1 Billion Mobile Apps Exposed To Account Hijacking Through OAuth 2.0 Flaw

Threatpost, the security news service of Kaspersky Lab, is reporting a new exploit which allows hijacking of third-party apps that support single sign-on from Google or Facebook (and support the OAuth 2.0 protocol). msm1267 quotes their article:
Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called "Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0"… The researchers examined 600 top U.S. and Chinese mobile apps that use OAuth 2.0 APIs from Facebook, Google and Sina — which operates Weibo in China — and support single sign-on for third-party apps. The researchers found that 41.2% of the apps they tested were vulnerable to their attack… None of the apps were named in the paper, but some have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases. "The researchers said the apps they tested had been downloaded more than 2.4 billion times in aggregate."


via http://ift.tt/2fIjK8N

Hundreds Of Operations Canceled After Malware Hacks Hospitals Systems

Computer viruses do not discriminate.

They are not just hacking your email and online banking accounts anymore.

Computer viruses do not distinguish between a personal computer or a hospital machine delivering therapy to patients — and the results could prove deadly.

Cyber attacks on hospitals have emerged as a significant cyber security risk in 2016, which not only threaten highly sensitive information but also potentially harm the very lives of those being protected.

In the latest incident, hundreds of planned operations, outpatient appointments, and diagnostic procedures have been canceled at multiple hospitals in Lincolnshire, England, after a "major" computer virus compromised the National Health Service (NHS) network on Sunday.

In a bright-red alert warning labeled "Major incident" on its website, the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) said its systems in Scunthorpe and Grimsby were infected with a virus on October 30.

The incident forced the trust to shut down all the major systems within its shared IT network in order to "isolate and destroy" the virus and cancel surgeries.

"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

Some patients, including major trauma patients and high-risk women in labor, were diverted to neighbouring hospitals.

Although the majority of systems are now back and working, the NHS Trust has not provided any specific information about the sort of virus or malware or if it managed to breach any defense.

The incident took place after the U.S. and Canada issued a joint cyber alert, warning hospitals and other organizations against a surge in extortion attacks that infect computers with ransomware, which encrypts data and demands money for it to be unlocked.

Although details are unclear at the moment, the virus is likely to be ransomware of the kind that has previously targeted hospitals and healthcare facilities.

Life Threatening Cyber-Attacks

With the rise in the ransomware threat, we have seen enormous growth in the malware business.

The countless Bitcoin transactions flowing into the dark web have encouraged ransomware authors to adopt new distribution and infection methods in pursuit of a higher success rate.

Today, hospitals, like corporations, have become soft targets for ransomware.

Since earlier this year, over a dozen hospitals have been hit by ransomware that froze their central medical systems, forcing them to pay the ransom demanded.

Technological advances in medicine have digitized patient data as Electronic Medical Records (EMRs) stored in the hospital's central database.

Since delaying a patient's treatment by temporarily locking away their records could even result in the patient's death, attackers infect hospitals with ransomware expecting the ransom to be paid with near certainty.

For this reason, in most cases hospitals agree to pay the ransom demanded by the attackers.

Earlier this year, the Los Angeles-based Presbyterian Medical Center paid $17,000 in Bitcoins to cyber crooks in order to restore access to its electronic medical systems after a ransomware virus hit the hospital.

Also back in April, the MedStar Health chain, which runs a number of hospitals in the Baltimore and Washington area, was attacked with Samsam ransomware (or Samas), which encrypted sensitive data at the hospitals.

Subsequently, many more hospitals, including Methodist Hospital in Henderson, Kentucky, Desert Valley Hospital in California and Chino Valley Medical Center, have been infected with ransomware.

via http://ift.tt/2eXHg3c

Three hospitals in England cancel operations over computer virus

Planned operations and outpatient appointments have been cancelled at three hospitals in northeastern England after a computer virus infected a health service network, the National Health Service Trust said.

In a post on its website, the Northern Lincolnshire and Goole NHS Foundation Trust called the attack a "major incident" and said it had cancelled all planned operations, outpatient appointments and diagnostic procedures for Wednesday.

via http://ift.tt/2f7Xnvz

Indian teen arrested in US for cyber attack choking 911 lines

An Indian-origin teenager has been arrested in the US for carrying out a cyber-attack that swamped Arizona’s emergency services with several bogus calls, an incident he claimed was a non-harmful joke gone wrong. Meetkumar Hiteshbhai Desai was taken into custody after the Surprise Police Department, Arizona, notified the Sheriff’s Office of more than 100 hang-up 911 calls.

via http://ift.tt/2fBBvth

Infernal Twin Updated 2.6.11 – Automated Wireless Hacking Suite

Infernal Twin is an automated wireless hacking suite written in Python which automates many of the repetitive tasks involved in security testing for wifi networks.


Originally created to automate the Evil Twin attack, it has grown much beyond that into a comprehensive suite including various wireless attack vectors.

An evil twin attack is when an attacker sets the service set identifier (SSID) of a rogue access point to match that of a legitimate access point at a local hotspot or corporate wireless network. The attacker disrupts or disables the legitimate AP by disconnecting its clients, directing a denial of service against it, or creating RF interference around it.

Users lose their connections to the legitimate AP and re-connect to the “evil twin,” allowing the hacker to intercept all the traffic to that device.


  • WPA2 hacking
  • WEP Hacking
  • WPA2 Enterprise hacking
  • Wireless Social Engineering
  • SSL Strip
  • Report Generation
  • Note Taking
  • Data saved in Database
  • Network mapping
  • MiTM
  • Probe Request

Latest Changes

  • Added Log retrieval button for various attack results.
  • Added BeeF XSS framework Integration
  • Added HTTP Traffic View within tool
  • Improved Infernal Wireless Attack
  • Visual View of some of the panel improved
  • Improved Basic Authentication during Social engineering assessment over wireless network

You can download Infernal Twin here:


Or read more here.

via http://ift.tt/2f9dBoH

Major Call Center Scam Network Revealed – 56 Indicted

This week the US Attorney for the Southern District of Texas unsealed indictments against 56 individuals operating a conspiracy to commit wire fraud through a sophisticated scam involving five call centers in Ahmedabad, Gujarat, India.

The Call Centers — HGlobal, Call Mantra, Worldwide Solutions, Sharma Business Process Outsourcing Services, and Zoriion Communications — placed calls in four primary types of telefraud, and then laundered the money through a network of Domestic Managers, Runners, and Payment Processors in the United States. The money was then moved via a Hawaladar, a person who runs an underground banking system, or an international money transfer service called a Hawala. Hawala banking speeds the availability of international funds by operating on a trust system where the Hawaladar can incur or pay debts in one country for a large number of trusted parties from locally available funds on hand.

October 27, 2016 Press Release

Fraud types

IRS Scams: India-based call centers impersonated U.S. Internal Revenue Service officers and defrauded U.S. residents by misleading them into believing that they owed money to the IRS and would be arrested and fined if they did not pay their alleged back taxes immediately.

Law Enforcement Scams: India-based call centers also impersonated various law enforcement agencies, as with the IRS scams, threatening immediate arrest if the victim failed to comply with transferring funds. (This blog has covered this scam before, including sharing a recording of one such call — see: "Warrant for Your Arrest Phone Scams" from November 7, 2014.)

USCIS Scams: India-based call centers impersonated U.S. Citizen and Immigration Services (USCIS) officers and defrauded U.S. residents by misleading them into believing that they would be deported unless they paid a fine for alleged issues with their USCIS paperwork.

Payday Loan Scams: India-based call centers defrauded U.S. residents by misleading them into believing that the callers were loan officers and that the U.S. residents were eligible for a fictitious "payday loan".  They would then collect an upfront "worthiness fee" to demonstrate their ability to repay the loan.  The victims received nothing in return.

Government Grant Scams: India-based call centers defrauded U.S. residents by misleading them into believing that they were eligible for a fictitious government grant. Callers directed the U.S. residents to pay an upfront IRS tax or processing fee.  The victims received nothing in return.

Roles in the Operation

In the US, the primary parties were the Domestic Managers, the Runners, and the Payment Processors. A Domestic Manager directed the activities of the Runners and provided them with the resources they needed to do their work, including vehicles and credit cards to be used to pay business expenses. The Runners' job was to purchase temporary "GPR cards" (General Purpose Reloadable) and then send the information about these cards to the scammers who were working in the call centers in India. When they reached the "payout" portion of the scam, the funds would be transferred from the victim to the Runner's GPR card. The Runners would then retrieve the cash and send it further upstream, often via Western Union or MoneyGram using false identification documents.

Data Brokers helped to generate "lead lists" for the Call Center Operators. (For example, one of the data brokers used by the call centers was working as an IT consultant for a company in New York. Vishal Gounder would steal PII from company databases and use the identities to activate the GPR cards.)

Payment Processors acted as the intermediary between the Runners and the Call Centers for exchanging funds, either through Hawaladars or via GPR cards and international wire transfers.

The Indicted

The largest number of arrested and indicted individuals came from the HGlobal Call Center. I've illustrated the information from the indictment below:

HGlobal: Runners in 8 states, including Alabama
The other Ahmedabad, Gujarat, India Call Centers and their indicted members


GreenDot Investigations

One of the methods by which the members of the conspiracy were tracked was their reliance on certain GPR cards, including the GreenDot MoneyPak cards. When a GreenDot MoneyPak card is used, an identity and a telephone number have to be associated with the card. The call centers in India operate primarily by using "Magic Jack" devices to place unlimited international calls over Voice over IP (VoIP) lines, on which they can choose the caller ID number that is displayed. GreenDot investigators found that more than 4,000 GreenDot cards had been registered to the same Magic Jack telephone number, (713) 370-3224, using the identity details of more than 1,200 different individuals!

That Magic Jack number was controlled by Hitesh Patel, the call center manager of HGlobal.

The criminals did a poor job back-stopping their fake identities. In this case, the Magic Jack was registered to the email "acsglobal3@gmail.com", which used hitesh.hinglaj@gmail.com as its recovery email, which in turn lists the telephone number 9879090909, which Hitesh also used on his US visa application. The Magic Jack device had been purchased in Texas by Ashwin Kabaria, who used the email acs.wun@gmail.com to send the news to acsglobal3@gmail.com that he was shipping him 20 Magic Jack devices via UPS. The same individual would ship more than 100 Magic Jack devices to other members of the conspiracy, including people in India and in Hoffman Estates, Illinois.

Another Magic Jack number, (630) 974-1367, was associated with 990 Green Dot GPR cards using 776 different stolen identities. (785) 340-9064 was associated with 4,163 Green Dot cards using 1,903 different stolen identities! That one was used by Jatan_oza@rocketmail.com, which was frequently checked from the same IP address from which Magic Jack calls using this number were originating.

Sunny Joshi (sunny143sq@yahoo.com) was shown to have purchased $304,363.45 worth of GPR cards in a single month (October 2013!). Emails to and from Sunny often had spreadsheets documenting which transactions had been funded by which GPR cards. One spreadsheet showed $239,180.79 worth of transactions from 116 different cards!

Another investigative trick was to look for cards that were used in "geographically impossible" situations.  For example, on January 13, 2014 at 11:37 AM a conspirator used a card to buy gas in Racine, Wisconsin.  On the same day at 12:46 PM the same card was used to buy groceries in Las Vegas, Nevada.
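The two investigative methods described in this section (many GPR cards registered to one phone number under many different identities, and "geographically impossible" card use) expressed as detection logic. This is an added example, not code from the investigation, from GreenDot or from the indictment; it runs over constructed sample records, and the card IDs, phone numbers, identities, coordinates and the 800 km/h speed limit are all assumptions.

```python
"""Two fraud-detection checks on GPR card data (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed registrations: (card_id, registered_phone, identity). Placeholder
# values, not the phone numbers or identities from the indictment.
REGISTRATIONS = [
    ("card-0001", "555-0100", "identity-A"),
    ("card-0002", "555-0100", "identity-B"),
    ("card-0003", "555-0100", "identity-C"),
    ("card-0004", "555-0100", "identity-A"),
    ("card-0005", "555-0199", "identity-D"),
]

# Constructed card uses: (card_id, local time, lat, lon, place). Coordinates are
# approximate city centres; the Racine/Las Vegas pair mirrors the case in the text.
USES = [
    ("card-0001", "2014-01-13T11:37", 42.73, -87.78, "Racine, WI"),
    ("card-0001", "2014-01-13T12:46", 36.17, -115.14, "Las Vegas, NV"),
    ("card-0005", "2014-01-13T09:00", 41.88, -87.63, "Chicago, IL"),
    ("card-0005", "2014-01-13T10:15", 43.04, -87.91, "Milwaukee, WI"),
]


def shared_phone_numbers(registrations, min_cards=3, min_identities=2):
    """Flag phone numbers tied to many cards under many distinct identities.
    Returns {phone: (card_count, identity_count)} for numbers over both thresholds."""
    cards, identities = defaultdict(set), defaultdict(set)
    for card, phone, identity in registrations:
        cards[phone].add(card)
        identities[phone].add(identity)
    return {p: (len(cards[p]), len(identities[p])) for p in cards
            if len(cards[p]) >= min_cards and len(identities[p]) >= min_identities}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(uses, max_kmh=800.0):
    """Flag consecutive uses of one card whose implied speed exceeds max_kmh.
    The limit is an assumption (roughly airliner speed, ignoring airport time).
    Returns [(card, from_place, to_place, km, km_per_hour)]; speed is None when
    the two uses carry the same timestamp."""
    by_card = defaultdict(list)
    for card, ts, lat, lon, place in uses:
        by_card[card].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), lat, lon, place))
    flagged = []
    for card, events in by_card.items():
        events.sort()
        for (t1, la1, lo1, p1), (t2, la2, lo2, p2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            # Same-timestamp uses in different places are impossible regardless of speed.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                speed = round(km / hours) if hours > 0 else None
                flagged.append((card, p1, p2, round(km), speed))
    return flagged


if __name__ == "__main__":
    print(shared_phone_numbers(REGISTRATIONS))
    print(impossible_travel(USES))
```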

At least 15,000 victims have been confirmed to have lost money to these scammers, and an additional 50,000 victims are known to have had their identity details in the possession of these scammers.

The Most Vulnerable Among Us

The most vulnerable victims seem to have been recent immigrants and the elderly: people who, through habit or fear, are accustomed to quickly obeying any order from an authority, even when it seems unbelievable. There are several victims who were ordered repeatedly to purchase the largest possible Green Dot cards ($500 value) and to do so in batches over several days. One victim in 2013 purchased 86 cards worth $43,000 and transmitted the details to the scammers. These cards were accessed from the IP of the 703 Magic Jack phone and transferred by email to "hglobal01@gmail.com".

One resident of Hayward, California was contacted repeatedly from January 9, 2014 through January 29, 2014 and extorted into purchasing 276 MoneyPaks worth $136,000 and transmitting the PIN numbers to the thieves.  She was frightened into believing she was speaking with the IRS and would be immediately arrested if she did not comply!

Recent immigrants are also especially vulnerable.  In one of the many examples from the indictment, Rushikesh B., a resident of Naperville, Illinois, was extorted for $14,400 by an individual claiming to be the Illinois State Police and threatening arrest if he did not immediately pay fines related to immigration violations.

Those who work with our elderly and with recent immigrant communities are strongly encouraged to remind them that NO LAW ENFORCEMENT OFFICIAL will EVER take payment for a fine via money transferred over the internet or email! Nor will they ever require a GPR card to be used to pay such a fee!

Anyone who hears of a friend, family member or co-worker who has been a victim of such a scam is strongly encouraged to file a report.

For all IRS-related telephone scams, please help your colleague to report the scam by using the TIGTA website, "IRS Impersonation Scam Reporting", run by the Treasury Department's Inspector General for Tax Administration.

The URL is: http://ift.tt/1PRZw8x

For all other Telefraud scams involving government impersonation, this FTC website may be used: 


Email Traffic a key to the Case

The indictment goes on for 81 pages listing incident after incident, including many email accounts used by the criminals.  Some of the criminals made accounts for money movement, such as money.pak2012@gmail, payment8226@gmail, but others used their "primary emails" like Cyril Jhon who used the email cyrilhm2426@gmail for his conspiracy traffic. Saurin Rathod used the email saurin2407@gmail, while Hardik Patel used hardik.323@gmail!  One of the payment processors, Rajkamal Sharma, sent over 1,000 emails to conspirators with directions about where to deposit various funds. Almost 50 pages of the 81 page indictment are walking through the evidence uncovered by email analysis!

The full indictment is a fascinating read … you can find a copy here:

The indicted:

Hitesh Madhubhai Patel
Hardik Arvindbhai Patel
Janak Gangaram Sharma
Tilak Sanjaybhai Joshi
Saurin Jayeshkumar Rathod
Tarang Ranchhodbhai Patel
Kushal Nikhilbhai Shah
Karan Janakbhai Thakkar
Manish Balkrishna Bharaj
Rajpal Vastupal Shah
Sagar Thakar (aka Shaggy, Shahagir Thakkar)
Cyril Jhon Daniel
Jatin Vijaybhai Solanki
Jerry Norris (aka James Norris, IV)
Nisarg Patel
Miteshkumar Patel
Rajubhai Bholabhai Patel
Ashvinbhai Chaudhari
Fahad Ali
Jagdishkumar Chaudhari (Jagdish)
Bharatkumar Patel (Bharat)
Asmitaben Patel
Vijaykumar Patel
Montu Barot (Monty Barot)
Praful Patel
Ashwinbhai Kabaria
Dilipkumar Ramanlal Patel
Nilam Parikh
Dilipkumar Ambal Patel (Don Patel)
Viraj Patel
Abshishek Rajdev Trivedi
Samarth Kamleshbhai Patel
Harsh Patel
Aalamkhan Sikanderkhan Pathan
Jaykumar Rajanikant Joshi
Anjanee Pradeepkumar Sheth
Kunal Chatrabhuj Nagrani
Subish Surenran Ezhava (aka Chris Woods)
Sunny Tarunkumar Sureja (aka Khavya Sureja)
Sunny Joshi (aka Sharad Ishwarial Joshi, Sunny Mahashanker Joshi)
Rajesh Bhatt (aka Manoj Joshi, Mike Joshi)
Nilesh Pandya
Tarun Deepakbhai Sadhu
Vishalkumar Ravi Gounder (Vishal Gounder)
Bhavesh Patel
Raman Patel
Rajesh Kumar Un
Aniruddh Rajeshkumar Chauhan
Rahul Tilak Vijay Dogra
Vicky Rajkamal Bhardwaj
Clintwin Jacob Chrisstian
Aneesh Antony Padipurikal (Aneesh Anthony)
Jatankumar Kareshkumar Oza (aka Jatan Oza)
Rajkamal Omprakash Sharma
Vineet Dharmendra Vasishtha (aka Vineet Sharma, Vineet Vashistha)
Gopal Venkatesan Pillai

via http://ift.tt/2dSPkmR

No More Ransom Helps You Prevent and Recover from Ransomware Attacks

Ransomware attacks are on the rise, and once your computer or network has been infected, it can be really difficult to recover. No More Ransom can help, and more importantly, help you now, before an infection, and later, after one.

The No More Ransom site does a couple of great things. First, if you or a computer you use has already been compromised, you can upload an encrypted file and the details of the ransom letter you received and the service will analyze and tell you what type of ransomware you’re dealing with, and who’s behind it, if they know.

If you just want to protect yourself however, the site has plenty of tips to make sure your files and everything are safe and secure, starting with keeping regular backups. From there, it’s all about using robust antimalware tools on your computer, and learning a little internet savvy and good web hygiene (turning on “show file extensions” and never opening files or attachments sent to you by people you don’t know, and even then checking on ones from people you do know.)

The site is the result of a partnership between Intel Security and Kaspersky Lab, so keep an eye out for plugs for their specific tools and technologies, but overall the material there is correct and helpful, and worth a bookmark if you manage computers, work in IT, or are just worried a family member may call you one day asking what a Bitcoin is and why someone is demanding thousands of dollars in them to unlock their PC.

No More Ransom

Photo by Christiaan Colen and Malwarebytes.

via http://ift.tt/2ftf3mf

The ASUS RT-AC68U Is Your Favorite Wireless Router

Our wireless router Co-Op came down to a final face-off between two reader favorites, but in the end, the ASUS RT-AC68U took over 2/3 of the vote to claim the title.

This router is simply the best working router I’ve had in years. I’m not even using a tenth of what it’s capable of, but the fact of the matter is it’s the first router I’ve had where I didn’t feel like I needed to power cycle once every couple weeks. – lordkilgar

I second this. And if you’re brave enough, you can install third party firmware to unlock even more advanced features. – jbatubara

I’d also like to add 1) guest wifi to keep guest devices segregated from your network and 2) Asus has a baked-in dynamic DNS feature which makes accessing your home network remotely a lot easier if you don’t have a static IP. – wherewallaceatstring


via http://ift.tt/2eN7DGx

Over 3.2 Million Debit Cards May Have Been Compromised, Says National Payment Corporation of India

A total of 3.2 million debit cards across 19 banks may have been compromised as a result of a suspected malware attack. The breach, possibly the largest of its kind in India, was confirmed by the National Payment Corporation of India (NPCI) in a statement today. The problem was brought to NPCI’s attention via complaints from banks informing the agency that their customers’ cards were used fraudulently, mainly in China and the USA, while the customers were in India, according to the statement.

On how the breach could have occurred, Alex Mathew reports in Bloomberg: "The breach that has apparently given hackers access to the PIN codes of several bank customers is likely to be on account of a malware attack. This attack is believed to have originated at an ATM. The actual modus operandi of the hackers will only become clear once the forensic audit is released in November… First, the hacker would have had to gain physical access to an ATM. The malware was then likely injected by connecting a laptop or another special device to a port on the cash disbursing machine, said Tiwari, a consultant at Centre For Internet & Society in Bengaluru. Once the malware is injected, it automatically spreads across the network…"

via http://ift.tt/2dSt6go