Malware Devil

Wednesday, June 30, 2021

Network Security News Summary for Wednesday June 30th, 2021

Phish Without Link; June Contest Solution; WD MyBook Details; Adobe Experience Manager PoC;

Google “Sweepstakes” Phish Without Link
https://isc.sans.edu/forums/diary/Diving+into+a+Google+Sweepstakes+Phishing+Email/27578/

Forensics Contest Solution / Winner
https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/

WD MyBook Details
https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/

Adobe Experience Manager PoC
https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/

keywords: phishing; google; sweepstakes; forensics; wd mybook; western digital; adobe; experience manager; poc

The post Network Security News Summary for Wednesday June 30th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/06/30/network-security-news-summary-for-wednesday-june-30th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-wednesday-june-30th-2021

June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th)

Introduction

Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago.  We received 10 submissions through our contact page, and four people found all three infections in the pcap.  Unfortunately, we could only pick one winner.  In this case, our winner was chosen through a random process among the four eligible people.  Join us in congratulating this month’s winner, Dimitri!  Dimitri will receive a Raspberry Pi 4 kit.

You can still find the pcap for our June 2021 forensic contest at this Github repository.

Answers

Three infected Windows clients show signs of infection within the Active Directory (AD) environment from the packet capture (pcap).  The infected Windows hosts are:

IP address: 10.6.15.93
MAC address: 00:23:54:a2:1f:b4
Host name: DEKSTOP-A1CTJVY
User account: raquel.anderson
Infected with: AgentTesla
Date/Time of infection activity: 2021-06-16 15:44 UTC

IP address: 10.6.15.119
MAC address: 00:23:54:e3:a3:55
Host name: DESKTOP-NIEE9LP
User account: tommy.vega
Infected with: Hancitor, Cobalt Strike, and Ficker Stealer
Date/Time of infection activity: 2021-06-16 14:37 UTC
Note: Malicious Word doc was sent through ststephenskisugu[.]church at 14:35 UTC

IP address: 10.6.15.187
MAC address: 00:23:54:72:c9:13
Host name: DESKTOP-YS6FZ2G
User account: horace.maddox
Infected with: Qakbot (Qbot)
Date/Time of infection activity: 2021-06-16 15:37 UTC
Note: Malicious zip archive was sent through solarwindsonline[.]com at 15:30 UTC

To help in your analysis of this activity, please review the Requirements section in our original diary for this month’s contest.

Creating Pcaps for Individual Hosts

As stated in our original post, the infected Windows hosts are part of an AD environment, and its characteristics are:

LAN segment range: 10.6.15.0/24 (10.6.15.0 through 10.6.15.255)
Domain: saltmobsters.com
Domain Controller: 10.6.15.5 – Saltmobsters-DC
LAN segment gateway: 10.6.15.1
LAN segment broadcast address: 10.6.15.255

To find IP addresses for Windows clients in this AD environment, use Statistics –> Endpoints to bring up Wireshark’s Endpoints window.


Shown above:  Getting to the Endpoints window in Wireshark.

The Endpoints window shows all endpoints in the pcap.  Click on the IPv4 tab and sort by address to find IP addresses in the 10.6.15.0/24 range.


Shown above:  Sorting by Address under the IPv4 tab and finding the 10.6.15.0/24 addresses.

This should reveal six internal IP addresses within the 10.6.15.0/24 LAN segment for saltmobsters.com:

10.6.15.1 (gateway)
10.6.15.5 (Domain controller, Saltmobsters-DC)
10.6.15.93
10.6.15.119
10.6.15.187
10.6.15.255 (broadcast address)

Since 10.6.15.1, 10.6.15.5, and 10.6.15.255 are already accounted for, we should filter on each of the three remaining IP addresses and export traffic for each one into a separate pcap.

First, filter on ip.addr eq 10.6.15.93 then use File –> Export Specified Packets… to save the displayed traffic in a new pcap as shown below.


Shown above:  Filtering on 10.6.15.93 and saving the traffic to a new pcap.

Do the same thing for 10.6.15.119 and 10.6.15.187.  Now you should have three new pcaps that contain traffic from each of the Windows clients.


Shown above:  Three pcaps from Windows clients extracted from the June 2021 contest pcap.
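The Endpoints listing and the per-host export, done without the GUI: an added example for this diary (not Brad Duncan’s code and not Wireshark’s) that reads a classic libpcap file with the Python standard library, counts packets per address inside the LAN range, records the source MAC of every address that transmitted, and writes one capture per client exactly as “ip.addr eq HOST” plus Export Specified Packets would. The capture it parses is constructed inline from synthetic Ethernet/IPv4 frames that reuse the diary’s addresses; it is not the contest pcap, and pcapng input is out of scope (convert with editcap first).

```python
"""Per-host pcap export and LAN endpoint listing with the Python standard library only."""
import ipaddress
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1


def _endian(pcap: bytes) -> str:
    """Struct byte-order prefix for a classic libpcap file (magic 0xa1b2c3d4 in either byte order)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError("not a classic libpcap file (pcapng: convert with editcap -F pcap first)")


def iter_records(pcap: bytes):
    """Yield (record, frame): the 16-byte record header plus frame, and the frame alone."""
    endian = _endian(pcap)
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        record = pcap[off:off + 16 + incl_len]
        yield record, record[16:]
        off += 16 + incl_len


def parse_ipv4(frame: bytes):
    """(src_mac, src_ip, dst_ip, ip_proto) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
    return src_mac, src_ip, dst_ip, frame[23]


def lan_endpoints(pcap: bytes, lan: str):
    """Statistics -> Endpoints restricted to `lan`: packets per address, plus the source MAC
    of each address that actually transmitted (the Ethernet header is where the MACs come from)."""
    net = ipaddress.ip_network(lan)
    counts, macs = Counter(), {}
    for _, frame in iter_records(pcap):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip, _ = parsed
        for addr in (src_ip, dst_ip):
            if ipaddress.IPv4Address(addr) in net:
                counts[addr] += 1
        if ipaddress.IPv4Address(src_ip) in net:
            macs.setdefault(src_ip, src_mac)
    return counts, macs


def split_by_host(pcap: bytes, hosts):
    """'ip.addr eq HOST' followed by File -> Export Specified Packets, for every HOST at once.
    Records are copied byte-for-byte under the original global header, so timestamps survive."""
    out = {h: bytearray(pcap[:24]) for h in hosts}
    for record, frame in iter_records(pcap):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        _, src_ip, dst_ip, _ = parsed
        for host in hosts:
            if host in (src_ip, dst_ip):
                out[host] += record
    return {h: bytes(b) for h, b in out.items()}


# --- constructed sample capture: synthetic frames, not the contest pcap ---------------------
def _frame(src_mac: str, src_ip: str, dst_ip: str, proto: int = 6) -> bytes:
    eth = bytes.fromhex("00505600aa01") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, proto, 0, 0])  # 20-byte header, total length 40
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return eth + ip + b"\x00" * 20  # zeroed transport header; 54 bytes on the wire


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = (struct.pack("<IIII", 1623857400 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)


SAMPLE_PCAP = build_pcap([
    _frame("00:23:54:a2:1f:b4", "10.6.15.93", "45.142.212.61", proto=17),   # UDP to an external address
    _frame("00:23:54:a2:1f:b4", "10.6.15.93", "10.6.15.5"),
    _frame("00:23:54:e3:a3:55", "10.6.15.119", "194.226.60.15"),
    _frame("00:50:56:00:aa:01", "194.226.60.15", "10.6.15.119"),            # reply arrives via the gateway MAC
    _frame("00:23:54:72:c9:13", "10.6.15.187", "192.186.204.161"),
    _frame("00:23:54:72:c9:13", "10.6.15.187", "10.6.15.255"),
])

KNOWN = {"10.6.15.1": "gateway", "10.6.15.5": "Saltmobsters-DC", "10.6.15.255": "broadcast"}

if __name__ == "__main__":
    counts, macs = lan_endpoints(SAMPLE_PCAP, "10.6.15.0/24")
    for addr in sorted(counts, key=ipaddress.IPv4Address):
        print(f"{addr:<14} {counts[addr]:>4} pkts  {macs.get(addr, '-'):<17} {KNOWN.get(addr, 'client?')}")
    clients = [a for a in counts if a not in KNOWN]          # the addresses still to be explained
    for host, data in split_by_host(SAMPLE_PCAP, clients).items():
        with open(f"host-{host}.pcap", "wb") as fh:
            fh.write(data)
```

Run against the real contest pcap by replacing SAMPLE_PCAP with the file’s bytes; the per-host files it writes open in Wireshark like the exported ones, and the MAC column gives you the hardware addresses in the answer key without a separate filter.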

Infection Traffic for Agent Tesla (AgentTesla)

Let’s review traffic from 10.6.15.93.  We can quickly determine host information by filtering on kerberos.CNameString and viewing a customized column for CNameString as described in this tutorial.  The host information is:

IP address: 10.6.15.93
MAC address: 00:23:54:a2:1f:b4
Host name: DEKSTOP-A1CTJVY
User account name: raquel.anderson

You can find host information for the other two IP addresses using this method.  Note: When setting up this environment, I misspelled DESKTOP in the host name for DEKSTOP-A1CTJVY.


Shown above:  Host information for 10.6.15.93.

There’s nothing unusual in web traffic from 10.6.15.93, except for a DNS query to turtleoil1998b[.]com that resolves to 45.142.212[.]61, but no TCP connection is established with that IP.  This traffic is related to the TA551 (Shathak) campaign, and it was pushing Ursnif (Gozi/ISFB) during this timeframe.  My personal research has confirmed turtleoil1998b[.]com was a domain used by TA551 to host malware DLL files for Ursnif on 2021-06-16.

Despite a lack of interesting web traffic, 10.6.15.93 generated unusual SMTP activity.  Filter on smtp, and the display will show unencrypted SMTP traffic over TCP port 587 to an external IP address.  TCP 587 is the mail submission port, and a legitimate mail client would normally issue STARTTLS before authenticating, so commands, credentials and message bodies readable in the capture are already a warning sign; a Windows workstation submitting mail directly to an external server, rather than through the organization’s mail server, is not normal activity.


Shown above: SMTP traffic seen from 10.6.15.93.

Follow the TCP stream for any of the first few frames in the SMTP results.  Your TCP stream should reveal an email to accounts@staroxalate.com with usernames and passwords from the Windows host.  This is definitely malicious traffic.


Shown above:  TCP stream of unencrypted SMTP traffic with info from the infected host.

This activity matches what I’ve seen for AgentTesla malware.  It triggered an alert for AgentTesla-generated SMTP when I tested it in my lab environment.


Shown above:  EmergingThreats (ET) alert for AgentTesla.

The infected Windows host at 10.6.15.93 sent four emails to accounts@staroxalate.com.


Shown above:  Four different emails sent from 10.6.15.93.

The first message has passwords from the infected Windows host, and its subject line starts with PW.  The next three messages have keylogging data, and their subject lines start with KL.
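The same check, automated: an added example (not from the diary and not from Wireshark) that walks the text of a reassembled SMTP stream as Follow TCP Stream presents it, records whether STARTTLS was ever issued, decodes AUTH LOGIN credentials when they went over the wire in base64, and labels each DATA block by the PW/KL subject prefixes described above. The session it parses is constructed inline and only shaped after the diary’s description: the sender address, password, body lines and intranet URL are invented, and AUTH LOGIN is an assumption about how the stealer authenticates.

```python
"""Flag cleartext SMTP submission and recover what a stealer mailed out."""
import base64
import re

SERVER_LINE = re.compile(r"^\d{3}[ -]")        # SMTP replies: "250 OK", "250-EHLO line", "334 ..."
ADDR = re.compile(r"<([^>]+)>")
SUBJECT_KINDS = {"PW": "stolen passwords", "KL": "keylogger data"}   # prefixes seen in the diary


def _address(line: str) -> str:
    m = ADDR.search(line)
    return m.group(1) if m else line.split(":", 1)[1].strip()


def _message(data_lines):
    """Split a DATA block into headers and body and label it by subject prefix."""
    sep = data_lines.index("") if "" in data_lines else len(data_lines)
    headers = {}
    for h in data_lines[:sep]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    subject = headers.get("subject", "")
    return {"subject": subject, "to": headers.get("to"),
            "kind": SUBJECT_KINDS.get(subject[:2].upper(), "unknown"),
            "body_lines": max(len(data_lines) - sep - 1, 0)}


def analyze_smtp_stream(stream: str, dst_port: int) -> dict:
    """Walk one reassembled client/server stream (Wireshark's Follow TCP Stream text)."""
    f = {"dst_port": dst_port, "starttls": False, "cleartext_auth": False, "username": None,
         "password": None, "mail_from": None, "rcpt_to": [], "messages": []}
    lines = stream.split("\r\n")
    i, in_data, data = 0, False, []
    while i < len(lines):
        line = lines[i]
        i += 1
        if in_data:                                   # inside DATA until the lone "."
            if line == ".":
                in_data = False
                f["messages"].append(_message(data))
            else:
                data.append(line)
            continue
        if SERVER_LINE.match(line):
            continue
        cmd = line.upper()
        if cmd.startswith("STARTTLS"):
            f["starttls"] = True                      # everything after this would be TLS
        elif cmd.startswith("AUTH LOGIN") and not f["starttls"]:
            f["cleartext_auth"] = True
            rest = line[10:].strip()                  # optional initial response carries the username
            creds = [base64.b64decode(rest).decode("utf-8", "replace")] if rest else []
            while i < len(lines) and len(creds) < 2:  # client lines after the 334 prompts are base64
                if not SERVER_LINE.match(lines[i]):
                    creds.append(base64.b64decode(lines[i]).decode("utf-8", "replace"))
                i += 1
            f["username"], f["password"] = (creds + [None, None])[:2]
        elif cmd.startswith("MAIL FROM:"):
            f["mail_from"] = _address(line)
        elif cmd.startswith("RCPT TO:"):
            f["rcpt_to"].append(_address(line))
        elif cmd == "DATA":
            in_data, data = True, []
    return f


def verdict(f: dict) -> list:
    """Reasons to treat the stream as stealer exfiltration; empty means nothing stood out."""
    reasons = []
    if f["dst_port"] == 587 and not f["starttls"]:
        reasons.append("cleartext submission on 587 without STARTTLS from a workstation")
    if f["cleartext_auth"]:
        reasons.append(f"AUTH LOGIN credentials readable in the stream ({f['username']})")
    for m in f["messages"]:
        if m["kind"] != "unknown":
            reasons.append(f"subject {m['subject']!r} to {m['to']}: {m['kind']}")
    return reasons


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed session, shaped after the diary's description; not captured traffic.
SAMPLE_STREAM = "\r\n".join([
    "220 mail.example.test ESMTP ready",
    "EHLO DEKSTOP-A1CTJVY",
    "250-mail.example.test Hello",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 " + _b64("Username:"),
    _b64("accounts@staroxalate.com"),
    "334 " + _b64("Password:"),
    _b64("not-a-real-password"),
    "235 2.7.0 Authentication successful",
    "MAIL FROM:<accounts@staroxalate.com>",
    "250 2.1.0 OK",
    "RCPT TO:<accounts@staroxalate.com>",
    "250 2.1.5 OK",
    "DATA",
    "354 End data with <CR><LF>.<CR><LF>",
    "From: accounts@staroxalate.com",
    "To: accounts@staroxalate.com",
    "Subject: PW_raquel.anderson/DEKSTOP-A1CTJVY",
    "",
    "Time: 06/16/2021 15:44:51",
    "User Name: raquel.anderson",
    "URL: https://intranet.saltmobsters.com/",
    "Password: ********",
    ".",
    "250 2.0.0 OK: queued",
])

if __name__ == "__main__":
    for reason in verdict(analyze_smtp_stream(SAMPLE_STREAM, 587)):
        print("-", reason)
```

Paste the stream text Wireshark shows (ASCII view, both directions) into SAMPLE_STREAM to run it on real traffic; a session that starts with STARTTLS produces no findings, because nothing after it is readable anyway.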

Infection Traffic for Hancitor, Cobalt Strike, and Ficker Stealer

Traffic from 10.6.15.119 fits patterns for Hancitor, Cobalt Strike, and Ficker Stealer as described in this Wireshark Tutorial.  In recent weeks, Hancitor has used Google Feedproxy links as the initial URL to kick off an infection chain.  The initial Google Feedproxy link in this pcap redirected to a URL from ststephenskisugu[.]church as part of this infection chain.

Indicators for the remaining activity are listed below.

Hancitor traffic:

port 80 – api.ipify.org – GET /
194.226.60[.]15 port 80 – hadevatjulps[.]com – POST /8/forum.php

Hancitor-infected host retrieves follow-up malware:

8.209.119[.]208 port 80 – srand04rf[.]ru – GET /16.bin
8.209.119[.]208 port 80 – srand04rf[.]ru – GET /16s.bin
8.209.119[.]208 port 80 – srand04rf[.]ru – GET /f7juhkryu4.exe

Cobalt Strike traffic:

162.244.83[.]95 port 80 – 162.244.83[.]95 – GET /VOoH
162.244.83[.]95 port 443 – 162.244.83[.]95:443 – GET /4Erq
65.60.35[.]141 port 80 – 65.60.35[.]141 – GET /pixel
65.60.35[.]141 port 443 – 65.60.35[.]141:443 – GET /g.pixel

Ficker Stealer traffic:

port 80 – api.ipify.org – GET /?format=xml
185.66.15[.]228 port 80 – pospvisis[.]com – TCP traffic (not HTTP)

EXE retrieved from the traffic:

SHA256 hash: dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019
File size: 272,910 bytes
File location: hxxp://srand04rf[.]ru/f7juhkryu4.exe
File description: Windows EXE for Ficker Stealer

Infection Traffic for Qakbot (Qbot)

Traffic from 10.6.15.187 fits patterns for Qakbot (Qbot) malware.  Indicators are:

192.186.204[.]161 port 80 – solarwindsonline[.]com – GET /miss-alicia-abbott/Oliver.Williams-84.zip
192.186.204[.]161 port 80 – solarwindsonline[.]com – GET /miss-alicia-abbott/documents.zip
103.28.39[.]29 port 443 – khangland[.]pro – HTTPS traffic
104.244.121[.]13 port 443 – jaipurbynite[.]com – HTTPS traffic
149.28.99[.]97 port 2222 – attempted TCP connections
95.77.223[.]148 port 443 – attempted TCP connections
207.246.77[.]75 port 2222 – HTTPS/SSL/TLS traffic

The initial URL for solarwindsonline[.]com was reported to URLhaus as returning a zip archive for Qakbot.  Unfortunately, due to packet loss in our pcap, we cannot export the zip archive that appears in this traffic.

However, the malware sample included in the Github repository is an Excel spreadsheet associated with Qakbot that generates traffic to khangland[.]pro and jaipurbynite[.]com.  Tria.ge sandbox analysis of the sample shows it generates the following HTTPS URLs when macros are enabled:

hxxps://khangland[.]pro/v8gEDeSB/sun.html
hxxps://jaipurbynite[.]com/stLdQs9R53/sun.htm

These two URLs fit patterns associated with Qakbot infections in recent weeks.  207.246.77[.]75:2222 is also known for malicious traffic associated with Qakbot.

Final Words

This month’s quiz was significantly more difficult than our previous two forensic contests, so thanks to all who participated.

Congratulations again to Dimitri for winning this month’s competition!

You can still find the pcap and malware at this Github repository.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.




https://malwaredevil.com/2021/06/30/june-2021-forensic-contest-answers-and-analysis-wed-jun-30th/?utm_source=rss&utm_medium=rss&utm_campaign=june-2021-forensic-contest-answers-and-analysis-wed-jun-30th

Tuesday, June 29, 2021

Returning Guest Host, GitHub Bounties, CISCO, Binance Banned, & WD Hacks

Special guest host Aaran Leyland returns for another episode of the Security Weekly News! Visit securityweekly.com/swn131 for show notes and the full episode on GitHub Bounties, CISCO, Binance Banned, & WD Hacks.




https://malwaredevil.com/2021/06/29/returning-guest-host-github-bounties-cisco-binance-banned-wd-hacks/?utm_source=rss&utm_medium=rss&utm_campaign=returning-guest-host-github-bounties-cisco-binance-banned-wd-hacks

CARES Act Fraud, Paying People & Fraudsters

Steve Lenderman and the SCW hosts discuss CARES Act Fraud, Paying People, & Fraudsters on this episode of Security and Compliance Weekly!

Full episode and show notes: https://securityweekly.com/scw78




https://malwaredevil.com/2021/06/29/cares-act-fraud-paying-people-fraudsters/?utm_source=rss&utm_medium=rss&utm_campaign=cares-act-fraud-paying-people-fraudsters

Returning Guest Host, GitHub Bounties, CISCO, Binance Banned, & WD Hacks – SWN #131

This week in the Security Weekly News, Number one in the charts, the cyber charts that is, Binance receives the ban hammer from UK’s FCA, Lawmakers introduce American Cybersecurity Literacy Act – Marines this does not apply, you keep chomping on your crayons, key vulnerabilities in the Atlassian project and software development platform, GitHub bug bounties: payouts surge past $1.5 million mark – sounds like rookie numbers to me, the UK MoD giving away secrets for free, if you ride the bus, and the return of Jason Wood for Expert Commentary!

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn131




https://malwaredevil.com/2021/06/29/returning-guest-host-github-bounties-cisco-binance-banned-wd-hacks-swn-131/?utm_source=rss&utm_medium=rss&utm_campaign=returning-guest-host-github-bounties-cisco-binance-banned-wd-hacks-swn-131

Users Clueless About Cybersecurity Risks: Study

The return to offices, coupled with uninformed users (including IT pros) has teed up an unprecedented risk of enterprise attack.



https://malwaredevil.com/2021/06/29/users-clueless-about-cybersecurity-risks-study/?utm_source=rss&utm_medium=rss&utm_campaign=users-clueless-about-cybersecurity-risks-study

CARES Act Fraud, Paying People & Fraudsters, Part 2 – Steve Lenderman – SCW #78

We will review how synthetics are being utilized to perpetrate pandemic related frauds in the Payroll Protection Program and Unemployment Insurance. An overview of the government programs will take place with the controls that were in place, how they were compromised, by who and what you can do to remediate risk.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw78




https://malwaredevil.com/2021/06/29/cares-act-fraud-paying-people-fraudsters-part-2-steve-lenderman-scw-78/?utm_source=rss&utm_medium=rss&utm_campaign=cares-act-fraud-paying-people-fraudsters-part-2-steve-lenderman-scw-78

CARES Act Fraud, Paying People & Fraudsters, Part 1 – Steve Lenderman – SCW #78

We will review how synthetics are being utilized to perpetrate pandemic related frauds in the Payroll Protection Program and Unemployment Insurance. An overview of the government programs will take place with the controls that were in place, how they were compromised, by who and what you can do to remediate risk.

Visit https://www.securityweekly.com/scw for all the latest episodes!

Show Notes: https://securityweekly.com/scw78




https://malwaredevil.com/2021/06/29/cares-act-fraud-paying-people-fraudsters-part-1-steve-lenderman-scw-78/?utm_source=rss&utm_medium=rss&utm_campaign=cares-act-fraud-paying-people-fraudsters-part-1-steve-lenderman-scw-78

Technology’s Complexity and Opacity Threaten Critical Infrastructure Security

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk.




https://malwaredevil.com/2021/06/29/technologys-complexity-and-opacity-threaten-critical-infrastructure-security/?utm_source=rss&utm_medium=rss&utm_campaign=technologys-complexity-and-opacity-threaten-critical-infrastructure-security

Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks

The bug in Edge’s auto-translate could have let remote attackers run script in the context of any foreign-language website (universal XSS) just by sending a message with an XSS payload.



https://malwaredevil.com/2021/06/29/microsoft-translation-bugs-open-edge-browser-to-trivial-uxss-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-translation-bugs-open-edge-browser-to-trivial-uxss-attacks

🔴 LIVE: Security Weekly News #131

This week in the Security Weekly News Aaran Leyland joins us as a Special Guest Host! In the News for this week: Confidential Papers Left at Bus Stop, DMARC, GitHub Bug Bounties, Western Digital Hacks, Cyber Insurance isn’t helping, and the triumphant return of Jason Wood once more to provide his Expert Commentary on this edition of the Security Weekly News!

→Full Show Notes: https://securityweekly.com/swn131

→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly




https://malwaredevil.com/2021/06/29/%f0%9f%94%b4-live-security-weekly-news-131/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-security-weekly-news-131

Security Weekly

→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly
→Like us on Facebook: https://www.facebook.com/secweekly




https://malwaredevil.com/2021/06/29/security-weekly-5/?utm_source=rss&utm_medium=rss&utm_campaign=security-weekly-5

SafeDollar Stablecoin not Safe nor Stable: Hack Sends Value to ZERO

SafeDollar, a crypto token that’s pegged to the U.S. dollar, crashed this week. The team claim it had been hacked.

The post SafeDollar Stablecoin not Safe nor Stable: Hack Sends Value to ZERO appeared first on Security Boulevard.




https://malwaredevil.com/2021/06/29/safedollar-stablecoin-not-safe-nor-stable-hack-sends-value-to-zero/?utm_source=rss&utm_medium=rss&utm_campaign=safedollar-stablecoin-not-safe-nor-stable-hack-sends-value-to-zero

3 Ways Cybercriminals Are Undermining MFA

Using multifactor authentication is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective.




https://malwaredevil.com/2021/06/29/3-ways-cybercriminals-are-undermining-mfa/?utm_source=rss&utm_medium=rss&utm_campaign=3-ways-cybercriminals-are-undermining-mfa

Details of RCE Bug in Adobe Experience Manager Revealed

Disclosure of a bug in Adobe’s content-management solution – used by Mastercard, LinkedIn and PlayStation – were released.



https://malwaredevil.com/2021/06/29/details-of-rce-bug-in-adobe-experience-manager-revealed/?utm_source=rss&utm_medium=rss&utm_campaign=details-of-rce-bug-in-adobe-experience-manager-revealed

Remote dating: How do the apps safeguard our data?

The pandemic and the restrictions that came with it have led to an increase in the popularity of dating apps. For example, the total number of swipes on Tinder increased by 11% last year, with the daily number of swipes surpassing the 3 billion mark for the first time as early as March 2020. This is hardly surprising when you consider that many places where people used to meet and go on dates were shut down repeatedly in 2020 and at the beginning of 2021.

The increased activity on dating apps could be accompanied by increased associated risks for their users. Users may face some of the following threats:

Identification of the user by third parties. Strangers can gain access to a user’s personal data, including their real name and information about where they live, work or study. This information can then be used for stalking or doxing.
Theft of login credentials.
Scams. Some of the most popular scams include asking users to transfer money under various pretexts, asking for “nudes” to be sent which are then used as blackmail in “sextortion scams”, as well as sending links to phishing websites, where users are tricked into entering their bank card details.

Whether a user will fall victim to any of these scams is largely dependent on the security measures that are implemented in the app and the kind of vulnerabilities it has. In 2017, we analyzed nine popular dating apps and revealed the following:

Six apps allowed people to pinpoint a user’s location.
Four apps made it possible to find out a user’s real name and track down their social media accounts.
Four apps allowed an adversary to intercept potentially sensitive information they transfer.

We decided to see whether the situation has improved in 2021, so we looked at the apps with the most users around the world, as well as ones which received high ratings in publications such as CNET, PC Mag and Tom’s Guide. The resulting sample included both generic dating apps and niche apps for LGBT dating, polyamorous relationships etc.:

Tinder — one of the world’s most popular dating apps. Downloaded more than 100 million times from Google Play.
OkCupid — downloaded more than 10 million times from Google Play.
Badoo — another very popular dating app. Downloaded more than 100 million times from Google Play.
Bumble — an application where women make the first move. Downloaded more than 10 million times from Google Play, with 42 million monthly active users during the third quarter of 2020.
Mamba — downloaded more than 10 million times from Google Play.
Pure — an app for casual hookups and anonymous dating. Downloaded more than 1 million times from Google Play.
Feeld — an app which allows you to search for partners in polyamorous relationships. Downloaded more than 1 million times from Google Play.
Happn — an application for dating with random people you cross paths with. Downloaded over 50 million times from Google Play.
Her — a dating app catering to LGBTQ+ women. More than 1 million downloads from Google Play.

Signing up

Most of the apps that were analyzed ask users to provide a phone number for account verification when they sign up to send them an SMS message with a confirmation code. Accounts created using numbers provided by free online services for receiving SMS messages without a phone are quickly banned, which makes creating fake profiles a little more difficult.

All the services apart from Pure also have the option of signing up using a Facebook login or through another social network. When an existing social media account is used for registration, some apps don’t require a phone number for account verification, as long as no suspicions are raised by the date when the social media account was created, the number of friends or other account information.

All the profile photos from the Facebook page are added to the dating profile by default in most of the apps when a user signs up using Facebook.


Registration on Mamba

Most of the services analyzed make it optional for users to enter where they study and/or work, as well as to connect their Instagram and Spotify accounts. Those who choose to do so will have their latest photos and favorite music pulled from their accounts and added to the dating profile. There are no direct links to a user’s social media accounts, even if such an account is used to log in to the app, but information displayed on the profile such as a person’s name and age, their photos and information about where they study and work is often enough to track someone down on different sites.

Depending on how the user has configured their privacy settings on social media, individuals with sinister intentions may be able to gain access to a wealth of private information about their dating matches, such as their home addresses and personal photos. This leaves users vulnerable to cyberstalking and doxing (when private information is made public with the intent of shaming or harming the individual).

Determining the user’s location

Mamba, Badoo, OkCupid, Pure and Feeld don’t require mandatory access to location data. You can enter your location manually instead to find matches in your area. If you grant the app access to your GPS to search for nearby matches, it’ll show your approximate distance from other users. Different services calculate this distance to varying degrees of accuracy. The app with the smallest margin of error is Mamba, which is accurate to the nearest meter. At the same time, the service allows you to set a fake GPS location using third-party programs. This can be exploited by sinister individuals, who can “move around” on the map to more or less pinpoint the location of a person they’re interested in.

Mamba: your distance from other users to the nearest meter

This is how it can be done: although the app doesn’t show which direction you need to move in to find another user, you can draw the circle from where you’re located on the map if you know how far away from you they are. By moving to different locations on the map and receiving new distance info in each place, a stalker can find the point where these circles intersect. The margin of error prevents ill-intentioned users from obtaining another user’s exact coordinates in this way, but an approximate location may be enough to roughly determine where a person works or studies, which could then help the malicious user find the person’s other social media accounts or even go after them offline.
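The circle-intersection idea above, carried through in code: an added example (Kaspersky’s article contains no code, and this is neither the app’s nor the researchers’ method) that spoofs a few positions on a small local metre grid, takes the rounded distance the app would display from each one, and solves the resulting circle equations by least squares, so a fourth or fifth reading tightens the estimate instead of confusing it. The target position, the observer offsets and the display resolution are all constructed; only the standard library is used.

```python
"""Locating a dating-app user from the distances the app reports at spoofed positions."""
import math

R_EARTH = 6371000.0   # metres


def to_local(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0); fine over a few kilometres."""
    x = math.radians(lon - lon0) * R_EARTH * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * R_EARTH
    return x, y


def from_local(x, y, lat0, lon0):
    lat = lat0 + math.degrees(y / R_EARTH)
    lon = lon0 + math.degrees(x / (R_EARTH * math.cos(math.radians(lat0))))
    return lat, lon


def reported_distance(observer_xy, target_xy, resolution_m):
    """Simulates the app's display: the true distance rounded to the resolution it shows."""
    return round(math.dist(observer_xy, target_xy) / resolution_m) * resolution_m


def trilaterate(observations):
    """observations: [((x, y), d), ...] in metres, at least three non-collinear points.
    Subtracting circle 0 from every other circle turns (x-xi)^2+(y-yi)^2=di^2 into a linear
    row a*x + b*y = c; the rows are solved in the least-squares sense (normal equations),
    which averages out the rounding in the displayed distances."""
    (x0, y0), d0 = observations[0]
    rows = []
    for (xi, yi), di in observations[1:]:
        rows.append((2 * (xi - x0), 2 * (yi - y0),
                     d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-6:
        raise ValueError("observer positions are collinear; take a reading from a third direction")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det


def locate(observations_latlon):
    """[((lat, lon), distance_m), ...] collected by moving a spoofed GPS -> (lat, lon) estimate."""
    lat0, lon0 = observations_latlon[0][0]
    local = [(to_local(lat, lon, lat0, lon0), d) for (lat, lon), d in observations_latlon]
    return from_local(*trilaterate(local), lat0, lon0)


def simulate(resolution_m):
    """Constructed scenario: one target, four spoofed observer positions a few hundred metres
    around it, distances displayed at `resolution_m`. Returns the estimate and its error."""
    target = (52.5200, 13.4050)                                   # constructed, not a real user
    offsets = [(-400, -300), (500, -200), (100, 600), (-300, 450)]   # spread so circles cross steeply
    observations = []
    for dx, dy in offsets:
        obs = from_local(dx, dy, *target)
        d = reported_distance(to_local(*obs, *target), (0.0, 0.0), resolution_m)
        observations.append((obs, d))
    estimate = locate(observations)
    return estimate, math.dist(to_local(*estimate, *target), (0.0, 0.0))


if __name__ == "__main__":
    for res in (1.0, 100.0):
        est, err = simulate(res)
        print(f"distance shown to {res:>5.0f} m -> estimate {est[0]:.5f},{est[1]:.5f}  error {err:.1f} m")
```

With metre-resolution distances the estimate lands within a metre or two of the target, which is the point the article makes about Mamba; the same code with coarser rounding is the cheap mitigation, and a reading that falls on a straight line with the earlier ones is rejected because the circles then cross at too shallow an angle to give a position.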

To use Tinder and Bumble, you must grant these applications access to your geolocation. At the same time, both services prevent users from faking their coordinates via third-party programs. You can change the search area for potential partners in paid versions of the apps, but you can only select a region, not exact coordinates. This then makes it more difficult to work out where other users are located.

Her only allows paying users to set their location themselves, but third-party apps are allowed.

Happn is another app which needs to be granted access to the user’s location but allows you to use a third-party fake GPS VPN to change your location. This application has privacy settings which allow you to hide your distance from other users, age and “online” status, but these options are only available in the paid version.
Happn has another function that the other apps don’t offer: in addition to your distance from other users, you can also see how many times you’ve crossed paths with the same person and at what points. The app also shows who you’ve crossed paths with most often.

List of users you crossed paths with near a specific point


You can therefore easily work out who visits a given place on a regular basis, and that means it’s most likely a place where they live, work or study.

App       Requires access to your   Allows setting the region   Allows setting the region
          device's location         manually (free version)     manually (paid version)
Tinder    +                                                     +
OkCupid                             +
Badoo                               +
Bumble    +                                                     +
Mamba                               +
Pure                                +
Feeld                               +
Happn     +
Her       +                                                     +

Unauthorized use of photos and messages

Of all the services analyzed, the only app that allows users to blur their profile pictures for free is Mamba. Once this option is activated, only users approved by the account owner will be able to see the original non-blurred picture.


This feature is also available in some other applications but only in their paid versions.

Pure is the only application that allows you to sign up to create an account without any profile picture, and also prohibits its users from taking screenshots of messages. The other applications don’t rule out the possibility of users saving screenshots of profiles and messages, which could then be used for doxing or blackmail.

Traffic interception

All the apps that have been looked at use secure communication protocols for transfer of data. We also noted that the protection against certificate-spoofing man-in-the-middle (MITM) attacks has become much better compared to the results of the previous study. The apps stop exchanging data with the server if a fake certificate is detected, and Mamba even shows the user a warning message.

Data stored on the device

Similar to the results of the last study, the messages and cached images in most Android apps are stored on the user’s device. An attacker can gain access to them using a remote access Trojan (RAT) if the device has superuser (root) access rights. These devices can either be rooted by the user or by another Trojan which exploits Android OS vulnerabilities.

It’s worth noting that the risk of attackers gaining access to application data on the device is small, but it’s still a possibility.

Cleartext passwords

Mamba and Badoo send an email with a generated cleartext password to log in to your account. This can hardly be deemed good practice in cybersecurity, as without two-factor authentication an attacker who intercepts the email will gain access to the account in the app.

Vulnerability disclosure & bug bounty programs

Since 2017, dating apps seem to have become more concerned with security. In 2017, we discovered several dating apps with critical vulnerabilities. In 2021, we see that most developers are investing in bug bounty programs that help keep the apps secure.

Badoo and Bumble were the most open about the vulnerabilities they’ve detected and eliminated. These apps also have a joint bug bounty program: https://hackerone.com/bumble. Similar programs are also implemented by Tinder, Mamba and OkCupid.

Launching initiatives like vulnerability disclosure and bug bounty programs doesn’t necessarily guarantee greater app security, but it’s an important step in the right direction for these companies to take, as it encourages researchers to find vulnerabilities in apps and allows developers to eliminate them efficiently.

Conclusion

Dating apps are here to stay. A study conducted by Stanford back in 2019 found online dating was already the most popular way for US couples to meet. And the pandemic led to a real boom in remote dating. The good news is that as these apps continue to grow more and more popular, efforts are made to increase their security, particularly on the technical side. For example, while four of the apps studied in 2017 made it possible to intercept sent messages, all nine apps we examined in 2021 used secure data transfer protocols.

Yet dating apps still leave significant amounts of users’ personal information vulnerable, including their approximate or exact location, social media accounts with any data they contain, photos and chats. It’s never a good thing to give someone access to that much private information. Not only does it put your privacy at risk, it leaves you vulnerable to things like doxing and cyberstalking. Some risks are unfortunately hard to avoid, as many of the apps are location-based, which means you have to share your location to find potential matches.

There’s still plenty of room for improvement, but the companies behind these dating apps are moving in the right direction if the past few years are anything to go by. These are our hopes and expectations for a future of safe and secure digital connections:

One day, users will be able to hide both their photos and GPS locations from matches.
Accounts will be verified to prove your potential match is who they say they are, not a criminal.
Users will be able to restrict others from taking screenshots of their profiles and messages for free in any app.
Users will be able to delete their chats.
Apps will inform new users about the risks of sharing too much information.
App developers will harness AI to protect users from fraud and stop abusive and/or sensitive content from being shared.

In the meantime, here are a few things you can do to stay safe while dating online:

Don’t share too much personal information (your last name, employer, photos with friends, political views etc.).
Enter your location manually where possible.
Use two-factor authentication.
Delete or hide your profile if you’ve stopped using the app.




https://malwaredevil.com/2021/06/29/remote-dating-how-do-the-apps-safeguard-our-data/?utm_source=rss&utm_medium=rss&utm_campaign=remote-dating-how-do-the-apps-safeguard-our-data

Cobalt Strike Usage Explodes Among Cybercrooks

The legit security tool has shown up 161 percent more, year-over-year, in cyberattacks, having “gone fully mainstream in the crimeware world.”



https://malwaredevil.com/2021/06/29/cobalt-strike-usage-explodes-among-cybercrooks/?utm_source=rss&utm_medium=rss&utm_campaign=cobalt-strike-usage-explodes-among-cybercrooks

Understanding Global IoT Security Regulations

The IoT is maturing rapidly, and surveys show that global IoT spending will achieve a combined annual growth rate (CAGR) of 11.3% over the 2020-2024 forecast period. It offers promising benefits that are rapidly transforming a variety of industries, including manufacturing, health care, commercial buildings, smart homes, retail and energy. The huge potential of IoT..

The post Understanding Global IoT Security Regulations appeared first on Security Boulevard.




https://malwaredevil.com/2021/06/29/understanding-global-iot-security-regulations/?utm_source=rss&utm_medium=rss&utm_campaign=understanding-global-iot-security-regulations

Critical Vulnerability in DELL BIOSConnect (CERT-EU Security Advisory 2021-031)

On 24th of June 2021, Dell released a client platform security update for multiple vulnerabilities in the BIOSConnect and HTTPS Boot features as part of the Dell Client BIOS. The chain of vulnerabilities has a cumulative CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate “dell.com” and gain arbitrary code execution at the BIOS/UEFI level of the affected device. This would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.



https://malwaredevil.com/2021/06/29/critical-vulnerability-in-dell-biosconnect-cert-eu-security-advisory-2021-031/?utm_source=rss&utm_medium=rss&utm_campaign=critical-vulnerability-in-dell-biosconnect-cert-eu-security-advisory-2021-031

4 Warning Signs of an Insecure App

The “golden age of digital transformation” is upon us, and companies around the globe are scurrying to meet consumers on the digital frontier. For developers, it is a virtual gold rush, as businesses overhaul their infrastructure to meet consumers where they are—their mobile phones. For most, this means developing a mobile app. Unfortunately, the byproduct..

The post 4 Warning Signs of an Insecure App appeared first on Security Boulevard.




https://malwaredevil.com/2021/06/29/4-warning-signs-of-an-insecure-app/?utm_source=rss&utm_medium=rss&utm_campaign=4-warning-signs-of-an-insecure-app

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...