalist.


Other journalists in eastern Europe have also recently been targeted with phishing emails trying to break into their Gmail accounts.

These malicious emails, just like the ones used against Podesta, Powell, Rinehart and many others, looked like Google alerts, and contained the same type of encoded strings hiding the victims’ names.

It’s unclear why the hackers used the encoded strings, which effectively reveal their targets to anyone. Kyle Ehmke, a threat intelligence researcher at security firm ThreatConnect, argued that “the strings might help them keep track of or better organize their operations, tailor credential harvesting pages to specific victims, monitor the effectiveness of their operations, or diffuse their operations against various targets across several URLs to facilitate continuity should one of the URLs be discovered.”

The use of popular link-shortening services such as Bitly or TinyURL might have a simpler explanation. According to Rid, the hackers probably wanted to make sure their phishing attempts got past their targets' spam filters.
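The long URL behind each shortlink, as described above, carried the target's address as an encoded string (30 characters for a Gmail address is consistent with plain base64). The following is an added example, not code from the Motherboard article or from SecureWorks: it assumes the parameter is base64 in the query string, and it uses constructed sample URLs and a constructed ".example" lookalike host, not the real campaign links. It shows the two checks an analyst would run over a dump of such links: is the host really a google.com host, and what target does the query string decode to.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs for this example (not the real campaign links).
# The first mimics the lure pattern: a hostname that starts with a Google-looking
# label but whose registrable domain is something else, with the target's address
# and name carried as base64 in the query string. The second is a real-looking
# Google URL with no encoded target, for comparison.
SAMPLE_URLS = [
    "https://myaccount.google.com-securitysettingpage.example/security/signinoptions/"
    "password?e=am9obi5kb2VAZ21haWwuY29t&fn=Sm9obiBEb2U%3D&n=Sm9obg%3D%3D",
    "https://myaccount.google.com/security/signinoptions/password?utm_source=alert",
]


def is_google_host(host: str) -> bool:
    """True only when the registrable domain really is google.com."""
    host = host.lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def decode_param(value: str):
    """Base64-decode a query value if it is valid base64 yielding printable text; else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def extract_target(url: str) -> dict:
    """Recover the embedded target (email, display name) and flag lookalike hosts."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    result = {
        "host": host,
        # "google.com" appears in the name, but it is not actually a google.com host
        "lookalike": "google.com" in host and not is_google_host(host),
        "email": None,
        "name": None,
    }
    for values in parse_qs(parsed.query).values():
        for value in values:
            text = decode_param(value)
            if text is None:
                continue
            local, sep, domain = text.partition("@")
            if sep and local and "." in domain:
                result["email"] = text
            elif result["name"] is None:
                result["name"] = text
    return result


def triage(urls) -> list:
    """One record per URL that embeds a target: the victim list the shortlinks leak."""
    return [r for r in map(extract_target, urls) if r["email"]]


if __name__ == "__main__":
    for record in triage(SAMPLE_URLS):
        print(record)
```

Run against the first constructed URL, `extract_target` reports a lookalike host and decodes the address and name out of `e` and `fn`; the genuine Google URL yields nothing. The host check deliberately tests the registrable domain rather than searching for "google" in the string, since that substring is exactly what the lure relies on.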

THE SMOKING GUN?

None of this new data constitutes a smoking gun that can clearly frame Russia as the culprit behind the almost unprecedented hacking campaign that has hit the DNC and several other targets somewhat connected to the US presidential election.

Almost two weeks ago, the US government took the rare step of publicly pointing the finger at the Russian government, accusing it of directing the recent string of hacks and data breaches. The intelligence community declined to explain how they reached their conclusion, and it’s fair to assume they have data no one else can see.


This newly uncovered data paints an even clearer picture for the public, showing a credible link between the several leaking outlets chosen by the hackers, and, once again, pointing toward Fancy Bear, a notorious hacking group that’s widely believed to be connected with the Russian government. While there are still naysayers, including presidential candidate and former reality TV star Donald Trump, for many, the debate over who hacked the DNC, and who’s behind all this hacking, is pretty much closed.


“We are approaching the point in this case where there are only two reasons for why people say there’s no good evidence,” Rid told me. “The first reason is because they don’t understand the evidence—because they don’t have the necessary technical knowledge. The second reason is they don’t want to understand the evidence.”

UPDATE, 10/20/2016, 4:31 p.m.: After publication of this story, Bitly sent Motherboard a statement to say the company can only do so much to prevent malicious actors from using its service, as it "cannot proactively police our customers’ private data without compromising our commitment to their privacy."

"The links and accounts related to this situation were blocked as soon as we were informed. This is not an exploit of Bitly, but an unfortunate exploit of Internet users through social engineering. It serves as a reminder that even the savviest, most skeptical users can be vulnerable to opening unsolicited emails," the statement read. 


Source : motherboard

Categorized in Internet Privacy

Thanks to fake Gmail sign-in pages, hackers were able to dupe John Podesta and the entire Clinton campaign.

According to Naked Security, a technique known as spear phishing was used to break into the Gmail accounts of John Podesta and other Clinton campaign staff. The technique uses fake Gmail security alerts and fake Gmail sign-in pages to trick the owner of an account into typing his or her password into a page controlled by the attacker.

The Smoking Gun reports that, in John Podesta's case, he received an email alert telling him that someone had tried to access his account from an unusual location and asking him to change his password to secure the account.

Podesta and other campaign staff were duped into believing the fake security alert and entering their login details on the fake Gmail sign-in page, handing them directly to the attacker. From there, the hackers could log in to the Gmail account of anyone who had used the fake page and do whatever they wanted with it.

Townhall reports that government officials using private email to keep their messages out of the public record has become very common. The breach of John Podesta's private Gmail account, and the scrutiny of Hillary Clinton's private email, put these two in the spotlight, but a former top State Department official acknowledges that this is something nearly every government official does to avoid their conversations becoming a matter of public record.

Townhall goes on to report that the former State Department official claims that if something would be done to stop government officials from using their private email accounts for work-related matters, the issues with hacking wouldn’t have been a problem to begin with.


Nashville Chatter reports that the same group of Russian hackers believed to have built the fake Gmail sign-in pages and security alerts used against the Clinton campaign has also been exploiting a recently disclosed Windows vulnerability. Microsoft was given a grace period of one week before Google's Threat Analysis Group publicly announced the vulnerability, which was being used to deliver malware.

Terry Myerson, executive vice president of Microsoft's Windows and Devices Group, said a sophisticated group of hackers was exploiting the Windows bug; Microsoft identifies that group as the same one behind the DNC and Clinton campaign breaches. Microsoft is working on a fix, and in the meantime Myerson urged Windows users to upgrade to Windows 10, whose mitigations, he said, limit the attack.

Microsoft is working with Adobe and Google on the fix for the low-level Windows flaw (Adobe has already patched the Flash bug used alongside it). Several versions of the patch are being tested, and Microsoft has scheduled its release for November 8, its regular Patch Tuesday.

Do you find it embarrassing that government officials were hacked by nothing more than fake Gmail sign-in pages and security alerts? More importantly, do you think government officials should be able to use their private Gmail accounts in order to avoid their conversations becoming public record? Share your answers to these two questions in the comments section below.

Source : inquisitr

Categorized in Internet Privacy

CYBERCRIMINALS linked to the Russian government were behind the recent attacks that exploited a critical vulnerability in the Windows operating system, Microsoft has claimed.

Microsoft has confirmed that the hacking group it calls Strontium has carried out a low-volume spear-phishing campaign exploiting the flaw.

The group, which has also been linked to the unprecedented hacking campaign aimed at disrupting and discrediting the upcoming US election, is believed to have exploited a newly discovered Windows security flaw.

Google published details about the critical vulnerability in Windows earlier this week – something Microsoft isn't too happy about.

The US search engine's Threat Analysis department disclosed details of the critical vulnerability in a post on its security blog.

The flaw is a local privilege-escalation bug in the win32k.sys kernel driver, Google said, which an attacker can use to escape a browser's security sandbox.

Google said it reported the bug to Microsoft 10 days earlier; at the time of disclosure the Redmond firm had not yet issued a patch or a public advisory.

Google has already patched its Chrome web browser against the bug, and Adobe has issued a fix for its Flash software.

However, Windows itself remained unpatched. Microsoft said Strontium chained the Flash flaw with the Windows flaw in a spear-phishing campaign: the Flash exploit gains code execution inside the browser, and the Windows kernel bug breaks out of the browser's sandbox.


In spear phishing, an attacker sends targeted messages, typically by email, that use known details about the recipient to trick them into clicking a malicious link or opening a tainted attachment.

Microsoft chided rival Google for going public with details of the vulnerabilities before it had time to prepare and test a patch to fix them.

"Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk," Microsoft said.


Microsoft says hacking group Strontium has exploited the vulnerability highlighted by Google

Microsoft's disclosure of the new attacks and the link to Russia came as Washington accused Moscow of launching a cyber campaign to disrupt the US election.

The US government last month formally blamed the Russian government for the election-season hacks of Democratic Party emails and their subsequent disclosure via WikiLeaks and other entities. Russia has denied those accusations.

Microsoft said a patch to protect Windows users against the newly discovered threat will be released on November 8th – Election Day.

It was not clear whether the Windows vulnerability had been used in any of the recent US political hacks.

Representatives of the FBI and the Department of Homeland Security could not immediately be reached for comment.

Google disclosed the serious security flaw on Monday, following its standing policy of going public seven days after discovering "critical vulnerabilities" that are being actively exploited by hackers.

Google gives software companies 60 days to patch less serious bugs.

Source : express

Categorized in Internet Technology

Computer viruses and malware are spreading faster than their biological counterparts it seems.

Numbers from security firms indicate that close to 20 million new malware samples were detected in the first quarter of 2016, which works out to roughly 220,000 a day.

This points to a frightening scenario: huge amounts of malware are being created and distributed deliberately, every day, because it makes its creators a great deal of money.

The hackers employ a variety of methods to spread the viruses on the victims’ computers.

Methods of Spreading Malware

Spreading is the name hackers give to the business of getting their malware onto victims' machines. It seems to be getting easier, with many tutorials available on the clearnet (the ordinary, indexed web) teaching the methods used.

The effort starts with packaging the payload so that the malware runs reliably once it lands on a victim's computer.

This is usually done by hiding the malware inside another file. A common trick is to bind it to a legitimate Portable Executable (.exe): the malicious code is tucked into unused padding or an added section, or a "binder" produces one executable that silently drops both programs, so the file still appears to do what the user expects and travels over the internet without drawing attention.

Attackers also bundle malicious files with otherwise legitimate installers, and embed exploits or macros in PDF and office documents.

Attackers also exploit vulnerabilities in software on the client side. In a drive-by download, a web page uses a browser or plug-in flaw to download and run the malware automatically; in the so-called "Java drive-by", the page instead prompts the visitor to run a Java applet that does the same, with little or no meaningful user interaction.

Outdated, insecure browsers and plug-ins are what make this possible. Hackers also have many distribution platforms to choose from.

One example is The Pirate Bay, a torrent index. Through such a platform, even a beginner can reach millions of users within a short period.

The article cites one instance in which about 12 million users were infected with malware in a month.

Malvertising is another common method of spreading malware.

The attackers place malicious code in advertisements served on well-trusted websites that earn their revenue through ads.

The result is that millions of unsuspecting users are infected from platforms they trust.

The biggest advantage for the attacker is that the trusted site itself arouses no suspicion.

Anti-Virus and Malware

Against this background, it is now understood that an anti-virus program alone is not enough to keep data safe from malware.

To see why, it helps to know how an anti-virus program works.


Anti-virus programs are designed to scan all files residing on the hard disk and detect typical signatures that are found in infected files. The anti-virus program maintains large databases of signatures or even bits of code that typically come from malware or virus programs.

However, it is possible for the hackers to change signatures of virus programs with reasonable ease.

For this purpose, hackers use programs called runtime crypters, sold on darknet markets and in forums frequented by hackers. A crypter wraps the actual malware in an encrypted blob attached to a small loader, or "stub".

When the resulting file is executed, the stub decrypts the malware in memory and runs it from there; the encrypted copy on disk contains none of the original byte patterns, so a signature scan of the file finds nothing.

Some anti-virus products also run a suspicious file in an isolated environment and watch what it does before letting it touch the real system. This is referred to as sandboxing.

Heuristic methods, by contrast, examine a file's contents with algorithms that look for suspicious code patterns rather than exact signatures.

Malware is now being designed to sleep past the time the sandbox spends observing it, and only then start its real work.

The latest malware is also designed to do nothing if it detects that it is running in a virtual machine. Popular types of malware include remote access trojans (RATs), spyware, and rootkits. Distributed denial-of-service (DDoS) attacks driven by malware are also becoming more common.

Another category is ransomware, which encrypts the victim's data and demands a ransom for the key needed to recover it.
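The signature-scanning and crypter passages above describe a cat-and-mouse game that is easiest to see in code. The following is an added example, not code from the darkwebnews article: the "malware" is a constructed byte string with marker text standing in for real content, the two signatures are constructed, and the crypter transform is a plain repeating-key XOR (real crypters use stronger transforms and a native stub, but the effect on a static scan is the same). It shows the same static scan hitting the plain file, missing the crypted file, and hitting again once the stub has decrypted the payload in memory.

```python
import hashlib

# Constructed sample for this example: a stand-in "malware" file whose content is
# just arbitrary marker bytes, and two signatures an anti-virus engine might hold for it.
PAYLOAD = b"MZ\x90\x00" + b"EVIL_MARKER_v1 connect c2.example:4444" + b"\x00" * 32
SIGNATURES = {
    "Trojan.Example.A": b"EVIL_MARKER_v1",
    "Trojan.Example.B": b"connect c2.example",
}


def signature_scan(data: bytes, signatures: dict) -> list:
    """Static scan: names of every signature whose byte pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the simplest transform a crypter can use; the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt_payload(payload: bytes, key: bytes) -> bytes:
    """The on-disk form a crypter writes: 1-byte key length, the key, then the
    encrypted payload. A real crypter prepends a native stub doing stub_run() below.
    Zero key bytes are rejected because they would leave every n-th byte unchanged."""
    assert 1 <= len(key) <= 255 and all(k != 0 for k in key)
    return bytes([len(key)]) + key + xor_stream(payload, key)


def stub_run(blob: bytes) -> bytes:
    """What the stub does at runtime: read the key, decrypt the payload in memory and hand
    it back to be executed. Nothing touches disk, so a file scanner never sees this form."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    return xor_stream(blob[1 + key_len:], key)


def demo(key: bytes = b"\x5a\xa3\x17\xc4") -> dict:
    """Compare what a static signature scan sees on disk with what exists in memory."""
    on_disk = crypt_payload(PAYLOAD, key)
    in_memory = stub_run(on_disk)
    return {
        "plain_hits": signature_scan(PAYLOAD, SIGNATURES),
        "on_disk_hits": signature_scan(on_disk, SIGNATURES),
        "in_memory_hits": signature_scan(in_memory, SIGNATURES),
        # re-keying on every build also defeats hash blocklists
        "on_disk_sha256": hashlib.sha256(on_disk).hexdigest(),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point for a defender is the third line of the output: the original byte patterns reappear in memory the moment the stub runs, which is why memory scanning and behaviour-based detection (what the sandboxing and heuristic paragraphs describe) catch what the file scan misses, and why attackers answer with sleep delays and virtual-machine checks.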

At the end of it all, according to security experts, the best option for any unsuspecting user to avoid such pitfalls is to educate oneself about lesser known aspects of computer security.

Source : darkwebnews

Categorized in Internet Privacy

The internet of insecure things just keeps getting murkier and more problematic. Researchers have determined that hackers are abusing a 12-year-old weakness in OpenSSH's default configuration (TCP forwarding enabled by default, tracked as CVE-2004-1653) to attack the "internet of unpatchable things".

Since anyone can now download the Mirai source code, which is even on GitHub, players across the field, both botnet dabblers and researchers, are playing around with the malware that hijacks IoT devices and is responsible for the largest DDoS attack on record.

In fact, researchers at Incapsula are already reporting new attacks that seem to be "experimental first steps of new Mirai users who were testing the water after the malware became widely available. Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future."

Is the sky really falling or is it FUD? Well, if the underground market treats Mirai malware like it has other malicious source code which has been leaked, then welcome to an IoT DDoSing nightmare. Researchers at F5 said to expect thugs “to adapt, combine, and improve the code, resulting in newer and enhanced variants.” F5 warned, “We can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”

IoT devices being used in mass-scale SSHowDowN Proxy attacks

Add to that the OpenSSH configuration weakness, which has been around for 12 years, and the fact that attackers are exploiting it to turn IoT devices into relays for huge volumes of traffic in SSHowDowN Proxy attacks launched against e-commerce and other sites.

Researchers at Akamai Technologies disclosed that new targeted attacks, which use a very old flaw, are originating from IoT devices such as: DVR, NVR and CCTV video surveillance devices, satellite antenna equipment, networking devices such as routers, hotspots, WiMax, cable and ADSL modems, and Network Attached Storage (NAS) devices connected to the internet. Other devices hooked online may also be susceptible.

The IoT devices are being used to mount attacks “against a multitude of internet targets and internet-facing services, such as HTTP, SMTP and network scanning,” as well as to mount attacks against internal networks that host the devices.

In many cases, there are default login settings such as “admin” and “admin” or other lax credentials to get to the web management console. Once attackers access the web admin console, they can compromise the device’s data and sometimes even take complete control of the machine.

The attack itself is not new, but Akamai Technologies has seen a surge in SSHowDowN Proxy attacks in which IoT devices are being “actively exploited in mass scale attack campaigns.”

A new report on exploiting IoT and SSHowDowN (pdf) explained that the root causes for the vulnerability include weak factory-default administration credentials, the fact that the devices allow remote SSH connections and the devices allow TCP forwarding.
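The three root causes listed above (factory-default administrative credentials, SSH reachable from outside, and TCP forwarding allowed) are all visible in a device's sshd_config, so the natural check is an audit of that file. The following is an added example, not from the Akamai report or any vendor's firmware: it assumes OpenSSH's rule that the first value seen for a keyword wins, uses OpenSSH's documented defaults for the relevant keywords, and runs against two constructed configs, one typical of a consumer DVR and one hardened. Match blocks are skipped because they need per-user evaluation.

```python
import re
from typing import Dict, List, Tuple

# OpenSSH takes the first value it sees for a keyword. These are the defaults that
# matter for the SSHowDowN pattern: AllowTcpForwarding has always defaulted to "yes"
# (the 2004 issue), and PermitRootLogin defaulted to "yes" before OpenSSH 7.0, the
# era much IoT firmware is built from.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
}

# What a device that has no business acting as a relay should run with.
WANTED = {
    "allowtcpforwarding": "no",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "gatewayports": "no",
    "permittunnel": "no",
}

# Constructed sample configs (hypothetical, not taken from any vendor's firmware).
DEVICE_DEFAULT = """\
# typical consumer DVR: root over SSH with a factory password, forwarding left at default
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
Match User backup
    AllowTcpForwarding yes
"""

# keyword, then either whitespace or an optional '=' separator, then the argument
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def effective_config(text: str) -> Dict[str, str]:
    """Parse sshd_config text the way sshd reads it: comments stripped, keywords
    case-insensitive, first occurrence wins. Match blocks are skipped; evaluate
    them separately with `sshd -T -C user=<name>`."""
    values: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        key, val = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        values.setdefault(key, val.strip().strip('"').lower())
    return values


def audit(text: str) -> List[Tuple[str, str, str]]:
    """(keyword, effective value, wanted value) for each setting that leaves the device
    usable as an SSH relay, counting unset keywords at their OpenSSH default."""
    effective = effective_config(text)
    return [
        (key, effective.get(key, DEFAULTS[key]), wanted)
        for key, wanted in WANTED.items()
        if effective.get(key, DEFAULTS[key]) != wanted
    ]


def remediation(text: str) -> str:
    """sshd_config lines that close each finding; keywords are case-insensitive.
    Place them above any Match block so they apply globally."""
    return "\n".join(f"{key} {wanted}" for key, _, wanted in audit(text))


if __name__ == "__main__":
    for finding in audit(DEVICE_DEFAULT):
        print("%-24s is %-4s want %s" % finding)
    print(remediation(DEVICE_DEFAULT))
```

On the DVR-style config the audit reports three findings, the first of them for a keyword that never appears in the file: `AllowTcpForwarding` is unset, so the default applies and the device can be used exactly as the report describes. On a real device, `sshd -T` prints the effective configuration that this parser approximates, and is the better source when available. Changing the factory password closes the credential problem but not the forwarding one; both need to be fixed, and the device should not be reachable over SSH from the internet at all.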


Default passwords

Default passwords have long plagued the security industry and put users at great risk. Since the Mirai source code was made public, many sites have published the 61 passwords powering the Mirai botnet which is capable of hijacking over 500,000 vulnerable IoT devices.

Double that number by adding in devices with shoddy-to-no security made by the Chinese firm XiongMai Technologies. Flashpoint researchers said there are over 500,000 devices on public IPs that are vulnerable to the username and password combination "root" and "xc3511".

130,000 vulnerable Avtech systems

Search Lab’s Gergely Eberhardt found 14 vulnerabilities in Avtech devices like DVRs and IP cameras; there are 130,000 Avtech devices exposed on the internet and “Avtech is the second most popular search term in Shodan.”

Eberhardt found the vulnerabilities and first attempted to contact the company back in September 2015. After more than a year and zero response from Avtech, Eberhardt published an advisory and proof-of-concept scripts for the flaws.

If you don't want your Avtech device to end up as part of an IoT botnet, change the default admin password and go the extra mile of never exposing "the web interface of any Avtech device to the internet." You should always change default passwords on any device, but some manufacturers did not care enough about users to build in that option.

Internet of unpatchable things

“We're entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Unpatchable Things' so to speak,” explained Ory Segal, senior director of Threat Research at Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

$50,000 for innovative IoT security solution

MITRE, on the other hand, hopes to find innovative IoT security solutions and launched the Unique Identification of IoT Devices Challenge. The winner will walk away $50,000 richer and the solution may help to save us from an IoT nightmare.

Source : computerworld

Categorized in Internet Privacy