Last Week In Blockchain and CyberSecurity News - April 9, 2019

Hackers Are Targeting D-Link Home Routers 

A cybercrime group has been targeting home routers, mostly D-Link models, to change their DNS server settings and redirect traffic meant for legitimate sites to malicious ones. Researchers identified three waves of attacks between December 2018 and March 2019. In their blog post, the researchers stated that the exploit attempts originated from hosts on the Google Cloud Platform network (AS15169). The attackers abused known vulnerabilities in router firmware to gain access to the devices and change the router's DNS configuration. Because users are not notified of these changes, the attacks can continue without the victim noticing.

Targeted Routers include: 

  • D-Link DSL-2640B 

  • D-Link DSL-2740R  

  • D-Link DSL-2780B 

  • D-Link DSL-526B 

  • ARG-W4 ADSL routers  

  • DSLink 260E routers 

  • Secutech routers  

  • TOTOLINK routers 

Google Cloud has suspended the fraudulent accounts found by the researchers and is working through "established protocols" to identify any new ones that emerge. To protect against attacks like DNS hijacking, keep router firmware up to date, replace devices that no longer receive updates, and verify that the DNS servers your router hands out, and the answers they give, are what you expect.
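A rogue resolver handed out by a hijacked router typically answers correctly for most names and lies only for the targeted ones (banks, webmail), so checking the resolver address alone is not enough. The script below, added here as an illustration and not part of the researchers' write-up, asks the router and an independent trusted resolver for the same name, parses both DNS replies at the wire level, and flags a hijack when the two answer sets share no address. The router address (192.168.1.1), the trusted resolver (1.1.1.1), the domain bank.example and the IP addresses in the canned responses are all assumptions or constructed sample data.

```python
import socket
import struct

# Assumed addresses: the home router's LAN IP and a resolver you trust.
ROUTER = "192.168.1.1"
TRUSTED_RESOLVER = "1.1.1.1"


def build_query(name, txid=0x1234):
    """Build a standard recursion-desired A query for `name` (DNS wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past the name field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return ips


def hijack_suspected(router_ips, trusted_ips):
    """Flag when the router's answers share no address with the trusted resolver's."""
    return bool(router_ips) and not set(router_ips) & set(trusted_ips)


def resolve(name, server, timeout=2.0):
    """Send the query to `server` over UDP/53 and parse the reply (needs a live network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def build_response(name, ips, txid=0x1234, ttl=300):
    """Construct a reply the way a resolver would send it (used for the offline sample)."""
    question = build_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


# Constructed sample (RFC 5737 documentation addresses): the hijacked router points
# bank.example at an attacker host, the trusted resolver returns the legitimate ones.
ROUTER_RESPONSE = build_response("bank.example", ["203.0.113.10"])
TRUSTED_RESPONSE = build_response("bank.example", ["198.51.100.7", "198.51.100.8"])


def check_sample():
    router_ips = parse_a_records(ROUTER_RESPONSE)
    trusted_ips = parse_a_records(TRUSTED_RESPONSE)
    return router_ips, trusted_ips, hijack_suspected(router_ips, trusted_ips)


if __name__ == "__main__":
    print(check_sample())
    # Live version: hijack_suspected(resolve("bank.example", ROUTER),
    #                                resolve("bank.example", TRUSTED_RESOLVER))
```

Two caveats for real use: names served through geo-distributed CDNs legitimately return different addresses to different resolvers, so pick domains with stable records or compare several, and a hijacked router can also be detected from the DHCP side by comparing the nameservers it advertises with the ones you configured.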

Read more

540 Million Facebook Records Leaked by Public Amazon S3 Buckets 

Over 540 million records of Facebook users were exposed by publicly accessible Amazon S3 buckets used by two third-party apps. The bucket used by Cultura Colectiva stored 146 gigabytes of files containing information about Facebook users, including account names, comments, likes, user IDs, and more. The misconfigured bucket allowed anyone to download its contents. A second dataset belonged to the "At the Pool" app and held 22,000 records that included users' passwords in plaintext. Since the company that owned that app ceased operations five years ago, the find raises the question of how many other forgotten, misconfigured buckets are still exposed.
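A bucket becomes "open to anyone" in one of two ways: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy that allows actions to Principal "*" without a Condition. The checker below is an added example, not code from the researchers or from AWS; it evaluates both structures in the shape boto3 returns them and reports every public grant. The bucket name, account ID and ACL/policy documents are constructed samples.

```python
import json

# Canned ACL groups that make a bucket or object readable by the world.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone, no AWS account needed
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}


def public_acl_grants(acl):
    """Grants in a get_bucket_acl()/get_object_acl() result that target a public group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Allow statements open to any principal with no Condition (policy as JSON string or dict)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def bucket_exposure(acl, policy=None):
    """Human-readable findings; an empty list means nothing public was found."""
    findings = []
    for g in public_acl_grants(acl):
        group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"ACL grants {g['Permission']} to {group}")
    if policy:
        for s in public_policy_statements(policy):
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("policy allows " + ", ".join(actions) + " to any principal")
    return findings


def audit_live_bucket(bucket):
    """Fetch the real ACL and policy with boto3 (needs AWS credentials; not run offline)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = None
    return bucket_exposure(acl, policy)


# Constructed samples in the shape boto3 returns; bucket name and account ID are placeholders.
LEAKY_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-user-data/*"},
]})
FIXED_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-user-data/*"},
]})
```

The durable fix is not to rely on spotting individual grants but to turn on S3 Block Public Access for the account or bucket (`aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`), which makes both of the exposures above impossible to create; a scan like this then serves to find buckets that predate the setting.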

Read more here

Dozens of Credit Card Info Skimming Scripts Infect Thousands of Sites 

Researchers at RiskIQ have documented numerous Magecart groups that steal credit card data from online stores. The name Magecart refers to groups that scrape "card data via malicious JavaScript code that loads on checkout pages." The researchers identified 38 different families of malicious code planted on victim websites. For 15 of those 38 families, they found that "2,440 websites had been infected," with an estimated 1.5 million unique visitors to those sites daily. RiskIQ stated that 8 of the families had never been analyzed before, and noted that some can steal card data from several different payment systems. Other families stay under the radar by tailoring the code to each infection, for instance by activating only when a buyer completes a transaction, which lets the script slip past most detection systems. To compromise their targets, the criminals exploit vulnerabilities in the online store platform itself or compromise a third-party script that the store loads, a supply chain attack.
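For the supply chain vector, where a third-party script loaded on the checkout page is modified at its source, Subresource Integrity (SRI) lets the site pin the hash of the script it reviewed so the browser refuses a changed copy. The example below is added here and is not RiskIQ's code or any store's; it computes SRI values, verifies them the way a browser does (several tokens may be listed, any match passes, unknown algorithms are ignored) and audits a checkout page's external scripts. The CDN URLs, the page markup and the "tampered" script are constructed; the tampered file only carries a comment, not a real skimmer.

```python
import base64
import hashlib
import re

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the value that belongs in a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """True if the content matches any supported hash token in the attribute."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)


def _attr(attrs: str, name: str):
    m = re.search(rf'\b{name}="([^"]*)"', attrs, re.I)
    return m.group(1) if m else None


def audit_scripts(html: str, fetch):
    """Check every external <script> on a page. `fetch(src)` returns the script bytes as
    currently served (answered from an inline dict here so the example runs offline)."""
    report = {}
    for m in SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        src = _attr(attrs, "src")
        if src is None:
            continue                                   # inline script: SRI does not apply
        integrity = _attr(attrs, "integrity")
        if integrity is None:
            report[src] = "no integrity attribute"
        elif verify_integrity(fetch(src), integrity):
            report[src] = "ok"
        else:
            report[src] = "hash mismatch: served script differs from the pinned version"
    return report


# Constructed sample. TAMPERED_JS stands in for a third-party file changed after the site
# pinned its hash; the appended text is a comment, not skimmer code.
ORIGINAL_JS = b"export function pay(form){return fetch('/api/pay',{method:'POST',body:new FormData(form)});}"
TAMPERED_JS = ORIGINAL_JS + b"\n/* constructed stand-in for code appended by an attacker */"
PINNED = sri_hash(ORIGINAL_JS)

CHECKOUT_HTML = f"""
<script src="https://cdn.example/checkout.js" integrity="{PINNED}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://cdn.example/payments.js" integrity="{PINNED}" crossorigin="anonymous"></script>
"""

SERVED = {   # what the CDN returns today (constructed)
    "https://cdn.example/checkout.js": ORIGINAL_JS,
    "https://cdn.example/analytics.js": ORIGINAL_JS,
    "https://cdn.example/payments.js": TAMPERED_JS,
}


def audit_sample():
    return audit_scripts(CHECKOUT_HTML, SERVED.__getitem__)
```

Cross-origin scripts need `crossorigin="anonymous"` and a CORS header from the CDN for the browser to enforce the hash, and SRI only protects static files with a fixed hash. It does nothing against the other vector named above, a skimmer injected into the store's own code through a platform vulnerability; that calls for a Content Security Policy that restricts where scripts may load from and send data to, plus integrity monitoring of the site's own files.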

Get more information here


Cryptocurrency Wallet Possibly Vulnerable on Samsung Galaxy S10 As the Fingerprint Sensor Is Fooled by A 3D Printed Fingerprint 

In a video, the user 'darkshark' demonstrates step by step how to bypass the Samsung Galaxy S10's biometric authentication with a 3D-printed fingerprint. Unlike most smartphone fingerprint sensors, the Galaxy S10 uses an ultrasonic sensor to read the physical contours of a fingertip, which Samsung says makes it more secure than rival implementations. Nevertheless, darkshark was able to defeat the sensor in under 20 minutes. This raises obvious concerns: a fingerprint can be collected from an unsuspecting victim without their knowledge and then used to unlock their phone. Samsung's built-in cryptocurrency wallet may be at risk from the same bypass. If the phone holds any information about the wallet password, or the wallet itself accepts biometric authentication, an attacker can use this technique to steal the victim's coins.

Read more here
 

LokiBot Trojan Spotted Hitching a Ride Inside .PNG Files 

A spam campaign is using a new technique to evade detection and spread the info-stealing LokiBot trojan. Researchers observed spam messages carrying a malicious .zipx attachment disguised as a .PNG file that slipped past some email security systems. LokiBot is a trojan designed to covertly steal information from compromised accounts and devices. Because the attachment begins with a PNG file signature, scanners that identify file type by its magic bytes treat it as a PNG image, even though it carries a .zipx extension and contains an archive. The archive holding the LokiBot executable is appended after the PNG image data. To infect a victim, the user must open the attachment, extract the .zipx archive, and run the .exe inside it. Somewhat tech-savvy users may not fall for this, but many unsuspecting users will. Mail gateways and endpoint scanners should therefore look past the leading file signature, for instance by checking for archive structures after the end of the image data.
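A type detector that stops at the first eight bytes is exactly what this trick defeats. The checker below, an added example and not the researchers' tooling, instead walks the PNG chunk list to find where the image legitimately ends (the IEND chunk) and then looks for ZIP structures in whatever follows. It also shows why the trick works for the recipient: Python's zipfile, like WinRAR and similar archivers, locates the central directory from the end of the file, so it opens the archive despite the image in front of it. The sample file is constructed in memory: a valid 1x1 PNG with an archive appended, whose "invoice.exe" member is a placeholder string and not an executable.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"


def png_end_offset(data: bytes):
    """Walk the PNG chunk list and return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length/type header + chunk data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None                          # truncated or no IEND


def trailing_archive(data: bytes):
    """Offset of a ZIP structure appended after the image, or None.
    Only signatures are checked; nothing is decompressed."""
    end = png_end_offset(data)
    if end is None:
        return None
    tail = data[end:]
    for sig in (ZIP_LOCAL_HEADER, ZIP_END_OF_CENTRAL_DIR):
        idx = tail.find(sig)
        if idx != -1:
            return end + idx
    return None


def archive_members(data: bytes):
    """Names inside the appended archive. zipfile finds the central directory from the
    end of the file, so the leading PNG bytes do not confuse it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify(data: bytes) -> str:
    if trailing_archive(data) is not None:
        return "png-with-trailing-zip"
    if png_end_offset(data) is not None:
        return "png"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown"


# Constructed sample: a valid 1x1 PNG with an in-memory ZIP appended.

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def tiny_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 pixel, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte + one red pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def make_polyglot() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ placeholder - not a real executable")
    return tiny_png() + buf.getvalue()


if __name__ == "__main__":
    sample = make_polyglot()
    print(classify(sample), trailing_archive(sample), archive_members(sample))
```

A .zipx archive uses the same PK container with newer compression methods, so the signature check covers it; listing member names only needs the central directory, which works even when the compression method itself is unsupported. Any data after IEND is already suspicious for an image attachment, whether or not it carries a recognisable archive signature.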

Read more here